+- Additional sanitization of script tags to avoid XSS attacks. This revision breaks any script tags in the `<body>`. You should add script tags to the `<head>` tag. For more information, see [Enable JavaScript and page layout versions in Azure Active Directory B2C](javascript-and-page-layout.md?pivots=b2c-user-flow).

+- Added additional sanitization of script tags to avoid XSS attacks. This revision breaks any script tags in the `<body>`. You should add script tags to the `<head>` tag. For more information, see [Enable JavaScript and page layout versions in Azure Active Directory B2C](javascript-and-page-layout.md?pivots=b2c-user-flow).

+Applications in the gallery that are enabled for provisioning have templates to streamline configuration. Use the request below to [retrieve the template for the provisioning configuration](/graph/api/synchronization-synchronization-list-templates?preserve-view=true&tabs=http&view=graph-rest-beta). Note that you will need to provide the ID. The ID refers to the preceding resource, which in this case is the servicePrincipal resource.

+To enable provisioning, you'll first need to [create a job](/graph/api/synchronization-synchronization-post-jobs?preserve-view=true&tabs=http&view=graph-rest-beta). Use the following request to create a provisioning job. Use the templateId from the previous step when specifying the template to be used for the job.

+You should already be familiar with Azure monitoring and Log Analytics. If not, jump over to learn about them, and then come back to learn about application provisioning logs. To learn more about Azure monitoring, see [Azure Monitor overview](/azure/azure-monitor/overview). To learn more about Azure Monitor logs and Log Analytics, see [Overview of log queries in Azure Monitor](/azure/azure-monitor/logs/log-query-overview).

+Azure Monitor workbooks provide a flexible canvas for data analysis. They also provide for the creation of rich visual reports within the Azure portal. To learn more, see [Azure Monitor Workbooks overview](/azure/azure-monitor/visualize/workbooks-overview).

+You can create custom queries and show the data on Azure dashboards. To learn how, see [Create and share dashboards of Log Analytics data](/azure/azure-monitor/logs/get-started-queries). Also, be sure to check out [Overview of log queries in Azure Monitor](/azure/azure-monitor/logs/log-query-overview).

+To learn more about alerts, see [Azure Monitor Log Alerts](/azure/azure-monitor/alerts/alerts-create-new-alert-rule).

+- [Get started with queries in Azure Monitor logs](/azure/azure-monitor/logs/get-started-queries)

+- [Create and manage alert groups in the Azure portal](/azure/azure-monitor/alerts/action-groups)

+- [Install and use the log analytics views for Microsoft Entra ID](/azure/azure-monitor/visualize/workbooks-view-designer-conversion-overview)

+Replace "{ID}" with the value of the Application ID, and replace "{jobId}" with the [ID of the synchronization job](/graph/synchronization-configure-with-directory-extension-attributes?preserve-view=true&tabs=http&view=graph-rest-beta#list-synchronization-jobs-in-the-context-of-the-service-principal).

+- **Referenced Object Attribute** - If it's a Reference type attribute, then this menu lets you select the table and attribute in the target application that contains the value associated with the attribute. For example, if you have an attribute named "Department" whose stored value references an object in a separate "Departments" table, you would select "Departments.Name". The reference tables and the primary ID fields supported for a given application are preconfigured and can't be edited using the Microsoft Entra admin center. However, you can edit them using the [Microsoft Graph API](/graph/synchronization-configure-with-custom-target-attributes).

+While this tutorial uses a CSV file as a system of record, you can customize the sample Azure Logic Apps workflow to read data from any system of record. Azure Logic Apps provides a wide range of [built-in connectors](/azure/logic-apps/connectors/built-in/reference/) and [managed connectors](/connectors/connector-reference/connector-reference-logicapps-connectors) with pre-built triggers and actions that you can use in your integration workflow.

+|2 | Pre-process and convert data to SCIM format. | By default, the Logic Apps workflow converts each record in the CSV file to a SCIM Core User + Enterprise User representation. If you plan to use custom SCIM schema extensions, update the step "Construct SCIMUser" to include your custom SCIM schema extensions. | If you want to run C# code for advanced formatting and data validation, use [custom Azure Functions](/azure/logic-apps/logic-apps-azure-functions).|

+|6 | Deploy your PowerShell based automation to production. | Once you have verified your API-driven provisioning flow and customized the PowerShell script to meet your requirements, you can deploy the automation as a [PowerShell Workflow runbook in Azure Automation](/azure/automation/learn/automation-tutorial-runbook-textual) or as a server process [scheduled to run on a Windows server](/troubleshoot/windows-server/system-management-components/schedule-server-process). | - |

+- To learn about Azure Virtual Desktop support for B2B users, see [Prerequisites for Azure Virtual Desktop](/azure/virtual-desktop/prerequisites?tabs=portal).

+* [Microsoft Q&A Microsoft Entra forum](/answers/tags/455/entra-id)

+Install the [log analytics views for Microsoft Entra activity logs](/azure/azure-monitor/visualize/workbooks-view-designer-conversion-overview) to get access to [prebuilt reports](https://github.com/AzureAD/Deployment-Plans/tree/master/Log%20Analytics%20Views) around provisioning events in your environment.

+You should already be familiar with Azure monitoring and Log Analytics. If not, jump over to learn about them and then come back to learn about application provisioning logs. To learn more about Azure monitoring, see [Azure Monitor overview](/azure/azure-monitor/overview). To learn more about Azure Monitor logs and Log Analytics, see [Overview of log queries in Azure Monitor](/azure/azure-monitor/logs/log-query-overview) and [Provisioning Logs for troubleshooting cloud sync](../hybrid/cloud-sync/how-to-troubleshoot.md).

+You can create custom queries and show the data on Azure dashboards. To learn how, see [Create and share dashboards of Log Analytics data](/azure/azure-monitor/logs/get-started-queries). Also, be sure to check out [Overview of log queries in Azure Monitor](/azure/azure-monitor/logs/log-query-overview).

+To learn more about alerts, see [Azure Monitor Log Alerts](/azure/azure-monitor/alerts/alerts-create-new-alert-rule).

+This tutorial describes how to deploy the SCIM [reference code](https://aka.ms/scimreferencecode) with [Azure App Service](/azure/app-service/). Then, test the code by using Postman or by integrating with the Microsoft Entra provisioning service. The tutorial is intended for developers who want to get started with SCIM, or anyone interested in testing a [SCIM endpoint](./use-scim-to-provision-users-and-groups.md).

+The steps here deploy the SCIM endpoint to a service by using [Visual Studio 2019](https://visualstudio.microsoft.com/downloads/) and [Visual Studio Code](https://code.visualstudio.com/) with [Azure App Service](/azure/app-service/). The SCIM reference code can run locally, hosted by an on-premises server, or deployed to another external service.

+1. To deploy the Microsoft.SCIM.WebHostSample app to Azure App Services, [create a new App Services](/azure/app-service/quickstart-dotnetcore?tabs=net60&pivots=development-environment-vscode#2-publish-your-web-app).

+The Microsoft Entra provisioning service currently operates under the IP Ranges for Microsoft Entra ID as listed [here](https://www.microsoft.com/download/details.aspx?id=56519&WT.mc_id=rss_alldownloads_all). You can add the IP ranges listed under the Microsoft Entra ID tag to allow traffic from the Microsoft Entra provisioning service into your application. You need to review the IP range list carefully for computed addresses. An address such as '40.126.25.32' could be represented in the IP range list as '40.126.0.0/18'. You can also programmatically retrieve the IP range list using the following [API](/rest/api/virtualnetwork/service-tags/list).

+To add more attributes to the XPATH table for the benefit of customers implementing this integration, please leave a comment below or directly [contribute](/contribute/) to the article.

+> Microsoft is updating Azure services to use TLS certificates from a different set of Root Certificate Authorities (CAs). This change is being made because the current CA certificates do not comply with one of the CA/Browser Forum Baseline requirements. For more information, see [Azure TLS certificate changes](/azure/security/fundamentals/tls-certificate-changes).

+To prevent false positives, learn how to [Customize Web Application Firewall rules](/azure/web-application-firewall/ag/application-gateway-customize-waf-rules-portal), configure [Web Application Firewall exclusion lists](/azure/web-application-firewall/ag/application-gateway-waf-configuration?tabs=portal), or [Web Application Firewall custom rules](/azure/web-application-firewall/ag/create-custom-waf-rules).

+[waf-overview]: /azure/web-application-firewall/ag/ag-overview

+[appgw_quick]: /azure/application-gateway/quick-create-portal

+[private-dns]: /azure/dns/private-dns-getstarted-portal

+[waf-logs]: /azure/application-gateway/application-gateway-diagnostics#firewall-log

+To prevent false positives, learn how to [Customize Web Application Firewall rules](/azure/web-application-firewall/ag/application-gateway-customize-waf-rules-portal), configure [Web Application Firewall exclusion lists](/azure/web-application-firewall/ag/application-gateway-waf-configuration?tabs=portal), or [Web Application Firewall custom rules](/azure/web-application-firewall/ag/create-custom-waf-rules).

+[front-door-overview]: /azure/frontdoor/front-door-overview

+[front-door-origin]: /azure/frontdoor/origin?pivots=front-door-standard-premium#origin-host-header

+[front-door-tier]: /azure/frontdoor/standard-premium/tier-comparison

+[front-door-custom-domain]: /azure/frontdoor/standard-premium/how-to-add-custom-domain

+[private-dns]: /azure/dns/private-dns-getstarted-portal

+[waf-logs]: /azure/application-gateway/application-gateway-diagnostics#firewall-log

+[Configure KCD on a managed domain](/entra/identity/domain-services/deploy-kcd).

+* If you have problems with connector connectivity issues, ask your question in the [Microsoft Q&A question page for Microsoft Entra ID](/answers/tags/455/entra-id) or create a ticket with our support team.

+10. Follow the instructions at [Manage DNS records and record sets by using the Microsoft Entra admin center](/azure/dns/dns-operations-recordsets-portal) to add a DNS record that redirects the new external URL to the *msappproxy.net* domain in Azure DNS. If a different DNS provider is used, please contact the vendor for the instructions.

+ * Before using custom domains in Application Proxy you must create a CNAME record in public DNS, allowing clients to resolve the custom defined external URL to the pre-defined Application Proxy address. Failing to create a CNAME record for an application that uses a custom domain will prevent remote users from connecting to the application. Steps required to add CNAME records can vary from DNS provider to provider, so learn how to [manage DNS records and record sets by using the Microsoft Entra admin center](/azure/dns/dns-operations-recordsets-portal).

+Connectors have both admin and session logs. The admin logs include key events and their errors. The session logs include all the transactions and their processing details. Logs and counters are located in Windows Event Logs for more information see [Understand Microsoft Entra application proxy Connectors](./application-proxy-connectors.md#under-the-hood). Follow this [tutorial to configure event log data sources in Azure Monitor](/azure/azure-monitor/agents/data-sources-windows-events).

+3. The request is sent to [Service Bus](/azure/service-bus-messaging/).

+- [Common scenarios, examples, tutorials, and walkthroughs for Azure Logic Apps](/azure/logic-apps/logic-apps-examples-and-scenarios)

+For more information, see [Protect apps with Microsoft Defender for Cloud Apps Conditional Access App Control](/defender-cloud-apps/proxy-intro-aad).

+To test the deployment of Microsoft Entra applications with Conditional Access Application Control, follow the instructions in [Test the deployment for Microsoft Entra apps](/defender-cloud-apps/proxy-deployment-aad).

+8. Configure the Intune policy you want by referring to [How to create and assign app protection policies](/mem/intune/apps/app-protection-policies).

+If the application returns an error page after trying to load a report for more than a few minutes, you might need to change the timeout setting. By default, Application Proxy supports applications that take up to 85 seconds to respond to a request. To lengthen this setting to 180 seconds, select the back-end timeout to **Long** in the App Proxy settings page for the application. For tips on how to create fast and reliable reports see [Power BI Reports Best Practices](/power-bi/guidance/power-bi-optimization).

+Increasingly, organizations are moving their networks into hosted environments. This enables them to place their apps in a hosted environment that is also part of their corporate network, and still be within the domain. In this case, the patterns discussed in the preceding sections can be applied to the new application location. If you're considering this option, see [Microsoft Entra Domain Services](/entra/identity/domain-services/overview).

+Besides network topology, there are currently no further recommendations for performance tuning. As the Application Proxy service expands it might come to a data center that is physically closer. The closer proximity might help with latency. For a list of Azure data centers, see the [latency test page](https://www.azurespeed.com/Azure/Latency).

+Since Microsoft Entra application proxy authentication and authorization are built on top of Microsoft Entra ID, you can use Microsoft Entra Conditional Access to ensure only trusted devices can access APIs published through Application Proxy. Use Microsoft Entra join or Microsoft Entra hybrid joined for desktops, and Intune Managed for devices. You can also take advantage of Microsoft Entra ID P1 or P2 features like Microsoft Entra multifactor authentication, and the machine learning-backed security of [Microsoft Entra ID Protection](../identity-protection/overview-identity-protection.md).

+You can also use Conditional Access to configure Multi-Factor Authentication policies, adding another layer of security to your user authentications. Additionally, your applications can also be routed to Microsoft Defender for Cloud Apps via Microsoft Entra Conditional Access to provide real-time monitoring and controls, via [access](/defender-cloud-apps/access-policy-aad) and [session](/defender-cloud-apps/session-policy-aad) policies

+| [New-AzureADGroupAppRoleAssignment](/powershell/module/azuread/new-azureadgroupapproleassignment) | Assigns a group to an application role. |

+| [New-AzureADUserAppRoleAssignment](/powershell/module/azuread/new-azureaduserapproleassignment) | Assigns a user to an application role. |

+| [Get-AzureADUser](/powershell/module/azuread/get-azureaduser)| Gets a user. |

+| [Get-AzureADGroup](/powershell/module/azuread/get-azureadgroup)| Gets a group. |

+| [Get-AzureADUserAppRoleAssignment](/powershell/module/azuread/get-azureaduserapproleassignment) | Get a user application role assignment. |

+| [Get-AzureADGroupAppRoleAssignment](/powershell/module/azuread/get-azureadgroupapproleassignment) | Get a group application role assignment. |

+In today's digital workplace, users work anywhere with multiple devices and apps. The only constant is user identity. That's why the first step to a secure network today is to use [Microsoft Entra identity management](/azure/security/fundamentals/identity-management-overview) capabilities as your security control plane. A model that uses identity as your control plane is typically comprised of the following components:

+* **Intune integration**. With Intune, corporate traffic is routed separately from personal traffic. Application Proxy ensures that the corporate traffic is authenticated. [Application Proxy and the Intune Managed Browser](/mem/intune/apps/manage-microsoft-edge#how-to-configure-application-proxy-settings-for-protected-browsers) capability can also be used together to enable remote users to securely access internal websites from iOS and Android devices.

+* **Securely publish REST APIs**. When you have business logic or APIs running on-premises or hosted on virtual machines in the cloud, Application Proxy provides a public endpoint for API access. API endpoint access lets you control authentication and authorization without requiring incoming ports. It provides additional security through Microsoft Entra ID P1 or P2 features such as multi-factor authentication and device-based Conditional Access for desktops, iOS, MAC, and Android devices using Intune. To learn more, see [How to enable native client applications to interact with proxy applications](./application-proxy-configure-native-client-application.md) and [Protect an API by using OAuth 2.0 with Microsoft Entra ID and API Management](/azure/api-management/api-management-howto-protect-backend-with-aad).

+* Microsoft 365 [Audit log activities](/purview/audit-log-activities?view=o365-worldwide&preserve-view=true) - search for events and discover activities audited in Microsoft 365

+ * [Learn about data loss prevention](/purview/dlp-learn-about-dlp?view=o365-worldwide&preserve-view=true)

+ * See, [What is group-based licensing in Microsoft Entra ID?](../fundamentals/concept-group-based-licensing.md)

+* [Manage Azure AD B2C with Microsoft Graph](/azure/active-directory-b2c/microsoft-graph-operations)

+* [Block OneDrive use from Office](/microsoft-365/troubleshoot/group-policy/block-onedrive-use-from-office)

+See, [Learn about sensitivity labels](/purview/sensitivity-labels?view=o365-worldwide&preserve-view=true).

+* [Microsoft Purview compliance portal](/purview/microsoft-365-compliance-center?view=o365-worldwide&preserve-view=true)

+See, [Apply a sensitivity label to content automatically](/purview/apply-sensitivity-label-automatically?view=o365-worldwide&preserve-view=true)

+* [Enable sensitivity labels for Office files in SharePoint and OneDrive](/purview/sensitivity-labels-sharepoint-onedrive-files?view=o365-worldwide&preserve-view=true).

+* [Use sensitivity labels to protect content in Microsoft Teams, Microsoft 365 Groups, and SharePoint sites](/purview/sensitivity-labels-teams-groups-sites)

+* [Get started with sensitivity labels](/purview/get-started-with-sensitivity-labels?view=o365-worldwide&preserve-view=true)

+* [Create and publish sensitivity labels](/purview/create-sensitivity-labels?view=o365-worldwide&preserve-view=true)

+* [Restrict access to content by using sensitivity labels to apply encryption](/purview/encryption-sensitivity-labels?view=o365-worldwide&preserve-view=true)

+* [Manage external meetings and chat in Microsoft Teams](/microsoftteams/trusted-organizations-external-meetings-chat)

+* [Step 1. Determine your cloud identity model](/microsoft-365/enterprise/deploy-identity-solution-identity-model)

+* [Get started with the SharePoint admin center](/sharepoint/manage-sites-in-new-admin-center)

+- [Azure architecture icons](/azure/architecture/icons/)

+* [Create and configure a Microsoft Entra Domain Services instance](/entra/identity/domain-services/tutorial-create-instance)

+* [Configure virtual networking for a Microsoft Entra Domain Services instance](/entra/identity/domain-services/tutorial-configure-networking)

+* [Configure Secure LDAP for a Microsoft Entra Domain Services managed domain](/entra/identity/domain-services/tutorial-configure-ldaps)

+* [Create an outbound forest trust to an on-premises domain in Microsoft Entra Domain Services](/entra/identity/domain-services/tutorial-create-forest-trust)

+* [Web sign-in with OpenID Connect in Azure Active Directory B2C](/azure/active-directory-b2c/openid-connect)

+* [Secure your application by using OpenID Connect and Microsoft Entra ID](../develop/v2-protocols-oidc.md)

+- [Windows Hello for Business Overview](/windows/security/identity-protection/hello-for-business/): Windows Hello for Business replaces passwords with strong two-factor authentication on devices. This authentication consists of a type of user credential that is tied to a device and uses a biometric or PIN.

+> For scenarios not covered by LCW, customers can leverage the extensibility of [Logic Applications](/azure/logic-apps/logic-apps-overview).

+ - See, [What is Azure Active Directory B2C?](/azure/active-directory-b2c/overview)

+ - See, [Planning and design](/azure/active-directory-b2c/best-practices#planning-and-design)

+ - See, [Tutorial: Create an Azure Active Directory B2C tenant](/azure/active-directory-b2c/tutorial-create-tenant)

+ - [Seamless migration](/azure/active-directory-b2c/user-migration#seamless-migration)

+ * See, [Tutorial: Create an Azure Active Directory B2C tenant](/azure/active-directory-b2c/tutorial-create-tenant)

+* [The new App registrations experience for Azure Active Directory B2C](/azure/active-directory-b2c/app-registrations-training-guide)

+ * Refer to [Azure Active Directory B2C code samples](/azure/active-directory-b2c/integrate-with-app-code-samples) for implementation

+ * [Comparing user flows and custom policies](/azure/active-directory-b2c/user-flow-overview#comparing-user-flows-and-custom-policies)

+ * [Add an identity provider to your Azure Active Directory B2C tenant](/azure/active-directory-b2c/add-identity-provider)

+ * [Migrate users to Azure AD B2C](/azure/active-directory-b2c/user-migration)

+ * See, [Quickstart: Set up sign in for an ASP.NET application using Azure AD B2C](/azure/active-directory-b2c/quickstart-web-app-dotnet)

+ * See, [Active Directory Federation Services](/windows-server/identity/ad-fs/ad-fs-overview)

+ * See, [ClaimsSchema](/azure/active-directory-b2c/claimsschema)

+ * [Set up a sign-up and sign-in flow in Azure Active Directory B2C](/azure/active-directory-b2c/add-sign-up-and-sign-in-policy?pivots=b2c-user-flow)

+|Identity provider (IdP)| See, [Select an identity provider](/azure/active-directory-b2c/add-identity-provider#select-an-identity-provider). For example, for a customer-to-customer (C2C) mobile app use an easy sign-in process. </br>B2C with digital services has compliance requirements. </br>Consider email sign-in. |

+| User migration | Confirm if you'll [migrate users to Azure AD B2C](/azure/active-directory-b2c/user-migration): Just-in-time (JIT) migration and bulk import/export. </br>See the video [Azure AD B2C user migration strategies](https://www.youtube.com/watch?v=lCWR6PGUgz0&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=2).|

+|Application samples | See, [Azure Active Directory B2C code samples](/azure/active-directory-b2c/integrate-with-app-code-samples).|

+|Penetration testing | Inform your operations team about pen tests, then test user flows including the OAuth implementation. </br>See, [Penetration testing](/azure/security/fundamentals/pen-testing) and [Penetration testing rules of engagement](https://www.microsoft.com/msrc/pentest-rules-of-engagement).

+| Unit testing | Unit test and generate tokens. </br>See, [Microsoft identity platform and OAuth 2.0 Resource Owner Password Credentials](../develop/v2-oauth-ropc.md). </br>If you reach the Azure AD B2C token limit, see [Azure AD B2C: File Support Requests](/azure/active-directory-b2c/find-help-open-support-ticket). </br>Reuse tokens to reduce investigation on your infrastructure. </br>[Set up a resource owner password credentials flow in Azure Active Directory B2C](/azure/active-directory-b2c/add-ropc-policy?pivots=b2c-user-flow&tabs=app-reg-ga).|

+| Load testing | Learn about [Azure AD B2C service limits and restrictions](/azure/active-directory-b2c/service-limits). </br>Calculate the expected authentications and user sign-ins per month. </br>Assess high load traffic durations and business reasons: holiday, migration, and event. </br>Determine expected peak rates for sign-up, traffic, and geographic distribution, for example per second.

+ * See, [Tutorial: Configure Microsoft Dynamics 365 Fraud Protection with Azure Active Directory B2C](/azure/active-directory-b2c/partner-dynamics-365-fraud-protection)

+ * See, [Identity Protection and Conditional Access in Azure AD B2C](/azure/active-directory-b2c/conditional-access-identity-protection-overview)

+ * [Azure Active Directory B2C ISV partners](/azure/active-directory-b2c/partner-gallery)

+ * See, [Guidelines for using JavaScript](/azure/active-directory-b2c/javascript-and-page-layout?pivots=b2c-custom-policy#guidelines-for-using-javascript)

+ * See, [Embedded sign-up or sign-in experience](/azure/active-directory-b2c/embedded-login?pivots=b2c-custom-policy)

+ * [Monitor Azure AD B2C with Azure Monitor](/azure/active-directory-b2c/azure-monitor)

+ * [Accessing Azure AD B2C audit logs](/azure/active-directory-b2c/view-audit-logs)

+- [Register a Microsoft Graph application](/azure/active-directory-b2c/microsoft-graph-get-started)

+- [Manage Azure AD B2C with Microsoft Graph](/azure/active-directory-b2c/microsoft-graph-operations)

+- [Deploy custom policies with Azure Pipelines](/azure/active-directory-b2c/deploy-custom-policies-devops)

+- [Manage Azure AD B2C custom policies with Azure PowerShell](/azure/active-directory-b2c/manage-custom-policies-powershell)

+[Recommendations and best practices for Azure Active Directory B2C](/azure/active-directory-b2c/best-practices)

+1. Your application persists the token cache for at least three days. Applications should use the deviceΓÇÖs token cache location or the [token cache serialization API](/entra/msal/dotnet/how-to/token-cache-serialization) to persist the token cache even when the user closes the application.

+1. Your application makes use of the MSAL [AcquireTokenSilent API](/entr) may fail to acquire a token from the backup authentication system if user interaction is required.

+- Use of [classic Conditional Access policies](../conditional-access/policy-migration-mfa.md).

+- [Microsoft Entra SLA performance reporting](../reports-monitoring/reference-sla-performance.md)

+* [How to use managed identities for App Service and Azure Functions](/azure/app-service/overview-managed-identity?tabs=dotnet)

+ * [Azure Storage documentation](/azure/storage/)

+ * [Azure Event Hubs documentation](/azure/event-hubs/), or

+ * [Azure Monitor Logs overview](/azure/azure-monitor/logs/data-platform-logs)

+ * [What is Azure Key Vault?](/azure/key-vault/general/basic-concepts)

+> See all available workbooks and the prerequisites for using them in [How to use Azure Monitor workbooks for reports](../reports-monitoring/howto-use-workbooks.md).

+- A Log Analytics workspace in your Azure subscription to send logs to Azure Monitor logs. Learn how to [create a Log Analytics workspace](/azure/azure-monitor/logs/quick-create-workspace).

+- Microsoft Entra logs integrated with Azure Monitor logs. Learn how to [Integrate Microsoft Entra sign-in logs with Azure Monitor Stream.](../reports-monitoring/howto-integrate-activity-logs-with-azure-monitor-logs.md)

+To configure the underlying query and set alerts, complete the following steps using the sample query as the basis for your configuration. The query structure description appears at the end of this section. Learn how to create, view, and manage log alerts using Azure Monitor in [Manage log alerts](/azure/azure-monitor/alerts/alerts-create-new-alert-rule).

+[Learn more about workbooks](../reports-monitoring/howto-use-workbooks.md)

+The following information addresses Office 365 in the context of this paper's scenarios. Detailed information is available at [Microsoft 365 inter-tenant collaboration 365 inter-tenant collaboration](/microsoft-365/enterprise/microsoft-365-inter-tenant-collaboration) describes options that include using a central location for files and conversations, sharing calendars, using IM, audio/video calls for communication, and securing access to resources and applications.

+- External users may be unhidden using [Azure AD PowerShell](/powershell/module/azuread/). You can execute the [Set-AzureADUser](/powershell/module/azuread/set-azureaduser) PowerShell cmdlet to set the **ShowInAddressList** property to a value of **\$true.**

+ - Set the feature using the [Set-SPOTenant](/powershell/module/sharepoint-online/set-spotenant) and [Set-SPOSite](/powershell/module/sharepoint-online/set-sposite) [SharePoint Online PowerShell](/powershell/sharepoint/sharepoint-online/connect-sharepoint-online) cmdlets.

+This advanced deployment uses MIM as a synchronization engine. MIM calls the [Microsoft Graph API](https://developer.microsoft.com/graph) and [Exchange Online PowerShell](/powershell/exchange/exchange-online-powershell?view=exchange-ps&preserve-view=true). Alternative implementations can include the cloud-hosted [Active Directory Synchronization Service](/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview) (ADSS) managed service offering from [Microsoft Industry Solutions](https://www.microsoft.com/industrysolutions). There are non-Microsoft offerings that you can create from scratch with other IAM offerings (such as SailPoint, Omada, and OKTA).

+- Organizations can use [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) to manage the device and enforce compliance policies, attest device health, and set Conditional Access policies based on whether the device is compliant. Microsoft Intune can manage iOS devices, Mac desktops (Via JAMF integration), Windows desktops (natively using Mobile Device Management for Windows 10, and co-management with Microsoft Configuration Manager) and Android mobile devices.

+- [Identity and device access configurations](/microsoft-365/security/office-365-security/microsoft-365-policies-configurations)

+If legacy authentication is widely used in your environment, you should plan to migrate legacy clients to clients that support [modern authentication](/microsoft-365/enterprise/modern-auth-for-office-2013-and-2016) as soon as possible. In the same token, if you have some users already using modern authentication but others that still use legacy authentication, you should take the following steps to lock down legacy authentication clients:

+To avoid this scenario, you should refer to [detect and remediate illicit consent grants in Office 365](/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants) to identify and fix any applications with illicit grants or applications that have more grants than are necessary. Next, [remove self-service altogether](../manage-apps/configure-user-consent.md) and [establish governance procedures](../manage-apps/configure-admin-consent-workflow.md). Finally, schedule regular reviews of app permissions and remove them when they are not needed.

+If available, use a security information and event management (SIEM) solution to analyze and find patterns of access across regions. If you don't use a SIEM product, or it isn't ingesting authentication information from Microsoft Entra ID, we recommend you use [Azure Monitor](/azure/azure-monitor/overview) to identify patterns of access across regions.

+Having access to sign-in activity, audits and risk events for Microsoft Entra ID is crucial for troubleshooting, usage analytics, and forensics investigations. Microsoft Entra ID provides access to these sources through REST APIs that have a limited retention period. A security information and event management (SIEM) system, or equivalent archival technology, is key for long-term storage of audits and supportability. To enable long-term storage of Microsoft Entra logs, you must either add them to your existing SIEM solution or use [Azure Monitor](../reports-monitoring/concept-log-monitoring-integration-options-considerations.md). Archive logs that can be used as part of your incident response plans and investigations.

+- [How to use the Microsoft Entra ID Power BI Content Pack](../reports-monitoring/howto-use-workbooks.md)

+Microsoft Entra ID streamlines the management of licenses through [group-based licensing](../fundamentals/concept-group-based-licensing.md) for Microsoft cloud services. This way, IAM provides the group infrastructure and delegated management of those groups to the proper teams in the organizations. There are multiple ways to set up the membership of groups in Microsoft Entra ID, including:

+- [Prepare directory attributes for synchronization with Microsoft 365 by using the IdFix tool](/microsoft-365/enterprise/set-up-directory-synchronization)

+The [identity secure score](../reports-monitoring/concept-identity-secure-score.md) provides a quantifiable measure of the security posture of your organization. It's key to constantly review and address findings reported and strive to have the highest score possible. The score helps you to:

+Microsoft sends email communications to administrators to notify various changes in the service, configuration updates that are needed, and errors that require admin intervention. It's important that customers set the notification email addresses so that notifications are sent to the proper team members who can acknowledge and act upon all notifications. We recommend you add multiple recipients to the [Message Center](/microsoft-365/admin/manage/message-center) and request that notifications (including Microsoft Entra Connect Health notifications) be sent to a distribution list or shared mailbox. If you only have one Global Administrator account with an email address, be sure to configure at least two email-capable accounts.

+- [Change your organization's address, technical contact, and more](/microsoft-365/admin/manage/change-address-contact-and-more)

+The [tier model](/security/privileged-access-workstations/privileged-access-access-model) is composed of three levels and only includes administrative accounts, not standard user accounts.

+For more information, see [Securing privileged access](/security/privileged-access-workstations/overview). Also, see [Secure access practices for administrators in Microsoft Entra ID](../roles/security-planning.md).

+- **Collaboration**. Use Microsoft 365 Groups and Microsoft Teams for modern collaboration. Decommission on-premises distribution lists, and [upgrade distribution lists to Microsoft 365 Groups in Outlook](/microsoft-365/admin/create-groups/office-365-groups).

+Deploy Microsoft Entra joined Windows 10 workstations with mobile device management policies. Enable Windows Autopilot for a fully automated provisioning experience. See [Plan your Microsoft Entra join implementation](../devices/device-join-plan.md) and [Windows Autopilot](/autopilot/windows-autopilot).

+- **Deploy privileged access devices.** For more information, see [Device roles and profiles](/security/privileged-access-workstations/privileged-access-devices#device-roles-and-profiles).

+ Applications or resources that required servers can be migrated to Azure infrastructure as a service (IaaS). Use Microsoft Entra Domain Services to decouple trust and dependency on on-premises instances of Active Directory. To achieve this decoupling, make sure virtual networks used for Microsoft Entra Domain Services don't have a connection to corporate networks. See [Microsoft Entra Domain Services](/entra/identity/domain-services/overview).

+ Use credential tiering. Application servers are typically considered tier-1 assets. For more information, see [Enterprise access model](/security/privileged-access-workstations/privileged-access-access-model#ADATM_BM).

+ Use UEBA to get insights on anomaly detection. Microsoft Defender for Cloud Apps provides UEBA in the cloud. See [Investigate risky users](/defender-cloud-apps/tutorial-ueba).

+ You can integrate on-premises UEBA from Azure Advanced Threat Protection (ATP). Microsoft Defender for Cloud Apps reads signals from Microsoft Entra ID Protection. See [Connect to your Active Directory Forest](/defender-for-identity/directory-service-accounts).

+ Microsoft Entra ID provides Azure Monitor integration for the sign-in activity log and audit logs. See [Microsoft Entra activity logs in Azure Monitor](../reports-monitoring/concept-log-monitoring-integration-options-considerations.md).

+ Use the Microsoft Graph API to ingest risk events. See [Use the Microsoft Graph identity protection APIs](/graph/api/resources/identityprotection-overview).

+ You can stream Microsoft Entra logs to Azure Monitor logs. See [Integrate Microsoft Entra logs with Azure Monitor logs](../reports-monitoring/howto-integrate-activity-logs-with-azure-monitor-logs.md).

+The [Microsoft Entra audit log](../reports-monitoring/concept-audit-logs.md) contains information on all delete operations performed in your tenant. Export these logs to a security information and event management tool such as [Microsoft Sentinel](/azure/sentinel/overview).

+The [Microsoft Entra audit log](../reports-monitoring/concept-audit-logs.md) contains information on all delete and configuration operations performed in your tenant. We recommend that you export these logs to a security information and event management tool such as [Microsoft Sentinel](/azure/sentinel/overview). You can also use Microsoft Graph to audit changes and build a custom solution to monitor differences over time. For more information on finding deleted items by using Microsoft Graph, see [List deleted items - Microsoft Graph v1.0](/graph/api/directory-deleteditems-list?tabs=http).

+ - [Migrate your SPA from implicit grant](https://developer.microsoft.com/identity/blogs/msal-js-2-0-supports-authorization-code-flow-is-now-generally-available/) to [authorization code grant flow](/azure/active-directory-b2c/implicit-flow-single-page-application) with Proof Key for Code Exchange (PKCE) and Cross-origin Resource Sharing (CORS) support. Migrate your application from MSAL.js 1.x to MSAL.js 2.x to realize the resiliency of Web applications.

+With [Single sign-on (SSO)](../manage-apps/what-is-single-sign-on.md), users sign in once with a single account and get access to multiple applications. The application can be a web, mobile, or a Single page application (SPA), regardless of platform or domain name. When the user initially signs in to an application, Azure AD B2C persists a [cookie-based session](/azure/active-directory-b2c/session-behavior).

+- Use Azure [WAF](/azure/web-application-firewall/overview), which provides centralized protection against attacks.

+- Use WAF with Microsoft Entra [Identity Protection and Conditional Access to provide multi-layer protection](/azure/active-directory-b2c/conditional-access-identity-protection-overview) when using Azure AD B2C.

+- Take an inventory of all the [keys and certificates configured](/azure/active-directory-b2c/policy-keys-overview) in Azure AD B2C. This list is likely to include keys used in custom policies, [APIs](/azure/active-directory-b2c/secure-rest-api), signing ID token, and certificates for SAML.

+We recommend your test plan to include [comprehensive API tests](/azure/active-directory-b2c/best-practices#testing). If you're planning for an upcoming surge because of promotion or holiday traffic, you need to revise your load testing with the new estimates. Conduct load testing of your APIs and Content Delivery Network (CDN) in a developer environment and not in production.

+[Azure AD B2C](/azure/active-directory-b2c/overview) is a Customer Identity and Access Management (CIAM) platform that is designed to help you launch your critical customer facing applications successfully. We have many built-in features for [resilience](https://azure.microsoft.com/blog/advancing-azure-active-directory-availability/) that are designed to help our service scale to your needs and improve resilience in the face of potential outage situations. In addition, when launching a mission critical application, it's important to consider various design and configuration elements in your application. Consider how the application is configured within Azure AD B2C to ensure that you get a resilient behavior in response to outage or failure scenarios. In this article, we'll discuss some of the best practices to help you increase resilience.

+* [Token cache serialization in MSAL.NET](/entra/msal/dotnet/how-to/token-cache-serialization)

+* [Microsoft Identity Web authentication library](/entra/msal/dotnet/microsoft-identity-web/)

+- **Monitoring**: Use [Azure Monitor](/azure/active-directory-b2c/azure-monitor) to continuously monitor health against key Service Level Objectives (SLO) and get notification whenever a critical change happens. Begin by identifying Azure AD B2C policy or an application as a critical component of your business whose health needs to be monitored to maintain SLO. Identify key indicators that align with your SLOs.

+ Access the [key indicators](/azure/active-directory-b2c/view-audit-logs) in [application insights](/azure/active-directory-b2c/analytics-with-application-insights) where Azure AD B2C policy-based logs, [audit logs](/azure/active-directory-b2c/analytics-with-application-insights), and sign-in logs are stored.

+- **Alerting**: Using log analytics define [alerts](/azure/azure-monitor/alerts/alerts-create-new-alert-rule) that get triggered when there are sudden changes in the key indicators. These changes may negatively impact the SLOs. Alerts use various forms of notification methods including email, SMS, and webhooks. Start by defining a criterion that acts as a threshold against which alert will be triggered. For example:

+ - Upon receiving an alert, troubleshoot the issue using [Log Analytics](/azure/azure-monitor/visualize/workbooks-view-designer-conversion-overview), [Application Insights](/azure/active-directory-b2c/troubleshoot-with-application-insights), and [VS Code extension](https://marketplace.visualstudio.com/items?itemName=AzureADB2CTools.aadb2c) for Azure AD B2C. After you resolve the issue and deploy an updated application or policy, it continues to monitor the key indicators until they return back to normal range.

+- **Service alerts**: Use the [Azure AD B2C service level alerts](/azure/service-health/service-health-overview) to get notified of service issues, planned maintenance, health advisory, and security advisory.

+- **Reporting**: [By using log analytics](../reports-monitoring/howto-integrate-activity-logs-with-azure-monitor-logs.md), build reports that help you gain understanding about user insights, technical challenges, and growth opportunities.

+ - **Health Dashboard**: Create [custom dashboards using Azure Dashboard](/azure/azure-monitor/app/tutorial-app-dashboards) feature, which supports adding charts using Log Analytics queries. For example, identify pattern of successful and failed sign-ins, failure reasons and telemetry about devices used to make the requests.

+To help you set up the most common identity tasks, Azure AD B2C provides built-in configurable [user flows](/azure/active-directory-b2c/user-flow-overview). You can also build your own [custom policies](/azure/active-directory-b2c/custom-policy-overview) that offer you maximum flexibility. However, it's recommended to use custom policies only to address complex scenarios.

+Should you [choose custom policies](/azure/active-directory-b2c/user-flow-overview) because of your business requirements, make sure you perform policy-level testing for functional, performance, or scale in addition to application-level testing.

+See the article that [compares user flows and custom polices](/azure/active-directory-b2c/user-flow-overview#comparing-user-flows-and-custom-policies) to help you decide.

+When using an [external identity provider](/azure/active-directory-b2c/add-identity-provider) such as Facebook, make sure to have a fallback plan in case the external provider becomes unavailable.

+ 3. Notify and allow users to [switch to an alternate IDP](/azure/active-directory-b2c/customize-ui-with-html#configure-dynamic-custom-page-content-uri) during an outage.

+When using a [phone service for Multi-factor authentication (MFA)](/azure/active-directory-b2c/phone-authentication-user-flows), make sure to consider an alternative service provider. The local Telco or phone service provider may experience disruptions in their service.

+Identity experience framework (IEF) policies allow you to call an external system using a [RESTful API technical profile](/azure/active-directory-b2c/restful-technical-profile). External systems aren't controlled by the IEF runtime environment and are a potential failure point.

+- Use [API connectors of built-in sign-up user flow](/azure/active-directory-b2c/api-connectors-overview) wherever possible to integrate with web APIs either After federating with an identity provider during sign-up or before creating the user. Since the user flows are already extensively tested, it's likely that you don't have to perform user flow-level functional, performance, or scale testing. You still need to test your applications for functionality, performance, and scale.

+- Azure AD B2C RESTful API [technical profiles](/azure/active-directory-b2c/restful-technical-profile) don't provide any caching behavior. Instead, RESTful API profile implements a retry logic and a timeout that is built into the policy.

+- For APIs that need writing data, queue up a task to have such tasks executed by a background worker. Services like [Azure queues](/azure/storage/queues/storage-queues-introduction) can be used. This practice will make the API return efficiently and increase the policy execution performance.

+- An API could fail for various reasons, make your application resilient to such failures. [Return an HTTP 4XX error message](/azure/active-directory-b2c/restful-technical-profile#returning-validation-error-message) if the API is unable to complete the request. In the Azure AD B2C policy, try to gracefully handle the unavailability of the API and perhaps render a reduced experience.

+- [Handle transient errors gracefully](/azure/active-directory-b2c/restful-technical-profile#error-handling). The RESTful API profile allows you to configure error messages for various [circuit breakers](/azure/architecture/patterns/circuit-breaker).

+- Proactively monitor and using Continuous Integration/Continuous Delivery (CICD), rotate the API access credentials such as passwords and certificates used by the [Technical profile engine](/azure/active-directory-b2c/restful-technical-profile).

+- Recommendation is to get the right token at the beginning of the user journey instead of calling multiple times for each API and [secure an Azure APIM API](/azure/active-directory-b2c/secure-api-management?tabs=app-reg-ga).

+* Secure your hybrid identity infrastructure by following [Five steps to securing your identity infrastructure](/azure/security/fundamentals/steps-secure-identity).

+For more information, see [Learn more about cloud-native endpoints](/mem/solutions/cloud-native-endpoints/cloud-native-endpoints-overview).

+ > Depending on the anticipated demands of applications that require legacy protocols, you can choose to deploy [Microsoft Entra Domain Services](/entra/identity/domain-services/overview) when more current alternatives won't work.

+ * [Azure Files](/azure/storage/files/storage-files-introduction) offers fully managed file shares in the cloud that are accessible via the industry-standard SMB or NFS protocol. Customers can use native [Microsoft Entra authentication to Azure Files](/azure/virtual-desktop/create-profile-container-azure-ad) over the internet without line of sight to a domain controller.

+* You can [convert distribution lists to Microsoft 365 groups](/microsoft-365/admin/create-groups/office-365-groups) in Outlook. This approach is a great way to give your organization's distribution lists all the features and functionality of Microsoft 365 groups.

+ * Plan to deploy [Platform SSO for macOS 13](https://techcommunity.microsoft.com/t5/microsoft-intune-blog/microsoft-simplifies-endpoint-manager-enrollment-for-apple/ba-p/3570319).

+* [Deploy Microsoft Entra joined VMs in Azure Virtual Desktop](/azure/virtual-desktop/azure-ad-joined-session-hosts)

+| Update management| Microsoft Configuration Manager, Windows Server Update Services| [Azure Automation Update Management](/azure/automation/update-management/overview) |

+| Configuration management| GPO, Microsoft Configuration Manager| [Azure Automation State Configuration](/azure/automation/automation-dsc-overview) |

+| Monitoring| System Center Operations Manager| [Azure Monitor Log Analytics](/azure/azure-monitor/logs/log-analytics-overview) |

+1. Deploy Microsoft Entra Domain Services into an Azure virtual network and [extend the schema](/entra/identity/domain-services/concepts-custom-attributes) to incorporate additional attributes needed by the applications.

+>* Use Microsoft Entra Domain Services if the dependencies are aligned with [common deployment scenarios for Microsoft Entra Domain Services](/entra/identity/domain-services/scenarios).

+This project focuses on moving your VPN authentication to Microsoft Entra ID. It's important to know that different configurations are available for VPN gateway connections. You need to determine which configuration best fits your needs. For more information on designing a solution, see [VPN gateway design](/azure/vpn-gateway/design).

+* For Windows 10 devices, consider integrating [Microsoft Entra ID support into the built-in VPN client](/windows-server/remote/remote-access/how-to-aovpn-conditional-access).

+Microsoft Entra Domain Services allows you to migrate application servers to the cloud IaaS and decouple from Active Directory, while using Microsoft Entra application proxy to enable remote access. To learn more about this scenario, check [Deploy Microsoft Entra application proxy for Microsoft Entra Domain Services](/entra/identity/domain-services/deploy-azure-app-proxy).

+* For specific device configuration and control, you can use device filters in Conditional Access policies to [target or exclude specific devices](../conditional-access/concept-condition-filters-for-devices.md). This enables you to restrict access to Azure management tools from a designated secure admin workstation (SAW). Other approaches you can take include using [Azure Virtual desktop](/azure/virtual-desktop/terminology), [Azure Bastion](/azure/bastion/bastion-overview), or [Cloud PC](/graph/cloudpc-concept-overview).

+ * Azure RBAC [custom roles](/azure/role-based-access-control/custom-roles) allow designing least privileged roles based on organizational needs. We recommend that custom roles definitions are authored or reviewed by specialized security teams and mitigate risks of unintended excessive privileges. Authoring of custom roles can be audited through [Azure Policy](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/Subscription_AuditCustomRBACRoles_Audit.json).

+Some approaches you can use for [using secure devices as part of your privileged access story](/security/privileged-access-workstations/privileged-access-devices) include using Conditional Access policies to [target or exclude specific devices](../conditional-access/concept-condition-filters-for-devices.md), using [Azure Virtual desktop](/azure/virtual-desktop/terminology), [Azure Bastion](/azure/bastion/bastion-overview), or [Cloud PC](/graph/cloudpc-concept-overview), or creating Azure-managed workstations or privileged access workstations.

+* [Microsoft Customer Agreement](/azure/cost-management-billing/understand/mca-overview) (MCA) roles don't integrate natively with PIM. To mitigate this, use dedicated MCA accounts and monitor usage of these accounts.

+* Don't allow ad-hoc subscription creation through the portals or by other means. Instead consider managing [subscriptions programmatically using Azure Resource Manager](/azure/cost-management-billing/manage/programmatically-create-subscription) and pulling consumption and billing reports [programmatically](/rest/api/consumption/). This can help limit subscription provisioning to authorized users and enforce your policy and taxonomy goals. Guidance on following [AZOps principals](https://github.com/azure/azops/wiki/introduction) can be used to help create a practical solution.

+ 1. For customers who choose to enable cross-tenant subscription management in non-production tenants through Azure Lighthouse, make sure that the same access policies from the production privileged account (for example, privileged access only from [secured workstations](/security/privileged-access-workstations/privileged-access-deployment)) are enforced when authenticating to manage subscriptions.

+* If your organization has pre-approved reference architectures, the subscription provisioning can be integrated with resource deployment tools such as [Azure Blueprints](/azure/governance/blueprints/overview) or [Terraform](https://www.terraform.io).

+**Azure subscription discovery** - For each discovered tenant, a Microsoft Entra Global Administrator can [elevate access](/azure/role-based-access-control/elevate-access-global-admin) to gain visibility of all subscriptions in the environment. This elevation will assign the global administrator the User Access Administrator built-in role at the root management group.

+**Resource discovery** - After gaining resource Read access in the environment, [Azure Resource Graph](/azure/governance/resource-graph/overview) can be used to query resources in the environment.

+**Central security log management** - Ingest logs from each environment in a [centralized way](/security/benchmark/azure/security-control-logging-monitoring), following consistent best practices across environments (for example, diagnostics settings, log retention, SIEM ingestion, etc.). [Azure Monitor](/azure/azure-monitor/overview) can be used to ingest logs from different sources such as endpoint devices, network, operating systems' security logs, etc.

+Microsoft Entra ID provides [Azure Monitor integration](../reports-monitoring/concept-log-monitoring-integration-options-considerations.md) for the sign-in activity log and audit logs. Risk events can be ingested through [Microsoft Graph API](/graph/tutorial-riskdetection-api).

+Azure AD B2C tenants can be [integrated with Azure Monitor](/azure/active-directory-b2c/azure-monitor). We recommend monitoring of Azure AD B2C using the same criteria discussed above for Microsoft Entra ID.

+Subscriptions that have enabled cross-tenant management with Azure Lighthouse can enable cross-tenant monitoring if the logs are collected by Azure Monitor. The corresponding Log Analytics workspaces can reside in the resource tenant and can be analyzed centrally in the managing tenant using Azure Monitor workbooks. To learn more, check [Monitor delegated resources at scale - Azure Lighthouse](/azure/lighthouse/how-to/monitor-at-scale).

+* **User entity behavioral analytics (UEBA) alerts** - UEBA should be used to get insightful information based on anomaly detection. [Microsoft Microsoft 365 Defender for Cloud Apps](https://www.microsoft.com/security/business/siem-and-xdr/microsoft-defender-cloud-apps) provides [UEBA in the cloud](/defender-cloud-apps/tutorial-ueba). Customers can integrate [on-premises UEBA from Microsoft Microsoft 365 Defender for Identity](/microsoft-365/security/defender/microsoft-365-security-center-mdi). MCAS reads signals from Microsoft Entra ID Protection.

+Similarly, Azure Monitor can be integrated with ITSM systems through the [IT Service Management Connector](/azure/azure-monitor/alerts/itsmc-overview).

+Users, groups, and service principal objects (workload identities) in the Microsoft Entra tenant are granted roles by using [Azure Role Based Access Control](/azure/role-based-access-control/overview) (RBAC) and [Azure attribute-based access control](/azure/role-based-access-control/conditions-overview) (ABAC).

+Lastly, all Azure resources in the Microsoft Entra tenant affect tenant-wide [Azure Quotas and Limits](/azure/azure-resource-manager/management/azure-subscription-service-limits).

+* **Identity compromise** - Within the boundary of a tenant, any identity can be assigned any role, given the one providing access has sufficient privileges. While the effect of compromised non-privileged identities is largely contained, compromised administrators can have broad implications. For example, if a Microsoft Entra Global Administrator account is compromised, Azure resources can become compromised. To mitigate risk of identity compromise, or bad actors, implement [tiered administration](/security/privileged-access-workstations/privileged-access-access-model) and ensure that you follow principles of least privilege for [Microsoft Entra Administrator Roles](../roles/delegate-by-task.md). Similarly, ensure that you create Conditional Access policies that specifically exclude test accounts and test service principals from accessing resources outside of the test applications. For more information on privileged access strategy, see [Privileged access: Strategy](/security/privileged-access-workstations/privileged-access-strategy).

+* **Quotas** - Consumption of tenant-wide [Azure Quotas and Limits](/azure/azure-resource-manager/management/azure-subscription-service-limits) is separated from that of the other tenants.

+With a new tenant, you have a separate set of administrators. Organizations can choose to use corporate identities through [Microsoft Entra B2B collaboration](../external-identities/what-is-b2b.md). Similarly, organizations can implement [Azure Lighthouse](/azure/lighthouse/overview) for cross-tenant management of Azure resources so that non-production Azure subscriptions are managed by identities in the production counterpart. Azure Lighthouse can't be used to manage services outside of Azure, such as Microsoft Intune. For Managed Service Providers (MSPs), [Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-overview?view=o365-worldwide&preserve-view=true) is an admin portal that helps secure and manage devices, data, and users at scale for small- and medium-sized business (SMB) customers who are using Microsoft 365 Business Premium, Microsoft 365 E3, or Windows 365 Business.

+**Resource group** - A container that holds related resources for an Azure solution such as a collection of virtual machines, associated VNets, and load balancers that require management by specific teams. The [resource group](/azure/azure-resource-manager/management/overview) includes those resources that you want to manage as a group. You decide which resources belong in a resource group based on what makes the most sense for your organization. Resource groups can also be used to help with life-cycle management by deleting all resources that have the same lifespan at one time. This approach also provides security benefit by leaving no fragments that might be exploited.

+**Management group** - [Azure management groups](/azure/governance/management-groups/overview) provide a hierarchical method of applying policies and compliance at different scopes above subscriptions. It can be at the tenant root management group (highest scope) or at lower levels in the hierarchy. You organize subscriptions into containers called "management groups" and apply your governance conditions to the management groups. All subscriptions within a management group automatically inherit the conditions applied to the management group. Note, policy definitions can be applied to a management group or subscription.

+**Resource provider** - A service that supplies Azure resources. For example, a common [resource provider](/azure/azure-resource-manager/management/resource-providers-and-types) is Microsoft. Compute, which supplies the virtual machine resource. Microsoft. Storage is another common resource provider.

+**Resource Manager template** - A JavaScript Object Notation (JSON) file that defines one or more resources to deploy to a resource group, subscription, tenant, or management group. The template can be used to deploy the resources consistently and repeatedly. See [Template deployment overview](/azure/azure-resource-manager/templates/overview). Additionally, the [Bicep language](/azure/azure-resource-manager/bicep/overview) can be used instead of JSON.

+Each Azure subscription is associated with controls used by [Azure Resource Manager](/azure/azure-resource-manager/management/overview) (ARM). Resource Manager is the deployment and management service for Azure, it has a trust relationship with Microsoft Entra ID for identity management for organizations, and the Microsoft Account (MSA) for individuals. Resource Manager provides a management layer that enables you to create, update, and delete resources in your Azure subscription. You use management features like access control, locks, and tags, to secure and organize your resources after deployment.

+>Prior to ARM, there was another deployment model named Azure Service Manager (ASM) or "classic". To learn more, see [Azure Resource Manager vs. classic deployment](/azure/azure-resource-manager/management/deployment-models). Managing environments with the ASM model is out of scope of this content.

+* **User permission check** - Permissions are assigned to users using [role-based access control (RBAC)](/azure/role-based-access-control/overview). An RBAC role specifies a set of permissions a user may take on a specific resource. RBAC helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to.

+* **Azure policy check** - [Azure policies](/azure/governance/policy/overview) specify the operations allowed or explicitly denied for a specific resource. For example, a policy can specify that users are only allowed (or not allowed) to deploy a specific type of virtual machine.

+**Azure Lighthouse** - [Azure Lighthouse](/azure/lighthouse/overview) enables resource management across tenants. Organizations can delegate roles at the subscription or resource group level to identities in another tenant.

+Subscriptions that enable [delegated resource management](/azure/lighthouse/concepts/architecture) with Azure Lighthouse have attributes that indicate the tenant IDs that can manage subscriptions or resource groups, and mapping between the built-in RBAC role in the resource tenant to identities in the service provider tenant. At runtime, Azure Resource Manager will consume these attributes to authorize tokens coming from the service provider tenant.

+* The account owner who created the subscription will be assigned the Service Administrator and Account Administrator roles. (The Azure EA Portal assigns Azure Service Manager (ASM) or "classic" roles to manage subscriptions. To learn more, see [Azure Resource Manager vs. classic deployment](/azure/azure-resource-manager/management/deployment-models).)

+To learn more, visit [Azure roles, Microsoft Entra roles, and classic subscription administrator roles](/azure/role-based-access-control/rbac-and-directory-admin-roles).

+Customers enrolled with a [Microsoft Customer Agreement](/azure/cost-management-billing/understand/mca-overview) (MCA) have a different billing management system with its own roles.

+A [billing account](/azure/cost-management-billing/manage/understand-mca-roles) for the Microsoft Customer Agreement contains one or more [billing profiles](/azure/cost-management-billing/manage/understand-mca-roles) that allow managing invoices and payment methods. Each billing profile contains one or more [invoice sections](/azure/cost-management-billing/manage/understand-mca-roles) to organize costs on the billing profile's invoice.

+In the Microsoft Entra Fundamentals section, you learned Azure RBAC is the authorization system that provides fine-grained access management to Azure resources, and includes many [built-in roles](/azure/role-based-access-control/built-in-roles). You can create [custom roles](/azure/role-based-access-control/custom-roles), and assign roles at different scopes. Permissions are enforced by assigning RBAC roles to objects requesting access to Azure resources.

+Microsoft Entra roles operate on concepts like [Azure role-based access control](/azure/role-based-access-control/overview). The [difference between these two role-based access control systems](/azure/role-based-access-control/rbac-and-directory-admin-roles) is that Azure RBAC uses Azure Resource Management to control access to Azure resources such as virtual machines or storage, and Microsoft Entra roles control access to Microsoft Entra ID, applications, and Microsoft services such as Office 365.

+[Attribute-based access control (ABAC)](/azure/role-based-access-control/conditions-overview) is an authorization system that defines access based on attributes associated with security principals, resources, and environment. With ABAC, you can grant a security principal access to a resource based on attributes. Azure ABAC refers to the implementation of ABAC for Azure.

+* Consider regions that provide Availability Zones capabilities for high availability requirements. For more information, see [Regions and Availability Zones in Azure](/azure/reliability/availability-zones-service-support).

+When you first deploy Microsoft Entra Domain Services, an automatic one-way synchronization is configured to replicate the objects from Microsoft Entra ID. This one-way synchronization continues to run in the background to keep the Microsoft Entra Domain Services managed domain up to date with any changes from Microsoft Entra ID. No synchronization occurs from Microsoft Entra Domain Services back to Microsoft Entra ID. For more information, see [How objects and credentials are synchronized in a Microsoft Entra Domain Services managed domain](/entra/identity/domain-services/synchronization).

+**Group Policy Objects (GPO)** - To configure GPO in a Microsoft Entra Domain Services managed domain you must use Group Policy Management tools on a server that has been domain joined to the Microsoft Entra Domain Services managed domain. For more information, see [Administer Group Policy in a Microsoft Entra Domain Services managed domain](/entra/identity/domain-services/manage-group-policy).

+**Secure LDAP** - Microsoft Entra Domain Services provides a secure LDAP service that can be used by applications that require it. This setting is disabled by default and to enable secure LDAP a certificate needs to be uploaded, in addition, the NSG that secures the VNet that Microsoft Entra Domain Services is deployed on to must allow port 636 connectivity to the Microsoft Entra Domain Services managed domains. For more information, see [Configure secure LDAP for a Microsoft Entra Domain Services managed domain](/entra/identity/domain-services/tutorial-configure-ldaps).

+**Administration** - To perform administration duties on Microsoft Entra Domain Services (for example, domain join machines or edit GPO), the account used for this task needs to be part of the Microsoft Entra DC Administrators group. Accounts that are members of this group can't directly sign-in to domain controllers to perform management tasks. Instead, you create a management VM that is joined to the Microsoft Entra Domain Services managed domain, then install your regular AD DS management tools. For more information, see [Management concepts for user accounts, passwords, and administration in Microsoft Entra Domain Services](/entra/identity/domain-services/administration-concepts).

+* **Users created in Microsoft Entra ID** - Need to reset their password for the correct hashes to be generated for usage with Microsoft Entra Domain Services. For more information, see [Enable synchronization of password hashes](/entra/identity/domain-services/tutorial-configure-password-hash-sync).

+**Network** - Microsoft Entra Domain Services is deployed on to an Azure VNet so considerations need to be made to ensure that servers and applications are secured and can access the managed domain correctly. For more information, see [Virtual network design considerations and configuration options for Microsoft Entra Domain Services](/entra/identity/domain-services/network-considerations).

+* **VNet DNS Server** - As previously discussed about the "hub and spoke" model, it's important to have DNS configured correctly on the VNets to ensure that servers joined to the Microsoft Entra Domain Services managed domain have the correct DNS settings to resolve the Microsoft Entra Domain Services managed domain. Each VNet has a DNS server entry that is passed to servers as they obtain an IP address and these DNS entries need to be the IP addresses of the Microsoft Entra Domain Services managed domain. For more information, see [Update DNS settings for the Azure virtual network](/entra/identity/domain-services/tutorial-create-instance).

+* No central management or configuration of servers. For example, there's no Group Policy that can be applied to a group of servers. Organizations should consider deploying [Update Management in Azure](/azure/automation/update-management/overview) to manage patching and updates of these servers.

+If you must ensure that global administrators are unable to manage a specific resource, you must isolate that resource in a separate tenant with separate global administrators. This can be especially important for backups, see [multi-user authorization guidance](/azure/backup/multi-user-authorization) for examples of this.

+If you must ensure full isolation (including staging of organization-level configuration) of Microsoft 365 services, you need to choose a [multiple tenant isolation](/azure/backup/multi-user-authorization).

+For more information, see [Azure built-in roles](/azure/role-based-access-control/built-in-roles) and [What is Azure role-based access control (Azure RBAC)?](/azure/role-based-access-control/overview).

+Both top-level scopes should be strictly monitored. It's important to plan for other dimensions of resource isolation such as networking. For general guidance on Azure networking, see [Azure best practices for network security](/azure/security/fundamentals/network-best-practices). Infrastructure as a Service (IaaS) workloads have special scenarios where both identity and resource isolation need to be part of the overall design and strategy.

+* [Sign-in logs](../reports-monitoring/concept-sign-ins.md)

+* [Microsoft 365 Audit logs](/purview/audit-solutions-overview)

+* [Azure Key Vault logs](/azure/key-vault/general/logging)

+* **[Microsoft Sentinel](/azure/sentinel/overview)** ΓÇô enables intelligent security analytics at the enterprise level with security information and event management (SIEM) capabilities.

+* **[Azure Monitor](/azure/azure-monitor/overview)** ΓÇô automated monitoring and alerting of various conditions. Can create or use workbooks to combine data from different sources.

+* **[Azure Event Hubs](/azure/event-hubs/event-hubs-about) integrated with a SIEM**- [Microsoft Entra logs can be integrated to other SIEMs](../reports-monitoring/howto-stream-logs-to-event-hub.md) such as Splunk, ArcSight, QRadar, and Sumo Logic via the Azure Event Hubs integration.

+* **[Microsoft Defender for Cloud Apps](/defender-cloud-apps/what-is-defender-for-cloud-apps)** ΓÇô discover and manage apps, govern across apps and resources, and check your cloud appsΓÇÖ compliance.

+For more information on monitoring app permissions, see this tutorial: [Investigate and remediate risky OAuth apps](/defender-cloud-apps/investigate-risky-oauth).

+| How and when your Key Vaults are accessed and by whom| Medium| [Azure Key Vault logs](/azure/key-vault/general/logging?tabs=Vault)| Resource type: Key Vaults| Look for: any access to Key Vault outside regular processes and hours, any changes to Key Vault ACL.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDiagnostics/AzureKeyVaultAccessManipulation.yaml)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+After you set up Azure Key Vault, [enable logging](/azure/key-vault/general/howto-logging?tabs=azure-cli). See [how and when your Key Vaults are accessed](/azure/key-vault/general/logging?tabs=Vault), and [configure alerts](/azure/key-vault/general/alert) on Key Vault to notify assigned users or distribution lists via email, phone, text, or [Event Grid](/azure/key-vault/general/event-grid-overview) notification, if health is affected. In addition, setting up [monitoring](/azure/key-vault/general/alert) with Key Vault insights gives you a snapshot of Key Vault requests, performance, failures, and latency. [Log Analytics](/azure/azure-monitor/logs/log-analytics-overview) also has some [example queries](/azure/azure-monitor/logs/queries) for Azure Key Vault that can be accessed after selecting your Key Vault and then under ΓÇ£MonitoringΓÇ¥ selecting ΓÇ£LogsΓÇ¥.

+The act of consenting to an application isn't malicious. However, investigate new end-user consent grants looking for suspicious applications. You can [restrict user consent operations](/azure/security/fundamentals/steps-secure-identity).

+* [Incident response playbook - App consent grant investigation](/security/operations/incident-response-playbook-app-consent)

+* Azure Key Vault security overview and security guidance - [Azure Key Vault security overview](/azure/key-vault/general/security-features)

+* OAuth attack detection guidance - [Unusual addition of credentials to an OAuth app](/defender-cloud-apps/investigate-anomaly-alerts)

+* Microsoft Entra monitoring configuration information for SIEMs - [Partner tools with Azure Monitor integration](/azure/azure-monitor/essentials/stream-monitoring-data-event-hubs)

+* [Sign-in logs in Microsoft Entra ID (preview)](../reports-monitoring/concept-sign-ins.md)

+ * [What is Microsoft Sentinel?](/azure/sentinel/overview)

+ * [Azure Monitor overview](/azure/azure-monitor/overview)

+ * [Azure Event Hubs-A big data streaming platform and event ingestion service](/azure/event-hubs/event-hubs-about)

+ * [Tutorial: Stream Microsoft Entra logs to an Azure event hub](../reports-monitoring/howto-stream-logs-to-event-hub.md)

+* [Sign-in logs](../reports-monitoring/concept-sign-ins.md)

+* [Azure Key Vault logs](/azure/key-vault/general/logging?tabs=Vault)

+* **[Microsoft Sentinel](/azure/sentinel/overview)** ΓÇô enables intelligent security analytics at the enterprise level by providing security information and event management (SIEM) capabilities.

+* **[Azure Monitor](/azure/azure-monitor/overview)** ΓÇô enables automated monitoring and alerting of various conditions. Can create or use workbooks to combine data from different sources.

+* **[Azure Event Hubs](/azure/event-hubs/event-hubs-about) -integrated with a SIEM**- [Microsoft Entra logs can be integrated to other SIEMs](../reports-monitoring/howto-stream-logs-to-event-hub.md) such as Splunk, ArcSight, QRadar, and Sumo Logic via the Azure Event Hubs integration.

+[Mobile device management](/windows/client-management/mdm/) (MDM) helps you keep Windows 10 devices compliant. With Windows version 1809, we released a [security baseline](/windows/client-management/mdm/) of policies. Microsoft Entra ID can [integrate with MDM](/windows/client-management/azure-active-directory-integration-with-mdm) to enforce device compliance with corporate policies, and can report a deviceΓÇÖs compliance status.

+Attackers who have compromised a userΓÇÖs device may retrieve the [BitLocker](/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-device-encryption-overview-windows-10) keys in Microsoft Entra ID. It's uncommon for users to retrieve keys, and should be monitored and investigated.

+* [Sign-in logs](../reports-monitoring/concept-sign-ins.md)

+* [Azure Key Vault logs](/azure/key-vault/general/logging?tabs=Vault)

+* **[Microsoft Sentinel](/azure/sentinel/overview)** ΓÇô Enables intelligent security analytics at the enterprise level by providing security information and event management (SIEM) capabilities.

+* **[Azure Monitor](/azure/azure-monitor/overview)** ΓÇô Enables automated monitoring and alerting of various conditions. Can create or use workbooks to combine data from different sources.

+* **[Azure Event Hubs](/azure/event-hubs/event-hubs-about)** integrated with a SIEM - [Microsoft Entra logs can be integrated to other SIEMs](../reports-monitoring/howto-stream-logs-to-event-hub.md) such as Splunk, ArcSight, QRadar and Sumo Logic via the Azure Event Hubs integration.

+* [Working with security alerts in Microsoft Defender for Identity](/defender-for-identity/manage-security-alerts) - This article describes how to review and manage alerts after they're logged.

+| Pass-the-ticket like attacks| High| | | Follow guidance in:<br>[Security principal reconnaissance (LDAP) (external ID 2038)](/defender-for-identity/reconnaissance-discovery-alerts)<br>[Tutorial: Compromised credential alerts](/defender-for-identity/credential-access-alerts)<br>[Understand and use Lateral Movement Paths with Microsoft Defender for Identity](/defender-for-identity/use-case-lateral-movement-path)<br>[Understanding entity profiles](/defender-for-identity/investigate-assets) |

+| Kerberos-related events|High | Microsoft Defender for Identity monitoring| | Review guidance available at [Microsoft Defender for Identity Lateral Movement Paths (LMPs)](/defender-for-identity/understand-lateral-movement-paths) |

+ * [Azure security baseline for Microsoft Defender for Identity](/security/benchmark/azure/baselines/defender-for-identity-security-baseline)

+ * [Monitor sign-ins with the Microsoft Entra sign-in log](../reports-monitoring/concept-sign-ins.md)

+ * [Connect Microsoft Entra ID Protection data to Microsoft Sentinel](/azure/sentinel/data-connectors/azure-active-directory-identity-protection)

+* [Sign-in logs](../reports-monitoring/concept-sign-ins.md)

+* [Azure Key Vault logs](/azure/key-vault/general/logging?tabs=Vault)

+* **[Microsoft Sentinel](/azure/sentinel/overview)** - Enables intelligent security analytics at the enterprise level by providing security information and event management (SIEM) capabilities.

+* **[Azure Monitor](/azure/azure-monitor/overview)** - Enables automated monitoring and alerting of various conditions. Can create or use workbooks to combine data from different sources.

+* **[Azure Event Hubs](/azure/event-hubs/event-hubs-about)** integrated with a SIEM. Microsoft Entra logs can be integrated to other SIEMs such as Splunk, ArcSight, QRadar and Sumo Logic via the Azure Event Hubs integration. For more information, see [Stream Microsoft Entra logs to an Azure event hub](../reports-monitoring/howto-stream-logs-to-event-hub.md).

+* **Domain Service** - Microsoft Entra Domain Services (AD DS) provides managed domain services such as domain join, group policy. For more information, see [What is Microsoft Entra Domain Services](/entra/identity/domain-services/overview).

+* **Azure Resource Manager** - Azure Resource Manager is the deployment and management service for Azure. It provides a management layer that enables you to create, update, and delete resources in your Azure account. For more information, see [What is Azure Resource Manager](/azure/azure-resource-manager/management/overview).

+* **Activity logs** - The Activity log is an Azure [platform log](/azure/azure-monitor/essentials/platform-logs-overview) that provides insight into subscription-level events. This log includes such information as when a resource is modified or when a virtual machine is started. For more information, see [Azure Activity log](/azure/azure-monitor/essentials/activity-log).

+* For more information on the shared responsibility model, see [Shared responsibility in the cloud](/azure/security/fundamentals/shared-responsibility).

+* [Azure Key Vault insights](/azure/key-vault/key-vault-insights-overview)

+* **[Microsoft Sentinel](/azure/sentinel/overview)**. Enables intelligent security analytics at the enterprise level by providing security information and event management (SIEM) capabilities.

+* **[Azure Monitor](/azure/azure-monitor/overview)**. Enables automated monitoring and alerting of various conditions. Can create or use workbooks to combine data from different sources.

+* **[Azure Event Hubs](/azure/event-hubs/event-hubs-about)** integrated with a SIEM. Enables Microsoft Entra logs to be pushed to other SIEMs such as Splunk, ArcSight, QRadar, and Sumo Logic via the Azure Event Hubs integration. For more information, see [Stream Microsoft Entra logs to an Azure event hub](../reports-monitoring/howto-stream-logs-to-event-hub.md).

+| Privileged accounts that don't follow naming policy| | Azure subscription | [List Azure role assignments using the Azure portal](/azure/role-based-access-control/role-assignments-list-portal)| List role assignments for subscriptions and alert where the sign-in name doesn't match your organization's format. An example is the use of ADM_ as a prefix. |

+* [Enable security audits for Microsoft Entra Domain Services](/entra/identity/domain-services/security-audit-events)

+| Privileged changes in Microsoft Entra Domain Services | High | Microsoft Entra Domain Services | Look for event [4673](/windows/security/threat-protection/auditing/event-4673) | [Enable security audits for Microsoft Entra Domain Services](/entra/identity/domain-services/security-audit-events)<br>For a list of all privileged events, see [Audit Sensitive Privilege use](/windows/security/threat-protection/auditing/audit-sensitive-privilege-use). |

+For more information about managing elevation, see [Elevate access to manage all Azure subscriptions and management groups](/azure/role-based-access-control/elevate-access-global-admin). For information on monitoring elevations by using information available in the Microsoft Entra logs, see [Azure Activity log](/azure/azure-monitor/essentials/activity-log), which is part of the Azure Monitor documentation.

+* For more information on the shared responsibility model, see [Shared responsibility in the cloud](/azure/security/fundamentals/shared-responsibility).

+* [Sign-in logs](../reports-monitoring/concept-sign-ins.md)

+* [Azure Key Vault logs](/azure/key-vault/general/logging?tabs=Vault)

+* [**Microsoft Sentinel**](/azure/sentinel/overview) ΓÇô enables intelligent security analytics at the enterprise level by providing security information and event management (SIEM) capabilities.

+* [**Azure Monitor**](/azure/azure-monitor/overview) ΓÇô enables automated monitoring and alerting of various conditions. Can create or use workbooks to combine data from different sources.

+* [**Azure Event Hubs**](/azure/event-hubs/event-hubs-about) **integrated with a SIEM**- [Microsoft Entra logs can be integrated to other SIEMs](../reports-monitoring/howto-stream-logs-to-event-hub.md) such as Splunk, ArcSight, QRadar, and Sumo Logic via the Azure Event Hubs integration.

+* [Sign-in logs](../reports-monitoring/concept-sign-ins.md)

+* [Azure Key Vault logs](/azure/key-vault/general/logging?tabs=Vault)

+* **[Microsoft Sentinel](/azure/sentinel/overview)** ΓÇô enables intelligent security analytics at the enterprise level by providing security information and event management (SIEM) capabilities.

+* **[Azure Monitor](/azure/azure-monitor/overview)** ΓÇô enables automated monitoring and alerting of various conditions. Can create or use workbooks to combine data from different sources.

+* **[Azure Event Hubs](/azure/event-hubs/event-hubs-about)** integrated with a SIEM - [Microsoft Entra logs can be integrated to other SIEMs](../reports-monitoring/howto-stream-logs-to-event-hub.md) such as Splunk, ArcSight, QRadar and Sumo Logic via the Azure Event Hubs integration.

+| Privileged accounts that don't follow naming policy.| High| Azure Subscription| [List Azure role assignments using the Azure portal - Azure RBAC](/azure/role-based-access-control/role-assignments-list-portal)| List role assignments for subscriptions and alert where sign-in name does not match your organizations format. For example, ADM_ as a prefix. |

+* Microsoft Entra audit logs - [Parse text data in Azure Monitor Logs](/azure/azure-monitor/logs/parse-text)

+* Azure Subscriptions - [List Azure role assignments using Azure PowerShell](/azure/role-based-access-control/role-assignments-list-powershell)

+You use Microsoft Entra ID Protection and the Microsoft Entra sign-in logs to help discover threats indicated by unusual sign-in characteristics. Information about Identity Protection is available at [What is Identity Protection](../identity-protection/overview-identity-protection.md). You can also replicate the data to Azure Monitor or a SIEM for monitoring and alerting purposes. To define normal for your environment and to set a baseline, determine:

+ * See, [Password and account lockout policies on Microsoft Entra Domain Services managed domains](/entra/identity/domain-services/password-policy)

+* [What is Azure Resource Manager?](/azure/azure-resource-manager/management/overview)

+* [What is Azure role-based Azure RBAC?](/azure/role-based-access-control/overview)

+* [Azure control plane and data plane](/azure/azure-resource-manager/management/control-plane-and-data-plane)

+ * See, [List Azure role assignments using Azure PowerShell](/azure/role-based-access-control/role-assignments-list-powershell).

+* [About Azure Key Vault](/azure/key-vault/general/overview)

+* [Assign a Key Vault access policy](/azure/key-vault/general/assign-access-policy)

+* [How to use managed identities for App Service and Azure Functions](/azure/app-service/overview-managed-identity?tabs=dotnet)

+* [Hybrid Identity: Directory integration tools comparison](../hybrid/index.yml) describes differences between Microsoft Entra Connect Sync and Microsoft Entra Connect cloud provisioning.

+* [Hybrid Identity: Directory integration tools comparison](../hybrid/index.yml) describes differences between Microsoft Entra Connect Sync and Microsoft Entra Connect cloud provisioning.

+> Starting in August, 2023, anomalous sign-ins don't generate notifications, similarly to how sign-ins from unfamiliar locations don't generate notifications. To approve an anomalous sign-in, users can open Microsoft Authenticator, or Authenticator Lite in a relevant companion app like Outlook. Then they can either pull down to refresh or tap **Refresh**, and approve the request.

+1. Once the user selects certificate-based authentication, the client is redirected to the certauth endpoint, which is [https://certauth.login.microsoftonline.com](https://certauth.login.microsoftonline.com) for Azure Global. For [Azure Government](/azure/azure-government/compare-azure-government-global-azure#guidance-for-developers), the certauth endpoint is [https://certauth.login.microsoftonline.us](https://certauth.login.microsoftonline.us).

+Sign-in logs provide information about sign-ins and how your resources are used by your users. For more information about sign-in logs, see [Sign-in logs in Microsoft Entra ID](../reports-monitoring/concept-sign-ins.md).

+Password expiration policies are unchanged but they're included in this topic for completeness. A *Global Administrator* or *User Administrator* can use the [Azure AD module for PowerShell](/powershell/module/azuread/) to set user passwords not to expire.

+| Passwords | No | Yes | No |

+Users can access manage mode by going to [Security info](https://aka.ms/mysecurityinfo) or by selecting **Security info** from My Account. From there, users can add methods, delete or change existing methods, change the default method, and more.

+### Update a password in MySignIns (preview)

+A user navigates to [Security info](https://aka.ms/mysecurityinfo). After signing in, the user can update their password. For more information about different authentication methods that you can require by using Conditional Access policies, see [How to secure the registration of security info](/azure/active-directory/conditional-access/howto-conditional-access-policy-registration). When finished, the user has the new password updated on the Security info page.

+To unlock admin access to your tenant, you should create emergency access accounts. These emergency access accounts, also known as *break glass* accounts, allow access to manage Microsoft Entra configuration when normal privileged account access procedures arenΓÇÖt available. At least two emergency access accounts should be created following the [emergency access account recommendations](../roles/security-emergency-access.md).

+- Use trusted devices via [Microsoft Entra hybrid join](../devices/overview.md) or [Microsoft Intune](/mem/intune/fundamentals/intune-planning-guide). Trusted devices will improve user experience because the trusted device itself can satisfy the strong authentication requirements of policy without an MFA challenge to the user. MFA will then be required when enrolling a new device and when accessing apps or resources from untrusted devices.

+ * Any administrator-initiated end-user password reset from the [Microsoft Graph API](/graph/api/authenticationmethod-resetpassword).

+The [Microsoft Entra ID Secure Score](../reports-monitoring/concept-identity-secure-score.md) provides a score for **Require MFA for administrative roles** in your tenant. This improvement action tracks the MFA usage of Global administrator, Security administrator, Exchange administrator, and SharePoint administrator.

+- [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/)

+> [!NOTE]

+> The **Use for sign-in** option is default enabled on **SMS** settings. This option enables SMS sign-in. If SMS sign-in is enabled for users, they will be skipped from cross-tenant synchronization. If you are using cross-tenant synchronization or don't want to enable SMS sign-in, disable SMS Sign-in for target users.

+Push notifications sent by Authenticator Lite aren't configurable and don't depend on the Authenticator feature settings. Authenticator Lite doesn't support passwordless authentication mode. The settings for features included in the Authenticator Lite experience are listed in the following table. Every authentication includes a number matching prompt and does not include app and location context, regardless of Microsoft Authentiator feature settings.

+A nudge won't appear if a user is presented with the [terms of use (ToU)](../conditional-access/terms-of-use.md) screen during sign-in.

+A nudge won't appear if a user is redirected during sign-in due to [Conditional Access custom controls](../conditional-access/controls.md) settings.

+To configure Microsoft Entra ID to ignore MFA requests to your on-premises federation server, install the [Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/installation?view=graph-powershell-1.0&preserve-view=true&viewFallbackFrom=graph-powershell-) and set [federatedIdpMfaBehavior](/graph/api/resources/internaldomainfederation?view=graph-rest-1.0#federatedidpmfabehavior-values&preserve-view=true) to `rejectMfaByFederatedIdp`, as shown in the following example.

+Many [Azure Monitor workbooks](../reports-monitoring/howto-use-workbooks.md) and **Usage & Insights** reports are available to monitor your deployment.

+You can check the status of **federatedIdpMfaBehavior** by using [Get-MgDomainFederationConfiguration](/powershell/module/microsoft.graph.identity.directorymanagement/get-mgdomainfederationconfiguration?view=graph-powershell-1.0&preserve-view=true&viewFallbackFrom=graph-powershell-beta).

+**Microsoft Entra ID keeps most auditing data for 30 days** and makes the data available by using the [Microsoft Entra admin center](https://entra.microsoft.com) or API for you to download into your analysis systems. If you require longer retention, export and consume logs in a SIEM tool such as [Microsoft Sentinel](/azure/sentinel/connect-azure-active-directory), Splunk, or Sumo Logic. We recommend longer retention for auditing, trend analysis, and other business needs as applicable

+This document discusses how to enable passwordless authentication to on-premises resources for environments with both *Microsoft Entra joined* and *Microsoft Entra hybrid joined* Windows 10 devices. This passwordless authentication functionality provides seamless single sign-on (SSO) to on-premises resources when you use Microsoft-compatible security keys, or with [Windows Hello for Business Cloud trust](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust)

+| [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) (Optional) | X | X |

+1. Sign in to the [Microsoft Intune admin center](https://intune.microsoft.com/).

+1. Sign in to the [Microsoft Intune admin center](https://intune.microsoft.com/).

+1. The remainder of the policy settings include assigning to specific users, devices, or groups. For more information, see [Assign user and device profiles in Microsoft Intune](/mem/intune/configuration/device-profile-assign).

+For more information, see [New-MgUserAuthenticationTemporaryAccessPassMethod](/powershell/module/microsoft.graph.identity.signins/new-mguserauthenticationtemporaryaccesspassmethod) and [Get-MgUserAuthenticationTemporaryAccessPassMethod](/powershell/module/microsoft.graph.identity.signins/get-mguserauthenticationtemporaryaccesspassmethod?view=graph-powershell-1.0&preserve-view=true&viewFallbackFrom=graph-powershell-beta).

+For more information, see [Remove-MgUserAuthenticationTemporaryAccessPassMethod](/powershell/module/microsoft.graph.identity.signins/remove-mguserauthenticationtemporaryaccesspassmethod?view=graph-powershell-1.0&preserve-view=true&viewFallbackFrom=graph-powershell-beta).

+ * [Single Sign-On and App Protection Policies on Mobile Platform](../develop/mobile-sso-support-overview.md)

+> This configuration option uses HRD policy. For more information, see [homeRealmDiscoveryPolicy resource type](/graph/api/resources/homerealmdiscoverypolicy).

+ For more information on installation, see [Install the Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/installation).

+Run this PowerShell in an ISE window or save as a `.PS1` file to run locally. The operation can only be done by using the [MSOnline module](/powershell/module/msonline/#msonline).

+ * If your domain isn't already using DFSR, you must migrate before installing Microsoft Entra Password Protection. For more information, see [SYSVOL Replication Migration Guide: FRS to DFS Replication](/windows-server/storage/dfs-replication/migrate-sysvol-to-dfsr)

+> You can create an MFA registration policy by using [Microsoft Entra ID Protection - Configure MFA Policy](../identity-protection/howto-identity-protection-configure-mfa-policy.md).

+Audit logs for registration and password reset are available for 30 days. If security auditing within your corporation requires longer retention, the logs need to be exported and consumed into a SIEM tool such as [Microsoft Sentinel](/azure/sentinel/connect-azure-active-directory), Splunk, or ArcSight.

+Azure [GOV endpoints](/azure/azure-government/compare-azure-government-global-azure#guidance-for-developers):

+| 31034| ServiceBusListenerError| This event indicates that there was an error connecting to your tenant's Service Bus listener. If the error message includes "The remote certificate is invalid", check to make sure that your Microsoft Entra Connect server has all the required Root CAs as described in [Azure TLS certificate changes](/azure/security/fundamentals/tls-certificate-changes). |

+If you have general questions about Microsoft Entra ID and self-service password reset, you can ask the community for assistance on the [Microsoft Q&A question page for Microsoft Entra ID](/answers/tags/455/entra-id). Members of the community include engineers, product managers, MVPs, and fellow IT professionals.

+description: In this tutorial, you learn how to enable Microsoft Entra ID Protection to protect users when risky sign-in behavior is detected on their account.

+# Customer intent: As a Microsoft Entra Administrator, I want to learn how to use Microsoft Entra ID Protection to protect users by automatically detecting risk sign-in behavior and prompting for additional forms of authentication or request a password change.

+| Azure Service Bus | [Migrate to shared access signatures](/azure/service-bus-messaging/service-bus-sas) |

+| Azure Service Bus Relay | [Migrate to shared access signatures](/azure/azure-relay/relay-migrate-acs-sas) |

+| Azure Managed Cache | [Migrate to Azure Cache for Redis](/azure/azure-cache-for-redis/cache-faq) |

+| Azure Backup | [Upgrade the Azure Backup agent](/azure/backup/backup-azure-file-folder-backup-faq) |

+- [Azure AD B2C documentation](/azure/active-directory-b2c/overview)

+- [Azure AD B2C custom policies](/azure/active-directory-b2c/custom-policy-overview)

+Microsoft Entra Conditional Access is a feature included in [Microsoft Entra ID P1 or P2](../fundamentals/whatis.md). You can learn more about licensing requirements in the [unlicensed usage report](../reports-monitoring/overview-monitoring-health.md). Developers can join the [Microsoft Developer Network](/), which includes a free subscription to the Enterprise Mobility Suite, which includes Microsoft Entra ID P1 or P2.

+You can add users as guest accounts to Azure AD through the [Azure AD B2B collaboration](../external-identities/what-is-b2b.md) and you can do this [programmatically](/azure/active-directory-b2c/integrate-with-app-code-samples). When using B2B, users can create a self-service portal that does not require an invitation to sign in. For more info, see [Self-service portal for Azure AD B2B collaboration sign-up](../external-identities/self-service-portal.md).

+- [Securing devices as part of the privileged access story](/security/privileged-access-workstations/privileged-access-devices)

+- [Microsoft Intune Enrollment](/mem/intune/enrollment/multi-factor-authentication)

+> The Microsoft Azure Management application applies to [Azure PowerShell](/powershell/azure/what-is-azure-powershell), which calls the [Azure Resource Manager API](/azure/azure-resource-manager/management/overview). It does not apply to [Microsoft Graph PowerShell](/powershell/microsoftgraph/overview), which calls the [Microsoft Graph API](/graph/overview).

+ - Azure AD Graph: email, offline_access, openid, profile, User.Read

+ - MS Graph: email, offline_access, openid, profile, User.Read, People.Read

+ - Azure AD Graph: email, offline_access, openid, profile, User.Read, User.Read.All, and User.ReadBasic.All

+ - MS Graph: email, offline_access, openid, profile, User.Read, User.Read.All, User.ReadBasic.All, People.Read, People.Read.All, GroupMember.Read.All, Member.Read.Hidden

+Traffic forwarding profiles in Global Secure Access enable administrators to define and control how traffic is routed through Microsoft Entra Internet Access and Microsoft Entra Private Access. Traffic forwarding profiles can be assigned to devices and remote networks. For an example of how to apply a Conditional Access policy to these traffic profiles, see the article [How to apply Conditional Access policies to the Microsoft 365 traffic profile](/entra/global-secure-access/how-to-target-resource-microsoft-365-profile).

+For more information about these profiles, see the article [Global Secure Access traffic forwarding profiles](/entra/global-secure-access/concept-traffic-forwarding).

+- [Use sensitivity labels to protect content in Microsoft Teams, Microsoft 365 groups, and SharePoint sites](/purview/sensitivity-labels-teams-groups-sites)

+- [Microsoft Defender for Cloud Apps](/defender-cloud-apps/session-policy-aad?branch=pr-en-us-2082#require-step-up-authentication-authentication-context)

+When administrators configure location as a condition, they can choose to include or exclude locations. These named locations may include the public IPv4 or IPv6 network information, country or region, unknown areas that don't map to specific countries or regions, and [Global Secure Access' compliant network](/entra/global-secure-access/how-to-compliant-network).

+| Office 2016 apps, Universal Office apps, Office 2013 (with modern authentication), [OneDrive sync client](/sharepoint/enable-conditional-access) | SharePoint Online | Windows 10 |

+Organizations that have deployed Intune can use the information returned from their devices to identify devices that meet specific policy compliance requirements. Intune sends compliance information to Microsoft Entra ID so Conditional Access can decide to grant or block access to resources. For more information about compliance policies, see [Set rules on devices to allow access to resources in your organization by using Intune](/mem/intune/protect/device-compliance-get-started).

+In Conditional Access policy, you can require that an [Intune app protection policy](/mem/intune/apps/app-protection-policy) is present on the client app before access is available to the selected applications. These mobile application management (MAM) app protection policies allow you to manage and protect your organization's data within specific applications.

+Locations connect IP addresses, geographies, and [Global Secure Access' compliant network](/entra/global-secure-access/how-to-compliant-network) to Conditional Access policy decisions. Administrators can choose to define locations and mark some as trusted like those for their organization's primary network locations.

+[Managing device compliance with Intune](/mem/intune/protect/device-compliance-get-started)

+[Microsoft Defender for Cloud Apps and Conditional Access](/defender-cloud-apps/proxy-intro-aad)

+Conditional Access App Control uses a reverse proxy architecture and is uniquely integrated with Microsoft Entra Conditional Access. Microsoft Entra Conditional Access allows you to enforce access controls on your organizationΓÇÖs apps based on certain conditions. The conditions define what user or group of users, cloud apps, and locations and networks a Conditional Access policy applies to. After youΓÇÖve determined the conditions, you can route users to [Microsoft Defender for Cloud Apps](/defender-cloud-apps/what-is-defender-for-cloud-apps) where you can protect data with Conditional Access App Control by applying access and session controls.

+For more information, see the article [Deploy Conditional Access App Control for featured apps](/defender-cloud-apps/proxy-deployment-aad).

+For an explanation of the office update channels, see [Overview of update channels for Microsoft 365 Apps](/deployoffice/updates/overview-update-channels). The recommendation is that organizations don't disable Web Account Manager (WAM).

+ For detailed steps, see [Assign Azure roles](/azure/role-based-access-control/role-assignments-portal).

+Users who perform specialized roles like those described in [Privileged access security levels](/security/privileged-access-workstations/privileged-access-security-levels#specialized) are possible targets for this functionality. We recommend piloting with a small subset to begin.

+You can also use [Log Analytics](../reports-monitoring/tutorial-configure-log-analytics-workspace.md) to query the sign-in logs (interactive and non-interactive) for blocked requests due to token protection enforcement failure.

+Many of the following examples use tools like [Managed Identities](../managed-identities-azure-resources/overview.md), [Logic Apps](/azure/logic-apps/logic-apps-overview), [OneDrive](https://www.microsoft.com/microsoft-365/onedrive/online-cloud-storage), [Teams](https://www.microsoft.com/microsoft-365/microsoft-teams/group-chat-software/), and [Azure Key Vault](/azure/key-vault/general/overview).

+1. [Create a Log Analytics workspace in Azure Monitor](/azure/azure-monitor/logs/quick-create-workspace).

+1. [Integrate Microsoft Entra logs with Azure Monitor logs](../reports-monitoring/howto-integrate-activity-logs-with-azure-monitor-logs.md).

+For more information about how to stream Microsoft Entra sign-in logs to a Log Analytics workspace, see the article [Integrate Microsoft Entra logs with Azure Monitor logs](../reports-monitoring/howto-integrate-activity-logs-with-azure-monitor-logs.md).

+- For more information about Microsoft Entra workbooks, see the article, [How to use Azure Monitor workbooks for Microsoft Entra reports](../reports-monitoring/howto-use-workbooks.md).

+Microsoft recommends you require MFA on the following roles at a minimum, based on [identity score recommendations](../reports-monitoring/concept-identity-secure-score.md):

+Microsoft recommends you require enable this policy for the following roles at a minimum, based on [identity score recommendations](../reports-monitoring/concept-identity-secure-score.md):

+[Device compliance policies work with Microsoft Entra ID](/mem/intune/protect/device-compliance-get-started#device-compliance-policies-work-with-azure-ad)

+Log Analytics integration must be completed before workbooks are displayed. For more information about how to stream Microsoft Entra sign-in logs to a Log Analytics workspace, see the article [Integrate Microsoft Entra logs with Azure Monitor logs](../reports-monitoring/howto-integrate-activity-logs-with-azure-monitor-logs.md).

+- [Integrate Microsoft Entra logs with Azure Monitor logs](../reports-monitoring/howto-integrate-activity-logs-with-azure-monitor-logs.md)

+[App protection policies overview](/mem/intune/apps/app-protection-policy)

+Organizations with access to Global Secure Access preview features have another location listed that is made up of users and devices that comply with your organization's security policies. For more information, see the section [Enable Global Secure Access signaling for Conditional Access](/entra/global-secure-access/how-to-compliant-network#enable-global-secure-access-signaling-for-conditional-access). It can be used with Conditional Access policies to perform a compliant network check for access to resources.

+We recommend organizations utilize Global Secure Access to enable [source IP restoration](/entra/global-secure-access/how-to-source-ip-restoration) to avoid this change in address and simplify management.

+You can view the aggregate affects of your Conditional Access policies in the **Insights and Reporting workbook**. To access the workbook, you need an Azure Monitor subscription and you'll need to [stream your sign-in logs to a log analytics workspace](../reports-monitoring/howto-integrate-activity-logs-with-azure-monitor-logs.md).

+A: If you've configured both Microsoft Entra terms of use and [Intune terms and conditions](/mem/intune/enrollment/terms-and-conditions-create), the user is required to accept both. For more information, see the [Choosing the right Terms solution for your organization blog post](https://go.microsoft.com/fwlink/?linkid=2010506&clcid=0x409).

+Find these options under **Identity** > **Monitoring & health** > **Diagnostic settings** > **Edit setting**. If you don't have a diagnostic setting, follow the instructions in the article [Create diagnostic settings to send platform logs and metrics to different destinations](/azure/azure-monitor/essentials/diagnostic-settings) to create one.

+Log Analytics allows organizations to query data using built in queries or custom created Kusto queries, for more information, see [Get started with log queries in Azure Monitor](/azure/azure-monitor/logs/get-started-queries).

+- [What is Microsoft Entra monitoring?](../reports-monitoring/overview-monitoring-health.md)

+- [Install and use the log analytics views for Microsoft Entra ID](/azure/azure-monitor/visualize/workbooks-view-designer-conversion-overview)

+| `onprem_sid`| String, in [SID format](/windows/win32/secauthz/sid-components) | In cases where the user has an on-premises authentication, this claim provides their SID. Use this claim for authorization in legacy applications. |

+[OpenID Connect Core](https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation) says "The Issuer Identifier \[...\] MUST exactly match the value of the iss (issuer) Claim." For applications which use a tenant-specific metadata endpoint (like `https://login.microsoftonline.com/8eaef023-2b34-4da1-9baa-8bc8c9d6a490/v2.0/.well-known/openid-configuration` or `https://login.microsoftonline.com/contoso.onmicrosoft.com/v2.0/.well-known/openid-configuration`), this is all that is needed.

+- [Using Azure CLI](/cli/azure/azure-cli-sp-tutorial-1)

+Microsoft Enterprise SSO plug-in for Apple devices is compatible with various [Microsoft Entra Conditional Access policies](../conditional-access/overview.md) and password change events. `browser_sso_interaction_enabled` is required to be enabled to achieve compatibility.

+[Multifactor authentication](../authentication/concept-mfa-howitworks.md) is a process in which users are prompted during the sign-in process for an additional form of identification, such as a code on their cellphone or a fingerprint scan. Multifactor authentication can be enabled for specific resources. When the Microsoft Enterprise SSO plug-in is enabled, user will be asked to perform multifactor authentication in the first application that requires it. Microsoft Enterprise SSO plug-in will show its own user interface on top of the application that is currently active.

+[Sign-in frequency](../conditional-access/howto-conditional-access-session-lifetime.md#user-sign-in-frequency) defines the time period before a user is asked to sign in again when attempting to access a resource. If a user is trying to access a resource after the time period has passed in various apps, a user would normally need to sign in again in each of those apps. When the Microsoft Enterprise SSO plug-in is enabled, a user will be asked to sign in to the first application that participates in SSO. Microsoft Enterprise SSO plug-in will show its own user interface on top of the application that is currently active.

+For more information, see the [Intune configuration documentation](/mem/intune/configuration/ios-device-features-settings).

+* For more information on how Microsoft Entra ID also provides Azure Active Directory B2C so that organizations can sign in users, typically customers, by using social identities like a Google account, see [Azure Active Directory B2C documentation](/azure/active-directory-b2c/).

+- [Azure Government](/azure/azure-government/)

+- [Azure Germany (Closed on October 29, 2021)](/azure/germany/)

+> [Application RBAC](./custom-rbac-for-developers.md) differs from [Azure RBAC](/azure/role-based-access-control/overview) and [Microsoft Entra RBAC](../roles/custom-overview.md#understand-azure-ad-role-based-access-control). Azure custom roles and built-in roles are both part of Azure RBAC, which helps manage Azure resources. Microsoft Entra RBAC allows management of Microsoft Entra resources.

+[Azure ABAC](/azure/role-based-access-control/conditions-overview) is an example of an ABAC solution that is available today. Azure ABAC builds on Azure RBAC by adding role assignment conditions based on attributes in the context of specific actions.

+- For an example of configuring simple authentication-based authorization, see [Configure your App Service or Azure Functions app to use Microsoft Entra login](/azure/app-service/configure-authentication-provider-aad).

+ | **[Resource Group](/azure/azure-resource-manager/management/overview)** | *myResourceGroup* | Select and existing resource group, or name for the new one in which you'll create your function app. |

+Microsoft Entra sign-in logs also integrate with [Azure Monitor](/azure/azure-monitor/). You can set up alerts and monitoring, visualize the data, and integrate with security information and event management (SIEM) tools. For example, you can set up notifications if the number of errors exceed a certain threshold that you choose.

+1. If you use a cloud provider to host your API, use a hosting plan that keeps the API always "warm". For Azure Functions, it can be either [the Premium plan or Dedicated plan](/azure/azure-functions/functions-scale).

+Role-based access control (RBAC) allows certain users or groups to have specific permissions to access and manage resources. Application RBAC differs from [Azure role-based access control](/azure/role-based-access-control/overview) and [Microsoft Entra role-based access control](../roles/custom-overview.md#understand-azure-ad-role-based-access-control). Azure custom roles and built-in roles are both part of Azure RBAC, which is used to help manage Azure resources. Microsoft Entra RBAC is used to manage Microsoft Entra resources. This article explains application-specific RBAC. For information about implementing application-specific RBAC, see [How to add app roles to your application and receive them in the token](./howto-add-app-roles-in-apps.md).

+Using [Azure AD B2C Custom policies](/azure/active-directory-b2c/custom-policy-overview) it's possible to interact with custom data stores and to include custom claims within a token.

+- [Azure Identity Management and access control security best practices](/azure/security/fundamentals/identity-management-best-practices)

+- A Microsoft Entra [tenant](./quickstart-create-new-tenant.md).

+The inline script runs in the context of the pipeline, assign the [Application.Administrator](../roles/permissions-reference.md#application-administrator) role to the app so the script can create app registrations:

+[AAD-RBAC]: /azure/role-based-access-control/role-assignments-portal

+- [Building Zero Trust ready apps with the Microsoft identity platform](/security/zero-trust/develop/identity)

+- [Using authentication context with Microsoft Purview Information Protection and SharePoint](/purview/sensitivity-labels-teams-groups-sites#more-information-about-the-dependencies-for-the-authentication-context-option)

+- When users sign in to Microsoft online services like Microsoft 365.

+**Simplify sign up for your application.** During sign up for your application, the Microsoft identity platform can send essential information about a user so that you can pre-fill your sign up form or eliminate it completely. Users can sign up for your application using their Microsoft Entra account via a familiar consent experience similar to those found in social media and mobile applications. Any user can sign up and sign in to an application that is integrated with the Microsoft identity platform without requiring IT involvement. Learn more about [signing-up your application for Microsoft Entra account login](/azure/app-service/configure-authentication-provider-aad).

+**Multi-factor authentication.** The Microsoft identity platform provides native multi-factor authentication. IT administrators can require multi-factor authentication to access your application, so that you do not have to code this support yourself. Learn more about [Multi-Factor Authentication](../authentication/index.yml).

+To access resources in your subscription, you must assign the application to a role. Decide which role offers the right permissions for the application. To learn about the available roles, see [Azure built-in roles](/azure/role-based-access-control/built-in-roles).

+The following example covers a simple scenario. It uses [New-ΓÇïAzADΓÇïServiceΓÇïPrincipal](/powershell/module/az.resources/new-azadserviceprincipal) to create a service principal with a self-signed certificate, and uses [New-AzRoleAssignment](/powershell/module/az.resources/new-azroleassignment) to assign the [Reader](/azure/role-based-access-control/built-in-roles#reader) role to the service principal. The role assignment is scoped to your currently selected Azure subscription. To select a different subscription, use [Set-AzContext](/powershell/module/az.accounts/set-azcontext).

+The following example uses a certificate issued from a Certificate Authority to create service principal. The assignment is scoped to the specified Azure subscription. It adds the service principal to the [Reader](/azure/role-based-access-control/built-in-roles#reader) role. If an error occurs during the role assignment, it retries the assignment.

+To access resources in your subscription, you must assign a role to the application. Decide which role offers the right permissions for the application. To learn about the available roles, see [Azure built-in roles](/azure/role-based-access-control/built-in-roles).

+You might need to configure extra permissions on resources that your application needs to access. For example, you must also [update a key vault's access policies](/azure/key-vault/general/security-features#privileged-access) to give your application access to keys, secrets, or certificates.

+- To learn about specifying security policies, see [Azure role-based access control (Azure RBAC)](/azure/role-based-access-control/role-assignments-portal).

+- For a list of available actions that can be granted or denied to users, see [Azure Resource Manager Resource Provider operations](/azure/role-based-access-control/resource-provider-operations).

+Configure AD to send sign-in events to Azure Monitor by following the steps in [Integrate your Microsoft Entra sign-in and audit logs with Azure Monitor](../reports-monitoring/howto-integrate-activity-logs-with-azure-monitor-logs.md). In the **Diagnostic settings** configuration step, select the **SignInLogs** check box.

+ or [Azure Key Vault](/azure/key-vault/general/basic-concepts) to store and regularly rotate your credentials.

+1. Sign into the [App Registration portal](https://aka.ms/PublisherVerificationPreview) using [multi-factor authentication](../authentication/concept-mfa-licensing.md)

+1. Sign in using [multi-factor authentication](../authentication/concept-mfa-licensing.md) to an organizational (Microsoft Entra) account authorized to make changes to the app you want to mark as Publisher Verified and on the CPP Account in Partner Center.

+The Microsoft Authentication Library (MSAL) enables application developers to authenticate users with social and local identities by using [Azure Active Directory B2C (Azure AD B2C)](/azure/active-directory-b2c/). Azure AD B2C is an identity management service. Use it to customize and control how customers sign up, sign in, and manage their profiles when they use your applications.

+The `redirect_uri` must be registered in the app configuration, and also in `AndroidManifest.xml` to support redirection during the [authorization code grant flow](/azure/active-directory-b2c/authorization-code-flow).

+Claims returned in the IdToken are populated by the Security Token Service (STS), not by MSAL. Depending on the identity provider (IdP) used, some claims may be absent. Some IdPs don't currently provide the `preferred_username` claim. Because this claim is used by MSAL for caching, a placeholder value, `MISSING FROM THE TOKEN RESPONSE`, is used in its place. For more information on B2C IdToken claims, see [Overview of tokens in Azure Active Directory B2C](/azure/active-directory-b2c/tokens-overview#claims).

+Learn more about Azure Active Directory B2C (Azure AD B2C) at [What is Azure Active Directory B2C?](/azure/active-directory-b2c/overview)

+- [Microsoft Edge](/microsoft-edge/)

+- [Microsoft Power Apps](/power-apps/)

+- [Microsoft Viva Engage](/viva/engage/overview) (previously [Yammer](/viva/engage/overview))

+ - For information about ROPC in MSAL.NET and Azure AD B2C, see [Using ROPC with Azure AD B2C](/entra/msal/dotnet/acquiring-tokens/desktop-mobile/social-identities#resource-owner-password-credentials-ropc).

+The [Microsoft Authentication Library for JavaScript (MSAL.js)](https://github.com/AzureAD/microsoft-authentication-library-for-js) enables JavaScript developers to authenticate users with social and local identities using [Azure Active Directory B2C](/azure/active-directory-b2c/overview) (Azure AD B2C).

+MSAL.js enables [single-page applications](/azure/active-directory-b2c/application-types#single-page-applications) to sign-in users with Azure AD B2C using the [authorization code flow with PKCE](/azure/active-directory-b2c/authorization-code-flow) grant. With MSAL.js and Azure AD B2C:

+- [Sign in users with Azure AD B2C in a single-page application](/azure/active-directory-b2c/configure-authentication-sample-spa-app)

+- [Call an Azure AD B2C protected web API](/azure/active-directory-b2c/enable-authentication-web-api)

+Microsoft Intune supports zero-touch provisioning for devices in Microsoft Entra shared device mode, which means that the device can be set up and enrolled in Intune with minimal interaction from the frontline worker. To set up device in shared device mode when using Microsoft Intune as the MDM, see [Set up enrollment for devices in Microsoft Entra shared device mode](/mem/intune/enrollment/automated-device-enrollment-shared-device-mode).

+[Azure Government](/azure/azure-government/) applications can use Microsoft Entra Government identities and Microsoft Entra Public identities to authenticate users. Because you can use any of these identities, decide which authority endpoint you should choose for your scenario:

+To get an Azure Government subscription, see [Managing and connecting to your subscription in Azure Government](/azure/azure-government/compare-azure-government-global-azure).

+- [Azure Government](/azure/azure-government/)

+- [Azure Germany (closes on October 29, 2021)](/azure/germany/)

+- Application identification verification, which is also required in some enterprise scenarios. For more information, see [Intune mobile application management (MAM)](/mem/intune/apps/mam-faq).

+Learn about [Xamarin iOS-specific considerations with MSAL.NET](msal-net-xamarin-ios-considerations.md).

+You can also write your cache to disk by providing your own **cache plugin**. The cache plugin must implement the interface [ICachePlugin](/javascript/api/%40azure/msal-node/icacheplugin). Like logging, caching is part of the configuration options and is created with the initialization of the MSAL Node instance:

+ Title: Tutorial - Web app accesses Microsoft Graph as the user

+description: In this tutorial, you learn how to access data in Microsoft Graph from a web app for a signed-in user.

+ms.devlang: csharp, javascript

+#Customer intent: As an application developer, I want to learn how to access data in Microsoft Graph from a web app for a signed-in user.

+# Tutorial: Access Microsoft Graph from a secured app as the user

+Learn how to access Microsoft Graph from a web app running on Azure App Service.

+You want to add access to Microsoft Graph from your web app and perform some action as the signed-in user. This section describes how to grant delegated permissions to the web app and get the signed-in user's profile information from Microsoft Entra ID.

+In this tutorial, you learn how to:

+> [!div class="checklist"]

+>

+> * Grant delegated permissions to a web app.

+> * Call Microsoft Graph from a web app for a signed-in user.

+## Prerequisites

+* A web application running on Azure App Service that has the [App Service authentication/authorization module enabled](multi-service-web-app-authentication-app-service.md).

+## Grant front-end access to call Microsoft Graph

+Now that you've enabled authentication and authorization on your web app, the web app is registered with the Microsoft identity platform and is backed by a Microsoft Entra application. In this step, you give the web app permissions to access Microsoft Graph for the user. (Technically, you give the web app's Microsoft Entra application the permissions to access the Microsoft Graph Microsoft Entra application for the user.)

+In the [Microsoft Entra admin center](https://entra.microsoft.com) menu, select **Applications**.

+Select **App registrations** > **Owned applications** > **View all applications in this directory**. Select your web app name, and then select **API permissions**.

+Select **Add a permission**, and then select Microsoft APIs and Microsoft Graph.

+Select **Delegated permissions**, and then select **User.Read** from the list. Select **Add permissions**.

+## Configure App Service to return a usable access token

+The web app now has the required permissions to access Microsoft Graph as the signed-in user. In this step, you configure App Service authentication and authorization to give you a usable access token for accessing Microsoft Graph. For this step, you need to add the User.Read scope for the downstream service (Microsoft Graph): `https://graph.microsoft.com/User.Read`.

+> [!IMPORTANT]

+> If you don't configure App Service to return a usable access token, you receive a ```CompactToken parsing failed with error code: 80049217``` error when you call Microsoft Graph APIs in your code.

+# [Azure Resource Explorer](#tab/azure-resource-explorer)

+Go to [Azure Resource Explorer](https://resources.azure.com/) and using the resource tree, locate your web app. The resource URL should be similar to `https://resources.azure.com/subscriptions/subscriptionId/resourceGroups/SecureWebApp/providers/Microsoft.Web/sites/SecureWebApp20200915115914`.

+[//]: # (BROKEN LINK HttpLinkUnauthorized ABOVE: https://resources.azure.com/)

+The Azure Resource Explorer is now opened with your web app selected in the resource tree. At the top of the page, select **Read/Write** to enable editing of your Azure resources.

+In the left browser, drill down to **config** > **authsettingsV2**.

+In the **authsettingsV2** view, select **Edit**. Find the **login** section of **identityProviders** -> **azureActiveDirectory** and add the following **loginParameters** settings: `"loginParameters":[ "response_type=code id_token","scope=openid offline_access profile https://graph.microsoft.com/User.Read" ]` .

+```json

+"identityProviders": {

+ "azureActiveDirectory": {

+ "enabled": true,

+ "login": {

+ "loginParameters":[

+ "response_type=code id_token",

+ "scope=openid offline_access profile https://graph.microsoft.com/User.Read"

+ ]

+ }

+ }

+ }

+},

+```

+Save your settings by selecting **PUT**. This setting can take several minutes to take effect. Your web app is now configured to access Microsoft Graph with a proper access token. If you don't, Microsoft Graph returns an error saying that the format of the compact token is incorrect.

+# [Azure CLI](#tab/azure-cli)

+Use the Azure CLI to call the App Service Web App REST APIs to [get](/rest/api/appservice/web-apps/get-auth-settings) and [update](/rest/api/appservice/web-apps/update-auth-settings) the auth configuration settings so your web app can call Microsoft Graph. Open a command window and login to Azure CLI:

+```azurecli

+az login

+```

+Get your existing 'config/authsettingsv2ΓÇÖ settings and save to a local *authsettings.json* file.

+```azurecli

+az rest --method GET --url '/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/{RESOURCE_GROUP}/providers/Microsoft.Web/sites/{WEBAPP_NAME}/config/authsettingsv2/list?api-version=2020-06-01' > authsettings.json

+```

+Open the authsettings.json file using your preferred text editor. Find the **login** section of **identityProviders** -> **azureActiveDirectory** and add the following **loginParameters** settings: `"loginParameters":[ "response_type=code id_token","scope=openid offline_access profile https://graph.microsoft.com/User.Read" ]` .

+```json

+"identityProviders": {

+ "azureActiveDirectory": {

+ "enabled": true,

+ "login": {

+ "loginParameters":[

+ "response_type=code id_token",

+ "scope=openid offline_access profile https://graph.microsoft.com/User.Read"

+ ]

+ }

+ }

+ }

+},

+```

+Save your changes to the *authsettings.json* file and upload the local settings to your web app:

+```azurecli

+az rest --method PUT --url '/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/{RESOURCE_GROUP}/providers/Microsoft.Web/sites/{WEBAPP_NAME}/config/authsettingsv2?api-version=2020-06-01' --body @./authsettings.json

+```

+## Call Microsoft Graph

+Your web app now has the required permissions and also adds Microsoft Graph's client ID to the login parameters.

+# [C#](#tab/programming-language-csharp)

+Using the [Microsoft.Identity.Web library](https://github.com/AzureAD/microsoft-identity-web/), the web app gets an access token for authentication with Microsoft Graph. In version 1.2.0 and later, the Microsoft.Identity.Web library integrates with and can run alongside the App Service authentication/authorization module. Microsoft.Identity.Web detects that the web app is hosted in App Service and gets the access token from the App Service authentication/authorization module. The access token is then passed along to authenticated requests with the Microsoft Graph API.

+To see this code as part of a sample application, see the [sample on GitHub](https://github.com/Azure-Samples/ms-identity-easyauth-dotnet-storage-graphapi/tree/main/2-WebApp-graphapi-on-behalf).

+> [!NOTE]

+> The Microsoft.Identity.Web library isn't required in your web app for basic authentication/authorization or to authenticate requests with Microsoft Graph. It's possible to [securely call downstream APIs](/azure/app-service/tutorial-auth-aad#call-api-securely-from-server-code) with only the App Service authentication/authorization module enabled.

+>

+> However, the App Service authentication/authorization is designed for more basic authentication scenarios. For more complex scenarios (handling custom claims, for example), you need the Microsoft.Identity.Web library or [Microsoft Authentication Library](msal-overview.md). There's a little more setup and configuration work in the beginning, but the Microsoft.Identity.Web library can run alongside the App Service authentication/authorization module. Later, when your web app needs to handle more complex scenarios, you can disable the App Service authentication/authorization module and Microsoft.Identity.Web will already be a part of your app.

+### Install client library packages

+Install the [Microsoft.Identity.Web](https://www.nuget.org/packages/Microsoft.Identity.Web/) and [Microsoft.Identity.Web.GraphServiceClient](https://www.nuget.org/packages/Microsoft.Identity.Web.GraphServiceClient) NuGet packages in your project by using the .NET Core command-line interface or the Package Manager Console in Visual Studio.

+#### .NET Core command line

+Open a command line, and switch to the directory that contains your project file.

+Run the install commands.

+```dotnetcli

+dotnet add package Microsoft.Identity.Web.GraphServiceClient

+dotnet add package Microsoft.Identity.Web

+```

+#### Package Manager Console

+Open the project/solution in Visual Studio, and open the console by using the **Tools** > **NuGet Package Manager** > **Package Manager Console** command.

+Run the install commands.

+```powershell

+Install-Package Microsoft.Identity.Web.GraphServiceClient

+Install-Package Microsoft.Identity.Web

+```

+### Startup.cs

+In the *Startup.cs* file, the ```AddMicrosoftIdentityWebApp``` method adds Microsoft.Identity.Web to your web app. The ```AddMicrosoftGraph``` method adds Microsoft Graph support.

+```csharp

+using Microsoft.AspNetCore.Builder;

+using Microsoft.AspNetCore.Hosting;

+using Microsoft.Extensions.Configuration;

+using Microsoft.Extensions.DependencyInjection;

+using Microsoft.Extensions.Hosting;

+using Microsoft.Identity.Web;

+using Microsoft.AspNetCore.Authentication.OpenIdConnect;

+// Some code omitted for brevity.

+public class Startup

+{

+ // This method gets called by the runtime. Use this method to add services to the container.

+ public void ConfigureServices(IServiceCollection services)

+ {

+ services.AddOptions();

+ string[] initialScopes = Configuration.GetValue<string>("DownstreamApi:Scopes")?.Split(' ');

+ services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)

+ .AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAd"))

+ .EnableTokenAcquisitionToCallDownstreamApi(initialScopes)

+ .AddMicrosoftGraph(Configuration.GetSection("DownstreamApi"))

+ .AddInMemoryTokenCaches();

+ services.AddAuthorization(options =>

+ {

+ // By default, all incoming requests will be authorized according to the default policy

+ options.FallbackPolicy = options.DefaultPolicy;

+ });

+ services.AddRazorPages()

+ .AddMvcOptions(options => {})

+ .AddMicrosoftIdentityUI();

+ services.AddControllersWithViews()

+ .AddMicrosoftIdentityUI();

+ }

+}

+```

+### appsettings.json

+*Microsoft Entra ID* specifies the configuration for the Microsoft.Identity.Web library. In the [Microsoft Entra admin center](https://entra.microsoft.com), select **Applications** from the portal menu and then select **App registrations**. Select the app registration created when you enabled the App Service authentication/authorization module. (The app registration should have the same name as your web app.) You can find the tenant ID and client ID in the app registration overview page. The domain name can be found in the Microsoft Entra overview page for your tenant.

+*Graph* specifies the Microsoft Graph endpoint and the initial scopes needed by the app.

+```json

+{

+ "AzureAd": {

+ "Instance": "https://login.microsoftonline.com/",

+ "Domain": "[Enter the domain of your tenant, e.g. contoso.onmicrosoft.com]",

+ "TenantId": "[Enter 'common', or 'organizations' or the Tenant Id (Obtained from the Entra admin center. Select 'Endpoints' from the 'App registrations' blade and use the GUID in any of the URLs), e.g. da41245a5-11b3-996c-00a8-4d99re19f292]",

+ "ClientId": "[Enter the Client Id (Application ID obtained from the Microsoft Entra admin center), e.g. ba74781c2-53c2-442a-97c2-3d60re42f403]",

+ "ClientSecret": "[Copy the client secret added to the app from the Microsoft Entra admin center]",

+ "ClientCertificates": [

+ ],

+ // the following is required to handle Continuous Access Evaluation challenges

+ "ClientCapabilities": [ "cp1" ],

+ "CallbackPath": "/signin-oidc"

+ },

+ "DownstreamApis": {

+ "MicrosoftGraph": {

+ // Specify BaseUrl if you want to use Microsoft graph in a national cloud.

+ // See https://learn.microsoft.com/graph/deployments#microsoft-graph-and-graph-explorer-service-root-endpoints

+ // "BaseUrl": "https://graph.microsoft.com/v1.0",

+ // Set RequestAppToken this to "true" if you want to request an application token (to call graph on

+ // behalf of the application). The scopes will then automatically

+ // be ['https://graph.microsoft.com/.default'].

+ // "RequestAppToken": false

+ // Set Scopes to request (unless you request an app token).

+ "Scopes": [ "User.Read" ]

+ // See https://aka.ms/ms-id-web/downstreamApiOptions for all the properties you can set.

+ }

+ },

+ "Logging": {

+ "LogLevel": {

+ "Default": "Information",

+ "Microsoft": "Warning",

+ "Microsoft.Hosting.Lifetime": "Information"

+ }

+ },

+ "AllowedHosts": "*"

+}

+```

+### Index.cshtml.cs

+The following example shows how to call Microsoft Graph as the signed-in user and get some user information. The ```GraphServiceClient``` object is injected into the controller, and authentication has been configured for you by the Microsoft.Identity.Web library.

+```csharp

+using System.Threading.Tasks;

+using Microsoft.AspNetCore.Mvc.RazorPages;

+using Microsoft.Graph;

+using System.IO;

+using Microsoft.Identity.Web;

+using Microsoft.Extensions.Logging;

+// Some code omitted for brevity.

+[AuthorizeForScopes(Scopes = new[] { "User.Read" })]

+public class IndexModel : PageModel

+{

+ private readonly ILogger<IndexModel> _logger;

+ private readonly GraphServiceClient _graphServiceClient;

+ public IndexModel(ILogger<IndexModel> logger, GraphServiceClient graphServiceClient)

+ {

+ _logger = logger;

+ _graphServiceClient = graphServiceClient;

+ }

+ public async Task OnGetAsync()

+ {

+ try

+ {

+ var user = await _graphServiceClient.Me.GetAsync();

+ ViewData["Me"] = user;

+ ViewData["name"] = user.DisplayName;

+ using (var photoStream = await _graphServiceClient.Me.Photo.Content.GetAsync())

+ {

+ byte[] photoByte = ((MemoryStream)photoStream).ToArray();

+ ViewData["photo"] = Convert.ToBase64String(photoByte);

+ }

+ }

+ catch (Exception ex)

+ {

+ ViewData["photo"] = null;

+ }

+ }

+}

+```

+# [Node.js](#tab/programming-language-nodejs)

+Using a custom **AuthProvider** class that encapsulates authentication logic, the web app gets the user's access token from the incoming requests header. The **AuthProvider** instance detects that the web app is hosted on App Service and gets the access token from the App Service authentication/authorization module. The access token is then passed down to the Microsoft Graph SDK client to make an authenticated request to the `/me` endpoint.

+To see this code as part of a sample application, see *graphController.js* in the [sample on GitHub](https://github.com/Azure-Samples/ms-identity-easyauth-nodejs-storage-graphapi/tree/main/2-WebApp-graphapi-on-behalf).

+> [!NOTE]

+> The App Service authentication/authorization is designed for more basic authentication scenarios. Later, when your web app needs to handle more complex scenarios, you can disable the App Service authentication/authorization module and the **AuthProvider** instance in the sample will fallback to use [MSAL Node](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-node), which is the recommended library for adding authentication/authorization to Node.js applications.

+```nodejs

+const graphHelper = require('../utils/graphHelper');

+// Some code omitted for brevity.

+exports.getProfilePage = async(req, res, next) => {

+ try {

+ const graphClient = graphHelper.getAuthenticatedClient(req.session.protectedResources["graphAPI"].accessToken);

+ const profile = await graphClient

+ .api('/me')

+ .get();

+ res.render('profile', { isAuthenticated: req.session.isAuthenticated, profile: profile, appServiceName: appServiceName });

+ } catch (error) {

+ next(error);

+ }

+}

+```

+To query Microsoft Graph, use the [Microsoft Graph JavaScript SDK](https://github.com/microsoftgraph/msgraph-sdk-javascript). The code for this is located in [utils/graphHelper.js](https://github.com/Azure-Samples/ms-identity-easyauth-nodejs-storage-graphapi/blob/main/2-WebApp-graphapi-on-behalf/utils/graphHelper.js):

+```nodejs

+const graph = require('@microsoft/microsoft-graph-client');

+// Some code omitted for brevity.

+getAuthenticatedClient = (accessToken) => {

+ // Initialize Graph client

+ const client = graph.Client.init({

+ // Use the provided access token to authenticate requests

+ authProvider: (done) => {

+ done(null, accessToken);

+ }

+ });

+ return client;

+}

+```

+## Clean up resources

+If you're finished with this tutorial and no longer need the web app or associated resources, [clean up the resources you created](multi-service-web-app-clean-up-resources.md).

+## Next steps

+> [!div class="nextstepaction"]

+> [App service accesses Microsoft Graph as the app](multi-service-web-app-access-microsoft-graph-as-app.md)

+For detailed steps, see [Assign Azure roles using the Azure portal](/azure/role-based-access-control/role-assignments-portal).

+The authentication/authorization module is enabled and configured through the Azure portal and app settings. No SDKs, specific languages, or changes to application code are required.ΓÇï A variety of identity providers are supported, which includes Microsoft Entra ID, Microsoft Account, Facebook, Google, and TwitterΓÇïΓÇï. When the authentication/authorization module is enabled, every incoming HTTP request passes through it before being handled by app code.ΓÇïΓÇï To learn more, see [Authentication and authorization in Azure App Service](/azure/app-service/overview-authentication-authorization).

+For this tutorial, you need a web app deployed to App Service. You can use an existing web app, or you can follow one of the [ASP.NET Core](/azure/app-service/quickstart-dotnetcore), [Node.js](/azure/app-service/quickstart-nodejs), [Python](/azure/app-service/quickstart-python), or [Java](/azure/app-service/quickstart-java) quickstarts to create and publish a new web app to App Service.

+You now have a web app running on App Service. Next, you enable authentication and authorization for the web app. You use Microsoft Entra ID as the identity provider. For more information, see [Configure Microsoft Entra authentication for your App Service application](/azure/app-service/configure-authentication-provider-aad).

+ - The UI option **Token configuration** blade isn't available for apps registered in an Azure AD B2C tenant, which can be configured by modifying the application manifest. For more information, see [Add claims and customize user input using custom policies in Azure Active Directory B2C](/azure/active-directory-b2c/configure-user-input)

+- [Microsoft Entra Microsoft Q&A](/answers/tags/455/entra-id)

+To begin building external facing applications that sign in social and local accounts, create an Azure AD B2C tenant. To begin, see [Create an Azure AD B2C tenant](/azure/active-directory-b2c/tutorial-create-tenant).

+MSAL ([Microsoft.Identity.Client](/dotnet/api/microsoft.identity.client)) is the library used to sign in users and request security tokens. The security tokens are used to access an API protected by the Microsoft identity platform. You can install MSAL by running the following command in Visual Studio's *Package Manager Console*:

+MSAL has two methods for acquiring tokens in a UWP app: [`AcquireTokenInteractive`](/dotnet/api/microsoft.identity.client.acquiretokeninteractiveparameterbuilder) and [`AcquireTokenSilent`](/dotnet/api/microsoft.identity.client.acquiretokensilentparameterbuilder).

+* [Visual Studio](https://visualstudio.microsoft.com/vs/) with the [Universal Windows Platform development](/windows/apps/windows-app-sdk/set-up-your-development-environment) workload installed

+This quickstart uses a sample Angular single-page app (SPA) to show you how to sign in users by using the [authorization code flow](./v2-oauth2-auth-code-flow.md) with Proof Key for Code Exchange (PKCE) and call the Microsoft Graph API. The sample uses the [Microsoft Authentication Library for JavaScript](/javascript/api/%40azure/msal-react/) to handle authentication.

+- Learn more by building this Angular SPA from scratch with the following series - [Tutorial: Sign in users and call Microsoft Graph](./tutorial-v2-angular-auth-code.md)

+This quickstart uses a sample JavaScript (JS) single-page app (SPA) to show you how to sign in users by using the [authorization code flow](./v2-oauth2-auth-code-flow.md) with Proof Key for Code Exchange (PKCE) and call the Microsoft Graph API. The sample uses the [Microsoft Authentication Library for JavaScript](/javascript/api/@azure/msal-react) to handle authentication.

+This quickstart uses a sample React single-page app (SPA) to show you how to sign in users by using the [authorization code flow](./v2-oauth2-auth-code-flow.md) with Proof Key for Code Exchange (PKCE). The sample uses the [Microsoft Authentication Library for JavaScript](/javascript/api/@azure/msal-react) to handle authentication.

+- Learn more by building this React SPA from scratch with the following series - [Tutorial: Sign in users and call Microsoft Graph](./tutorial-single-page-app-react-register-app.md)

+- A Microsoft Entra tenant. For more information on how to get a Microsoft Entra tenant, see [how to get a Microsoft Entra tenant.](./quickstart-create-new-tenant.md)

+| AADSTS51004 | UserAccountNotInDirectory - The user account doesnΓÇÖt exist in the directory. An application likely chose the wrong tenant to sign into, and the currently logged in user was prevented from doing so since they did not exist in your tenant. If this user should be able to log in, add them as a guest. For further information, please visit [add B2B users](../external-identities/add-users-administrator.md). |

+### Directory Schema extensions

+1. Select the source of the attribute by clicking on the appropriate radio button.

+1. Select the **Source** where the claim is going to retrieve its value. You can either select a user attribute from the dropdown for the source attribute or apply a transformation to the user attribute. You can also select a directory schema extension before emitting it as a claim.

+To view and update the membership of the [Global Administrator](../roles/permissions-reference.md#global-administrator) role, see:

+You can manage the [Azure AD Joined Device Local Administrator](../roles/permissions-reference.md#azure-ad-joined-device-local-administrator) role from **Device settings**.

+- [Windows Autopilot](/autopilot/windows-autopilot) -

+Windows Autopilot provides you with an option to prevent primary user performing the join from becoming a local administrator by [creating an Autopilot profile](/autopilot/enrollment-autopilot#create-an-autopilot-deployment-profile).

+- [Bulk enrollment](/mem/intune/enrollment/windows-bulk-enroll) - a Microsoft Entra join that is performed in the context of a bulk enrollment happens in the context of an autocreated user. Users signing in after a device has been joined aren't added to the administrators group.

+| | [Passwordless](../authentication/concept-authentication-passwordless.md) options like [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-planning-guide) and FIDO2.0 security keys. |

+Administrators can make organization applications available to Microsoft Entra joined devices using Configuration Manager to [Manage apps from the Microsoft Store for Business and Education](/mem/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business).

+Microsoft Entra join can be accomplished using self-service options like the Out of Box Experience (OOBE), bulk enrollment, or [Windows Autopilot](/autopilot/enrollment-autopilot).

+| | [Passwordless](../authentication/concept-authentication-passwordless.md) options like [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-planning-guide) and FIDO2.0 security keys. |

+* **Trusted Platform Module** (TPM): A TPM is a hardware component built into a device that provides hardware-based security functions for user and device secrets. More details can be found in the article [Trusted Platform Module Technology Overview](/windows/security/hardware-security/tpm/trusted-platform-module-overview).

+Device registration is a prerequisite for device based authentication in Microsoft Entra ID. A PRT is issued to users only on registered devices. For more in-depth details on device registration, see the article [Windows Hello for Business and Device Registration](./device-registration-how-it-works.md). During device registration, the dsreg component generates two sets of cryptographic key pairs:

+ * When a previous existing PRT and RT are used for access to an app, the PRT and RT are regarded as the first proof of authentication. A new RT is required with a second proof and an imprinted MFA claim. This process also issues a new PRT and RT.

+- [Overview of Windows Autopilot](/autopilot/windows-autopilot)

+outlined in [Microsoft Entra integration with MDM](/windows/client-management/azure-active-directory-integration-with-mdm).

+Through co-management, you can use Microsoft Configuration Manager to manage certain aspects of your devices while policies are delivered through your MDM platform. Microsoft Intune enables co-management with Microsoft Configuration Manager. For more information on co-management for Windows 10 or newer devices, see [What is co-management?](/mem/configmgr/comanage/overview). If you use an MDM product other than Intune, check with your MDM provider on applicable co-management scenarios.

+Remote desktop connection to a Microsoft Entra joined devices requires the host machine to be either Microsoft Entra joined or Microsoft Entra hybrid joined. Remote desktop from an unjoined or non-Windows device isn't supported. For more information, see [Connect to remote Microsoft Entra joined pc](/windows/client-management/client-tools/connect-to-remote-aadj-pc)

+> For Windows Hello for Business Hybrid Key Trust, see [Configure Microsoft Entra joined devices for On-premises Single-Sign On using Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso).

+1. Receives a Kerberos [Ticket-Granting Ticket (TGT)](/windows/win32/secauthn/ticket-granting-tickets) or NTLM token based on the protocol the on-premises resource or application supports. If the attempt to get the Kerberos TGT or NTLM token for the domain fails, Credential Manager entries are tried, or the user may receive an authentication pop-up requesting credentials for the target resource. This failure can be related to a delay caused by a DCLocator timeout.

+You can deploy the package by using a software distribution system like [Microsoft Configuration Manager](/mem/configmgr/). The package supports the standard silent installation options with the `quiet` parameter. The current branch of Configuration Manager offers benefits over earlier versions, like the ability to track completed registrations.

+Other than the built-in Microsoft Entra roles of Cloud Device Administrator, Intune Administrator, and Global Administrator that are granted *device.LocalCredentials.Read.All*, you can use [Microsoft Entra custom roles](../roles/custom-create.md) or administrative units to authorize local administrator password recovery. For example,

+- Custom roles must be assigned the *microsoft.directory/deviceLocalCredentials/password/read* permission to authorize local administrator password recovery. During the preview, you must create a custom role and grant permissions using the [Microsoft Graph API](../roles/custom-create.md#create-a-role-with-the-microsoft-graph-api) or [PowerShell](../roles/custom-create.md#create-a-role-using-powershell). Once you have created the custom role, you can assign it to users.

+- You can also create a Microsoft Entra ID [administrative unit](../roles/administrative-units.md), add devices, and assign the Cloud Device Administrator role scoped to the administrative unit to authorize local administrator password recovery.

+Use of the SSH extension for Azure CLI on Azure Kubernetes Service (AKS) clusters is not supported. For more information, see [Support policies for AKS](/azure/aks/support-policies).

+> This functionality is also available for [Azure Arc-enabled servers](/azure/azure-arc/servers/ssh-arc-overview).

+1. Create a VM by running [az vm create](/cli/azure/vm?preserve-view=true#az-vm-create&preserve-view=true). Use a supported distribution in a supported region.

+The `provisioningState` value of `Succeeded` appears when the extension is successfully installed on the VM. The VM must have a running [VM agent](/azure/virtual-machines/extensions/agent-linux) to install the extension.

+> The Virtual Machine Administrator Login and Virtual Machine User Login roles use `dataActions` and can be assigned at the management group, subscription, resource group, or resource scope. We recommend that you assign the roles at the management group, subscription, or resource group level and not at the individual VM level. This practice avoids the risk of reaching the [Azure role assignments limit](/azure/role-based-access-control/troubleshoot-limits) per subscription.

+1. Assign the following role. For detailed steps, see [Assign Azure roles by using the Azure portal](/azure/role-based-access-control/role-assignments-portal).

+For more information on how to use Azure RBAC to manage access to your Azure subscription resources, see [Steps to assign an Azure role](/azure/role-based-access-control/role-assignments-steps).

+In addition to these capabilities, you can use Azure Policy to detect and flag Linux VMs that have unapproved local accounts created on their machines. To learn more, review [Azure Policy](/azure/governance/policy/overview).

+If you see an "Azure role not assigned" error on your SSH prompt, verify that you've configured Azure RBAC policies for the VM that grants the user either the Virtual Machine Administrator Login role or the Virtual Machine User Login role. If you're having problems with Azure role assignments, see the article [Troubleshoot Azure RBAC](/azure/role-based-access-control/troubleshooting).

+[Microsoft Entra Guest accounts](../external-identities/what-is-b2b.md) can't connect to Azure VMs or Azure Bastion enabled VMs via Microsoft Entra authentication.

+> If a device object with the same displayName as the hostname of a VM where an extension is installed exists, the VM fails to join Microsoft Entra ID with a hostname duplication error. Avoid duplication by [modifying the hostname](/azure/virtual-network/virtual-networks-viewing-and-modifying-hostnames#modify-a-hostname).

+1. Assign the following role. For detailed steps, see [Assign Azure roles by using the Azure portal](/azure/role-based-access-control/role-assignments-portal).

+- [Assign Azure roles by using the Azure CLI](/azure/role-based-access-control/role-assignments-cli)

+- [Assign Azure roles by using the Azure portal](/azure/role-based-access-control/role-assignments-portal)

+- [Assign Azure roles by using Azure PowerShell](/azure/role-based-access-control/role-assignments-powershell)

+> If your organization has configured and is using [Microsoft Entra Conditional Access](../conditional-access/overview.md), your device must satisfy the Conditional Access requirements to allow connection to the remote computer. Conditional Access policies may be applied to the application **Microsoft Remote Desktop (a4a365df-50f1-4397-bc59-1a1564b8bb9c)** for controlled access.

+> If you're using a Microsoft Entra registered Windows 10 or later PC, you must enter credentials in the `AzureAD\UPN` format (for example, `AzureAD\john@contoso.com`). At this time, you can use Azure Bastion to log in with Microsoft Entra authentication [via the Azure CLI and the native RDP client mstsc](/azure/bastion/native-client).

+In addition to these capabilities, you can use Azure Policy to detect and flag Windows VMs that have unapproved local accounts created on their machines. To learn more, review [Azure Policy](/azure/governance/policy/overview).

+> If you're having problems with Azure role assignments, see [Troubleshoot Azure RBAC](/azure/role-based-access-control/troubleshooting).

+For devices running the Windows desktop operating system, supported versions are listed in this article [Windows 10 release information](/windows/release-health/). As a best practice, Microsoft recommends you upgrade to the latest version of Windows.

+- If you're using [Unified Write Filter](/windows/iot/iot-enterprise/customize/unified-write-filter) and similar technologies that clear changes to the disk at reboot, they must be applied after the device is Microsoft Entra hybrid joined. Enabling such technologies before completion of Microsoft Entra hybrid join will result in the device getting unjoined on every reboot.

+ - The management options for [Printers](/universal-print/fundamentals/) and [Windows Autopilot](/autopilot/windows-autopilot) are limited in Microsoft Entra ID. These devices must be managed from their respective admin interfaces.

+ > The **Require multifactor authentication to register or join devices with Microsoft Entra ID** setting applies to devices that are either Microsoft Entra joined (with some exceptions) or Microsoft Entra registered. This setting doesn't apply to Microsoft Entra hybrid joined devices, [Microsoft Entra joined VMs in Azure](./howto-vm-sign-in-azure-ad-windows.md#enable-azure-ad-login-for-a-windows-vm-in-azure), or Microsoft Entra joined devices that use [Windows Autopilot self-deployment mode](/autopilot/self-deploying).

+- The [Get-AzureADDevice](/powershell/module/azuread/get-azureaddevice) cmdlet.

+1. Disable the device using the [Set-AzureADDevice](/powershell/module/azuread/set-azureaddevice) cmdlet (disable by using -AccountEnabled option).

+1. Remove the device using the [Remove-AzureADDevice](/powershell/module/azuread/remove-azureaddevice) cmdlet.

+Registered devices are often managed with [Microsoft Intune](/mem/intune/fundamentals/deployment-guide-enrollment). Devices are enrolled in Intune in several ways, depending on the operating system.

+* [iOS](/mem/intune/user-help/sign-in-to-the-company-portal)

+- [MDM enrollment of Windows 10-based devices](/windows/client-management/mdm-enrollment-of-windows-devices)

+- [Troubleshooting Windows device enrollment errors in Intune](/troubleshoot/mem/intune/device-enrollment/troubleshoot-windows-enrollment-errors)

+| **NTE_AUTHENTICATION_IGNORED** (0x80090031/-2146893775) | TPM is locked out. | Transient error. Wait for the cool-down period. The join attempt should succeed after a while. For more information, see [TPM fundamentals](/windows/security/hardware-security/tpm/tpm-fundamentals#anti-hammering). |

+This article discusses how to troubleshoot issues that involve the [primary refresh token](./concept-primary-refresh-token.md) (PRT) when you authenticate on a Microsoft Entra joined Windows device by using your Microsoft Entra credentials.

+- [Azure Government](/azure/azure-government/documentation-government-welcome)

+For more information, see: [How trust relationships work for forests in Active Directory](/entra/identity/domain-services/concepts-forest-trust).

+Now within the Azure portal you have access to view key data for your Azure AD-DS Domain Controllers such as: LDAP Searches/sec, Total Query Received/sec, DNS Total Response Sent/sec, LDAP Successful Binds/sec, memory usage, processor time, Kerberos Authentications, and NTLM Authentications. For more information, see: [Check fleet metrics of Azure Active Directory Domain Services](/entra/identity/domain-services/fleet-metrics).

+Represents a tenant's customizable terms of use agreement that is created, and managed, with Azure Active Directory (Azure AD). You can use the following methods to create and manage the [Azure Active Directory Terms of Use feature](/graph/api/resources/agreement#json-representation) according to your scenario. For more information, see: [agreement resource type](/graph/api/resources/agreement).

+Azure Active Directory Domain Services will now support synchronizing custom attributes from Azure AD for on-premises accounts. For more information, see: [Custom attributes for Azure Active Directory Domain Services](/entra/identity/domain-services/concepts-custom-attributes).

+ID Protection provides organizations access to powerful resources to see and respond quickly to these suspicious actions.

+> ID Protection generates risk detections only when the correct credentials are used. If incorrect credentials are used on a sign-in, it does not represent risk of credential compromise.

+##### Investigating atypical travel detections

+1. If you're able to confirm the activity wasn't performed by a legitimate user:

+ 1. **Recommended action**: Mark the sign-in as compromised, and invoke a password reset if not already performed by self-remediation. Block user if attacker has access to reset password or perform MFA and reset password.

+1. If a user is known to use the IP address in the scope of their duties:

+ 1. **Recommended action**: Dismiss the alert

+1. If you're able to confirm that the user recently travelled to the destination mentioned detailed in the alert:

+ 1. **Recommended action**: Dismiss the alert.

+1. If you're able to confirm that the IP address range is from a sanctioned VPN.

+ 1. **Recommended action**: Mark sign-in as safe and add the VPN IP address range to named locations in Azure AD and Microsoft Defender for Cloud Apps.

+##### Investigating anomalous token detections

+1. If you're able to confirm that the activity wasn't performed by a legitimate user using a combination of risk alert, location, application, IP address, User Agent, or other characteristics that are unexpected for the user:

+ 1. **Recommended action**: Mark the sign-in as compromised, and invoke a password reset if not already performed by self-remediation. Block the user if an attacker has access to reset password or perform MFA and reset password and revoke all tokens.

+1. If you're able to confirm location, application, IP address, User Agent, or other characteristics are expected for the user and there aren't other indications of compromise:

+ 1. **Recommended action**: Allow the user to self-remediate with a Conditional Access risk policy or have an admin confirm sign-in as safe.

+For further investigation of token based detections, see the article [Token tactics: How to prevent, detect, and respond to cloud token theft](https://www.microsoft.com/security/blog/2022/11/16/token-tactics-how-to-prevent-detect-and-respond-to-cloud-token-theft/) and the [Token theft investigation playbook](/security/operations/token-theft-playbook).

+##### Investigating token issuer anomaly detections

+1. If you're able to confirm that the activity wasn't performed by a legitimate user:

+ 1. **Recommended action**: Mark the sign-in as compromised, and invoke a password reset if not already performed by self-remediation. Block the user if an attacker has access to reset password or perform MFA and reset password and revoke all tokens.

+1. If the user confirmed this action was performed by them and there are no other indicators of compromise:

+ 1. **Recommended action**: Allow the user to self-remediate with a Conditional Access risk policy or have an admin confirm sign-in as safe.

+For further investigation of token based detections, see the article [Token tactics: How to prevent, detect, and respond to cloud token theft](https://www.microsoft.com/security/blog/2022/11/16/token-tactics-how-to-prevent-detect-and-respond-to-cloud-token-theft/).

+**Calculated offline**. This risk detection type indicates sign-ins from IP addresses infected with malware that is known to actively communicate with a bot server. This detection matches the IP addresses of the user's device against IP addresses that were in contact with a bot server while the bot server was active. **This detection has been deprecated**. ID Protection no longer generates new "Malware linked IP address" detections. Customers who currently have "Malware linked IP address" detections in their tenant will still be able to view, remediate, or dismiss them until the 90-day detection retention time is reached.

+##### Investigating suspicious browser detections

+1. Browser is not commonly used by the user or activity within the browser does not match the users normally behavior.

+ 1. **Recommended action**: Mark the sign-in as compromised, and invoke a password reset if not already performed by self-remediation. Block the user if an attacker has access to reset password or perform MFA and reset password and revoke all tokens.

+##### Investigating malicious IP address detections

+1. If you're able to confirm that the activity wasn't performed by a legitimate user:

+ 1. **Recommended action**: Mark the sign-in as compromised, and invoke a password reset if not already performed by self-remediation. Block the user if an attacker has access to reset password or perform MFA and reset password and revoke all tokens.

+1. If a user is known to use the IP address in the scope of their duties:

+ 1. **Recommended action**: Dismiss the alert

+**Calculated offline**. This detection is discovered using information provided by [Microsoft Defender for Cloud Apps](/defender-cloud-apps/anomaly-detection-policy#suspicious-inbox-manipulation-rules). This detection looks at your environment and triggers alerts when suspicious rules that delete or move messages or folders are set on a user's inbox. This detection may indicate: a user's account is compromised, messages are being intentionally hidden, and the mailbox is being used to distribute spam or malware in your organization.

+##### Investigating password spray detections

+1. If you're able to confirm that the activity wasn't performed by a legitimate user:

+ 1. **Recommended action**: Mark the sign-in as compromised, and invoke a password reset if not already performed by self-remediation. Block the user if an attacker has access to reset password or perform MFA and reset password and revoke all tokens.

+1. If a user is known to use the IP address in the scope of their duties:

+ 1. **Recommended action**: Dismiss the alert

+1. If you're able to confirm that the account has not been compromised and can see no brute force or password spray indicators against the account.

+ 1. **Recommended action**: Allow the user to self-remediate with a Conditional Access risk policy or have an admin confirm sign-in as safe.

+For further investigation of password spray risk detections, see the article [Guidance for identifying and investigating password spray attacks](/security/operations/incident-response-playbook-password-spray).

+**Calculated offline**. This detection is discovered using information provided by [Microsoft Defender for Cloud Apps](/defender-cloud-apps/anomaly-detection-policy#impossible-travel). This detection identifies user activities (is a single or multiple sessions) originating from geographically distant locations within a time period shorter than the time it takes to travel from the first location to the second. This risk may indicate that a different user is using the same credentials.

+**Calculated offline**. This detection is discovered using information provided by [Microsoft Defender for Cloud Apps](/defender-cloud-apps/anomaly-detection-policy#activity-from-infrequent-country). This detection considers past activity locations to determine new and infrequent locations. The anomaly detection engine stores information about previous locations used by users in the organization.

+**Calculated offline**. This detection is discovered using information provided by [Microsoft Defender for Cloud Apps](/defender-cloud-apps/anomaly-detection-policy#activity-from-anonymous-ip-addresses). This detection identifies that users were active from an IP address that has been identified as an anonymous proxy IP address.

+**Calculated offline**. This detection is discovered using information provided by [Microsoft Defender for Cloud Apps](/defender-cloud-apps/anomaly-detection-policy#suspicious-inbox-forwarding). This detection looks for suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address.

+##### Investigating leaked credentials detections

+1. If this detection signal has alerted for a leaked credential for a user:

+ 1. **Recommended action**: Mark the sign-in as compromised, and invoke a password reset if not already performed by self-remediation. Block the user if an attacker has access to reset password or perform MFA and reset password and revoke all tokens.

+ID Protection categorizes risk into three tiers: low, medium, and high. When configuring [ID Protection policies](./concept-identity-protection-policies.md), you can also configure it to trigger upon **No risk** level. No Risk means there's no active indication that the user's identity has been compromised.

+Disabled user accounts can be re-enabled. If the credentials of a disabled account are compromised, and the account gets re-enabled, bad actors might use those credentials to gain access. ID Protection generates risk detections for suspicious activities against disabled user accounts to alert customers about potential account compromise. If an account is no longer in use and wont be re-enabled, customers should consider deleting it to prevent compromise. No risk detections are generated for deleted accounts.

+- [Identity Secure Score](../reports-monitoring/concept-identity-secure-score.md)

+You can also query risky workload identities [using the Microsoft Graph API](/graph/use-the-api). There are two new collections in the [Identity Protection APIs](/graph/api/resources/identityprotection-overview).

+Organizations can choose to store data for longer periods by changing diagnostic settings in Microsoft Entra ID to send **RiskyUsers**, **UserRiskEvents**, **RiskyServicePrincipals**, and **ServicePrincipalRiskEvents** data to a Log Analytics workspace, archive data to a storage account, stream data to an event hub, or send data to a partner solution. Find these options in the [Microsoft Entra admin center](https://entra.microsoft.com) > **Identity** > **Monitoring & health** > **Diagnostic settings** > **Edit setting**. If you don't have a diagnostic setting, follow the instructions in the article [Create diagnostic settings to send platform logs and metrics to different destinations](/azure/azure-monitor/essentials/diagnostic-settings) to create one.

+Log Analytics allows organizations to query data using built in queries or custom created Kusto queries, for more information, see [Get started with log queries in Azure Monitor](/azure/azure-monitor/logs/get-started-queries).

+By routing logs to an Azure storage account, you can keep it for longer than the default retention period. For more information, see the article [Tutorial: Archive Microsoft Entra logs to an Azure storage account](../reports-monitoring/howto-archive-logs-to-storage-account.md).

+Azure Event Hubs can look at incoming data from sources like Microsoft Entra ID Protection and provide real-time analysis and correlation. For more information, see the article [Tutorial: Stream Microsoft Entra logs to an Azure event hub](../reports-monitoring/howto-stream-logs-to-event-hub.md)

+Organizations can choose to [connect Microsoft Entra data to Microsoft Sentinel](/azure/sentinel/data-connectors/azure-active-directory-identity-protection) as well for further processing.

+- [Install and use the log analytics views for Microsoft Entra ID](/azure/azure-monitor/visualize/workbooks-view-designer-conversion-overview)

+- [Connect data from Microsoft Entra ID Protection](/azure/sentinel/data-connectors/azure-active-directory-identity-protection)

+- [Tutorial: Stream Microsoft Entra logs to an Azure event hub](../reports-monitoring/howto-stream-logs-to-event-hub.md)

+- [Overview of Microsoft Graph](/graph/overview)

+Identity Protection provides organizations with reporting they can use to investigate identity risks in their environment. These reports include **risky users**, **risky sign-ins**, **risky workload identities**, and **risk detections**. Investigation of events is key to better understanding and identifying any weak points in your security strategy. All of these reports allow for downloading of events in .CSV format or integration with other security solutions like a dedicated SIEM tool for further analysis.

+#### Understand the scope

+1. Consider creating a known traveler database for updated organizational travel reporting and use it to cross-reference travel activity.

+1. Add corporate VPN's and IP Address ranges to named locations to reduce false positives.

+1. Review the logs to identify similar activities with the same characteristics. This could be an indication of more compromised accounts.

+ 1. If there are common characteristics, like IP address, geography, success/failure, etc..., consider blocking these with a Conditional Access policy.

+ 1. Review which resource may have been compromised, such as potential data downloads or administrative modifications.

+ 1. Enable self-remediation policies through Conditional Access

+1. If you see that the user performed other risky activities, such as downloading a large volume of files from a new location, this is a strong indication of a possible compromise.

+ 1. If you have access to other security tools like [Microsoft Sentinel](/azure/sentinel/overview), check for corresponding alerts that might indicate a larger issue.

+> [!IMPORTANT]

+> If you suspect an attacker can impersonate the user, reset their password, and perform MFA; you should block the user and revoke all refresh and access tokens.

+1. This account was the victim of a password spray attack:

+1. This detection was triggered by a real-time rule:

+ 1. Validate that no other users in your directory are targets of the same attack. This can be found by the TI_RI_#### number assigned to the rule.

+ 1. Real-time rules protect against novel attacks identified by Microsoft's threat intelligence. If multiple users in your directory were targets of the same attack, investigate unusual patterns in other attributes of the sign in.

+Information about integrating Identity Protection information with Microsoft Sentinel can be found in the article,ΓÇ»[Connect data from Microsoft Entra ID Protection](/azure/sentinel/data-connectors-reference#microsoft).

+When your organization is comfortable with the managed authentication experience, you can defederate your domain from Okta. To begin, use the following commands to connect to Microsoft Graph PowerShell. If you don't have the Microsoft Graph PowerShell module, download it by entering `Install-Module Microsoft.Graph`.

+1. In PowerShell, sign in to Microsoft Entra ID by using a Global Administrator account.

+ ```powershell

+ Connect-MgGraph -Scopes "Domain.ReadWrite.All", "Directory.AccessAsUser.All"

+ ```

+2. To convert the domain, run the following command:

+ ```powershell

+ Update-MgDomain -DomainId yourdomain.com -AuthenticationType "Managed"

+ ```

+3. Verify that the domain has been converted to managed by running the command below. The Authentication type should be set to managed.

+ ```powershell

+ Get-MgDomain -DomainId yourdomain.com

+ ```

+1. In the source tenant, use the [Add synchronization secrets](/graph/api/synchronization-serviceprincipal-put-synchronization) API to save your credentials.

+For cross-tenant synchronization, users don't receive an email or have to accept a consent prompt. If users want to see what tenants they belong to, they can open their [My Account](https://support.microsoft.com/account-billing/my-account-portal-for-work-or-school-accounts-eab41bfe-3b9e-441e-82be-1f6e568d65fd) page and select **Organizations**. In the Microsoft Entra admin center, users can open their [Portal settings](/azure/azure-portal/set-preferences), view their **Directories + subscriptions**, and switch directories.

+- IT admins can also manually [restore](../fundamentals/users-restore.md) the user directly in the target tenant.

+- Cross-tenant synchronization deprovisioning: Currently, [SkipOutOfScopeDeletions](../app-provisioning/skip-out-of-scope-deletions.md?toc=/azure/active-directory/multi-tenant-organizations/toc.json&pivots=cross-tenant-synchronization) works for application provisioning jobs, but not for Microsoft Entra cross-tenant synchronization. To avoid soft deletion of users taken out of scope of cross-tenant synchronization, set [Target Object Actions for Delete](cross-tenant-synchronization-configure.md#step-8-optional-define-who-is-in-scope-for-provisioning-with-scoping-filters) to disabled.

+ - Optionally choose to save your workbook content to an [Azure Storage Account](/azure/azure-monitor/visualize/workbooks-bring-your-own-storage).

+* **Number of sign-ins not protected by multi-factor authentication requirement by location:** This widget shows the sign-ins counts that aren't protected by MFA requirement in map bubble chart on the world map.

+ |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department|String|

+ |title|String|

+ |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager|String|

+This call creates a new **private key**, recovery key and update key, stores these keys in the specified Azure Key Vault and sets the permissions to this Key Vault for the verifiable credential service and a create new **DID** with corresponding DID Document.

+Decentralized Identifiers (DIDs) are different. DIDs are user-generated, self-owned, globally unique identifiers rooted in decentralized systems trust systems. They possess unique characteristics, like greater assurance of immutability, censorship resistance, and tamper evasiveness. These attributes are critical for any ID system intended to provide self-ownership and user control.

+In order to be able to resolve DID documents, DIDs are typically recorded on an underlying network of some kind that represents a trust system. Microsoft currently supports DID:Web trust system. DID:Web is a permission based model that allows trust using a web domainΓÇÖs existing reputation. DID:Web is in support status General Available.

+With the Web trust system, updating your linked domain isn't supported. You have to opt out and re-onboard.

+Follow these steps to quickly set up a domain to use for Linked Domain:

+For Web trust system, you need register your decentralized ID to be able to issue and verify your credentials. You have to make this information available on your website and complete this registration. Otherwise your public key isn't made public.

+Consider the scenario in the diagram where Proseware, an e-commerce website, wants to offer Woodgrove employees corporate discounts.

+ ΓÇ£A ***holder*** is a role an entity might perform by possessing one or more verifiable credentials and generating presentations from them. A holder is usually, but not always, a subject of the verifiable credentials they're holding. Holders store their credentials in credential repositories.ΓÇ¥

+ ΓÇ£A ***decentralized identifier*** is a portable URI-based identifier, also known as a DID, associated with an entity. These identifiers are often used in a verifiable credential and are associated with subjects, issuers, and verifiers.ΓÇ¥

+* In the scenario, both the issuer and verifier have a DID, and a DID document. The DID document contains the public key, and the list of DNS web domains associated with the DID (also known as linked domains).

+ ΓÇ£A ***distributed ledger*** is a noncentralized system for recording events. These systems establish sufficient confidence for participants to rely upon the data recorded by others to make operational decisions. They typically use distributed databases where different nodes use a consensus protocol to confirm the ordering of cryptographically signed transactions. The linking of digitally signed transactions over time often makes the history of the ledger effectively immutable.ΓÇ¥

+Alice accepts employment with Woodgrove. As part of the onboarding process, a Microsoft Entra account is created for Alice to use inside of the Woodgrove trust boundary. AliceΓÇÖs manager must figure out how to enable Alice, who works remotely, to receive initial sign-in information in a secure way. In the past, the IT department might have provided those credentials to their manager, who would print them and hand them to Alice. Printing the credentials doesnΓÇÖt work with remote employees.

+As an employee, Alice is operating inside of the trust boundary of Woodgrove. Woodgrove acts as the identity provider (IDP) and maintains complete control of the identity and the configuration of the apps Alice uses to interact within the Woodgrove trust boundary. To use resources in the Microsoft Entra ID trust boundary, Alice provides potentially multiple forms of proof of identification to sign in WoodgroveΓÇÖs trust boundary and access the resources inside of WoodgroveΓÇÖs technology environment. Multiple proofs is a typical scenario that is well served using a centralized identity architecture.

+* Alice only uses the credential that Woodgrove maintains to access Woodgrove resources. Alice has no need to track when the credential is used since Woodgrove is managing the credential and which is only used with Woodgrove resources. The identity is only valid inside of the Woodgrove trust boundary when access to Woodgrove resources is necessary, so Alice has no need to possess the credential.

+* VCs can be used inside of the trust boundary for account recovery. For example, if the employee has lost their phone and computer, they can regain access by getting a new VC from the identity verification service, that is trusted by Woodgrove, and then use that VC to get new credentials.

+* Alice doesnΓÇÖt need to provide Proseware personal information, such as an email. Alice maintains the VC in a wallet application on a personal device. The only person that can use the VC is Alice, and Alice must initiate usage of the credential. Each usage of the VC is being recorded by the wallet application, so Alice has a record of when and where the VC is used.

+By combining centralized and decentralized identity architectures for operating inside and outside of trust boundaries at Woodgrove, complexity and risk can be reduced and limited relationships become easier to manage.

+Woodgrove adds new and ends current business relationships with other organizations and needs to determine when centralized and decentralized identity architectures are used.

+By combining centralized and decentralized identity architectures, the responsibility and effort associated with identity and proof of identity is distributed, risk is . The user doesn't risk releasing their private information as often or to as many unknown verifiers. Specifically:

+* In centralized identity architectures, the IDP issues credentials and performs verification of those issued credentials. The IDP processes information about all identities. It either stores them in a directory or retrieves them from a directory. Optionally, IDPs can accept security tokens from other IDP systems, such as social sign-ins or business partners. For a relying party to use identities in the IDP trust boundary, they must be configured to accept the tokens issued by the IDP.

+For example: When VC holders need to access a resource, they must present the VC to that relying party. They do so by using a wallet application to read the RPΓÇÖs request to present a VC. As a part of reading the request, the wallet application uses the RPΓÇÖs DID to find the RPΓÇÖs public keys using the trust system, validating that the request to present the VC hasn't been tampered with. To prove domain ownership, the wallet also checks that the DID is being referenced in a metadata document hosted in the DNS domain of the RP.

+ * DID of the issuer. The issuer's DID is used by the wallet app to resolve via the trust system to find the public keys and linked domains.

+ * URL with the VC manifest, which specifies the contract requirements to issue the VC. The contract requirement can include id_token, self-attested attributes that must be provided, or the presentation of another VC.

+ 1. Validates that the issuance request message is signed by the issuerΓÇÖs keys found in the DID document resolved via the trust system. Validating the signature ensures that the message hasn't been tampered with.

+ 1. Validates that the issuer owns the DNS domain referenced in the issuerΓÇÖs DID document.

+1. The Microsoft Entra Verified ID service validates the response sent by the wallet. In some cases, the VC issuer can revoke the VC. To make sure the VC is still valid, the verifier needs to check with the VC issuer. This depends on how the verifier asked for the VC in step 2.

+To deliver on the aspirations of the [Decentralized Identity Foundation](https://identity.foundation/) (DIF) and W3C [Design goals](https://www.w3.org/TR/did-core/), the following items should be considered when creating a verifiable credential solution:

+As part of your plan for an issuance solution, you must design a solution that enables the interactions between the issuer, the user, and the verifier. The following diagram shows the components of your issuance architecture.

+Each tenant uses the multitenant Microsoft Entra Verified ID service, and has a decentralized identifier (DID). The DID provides proof that the issuer owns the domain incorporated into the DID. The DID is used by the subject and the verifier to validate the issuer.

+* Rules are an issuer-defined model that describes the required inputs of a verifiable credential. Rules also defined trusted input sources, and the mapping of input claims to output claims stored in the VC. Depending on the type of attestation defined in the rules definition, the input claims can come from different providers. Input claims may come from an OIDC Identity Provider, from an id_token_hint or from self asserted claims during issuance via user input in the wallet.

+

+Microsoft Entra Verified ID currently supports Web as trust system [DID Web](https://w3c-ccg.github.io/did-method-web/), where the DID document is hosted on the issuers webserver.

+Microsoft Authenticator is the mobile application. The Authenticator orchestrates the interactions between the user, the Microsoft Entra Verified ID service and the contract used to issue VCs. It acts as a digital wallet in which the holder of the VC stores the VC, including the private key of the subject of the VC. Authenticator is also the mechanism used to present VCs for verification.

+These services provide supporting roles that don't necessarily need to integrate with Microsoft Entra Verified ID issuance service. This layer typically includes:

+* **Attribute stores** ΓÇô Attribute stores might be outside of directory services and provide attributes needed to issue a VC. For example, a student information system might provide claims about degrees earned.

+Your specific use cases determine your credential design. The use case determines:

+* the way users need to prove their identity to get their VC

+* if credentials need to be revoked

+**Identity Verification**: a credential is issued based on multiple criteria. Multiple criteria may include verifying the authenticity of government-issued documents like a passport or driverΓÇÖs license and corelating the information in that document with other information such as:

+All verifiable credentials must declare their *type* in their [rules definition](rules-and-display-definitions-model.md#rulesmodel-type). The credential type distinguishes a verifiable credentials schema from other credentials and it ensures interoperability between issuers and verifiers. To indicate a credential type, provide one or more credential types that the credential satisfies. Each type is a unique string. Often, a URI is used to ensure global uniqueness. The URI doesn't need to be addressable. It's treated as a string. As an example, a diploma credential issued by Contoso University might declare the following types:

+* **Favor abstract claims**: Each claim should meet the need while minimizing the detail. For example, a claim named ΓÇ£ageOverΓÇ¥ with discrete values such as 13, 21, 60, is more abstract than a date of birth claim.

+* **Plan for revocability**: We recommend you define an index claim to enable mechanisms to find and revoke credentials. You're limited to defining one index claim per contract. It's important to note that values for indexed claims aren't stored in the backend, only a hash of the claim value. For more information, see [Revoke a previously issued verifiable credential](../verifiable-credentials/how-to-issuer-revoke.md).

+* The Microsoft Entra Verified ID issuance service is deployed in West Europe, North Europe, West US 2, West Central US, Australia and Japan Azure regions. If your Microsoft Entra tenant resides within EU, the Microsoft Entra Verified ID service is in EU too.

+* To limit latency, deploy your issuance frontend website and key vault in the region listed above.

+* If you're planning a large rollout and onboarding of VCs, consider batching VC creation to ensure you don't exceed limits.

+As part of your plan for performance, determine what you monitor to better understand the performance of the solution. In addition to application-level website monitoring, consider the following as you define your VC issuance monitoring strategy:

+For scalability, consider implementing metrics for the following items:

+* Monitor Azure Key Vault using the following link:

+If the rare event that the Microsoft Entra Verified ID issuance service or Azure Key Vault services become unavailable, the entire solution becomes unavailable.

+**Data residency**: The Microsoft Entra Verified ID issuance service is deployed in a subset of Azure regions. The service is used for compute functions only. We don't store values of verifiable credentials in Microsoft systems. However, as part of the issuance process, personal data is sent and used when issuing VCs. Using the VC service shouldn't impact data residency requirements. If you store any personal information as a part of identity verification, that should be stored in a manner and region that meets your compliance requirements. For Azure-related guidance, visit the Microsoft Trust Center website.

+**Revoking credentials**: Determine if your organization needs to revoke credentials. For example, an admin may need to revoke credentials when an employee leaves the company. For more information, see [Revoke a previously issued verifiable credential](how-to-issuer-revoke.md).

+**Expiring credentials**: Determine how your credentials expire. For example, if you issue a VC as proof of having a driverΓÇÖs license, it might expire after a few years. Other VCs can have a shorter validity to ensure users come back periodically to update their VC.

+When planning for operations, it's critical you develop a schema to use for troubleshooting, reporting and distinguishing various customers you support. Additionally, if the operations team is responsible for executing VC revocation, that process must be defined. Each step in the process should be correlated so that you can determine which log entries can be associated with each unique issuance request. For auditing, we recommend you capture each attempt of credential issuing individually. Specifically:

+* If you're an identity verification service issuing VCs on behalf of multiple customers, monitor and mitigate by customer or contract ID for customer-facing reporting and billing.

+* If you're an identity verification service issuing VCs on behalf of multiple customers, use the customer or contract ID for customer-facing reporting and billing, monitoring, and mitigating.

+As part of your design considerations focused on security, we recommend the following items:

+ * Treat the service principal that represents the website and the user as a single trust boundary. While it's possible to create multiple websites, there's only one key set for the issuance solution.

+For security logging and monitoring, we recommend the following items:

+* Enable logging and alerting of Azure Key Vault. Track credential issuance operations, key extraction attempts and permission changes. Monitor and send alert for configuration changes. More information can be found at [How to enable Key Vault logging](../../key-vault/general/howto-logging.md).

+When you complete your POC, gather all the information and documentation generated, and consider tearing down the issuer configuration.

+For more information on Key Vault implementation and operation, see [Best practices to use Key Vault](../../key-vault/general/best-practices.md). For more information on Securing Azure environments with Active Directory, see [Securing Azure environments with Microsoft Entra ID](https://aka.ms/AzureADSecuredAzure).

+If you havenΓÇÖt already, we suggest you review the [Microsoft Entra Verified ID architecture overview](introduction-to-verifiable-credentials-architecture.md). You also want to review [Plan your Microsoft Entra Verified ID issuance solution](plan-issuance-solution.md).

+This content covers the technical aspects of planning for a verifiable credential verification solution using Microsoft products and services. The solution interfaces with a trust system, where currently DID Web is supported. DID Web is a centralized public key infrastructure.

+In the context of a verifier solution, the Microsoft Entra Verified ID service is the interface between the Microsoft components of the solution and the trust system. The service provisions the key set to Key Vault, provisions the decentralized identifier (DID).

+The service requires a Microsoft Entra tenant that provides an Identity and Access Management (IAM) control plane for the Azure resources that are part of the solution. Each Microsoft Entra tenant uses the multitenant Microsoft Entra Verified ID service, and it issues a single DID document representing the verifier. If you have multiple relying parties using your verification service, they all use the same verifier DID. The verifier DID provides pointers to the public key that allows subjects and issuers to validate messages that come from the relying party.

+The Azure Key Vault service stores your verifier keys, which are generated when you enable the Microsoft Entra Verified ID issuance service. The keys are used to provide message security. Each verifier has a single key set used for signing, updating, and recovering VCs. This key set is used each time you service a verification request. Microsoft key set currently uses Elliptic Curve Cryptography (ECC) [SECP256k1](https://en.bitcoin.it/wiki/Secp256k1). We're exploring other cryptographic signature schemas that are adopted by the broader DID community.

+Microsoft Entra Verified ID currently supports [DID Web](https://w3c-ccg.github.io/did-method-web/) as a trust system, where the DID document is hosted on the issuers webserver.

+Microsoft Authenticator is the mobile application. The Authenticator orchestrates the interactions between the user, the Microsoft Entra Verified ID service and the contract used to issue VCs. It acts as a digital wallet in which the holder of the VC stores the VC, including the private key of the subject of the VC. Authenticator is also the mechanism used to present VCs for verification.

+The relying party web front end uses the Request Service API to verify VCs by generating deep links or QR codes that the subjectΓÇÖs wallet consumes. Depending on the scenario, the front end can be a publicly accessible or internal website to enable end-user experiences that require verification. However, the endpoints that the wallet accesses must be publicly accessible. Specifically, it controls redirection to the wallet with specific request parameters.

+* External Identities that Microsoft Entra ID onboard using APIs to issue business-to-business (B2B) invitations, or entitlement management assignment to packages.

+* **Storing VC Attributes**: Where possible don't store attributes from VCs in your app-specific store. Be especially careful with personal data. If specific flows within your applications require this information, consider asking for the VC to retrieve the claims on demand.

+ * **External identities** - invitation: When an external user is invited to the target system, the RP can generate a link with a unique identifier that represents the invitation transaction. This link can be sent to the external userΓÇÖs email address. This unique identifier should be sufficient to correlate the VC verification request to the invitation record or underlying data and continue the provisioning workflow. The attributes in the VC can be used to validate or complete the external user attributes.

+ * **Authorization**: In this scenario, the user presents the VC to make an authorization decision. VCs designed for proof of completion of a training or holding a specific certification, are a good fit for this scenario. The VC attributes should contain fine-grained information conducive to authorization decisions and auditing. For example, the VC is used to certify the individual is trained and can access sensitive financial apps. The app logic can check the department claim for fine-grained authorization, and use the employee ID for audit purposes.

+ * **Confirmation of identity verification**: In this scenario, the goal is to confirm that the same person who initially onboarded is indeed the one attempting to access the high-value application. A credential from an identity verification issuer would be a good fit. The application logic should validate that the attributes from the VC align with the user who logged in the application.

+* **Check Revocation**: When using VCs to access sensitive resources, it's common to check the status of the VC with the original issuer and deny access for revoked VCs. When working with the issuers, ensure that revocation is explicitly discussed as part of the design of your scenario.

+ * **Session establishment**: Users must present a VC as part of initiating the session with the application. Presenting a VC is a good fit when the nature of the entire application is high-value.

+ * **Authorization**: Based on the application requirements, the applications might consume the VC attributes for fine-grained authorization decisions and auditing. For example, if an e-commerce website offers discounts to employees of the organizations in a particular location, they can validate discount eligibility based on the country/region claim in the VC (if present).

+* **Check Revocation**: When using VCs to access sensitive resources, it's common to check the status of the VC with the original issuer and deny access for revoked VCs. When working with the issuers, ensure that revocation is explicitly discussed as part of the design of your scenario.

+**Account portal**: Web front end that orchestrates the API calls for VC presentation and validation. This orchestration can include Microsoft Graph calls to recover accounts in Microsoft Entra ID.

+**Custom logic or workflows**: Logic with organization-specific steps before and after updating the user account. Custom logic might include approval workflows, other validations, logging, notifications, etc.

+**Microsoft Entra enterprise directory**: The Microsoft Entra tenant that contains the accounts that are being created or updated through the account portal.

+**VC Attribute correlation with Microsoft Entra ID**: When defining the attributes of the VC in collaboration with the issuer, make sure you agree on claims that identify the user. For example, if identity verification provider (IDV) verifies the identity prior to onboarding employees, ensure that the issued VC includes claims that can be matched against internal systems. Such claims might be a phone number, address, or date of birth. The RP can ask for information not found in the VC as part of this process, such as the last four digits of their social security number (SSN).

+**Role of VCs with Existing Microsoft Entra Credential Reset Capabilities**: Microsoft Entra ID has a built-in self-service password reset (SSPR) capability. Verifiable Credentials can be used to provide another way to recover in cases where users don't have access to or lost control of the SSPR method. In scenarios where the user have lost both computer and mobile, the user can reobtain a VC from an identity proof issuer and present it to recover their account remotely.

+Similarly, you can use a VC to generate a temporary access pass that allows users to reset their MFA authentication methods without a password.

+* If your RP is running in Azure, use Managed Identities to call Microsoft Graph. Managed Identities removes the risks around managing service principal credentials in code or configuration files. For more information, see [Managed identities for Azure resources.](../managed-identities-azure-resources/overview.md)

+The following are IAM considerations when incorporating VCs to relying parties. Relying parties are typically applications.

+* A human has the VC in their wallet and must interactively present the VC. Non-interactive flows such as on-behalf-of aren't supported.

+* Determine if an expired VC has meaning in your application; if so check the value of the `exp` claim (the expiration time) of the VC as part of the authorization checks. One example where expiration isn't relevant is requiring a government-issued document such as a driverΓÇÖs license to validate if the subject is older than 18. The date of birth claim is valid, even if the VC is expired.

+ * If it isn't relevant, then skip the call to check status API (which is on by default).

+ * If it's relevant, add the proper handling of exceptions in your application.

+You can use information in presented VCs to build a user profile. If you want to consume attributes to build a profile, consider the following items.

+* When the VC is issued, it contains a snapshot of attributes as of issuance. VCs might have long validity periods, and you must determine the age of attributes that you'll accept as sufficiently fresh to use as a part of the profile.

+* If a VC needs to be presented every time the subject starts a session with the RP, consider using the output of the VC presentation to build a non-persistent user profile with the attributes. A non-persistent user profile helps to reduce privacy risks associated with storing user properties at rest. Your application may need to save the subjectΓÇÖs attributes locally. If so, only save the claims that your application needs. Do not save the whole VC.

+ * Consider using the `sub` claim as an immutable identifier of the user. This is an opaque unique attribute that is constant for a given subject/RP pair.

+ * Define a mechanism to deprovision the user profile from the application. Due to the decentralized nature of the Microsoft Entra Verified ID system, there's no application user provisioning lifecycle.

+ * Don't store personal data claims returned in the VC token.

+The following items provide areas to consider when planning for performance:

+* The Microsoft Entra Verified ID issuance service is deployed in West Europe, North Europe, West US 2, and West Central US Azure regions. To limit latency, deploy your verification front end (website) and key vault in the closest region.

+To best plan for high availability and disaster recovery, we suggest the following items:

+* Microsoft Entra Verified ID service is deployed in the West Europe, North Europe, West US 2, and West Central US, Australia and Japan Azure regions. Consider deploying your supporting web servers and supporting applications in one of those regions, specifically in the ones from which you expect most of your validation traffic to originate.

+As you're designing for security, consider the following:

+ * Enable logging for Key Vault to track signing operations, and to monitor and alert on configuration changes. See [How to enable Key Vault logging](../../key-vault/general/howto-logging.md) for more information.

+ Title: Tutorial - Quick setup of your tenant for Microsoft Entra Verified ID

+description: In this tutorial, you learn how to quickly configure your tenant to support the Verified ID service.

+# Customer intent: As an enterprise, we want to enable customers to manage information about themselves by using verifiable credentials.

+# Quick Microsoft Entra Verified ID setup

+Quick Verified ID setup, available in preview, removes several configuration steps an admin needs to complete with a single click on a `Get started` button. The quick setup takes care of signing keys, registering your decentralized ID and verify your domain ownership. It also creates a Verified Workplace Credential for you.

+In this tutorial, you learn how to use the quick setup to configure your Microsoft Entra tenant to use the verifiable credentials service.

+Specifically, you learn how to:

+> [!div class="checklist"]

+> - Configure your the Verified ID service using the quick setup.

+> - Controlling how issuances of Verified Workplace Credentials in MyAccount

+## Prerequisites

+- Ensure that you have the [global administrator](../../active-directory/roles/permissions-reference.md#global-administrator) or the [authentication policy administrator](../../active-directory/roles/permissions-reference.md#authentication-policy-administrator) permission for the directory you want to configure. If you're not the global administrator, you need the [application administrator](../../active-directory/roles/permissions-reference.md#application-administrator) permission to complete the app registration including granting admin consent.

+- Ensure that you have a custom domain registered for the Microsoft Entra tenant. If you don't have one registered, the setup defaults to the manual setup experience.

+## Set up Verified ID

+If you have a custom domain registered for your Microsoft Entra tenant, you see this `Get started` option. If you don't have a custom domain registered, either register it before setting up Verified ID or continue using the [manual setup](verifiable-credentials-configure-tenant.md).

+To set up Verified ID, follow these steps:

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Global Administrator](../roles/permissions-reference.md#global-administrator).

+1. Select **Verified ID**.

+1. From the left menu, select **Setup**.

+1. Click the **Get started** button.

+1. If you have multiple domains registered for your Microsoft Entra tenant, select the one you would like to use for Verified ID.

+ :::image type="content" source="media/verifiable-credentials-configure-tenant-quick/verifiable-credentials-select-domain.png" alt-text="Screenshot that shows how to select domain.":::

+When the setup process is complete, you see a default workplace credential available to edit and offer to employees of your tenant on their MyAccount page.

+## MyAccount available now to simplify issuance of Workplace Credentials

+Issuing Verified Workplace Credentials is now available via [myaccount.microsoft.com](https://myaccount.microsoft.com/). Users can sign in to myaccount using their Microsoft Entra ID credentials and issue themselves a Verified Workplace Credential via the `Get my Verified ID` option.

+As an admin, you can either remove the option in MyAccount and create your custom application for issuing Verified Workplace Credentials. You can also select specific groups of users that are allowed to be issued credentials from MyAccount.

+## How Quick Verified ID setup works

+- A shared signing key is used across multiple tenants within a given region. It's no longer required to deploy Azure Key Vault. Since it's a shared key, the validityInterval of issued credentials is limited to six months.

+- The custom domain registered for your Microsoft Entra tenant is used for domain verification. It's no longer required to upload your DID configuration JSON to verify your domain.

+- The Decentralized identifier (DID) gets a name like `did:web:verifiedid.entra.microsoft.com:tenantid:authority-id`

+## Register an application in Microsoft Entra ID

+If you're planning to use custom credentials or set up your own application for issuing or verification Verified ID, you need to register an application and grant the appropriate permissions for it. Follow this section in the manual setup to [register an application](verifiable-credentials-configure-tenant.md#register-an-application-in-microsoft-entra-id)

+## Next steps

+- [Learn how to issue Microsoft Entra Verified ID credentials from a web application](verifiable-credentials-configure-issuer.md).

+- [Learn how to verify Microsoft Entra Verified ID credentials](verifiable-credentials-configure-verifier.md).

+ Title: Tutorial - Manual Microsoft Entra Verified ID setup

+description: In this tutorial, you learn how to manually configure your tenant to support the Verified ID service.

+# Manual Microsoft Entra Verified ID setup

+Manual Verified ID setup is the classic way of setting up Verified ID where you as an admin have to configure Azure KeyVault, take care of registering your decentralized ID and verifying your domain.

+In this tutorial, you learn how to use the manual setup to configure your Microsoft Entra tenant to use the verifiable credentials service.

+> - Configure your the Verified ID service using the manual setup.

+1. Select **Verified ID**.

+1. From the middle menu, select **Configure organization settings**

+Decentralized Identifiers (DIDs) are unique identifiers that can be used to secure access to resources, sign and verify credentials, and facilitate application data exchange. Unlike traditional usernames and email addresses, entities and owning and controlling the DIDs themselves (be it a person, device, or company). DIDs exist independently of any external organization or trusted intermediary. [The W3C Decentralized Identifier spec](https://www.w3.org/TR/did-core/) explains DIDs in further detail.

+Credentials are a part of our daily lives. Driver's licenses are used to assert that we're capable of operating a motor vehicle. University degrees can be used to assert our level of education and government-issued passports enable us to travel between countries and regions. Verifiable Credentials provides a mechanism to express these sorts of credentials on the Web in a way that is cryptographically secure, privacy respecting, and machine-verifiable. [The W3C Verifiable Credentials spec](https://www.w3.org/TR/vc-data-model/) explains verifiable credentials in further detail.

+There are multiple ways of offering a recovery mechanism to users, each with their own tradeoffs. Microsoft currently evaluating options and designing approaches to recovery that offer convenience and security while respecting a user's privacy and self-sovereignty.

+We implement [the Decentralized Identity Foundation's Well Known DID Configuration spec](https://identity.foundation/.well-known/resources/did-configuration/) in order to connect a DID to a highly known existing system, domain names. Each DID created using the Microsoft Entra Verified ID has the option of including a root domain name that is encoded in the DID Document. Follow the article titled [Link your Domain to your Distributed Identifier](how-to-dnsbind.md) to learn more.

+Microsoft now offers two different trust systems, Web and ION. You can choose to use either one of them during tenant onboarding. ION is a decentralized, permissionless, scalable decentralized identifier Layer 2 network that runs atop Bitcoin. It achieves scalability without including a special crypto asset token, trusted validators, or centralized consensus mechanisms. We use Bitcoin for the base Layer 1 substrate because of the strength of the decentralized network to provide a high degree of immutability for a chronological event record system.

+Resetting requires that you opt out and opt back into the Microsoft Entra Verified ID service. Your existing verifiable credentials configuration is reset and your tenant will obtain a new DID to use during issuance and presentation.

+ 1. If you're in the European region, it's recommended that your Azure Key Vault, and container are in the same European region to avoid performance and latency issues. Create new instances of these services in the same EU region as needed.

+1. See the value for Country or Region. If the value is a country or a region in Europe, your Microsoft Entra Verified ID service is set up in Europe.

+The tutorials for deploying and running the [samples](verifiable-credentials-configure-issuer.md#prerequisites) describes the use of the `ngrok` tool as an application proxy. This tool is sometimes blocked by IT admins from being used in corporate networks. An alternative is to deploy the sample to [Azure App Service](../../app-service/overview.md) and run it in the cloud. The following links help you deploy the respective sample to Azure App Service. The Free pricing tier is sufficient for hosting the sample. For each tutorial, you need to start by first creating the Azure App Service instance, then skip creating the app since you already have an app and then continue the tutorial with deploying it.

+Regardless of which language of the sample you're using, they'll pick up the Azure AppService hostname `https://something.azurewebsites.net` and use it as the public endpoint. You don't need to configure something extra to make it work. If you make changes to the code or configuration, you need to redeploy the sample to Azure AppServices. Troubleshooting/debugging is easier running the sample on your local machine, where traces to the console window show you errors, but you can achieve almost the same by using the [Log Stream](../../app-service/troubleshoot-diagnostic-logs.md#stream-logs).

+## October 2023

+- [Quick Verified ID setup](verifiable-credentials-configure-tenant-quick.md) introduced as preview which enables an admin to onboard a Microsoft Entra tenant with just one click of a button.

+- [MyAccount available now to simplify issuance of Workplace Credentials](verifiable-credentials-configure-tenant-quick.md#myaccount-available-now-to-simplify-issuance-of-workplace-credentials)

+- [Manual Verified ID setup](verifiable-credentials-configure-tenant.md) still available as an option to `Quick Verified ID setup`.

+POST https://verifiedid.did.msidentity.com/v1.0/verifiablecredentials/createPresentationRequest

+POST https://verifiedid.did.msidentity.com/v1.0/verifiablecredentials/createIssuanceRequest

+GET https://verifiedid.did.msidentity.com/v1.0/verifiablecredentials/presentationRequests/:requestId

+POST https://verifiedid.did.msidentity.com/v1.0/verifiablecredentials/completeIssuance

+POST https://verifiedid.did.msidentity.com/v1.0/verifiablecredentials/verifyPresentation

+The `presentation_verified` callback from the Request Service API now returns when a Verified ID credential was issued and when it expires. Business rules can use these values to see the time window of when the presented Verified ID credential is valid. An example of this is that it expires in an hour while the business required in needs to be valid until the end of the day.

+- Updates to our samples in [Github](https://github.com/Azure-Samples/active-directory-verifiable-credentials) showcasing how to dynamically display VC claims.

+Program](https://www.microsoft.com/licensing/how-to-buy/how-to-buy), and the [Cloud Solution Providers program](/azure/lighthouse/concepts/cloud-solution-provider). Azure and Microsoft 365 subscribers can also purchase Workload

+- [App health recommendations](../reports-monitoring/howto-use-recommendations.md): Provides recommendations for addressing identity hygiene gaps in your application portfolio so you can improve the security and resilience posture of a tenant.

+This article describes how to block the creation of federated identity credentials on user-assigned managed identities by using Azure Policy. By blocking the creation of federated identity credentials, you can block everyone from using [workload identity federation](workload-identity-federation.md) to access Microsoft Entra protected resources. [Azure Policy](/azure/governance/policy/overview) helps enforce certain business rules on your Azure resources and assess compliance of those resources.

+If federated identity credentials are provisioned in a loop, you can [provision them serially](/azure/azure-resource-manager/templates/copy-resources#serial-or-parallel) by setting *"mode": "serial"*.

+It's possible to use a deny [Azure Policy](/azure/governance/policy/overview) as in the following ARM template example:

+- To create a user-assigned managed identity and configure a federated identity credential, your account needs the [Contributor](/azure/role-based-access-control/built-in-roles#contributor) or [Owner](/azure/role-based-access-control/built-in-roles#owner) role assignment.

+- **Cluster issuer URL** is the [OIDC issuer URL](/azure/aks/use-oidc-issuer) for the managed cluster or the [OIDC Issuer URL](https://azure.github.io/azure-workload-identity/docs/installation/self-managed-clusters/oidc-issuer.html) for a self-managed cluster.

+- To create a user-assigned managed identity and configure a federated identity credential, your account needs the [Contributor](/azure/role-based-access-control/built-in-roles#contributor) or [Owner](/azure/role-based-access-control/built-in-roles#owner) role assignment.

+- To create a user-assigned managed identity and configure a federated identity credential, your account needs the [Contributor](/azure/role-based-access-control/built-in-roles#contributor) or [Owner](/azure/role-based-access-control/built-in-roles#owner) role assignment.

+ - Use [Azure Cloud Shell](/azure/cloud-shell/overview), which you can open by using the **Try It** button in the upper-right corner of code blocks.

+- To create a user-assigned managed identity and configure a federated identity credential, your account needs the [Contributor](/azure/role-based-access-control/built-in-roles#contributor) or [Owner](/azure/role-based-access-control/built-in-roles#owner) role assignment.

+- Use a [custom template from Azure Marketplace](/azure/azure-resource-manager/templates/deploy-portal#deploy-resources-from-custom-template) to create a template from scratch or base it on an existing common or [quickstart template](https://azure.microsoft.com/resources/templates/).

+- Derive from an existing resource group by exporting a template. You can export them from either [the original deployment](/azure/azure-resource-manager/management/manage-resource-groups-portal#export-resource-groups-to-templates) or from the [current state of the deployment](/azure/azure-resource-manager/management/manage-resource-groups-portal#export-resource-groups-to-templates).

+- Use a local [JSON editor (such as VS Code)](/azure/azure-resource-manager/templates/quickstart-create-templates-use-the-portal), and then upload and deploy by using PowerShell or the Azure CLI.

+- Use the Visual Studio [Azure Resource Group project](/azure/azure-resource-manager/templates/create-visual-studio-deployment-project) to create and deploy a template.

+Federated identity credential and parent user assigned identity can be created or updated be means of template below. You can [deploy ARM templates](/azure/azure-resource-manager/templates/quickstart-create-templates-use-the-portal) from the [Azure portal](https://portal.azure.com).

+- To create a user-assigned managed identity and configure a federated identity credential, your account needs the [Contributor](/azure/role-based-access-control/built-in-roles#contributor) or [Owner](/azure/role-based-access-control/built-in-roles#owner) role assignment.

+ - To run in the cloud, use [Azure Cloud Shell](/azure/cloud-shell/overview).

+ - To run locally, install [curl](https://curl.se/download.html) and the [Azure CLI](/cli/azure/install-azure-cli).

+- For information about the required format of JWTs created by external identity providers, read about the [assertion format](../develop/certificate-credentials.md#assertion-format).

+[Create an app registration](../develop/quickstart-register-app.md) in Microsoft Entra ID. Grant your app access to the Azure resources targeted by your external software workload.

+- **Cluster issuer URL** is the [OIDC issuer URL](/azure/aks/use-oidc-issuer) for the managed cluster or the [OIDC Issuer URL](https://azure.github.io/azure-workload-identity/docs/installation/self-managed-clusters/oidc-issuer.html) for a self-managed cluster.

+- [Create an app registration](../develop/quickstart-register-app.md) in Microsoft Entra ID. Grant your app access to the Azure resources targeted by your external software workload.

+*issuer* is your service account issuer URL (the [OIDC issuer URL](/azure/aks/use-oidc-issuer) for the managed cluster or the [OIDC Issuer URL](https://azure.github.io/azure-workload-identity/docs/installation/self-managed-clusters/oidc-issuer.html) for a self-managed cluster).

+ - Use [Azure Cloud Shell](/azure/cloud-shell/overview), which you can open by using the **Try It** button in the upper-right corner of code blocks.

+- [Create an app registration](../develop/quickstart-register-app.md) in Microsoft Entra ID. Grant your app access to the Azure resources targeted by your external software workload.

+- *Issuer* is your service account issuer URL (the [OIDC issuer URL](/azure/aks/use-oidc-issuer) for the managed cluster or the [OIDC Issuer URL](https://azure.github.io/azure-workload-identity/docs/installation/self-managed-clusters/oidc-issuer.html) for a self-managed cluster).

+[Create an app registration](../develop/quickstart-register-app.md) in Microsoft Entra ID. Grant your app access to the Azure resources targeted by your external software workload.

+- *issuer* is your service account issuer URL (the [OIDC issuer URL](/azure/aks/use-oidc-issuer) for the managed cluster or the [OIDC Issuer URL](https://azure.github.io/azure-workload-identity/docs/installation/self-managed-clusters/oidc-issuer.html) for a self-managed cluster).

+- For more information, read about how Microsoft Entra ID uses the [OAuth 2.0 client credentials grant](../develop/v2-oauth2-client-creds-grant-flow.md#third-case-access-token-request-with-a-federated-credential) and a client assertion issued by another IdP to get a token.

+- Workloads running on any Kubernetes cluster (Azure Kubernetes Service (AKS), Amazon Web Services EKS, Google Kubernetes Engine (GKE), or on-premises). Establish a trust relationship between your user-assigned managed identity or app in Microsoft Entra ID and a Kubernetes workload (described in the [workload identity overview](/azure/aks/workload-identity-overview)).

+- Other workloads running in compute platforms outside of Azure. Configure a trust relationship between your [user-assigned managed identity](workload-identity-federation-create-trust-user-assigned-managed-identity.md) or [application](workload-identity-federation-create-trust.md) in Microsoft Entra ID and the external IdP for your compute platform. You can use tokens issued by that platform to authenticate with Microsoft identity platform and call APIs in the Microsoft ecosystem. Use the [client credentials flow](../develop/v2-oauth2-client-creds-grant-flow.md#third-case-access-token-request-with-a-federated-credential) to get an access token from Microsoft identity platform, passing in the identity provider's JWT instead of creating one yourself using a stored certificate.

+1. The external workload (the login action in a GitHub workflow, for example) [sends the token to Microsoft identity platform](../develop/v2-oauth2-client-creds-grant-flow.md#third-case-access-token-request-with-a-federated-credential) and requests an access token.

+- Read the [workload identity overview](/azure/aks/workload-identity-overview) to learn how to configure a Kubernetes workload to get an access token from Microsoft identity provider and access Microsoft Entra protected resources.

+- How Microsoft Entra ID uses the [OAuth 2.0 client credentials grant](../develop/v2-oauth2-client-creds-grant-flow.md#third-case-access-token-request-with-a-federated-credential) and a client assertion issued by another IdP to get a token.

+ Title: Multi-modal embeddings concepts - Image Analysis 4.0

+# Multi-modal embeddings (version 4.0 preview)

+Multi-modal embedding is the process of generating a numerical representation of an image that captures its features and characteristics in a vector format. These vectors encode the content and context of an image in a way that is compatible with text search over the same vector space.

+Image retrieval systems have traditionally used features extracted from the images, such as content labels, tags, and image descriptors, to compare images and rank them by similarity. However, vector similarity search is gaining more popularity due to a number of benefits over traditional keyword-based search and is becoming a vital component in popular content search services.

+## Business applications

+Multi-modal embedding has a variety of applications in different fields, including:

+- Digital asset management: Multi-modal embedding can be used to manage large collections of digital images, such as in museums, archives, or online galleries. Users can search for images based on visual features and retrieve the images that match their criteria.

+- Security and surveillance: Vectorization can be used in security and surveillance systems to search for images based on specific features or patterns, such as in, people & object tracking, or threat detection.

+- Forensic image retrieval: Vectorization can be used in forensic investigations to search for images based on their visual content or metadata, such as in cases of cyber-crime.

+- E-commerce: Vectorization can be used in online shopping applications to search for similar products based on their features or descriptions or provide recommendations based on previous purchases.

+- Fashion and design: Vectorization can be used in fashion and design to search for images based on their visual features, such as color, pattern, or texture. This can help designers or retailers to identify similar products or trends.

+> Multi-modal embedding is not designed analyze medical images for diagnostic features or disease patterns. Please do not use Multi-modal embedding for medical purposes.

+1. Vectorize Images and Text: the Multi-modal embeddings APIs, **VectorizeImage** and **VectorizeText**, can be used to extract feature vectors out of an image or text respectively. The APIs return a single feature vector representing the entire input.

+ > Multi-modal embedding does not do any biometric processing of human faces. For face detection and identification, see the [Azure AI Face service](./overview-identity.md).

+### Relevance score

+The image and video retrieval services return a field called "relevance." The term "relevance" denotes a measure of similarity score between a query and image or video frame embeddings. The relevance score is comprised of two components:

+1. The cosine similarity (that falls in the range of [0,1]) between the query and image or video frame embeddings.

+1. A metadata score, which reflects the similarity between the query and the metadata associated with the image or video frame.

+> [!IMPORTANT]

+> The relevance score is a good measure to rank results such as images or video frames with respect to a single query. However, the relevance score cannot be accurately compared across queries. Therefore, it's not possible to easily map the relevance score to a confidence level. It's also not possible to trivially create a threshold algorithm to eliminate irrelevant results based solely on the relevance score.

+Enable Multi-modal embeddings for your search service and follow the steps to generate vector embeddings for text and images.

+* [Call the Multi-modal embeddings APIs](./how-to/image-retrieval.md)

+ Title: Do image retrieval using multi-modal embeddings - Image Analysis 4.0

+# Do image retrieval using multi-modal embeddings (version 4.0 preview)

+The Multi-modal embeddings APIs enable the _vectorization_ of images and text queries. They convert images to coordinates in a multi-dimensional vector space. Then, incoming text queries can also be converted to vectors, and images can be matched to the text based on semantic closeness. This allows the user to search a set of images using text, without the need to use image tags or other metadata. Semantic closeness often produces better results in search.

+## Try out Multi-modal embeddings

+You can try out the Multi-modal embeddings feature quickly and easily in your browser using Vision Studio.

+Cosine similarity is a method for measuring the similarity of two vectors. In an image retrieval scenario, you'll compare the search query vector with each image's vector. Images that are above a certain threshold of similarity can then be returned as search results.

+ Title: Do video retrieval using vectorization - Image Analysis 4.0

+description: Learn how to call the Spatial Analysis Video Retrieval APIs to vectorize video frames and search terms.

+# Do video retrieval using vectorization (version 4.0 preview)

+Azure AI Spatial Analysis Video Retrieval APIs are part of Azure AI Vision and enable developers to create an index, add documents (videos and images) to it, and search with natural language. Developers can define metadata schemas for each index and ingest metadata to the service to help with retrieval. Developers can also specify what features to extract from the index (vision, speech) and filter their search based on features.

+## Prerequisites

+- Azure subscription - [Create one for free](https://azure.microsoft.com/free/cognitive-services).

+- Once you have your Azure subscription, [create a Vision resource using the portal](/azure/cognitive-services/cognitive-services-apis-create-account). For this preview, you must create your resource in the East US region.

+- An Azure Storage resource - [Create one](/azure/storage/common/storage-account-create?tabs=azure-portal)

+## Input requirements

+### Supported file formats

+| File format | Description |

+| -- | -- |

+| `asf` | ASF (Advanced / Active Streaming Format) |

+| `flv` | FLV (Flash Video) |

+| `matroskamm`, `webm` | Matroska / WebM |

+| `mov`, `mp4`, `m4a`, `3gp`, `3g2`, `mj2` | QuickTime / MOV |

+| `mpegts` | MPEG-TS (MPEG-2 Transport Stream) |

+| `rawvideo` | raw video |

+| `rm` | RealMedia |

+| `rtsp` | RTSP input |

+### Supported codecs

+| Codec | Format |

+| -- | -- |

+| `h264` | H.264 / AVC / MPEG-4 AVC / MPEG-4 part 10 |

+| `rawvideo` | raw video |

+| `h265` | HEVC

+| `libvpx-vp9` | libvpx VP9 (codec vp9) |

+## Call the Video Retrieval APIs

+To use the Spatial Analysis Video Retrieval APIs in a typical pattern, you would do the following steps:

+1. Create an index using **PUT - Create an index**.

+2. Add video documents to the index using **PUT - CreateIngestion**.

+3. Wait for the ingestion to complete, checking with **GET - ListIngestions**.

+4. Search for a keyword or phrase using **POST - SearchByText**.

+### Use Video Retrieval APIs for metadata-based search

+The Spatial Analysis Video Retrieval APIs allows a user to add metadata to video files. Metadata is additional information associated with video files such as "Camera ID," "Timestamp," or "Location" that can be used to organize, filter, and search for specific videos. This example demonstrates how to create an index, add video files with associated metadata, and perform searches using different features.

+### Step 1: Create an Index

+To begin, you need to create an index to store and organize the video files and their metadata. The example below demonstrates how to create an index named "my-video-index."

+```bash

+curl.exe -v -X PUT "https://<YOUR_ENDPOINT_URL>/computervision/retrieval/indexes/my-video-index?api-version=2023-05-01-preview" -H "Ocp-Apim-Subscription-Key: <YOUR_SUBSCRIPTION_KEY>" -H "Content-Type: application/json" --data-ascii "

+{

+ 'metadataSchema': {

+ 'fields': [

+ {

+ 'name': 'cameraId',

+ 'searchable': false,

+ 'filterable': true,

+ 'type': 'string'

+ },

+ {

+ 'name': 'timestamp',

+ 'searchable': false,

+ 'filterable': true,

+ 'type': 'datetime'

+ }

+ ]

+ },

+ 'features': [

+ {

+ 'name': 'vision',

+ 'domain': 'surveillance'

+ },

+ {

+ 'name': 'speech'

+ }

+ ]

+}"

+```

+**Response:**

+```

+HTTP/1.1 201 Created

+Content-Length: 530

+Content-Type: application/json; charset=utf-8

+request-id: cb036529-d1cf-4b44-a1ef-0a4e9fc62885

+api-supported-versions: 2023-01-15-preview,2023-05-01-preview

+x-envoy-upstream-service-time: 202

+Date: Thu, 06 Jul 2023 18:05:05 GMT

+Connection: close

+{

+ "name": "my-video-index",

+ "metadataSchema": {

+ "language": "en",

+ "fields": [

+ {

+ "name": "cameraid",

+ "searchable": false,

+ "filterable": true,

+ "type": "string"

+ },

+ {

+ "name": "timestamp",

+ "searchable": false,

+ "filterable": true,

+ "type": "datetime"

+ }

+ ]

+ },

+ "userData": {},

+ "features": [

+ {

+ "name": "vision",

+ "modelVersion": "2023-05-31",

+ "domain": "surveillance"

+ },

+ {

+ "name": "speech",

+ "modelVersion": "2023-06-30",

+ "domain": "generic"

+ }

+ ],

+ "eTag": "\"7966244a79384cca9880d67a4daa9eb1\"",

+ "createdDateTime": "2023-07-06T18:05:06.7582534Z",

+ "lastModifiedDateTime": "2023-07-06T18:05:06.7582534Z"

+}

+```

+### Step 2: Add video files to the index

+Next, you can add video files to the index with their associated metadata. The example below demonstrates how to add two video files to the index using SAS URLs to provide access.

+```bash

+curl.exe -v -X PUT "https://<YOUR_ENDPOINT_URL>/computervision/retrieval/indexes/my-video-index/ingestions/my-ingestion?api-version=2023-05-01-preview" -H "Ocp-Apim-Subscription-Key: <YOUR_SUBSCRIPTION_KEY>" -H "Content-Type: application/json" --data-ascii "

+{

+ 'videos': [

+ {

+ 'mode': 'add',

+ 'documentId': '02a504c9cd28296a8b74394ed7488045',

+ 'documentUrl': 'https://example.blob.core.windows.net/videos/02a504c9cd28296a8b74394ed7488045.mp4?sas_token_here',

+ 'metadata': {

+ 'cameraId': 'camera1',

+ 'timestamp': '2023-06-30 17:40:33'

+ }

+ },

+ {

+ 'mode': 'add',

+ 'documentId': '043ad56daad86cdaa6e493aa11ebdab3',

+ 'documentUrl': '[https://example.blob.core.windows.net/videos/043ad56daad86cdaa6e493aa11ebdab3.mp4?sas_token_here',

+ 'metadata': {

+ 'cameraId': 'camera2'

+ }

+ }

+ ]

+}"

+```

+**Response:**

+```

+HTTP/1.1 202 Accepted

+Content-Length: 152

+Content-Type: application/json; charset=utf-8

+request-id: ee5e48df-13f8-4a87-a337-026947144321

+operation-location: http://api.example.com.trafficmanager.net/retrieval/indexes/my-test-index/ingestions/my-ingestion

+api-supported-versions: 2023-01-15-preview,2023-05-01-preview

+x-envoy-upstream-service-time: 709

+Date: Thu, 06 Jul 2023 18:15:34 GMT

+Connection: close

+{

+ "name": "my-ingestion",

+ "state": "Running",

+ "createdDateTime": "2023-07-06T18:15:33.8105687Z",

+ "lastModifiedDateTime": "2023-07-06T18:15:34.3418564Z"

+}

+```

+### Step 3: Wait for ingestion to complete

+After you add video files to the index, the ingestion process starts. It might take some time depending on the size and number of files. To ensure the ingestion is complete before performing searches, you can use the **Get Ingestion** call to check the status. Wait for this call to return `"state" = "Completed"` before proceeding to the next step.

+```bash

+curl.exe -v _X GET "https://<YOUR_ENDPOINT_URL>/computervision/retrieval/indexes/my-video-index/ingestions?api-version=2023-05-01-preview&$top=20" -H "ocp-apim-subscription-key: <YOUR_SUBSCRIPTION_KEY>"

+```

+**Response:**

+```

+HTTP/1.1 200 OK

+Content-Length: 164

+Content-Type: application/json; charset=utf-8

+request-id: 4907feaf-88f1-4009-a1a5-ad366f04ee31

+api-supported-versions: 2023-01-15-preview,2023-05-01-preview

+x-envoy-upstream-service-time: 12

+Date: Thu, 06 Jul 2023 18:17:47 GMT

+Connection: close

+{

+ "value": [

+ {

+ "name": "my-ingestion",

+ "state": "Completed",

+ "createdDateTime": "2023-07-06T18:15:33.8105687Z",

+ "lastModifiedDateTime": "2023-07-06T18:15:34.3418564Z"

+ }

+ ]

+}

+```

+### Step 4: Perform searches with metadata

+After you add video files to the index, you can search for specific videos using metadata. This example demonstrates two types of searches: one using the "vision" feature and another using the "speech" feature.

+#### Search with "vision" feature

+To perform a search using the "vision" feature, specify the query text and any desired filters.

+```bash

+POST -v -X "https://<YOUR_ENDPOINT_URL>/computervision/retrieval/indexes/my-video-index:queryByText?api-version=2023-05-01-preview" -H "Ocp-Apim-Subscription-Key: <YOUR_SUBSCRIPTION_KEY>" -H "Content-Type: application/json" --data-ascii "

+{

+ 'queryText': 'a man with black hoodie',

+ 'filters': {

+ 'stringFilters': [

+ {

+ 'fieldName': 'cameraId',

+ 'values': [

+ 'camera1'

+ ]

+ }

+ ],

+ 'featureFilters': ['vision']

+ }

+}"

+```

+**Response:**

+```

+HTTP/1.1 200 OK

+Content-Length: 3289

+Content-Type: application/json; charset=utf-8

+request-id: 4c2477df-d89d-4a98-b433-611083324a3f

+api-supported-versions: 2023-05-01-preview

+x-envoy-upstream-service-time: 233

+Date: Thu, 06 Jul 2023 18:42:08 GMT

+Connection: close

+{

+ "value": [

+ {

+ "documentId": "02a504c9cd28296a8b74394ed7488045",

+ "documentKind": "VideoFrame",

+ "start": "00:01:58",

+ "end": "00:02:09",

+ "best": "00:02:03",

+ "relevance": 0.23974405229091644

+ },

+ {

+ "documentId": "02a504c9cd28296a8b74394ed7488045",

+ "documentKind": "VideoFrame",

+ "start": "00:02:27",

+ "end": "00:02:29",

+ "best": "00:02:27",

+ "relevance": 0.23762696981430054

+ },

+ {

+ "documentId": "02a504c9cd28296a8b74394ed7488045",

+ "documentKind": "VideoFrame",

+ "start": "00:00:26",

+ "end": "00:00:27",

+ "best": "00:00:26",

+ "relevance": 0.23250913619995117

+ },

+ ]

+}

+```

+#### Search with "speech" feature

+To perform a search using the "speech" feature, provide the query text and any desired filters.

+```bash

+curl.exe -v -X POST "https://<YOUR_ENDPOINT_URL>com/computervision/retrieval/indexes/my-video-index:queryByText?api-version=2023-05-01-preview" -H "Ocp-Apim-Subscription-Key: <YOUR_SUBSCRIPTION_KEY>" -H "Content-Type: application/json" --data-ascii "

+{

+ 'queryText': 'leave the area',

+ 'dedup': false,

+ 'filters': {

+ 'stringFilters': [

+ {

+ 'fieldName': 'cameraId',

+ 'values': [

+ 'camera1'

+ ]

+ }

+ ],

+ 'featureFilters': ['speech']

+ }

+}"

+```

+**Response:**

+```

+HTTP/1.1 200 OK

+Content-Length: 49001

+Content-Type: application/json; charset=utf-8

+request-id: b54577bb-1f46-44d8-9a91-c9326df3ac23

+api-supported-versions: 2023-05-01-preview

+x-envoy-upstream-service-time: 148

+Date: Thu, 06 Jul 2023 18:43:07 GMT

+Connection: close

+{

+ "value": [

+ {

+ "documentId": "02a504c9cd28296a8b74394ed7488045",

+ "documentKind": "SpeechTextSegment",

+ "start": "00:07:07.8400000",

+ "end": "00:07:08.4400000",

+ "best": "00:07:07.8400000",

+ "relevance": 0.8597901463508606

+ },

+ {

+ "documentId": "02a504c9cd28296a8b74394ed7488045",

+ "documentKind": "SpeechTextSegment",

+ "start": "00:07:02.0400000",

+ "end": "00:07:03.0400000",

+ "best": "00:07:02.0400000",

+ "relevance": 0.8506758213043213

+ },

+ {

+ "documentId": "02a504c9cd28296a8b74394ed7488045",

+ "documentKind": "SpeechTextSegment",

+ "start": "00:07:10.4400000",

+ "end": "00:07:11.5200000",

+ "best": "00:07:10.4400000",

+ "relevance": 0.8474636673927307

+ }

+ ]

+}

+```

+## Next steps

+[Multi-modal embeddings concepts](../concept-image-retrieval.md)

+## Video Retrieval

+Spatial Analysis Video Retrieval is a service that lets you create a search index, add documents (videos and images) to it, and search with natural language. Developers can define metadata schemas for each index and ingest metadata to the service to help with retrieval. Developers can also specify what features to extract from the index (vision, speech) and filter their search based on features.

+[Call the Video Retrieval APIs](./how-to/video-retrieval.md)

+## Multi-modal embeddings (v4.0 preview only)

+The multi-modal embeddings APIs enable the _vectorization_ of images and text queries. They convert images to coordinates in a multi-dimensional vector space. Then, incoming text queries can also be converted to vectors, and images can be matched to the text based on semantic closeness. This allows the user to search a set of images using text, without needing to use image tags or other metadata. Semantic closeness often produces better results in search.

+[Multi-modal embeddings](./concept-image-retrieval.md)

+Learn what's new in the service. These items might be release notes, videos, blog posts, and other types of information. Bookmark this page to stay up to date with new features, enhancements, fixes, and documentation updates.

+### Multi-modal embeddings APIs (public preview)

+The [Multi-modal embeddings APIs](./how-to/image-retrieval.md), part of the Image Analysis 4.0 API, enable the _vectorization_ of images and text queries. They let you convert images and text to coordinates in a multi-dimensional vector space. You can now search with natural language and find relevant images using vector similarity search.

+| Hate and Fairness | Hate and fairness-related harms refer to any content that attacks or uses pejorative or discriminatory language with reference to a person or identity group based on certain differentiating attributes of these groups including but not limited to race, ethnicity, nationality, gender identity and expression, sexual orientation, religion, immigration status, ability status, personal appearance, and body size. </br></br> Fairness is concerned with ensuring that AI systems treat all groups of people equitably without contributing to existing societal inequities. Similar to hate speech, fairness-related harms hinge upon disparate treatment of identity groups. |

+| Sexual | Sexual describes language related to anatomical organs and genitals, romantic relationships, acts portrayed in erotic or affectionate terms, pregnancy, physical sexual acts, including those portrayed as an assault or a forced sexual violent act against one's will, prostitution, pornography, and abuse. |

+| Violence | Violence describes language related to physical actions intended to hurt, injure, damage, or kill someone or something; describes weapons, guns and related entities, such as manufactures, associations, legislation, and so on. |

+| Self-Harm | Self-harm describes language related to physical actions intended to purposely hurt, injure, damage one's body or kill oneself. |

+**Text**: The current version of the text model supports the full 0-7 severity scale. The classifier detects amongst all severities along this scale.

+**Image**: The current version of the image model supports a trimmed version of the full 0-7 severity scale for image analysis. The classifier only returns severities 0, 2, 4, and 6; each two adjacent levels are mapped to a single level.

+| **Severity Level** | **Description** |

+| | |

+| Level 0 ΓÇô Safe | Content that might be related to violence, self-harm, sexual or hate & fairness categories, but the terms are used in general, journalistic, scientific, medical, or similar professional contexts that are **appropriate for most audiences**. This level doesn't include content unrelated to the above categories. |

+| Level 1 | Content that might be related to violence, self-harm, sexual or hate & fairness categories but the terms are used in general, journalistic, scientific, medial, and similar professional contexts that **may not be appropriate for all audiences**. This level might contain content that, in other contexts, might acquire a different meaning and higher severity level. Content can express **negative or positive sentiments towards identity groups or representations without endorsement of action.** |

+| Level 2 ΓÇô Low | Content that expresses **general hate speech that does not target identity groups**, expressions **targeting identity groups with positive sentiment or intent**, use cases exploring a **fictional world** (for example, gaming, literature) and depictions at low intensity. |

+| Level 3 | Content that expresses **prejudiced, judgmental or opinionated views**, including offensive use of language, stereotyping, and depictions aimed at **identity groups with negative sentiment**. |

+| Level 4 ΓÇô Medium | Content that **uses offensive, insulting language towards identity groups, including fantasies or harm at medium intensity**. |

+| Level 5 | Content that displays harmful instructions, **attacks against identity groups**, and **displays of harmful actions** with the **aim of furthering negative sentiments**. |

+| Level 6 ΓÇô High | Content that displays **harmful actions, damage** , including promotion of severe harmful acts, radicalization, and non-consensual power exchange or abuse. |

+| Level 7 | Content of the highest severity and maturity that **endorses, glorifies, or promotes extreme forms of activity towards identity groups**, includes extreme or illegal forms of harm, and radicalization. |

+|REST APIs (Authoring) | [REST API documentation](/rest/api/language/2023-04-01/text-analysis-authoring) |

+|REST APIs (Runtime) | [REST API documentation](/rest/api/language/2023-04-01/text-analysis-runtime/submit-job) |

+## Ingesting your data into Azure Cognitive Search

+> [!TIP]

+> For documents and datasets with long text, you should use the available [data preparation script](https://go.microsoft.com/fwlink/?linkid=2244395). The script chunks data so that your response with the service will be more accurate. This script also supports scanned PDF files and images.

+There are three different sources of data that you can use with Azure OpenAI on your data.

+* Blobs in an Azure storage container that you provide

+* Local files uploaded using the Azure OpenAI Studio

+* URLs/web addresses.

+Once data is ingested, an [Azure Cognitive Search](/azure/search/search-what-is-azure-search) index in your search resource gets created to integrate the information with Azure OpenAI models.

+**Data ingestion from Azure storage containers**

+1. Ingestion assets are created in Azure Cognitive Search resource and Azure storage account. Currently these assets are: indexers, indexes, data sources, a [custom skill](/azure/search/cognitive-search-custom-skill-interface) in the search resource, and a container (later called the chunks container) in the Azure storage account. You can specify the input Azure storage container using the [Azure OpenAI studio](https://oai.azure.com/), or the [ingestion API](../reference.md#start-an-ingestion-job).

+2. Data is read from the input container, contents are opened and chunked into small chunks with a maximum of 1024 tokens each. If vector search is enabled, the service will calculate the vector representing the embeddings on each chunk. The output of this step (called the "preprocessed" or "chunked" data) is stored in the chunks container created in the previous step.

+3. The preprocessed data is loaded from the chunks container, and indexed in the Azure Cognitive Search index.

+**Data ingestion from local files**

+Using the Azure OpenAI Studio, you can upload files from your machine. The service then stores the files to an Azure storage container and performs ingestion from the container.

+**Data ingestion from URLs**

+A crawling component first crawls the provided URL and stores its contents to an Azure Storage Container. The service then performs ingestion from the container.

+### Troubleshooting failed ingestion jobs

+To troubleshoot a failed job, always look out for errors or warnings specified either in the API response or Azure OpenAI studio. Here are some of the common errors and warnings:

+**Quota Limitations Issues**

+*An index with the name X in service Y could not be created. Index quota has been exceeded for this service. You must either delete unused indexes first, add a delay between index creation requests, or upgrade the service for higher limits.*

+*Standard indexer quota of X has been exceeded for this service. You currently have X standard indexers. You must either delete unused indexers first, change the indexer 'executionMode', or upgrade the service for higher limits.*

+Resolution:

+Upgrade to a higher pricing tier or delete unused assets.

+**Preprocessing Timeout Issues**

+*Could not execute skill because the Web Api request failed*

+*Could not execute skill because Web Api skill response is invalid*

+Resolution:

+Break down the input documents into smaller documents and try again.

+**Permissions Issues**

+*This request is not authorized to perform this operation*

+Resolution:

+This means the storage account is not accessible with the given credentials. In this case, please review the storage account credentials passed to the API and ensure the storage account is not hidden behind a private endpoint (if a private endpoint is not configured for this resource).

+## Custom parameters

+In the **Data parameters** section in Azure OpenAI Studio, you can modify following additional settings.

+|Parameter name | Description |

+|||

+|**Retrieved documents** | Specifies the number of top-scoring documents from your data index used to generate responses. You might want to increase the value when you have short documents or want to provide more context. The default value is 3. |

+| **Strictness** | Sets the threshold to categorize documents as relevant to your queries. Raising the value means a higher threshold for relevance and filters out more less-relevant documents for responses. Setting this value too high might cause the model to fail to generate responses due to limited available documents. The default value is 3. |

+See the following table for scenarios supported by virtual networks and private endpoints **when you bring your own Azure Cognitive Search index**.

+| Network access to the Azure OpenAI Resource | Network access to the Azure Cognitive search resource | Is vector search enabled? | Azure OpenAI studio | Chat with the model using the API |

+||-|||--|

+| Public | Public | Either | Supported | Supported |

+| Private | Public | Yes | Not supported | Supported |

+| Private | Public | No | Supported | Supported |

+| Regardless of resource access allowances | Private | Either | Not supported | Supported |

+Additionally, data ingestion has the following configuration support:

+| Network access to the Azure OpenAI Resource | Network access to the Azure Cognitive search resource | Azure OpenAI studio support | [Ingestion API](../reference.md#start-an-ingestion-job) support |

+||-|--|--|

+| Public | Public | Supported | Supported |

+| Private | Regardless of resource access allowances. | Not supported | Not supported |

+| Public | Private | Not supported | Not supported |

+|Azure RBAC role | Which resource needs this role? | Needed when |

+||||

+| [Cognitive Services OpenAI Contributor](../how-to/role-based-access-control.md#cognitive-services-openai-contributor) | The Azure Cognitive Search resource, to access Azure OpenAI resource. | You want to use Azure OpenAI on your data. |

+|[Search Index Data Reader](/azure/role-based-access-control/built-in-roles#search-index-data-reader) | The Azure OpenAI resource, to access the Azure Cognitive Search resource. | You want to use Azure OpenAI on your data. |

+|[Search Service Contributor](/azure/role-based-access-control/built-in-roles#search-service-contributor) | The Azure OpenAI resource, to access the Azure Cognitive Search resource. | You plan to create a new Azure Cognitive Search index. |

+|[Storage Blob Data Contributor](/azure/role-based-access-control/built-in-roles#storage-blob-data-contributor) | You have an existing Blob storage container that you want to use, instead of creating a new one. | The Azure Cognitive Search and Azure OpenAI resources, to access the storage account. |

+| [Cognitive Services OpenAI User](../how-to/role-based-access-control.md#cognitive-services-openai-user) | The web app, to access the Azure OpenAI resource. | You want to deploy a web app. |

+| [Contributor](/azure/role-based-access-control/built-in-roles#contributor) | Your subscription, to access Azure Resource Manager. | You want to deploy a web app. |

+| [Cognitive Services Contributor Role](/azure/role-based-access-control/built-in-roles#cognitive-services-contributor) | The Azure Cognitive Search resource, to access Azure OpenAI resource. | You want to deploy a [web app](#using-the-web-app). |

+> The system message is only guidance. The model might not adhere to every instruction specified because it has been primed with certain behaviors such as objectivity, and avoiding controversial statements. Unexpected behavior might occur if the system message contradicts with these behaviors.

+This option encourages the model to respond using your data only, and is selected by default. If you unselect this option, the model might more readily apply its internal knowledge to respond. Determine the correct selection based on your use case and scenario.

+The optimal search option can vary depending on your dataset and use-case. You might need to experiment with multiple options to determine which works best for your use-case.

+> Power Virtual Agents supports Azure Cognitive Search indexes with keyword or semantic search only. Other data sources and advanced features might not be supported.

+- Publishing creates an Azure App Service in your subscription. It might incur costs depending on the [pricing plan](https://azure.microsoft.com/pricing/details/app-service/windows/) you select. When you're done with your app, you can delete it from the Azure portal.

+OpenAI uses the `model` keyword argument to specify what model to use. Azure OpenAI has the concept of [deployments](create-resource.md?pivots=web-portal#deploy-a-model) and uses the `deployment_id` keyword argument to describe which model deployment to use. Azure OpenAI also supports the use of `engine` interchangeably with `deployment_id`. `deployment_id` corresponds to the custom name you chose for your model during model deployment. By convention in our docs, we often show `deployment_id`'s which match the underlying model name, but if you chose a different deployment name that doesn't match the model name you need to use that name when working with models in Azure OpenAI.

+ deployment_id="text-davinci-003" # This must match the custom deployment name you chose for your model.

+ deployment_id="gpt-4" # This must match the custom deployment name you chose for your model.

+ deployment_id="text-embedding-ada-002" # This must match the custom deployment name you chose for your model.

+ deployment_id="text-embedding-ada-002" # This must match the custom deployment name you chose for your model.

+| ```logprobs``` | integer | Optional | null | Include the log probabilities on the logprobs most likely tokens, as well the chosen tokens. For example, if logprobs is 10, the API will return a list of the 10 most likely tokens. the API will always return the logprob of the sampled token, so there might be up to logprobs+1 elements in the response. This parameter cannot be used with `gpt-35-turbo`. |

+|```functions``` | [`FunctionDefinition[]`](#functiondefinition) | Optional | | A list of functions the model can generate JSON inputs for. This parameter requires API version [`2023-07-01-preview`](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-07-01-preview/generated.json)|

+| name | string | The `name` of the author of this message. `name` is required if role is `function`, and it should be the name of the function whose response is in the `content`. Can contain a-z, A-Z, 0-9, and underscores, with a maximum length of 64 characters.|

+| arguments | string | The arguments to call the function with, as generated by the model in JSON format. Note that the model does not always generate valid JSON, and might fabricate parameters not defined by your function schema. Validate the arguments in your code before calling your function. |

+The definition of a caller-specified function that chat completions can invoke in response to matching user input. This requires API version [`2023-07-01-preview`](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-07-01-preview/generated.json)

+| `embeddingEndpoint` | string | Optional | null | The endpoint URL for an Ada embedding model deployment, generally of the format `https://YOUR_RESOURCE_NAME.openai.azure.com/openai/deployments/YOUR_DEPLOYMENT_NAME/embeddings?api-version=2023-05-15`. Use with the `embeddingKey` parameter for [vector search](./concepts/use-your-data.md#search-options) outside of private networks and private endpoints. |

+| `embeddingKey` | string | Optional | null | The API key for an Ada embedding model deployment. Use with `embeddingEndpoint` for [vector search](./concepts/use-your-data.md#search-options) outside of private networks and private endpoints. |

+| `embeddingDeploymentName` | string | Optional | null | The Ada embedding model deployment name within the same Azure OpenAI resource. Used instead of `embeddingEndpoint` and `embeddingKey` for [vector search](./concepts/use-your-data.md#search-options). Should only be used when both the `embeddingEndpoint` and `embeddingKey` parameters are defined. When this parameter is provided, Azure OpenAI on your data will use an internal call to evaluate the Ada embedding model, rather than calling the Azure OpenAI endpoint. This enables you to use vector search in private networks and private endpoints. Billing remains the same whether this parameter is defined or not. Available in regions where embedding models are [available](./concepts/models.md#embeddings-models-1) starting in API versions `2023-06-01-preview` and later.|

+### Start an ingestion job

+```console

+curl -i -X PUT https://YOUR_RESOURCE_NAME.openai.azure.com/openai/extensions/on-your-data/ingestion-jobs/JOB_NAME?api-version=2023-10-01-preview \

+-H "Content-Type: application/json" \

+-H "api-key: YOUR_API_KEY" \

+-H "searchServiceEndpoint: https://YOUR_AZURE_COGNITIVE_SEARCH_NAME.search.windows.net" \

+-H "searchServiceAdminKey: YOUR_SEARCH_SERVICE_ADMIN_KEY" \

+-H "storageConnectionString: YOUR_STORAGE_CONNECTION_STRING" \

+-H "storageContainer: YOUR_INPUT_CONTAINER" \

+-d '{ "dataRefreshIntervalInMinutes": 10 }'

+```

+### Example response

+```json

+{

+ "id": "test-1",

+ "dataRefreshIntervalInMinutes": 10,

+ "completionAction": "cleanUpAssets",

+ "status": "running",

+ "warnings": [],

+ "progress": {

+ "stageProgress": [

+ {

+ "name": "Preprocessing",

+ "totalItems": 100,

+ "processedItems": 100

+ },

+ {

+ "name": "Indexing",

+ "totalItems": 350,

+ "processedItems": 40

+ }

+ ]

+ }

+}

+```

+| Parameters | Type | Required? | Default | Description |

+||||||

+| `dataRefreshIntervalInMinutes` | string | Required | 0 | The data refresh interval in minutes. If you want to run a single ingestion job without a schedule, set this parameter to `0`. |

+| `completionAction` | string | Optional | `cleanUpAssets` | What should happen to the assets created during the ingestion process upon job completion. Valid values are `cleanUpAssets` or `keepAllAssets`. `keepAllAssets` leaves all the intermediate assets for users interested in reviewing the intermediate results, which can be helpful for debugging assets. `cleanUpAssets` removes the assets after job completion. |

+| `searchServiceEndpoint` | string | Required |null | The endpoint of the search resource in which the data will be ingested. |

+| `searchServiceAdminKey` | string | Optional | null | If provided, the key will be used to authenticate with the `searchServiceEndpoint`. If not provided, the system-assigned identity of the Azure OpenAI resource will be used. In this case, the system-assigned identity must have "Search Service Contributor" role assignment on the search resource. |

+| `storageConnectionString` | string | Required | null | The connection string for the storage account where the input data is located. An account key has to be provided in the connection string. It should look something like `DefaultEndpointsProtocol=https;AccountName=<your storage account>;AccountKey=<your account key>` |

+| `storageContainer` | string | Required | null | The name of the container where the input data is located. |

+| `embeddingEndpoint` | string | Optional | null | Not required if you use semantic or only keyword search. It is required if you use vector, hybrid, or hybrid + semantic search |

+| `embeddingKey` | string | Optional | null | The key of the embedding endpoint. This is required if the embedding endpoint is not empty. |

+### List ingestion jobs

+```console

+curl -i -X GET https://YOUR_RESOURCE_NAME.openai.azure.com/openai/extensions/on-your-data/ingestion-jobs?api-version=2023-10-01-preview \

+-H "api-key: YOUR_API_KEY"

+```

+

+### Example response

+```json

+{

+ "value": [

+ {

+ "id": "test-1",

+ "dataRefreshIntervalInMinutes": 10,

+ "completionAction": "cleanUpAssets",

+ "status": "succeeded",

+ "warnings": []

+ },

+ {

+ "id": "test-2",

+ "dataRefreshIntervalInMinutes": 10,

+ "completionAction": "cleanUpAssets",

+ "status": "failed",

+ "error": {

+ "code": "BadRequest",

+ "message": "Could not execute skill because the Web Api request failed."

+ },

+ "warnings": []

+ }

+ ]

+}

+```

+### Get the status of an ingestion job

+```console

+curl -i -X GET https://YOUR_RESOURCE_NAME.openai.azure.com/openai/extensions/on-your-data/ingestion-jobs/YOUR_JOB_NAME?api-version=2023-10-01-preview \

+-H "api-key: YOUR_API_KEY"

+```

+#### Example response body

+```json

+{

+ "id": "test-1",

+ "dataRefreshIntervalInMinutes": 10,

+ "completionAction": "cleanUpAssets",

+ "status": "succeeded",

+ "warnings": []

+}

+```

+- Fine-tuning access requires **Cognitive Services OpenAI Contributor**.

+- If you do not already have access to view quota, and deploy models in Azure OpenAI Studio you will require [additional permissions](../how-to/role-based-access-control.md).

+All built-in plugins are supported, so the [CoreDNS hosts][coredns hosts] plugin is available to customize /etc/hosts as well.

+1. Create a file named `corednsms.yaml` and paste the following example configuration. Make sure to update the IP addresses and hostnames with the values for your own environment.

+ ```yaml

+ apiVersion: v1

+ kind: ConfigMap

+ metadata:

+ name: coredns-custom # this is the name of the configmap you can overwrite with your changes

+ namespace: kube-system

+ data:

+ test.override: | # you may select any name here, but it must end with the .override file extension

+ hosts {

+ 10.0.0.1 example1.org

+ 10.0.0.2 example2.org

+ 10.0.0.3 example3.org

+ fallthrough

+ }

+ ```

+2. Create the ConfigMap using the [`kubectl apply configmap`][kubectl-apply] command and specify the name of your YAML manifest.

+ ```console

+ kubectl apply -f corednsms.yaml

+ ```

+3. To reload the ConfigMap and enable Kubernetes Scheduler to restart CoreDNS without downtime, perform a rolling restart using [`kubectl rollout restart`][kubectl-rollout].

+ ```console

+ kubectl -n kube-system rollout restart deployment coredns

+ ```

+* AKS uses an admission controller to inject the FQDN as an environment variable to all deployments under kube-system and gatekeeper-system. This ensures all system communication between nodes and API server uses the API server FQDN and not the API server IP. You can get the same behavior on your own pods, in any namespace, by annotating the pod spec with an annotation named `kubernetes.azure.com/set-kube-service-host-fqdn`. If that annotation is present, AKS will set the KUBERNETES_SERVICE_HOST variable to the domain name of the API server instead of the in-cluster service IP. This is useful in cases where the cluster egress is via a layer 7 firewall.

+* If you have an app or solution that needs to talk to the API server, you must either add an **additional** network rule to allow **TCP communication to port 443 of your API server's IP** **OR** , if you have a layer 7 firewall configured to allow traffic to the API Server's domain name, set `kubernetes.azure.com/set-kube-service-host-fqdn` in your pod specs.

+AKS automatically stops upgrade operations consisting of a minor version change if deprecated APIs are detected. This feature alerts you with an error message if it detects usage of APIs that are deprecated in the targeted version.

+> This method requires you to use the Azure CLI version 2.53 or later. This method isn't recommended, as deprecated APIs in the targeted Kubernetes version may not work long term. We recommend to removing them as soon as possible after the upgrade completes.

+* **Avoid logging request/response body for Azure Monitor, Application Insights, and Event Hubs** - You can configure API request logging for Azure Monitor or Application Insights using diagnostic settings. The diagnostic settings allow you to log the request/response body at various stages of the request execution. For APIs that implement SSE, this can cause unexpected buffering which can lead to problems. Diagnostic settings for Azure Monitor and Application Insights configured at the global/All APIs scope apply to all APIs in the service. You can override the settings for individual APIs as needed. When logging to Event Hubs, you configure the scope and amount of context information for request/response logging by using the [log-to-eventhubs](api-management-howto-log-event-hubs.md#configure-log-to-eventhub-policy). For APIs that implement SSE, ensure you have disabled request/response body logging for Azure Monitor, Application Insights, and Event Hubs.

+ * You may use a plan created using either the Network DDoS protection SKU or IP DDoS Protection SKU. See [Azure DDoS Protection SKU Comparison](../ddos-protection/ddos-protection-sku-comparison.md).

+ token-value="expression returning the token as a string (alternatively, use header-name or query-parameter attribute to specify token)"

+### Certificate renewal

+The certificate used by the gateway-required virtual network integration has a lifespan of 8 years. If you have apps with gateway-required virtual network integrations that live longer you will have to renew the certificate. You can validate if your certificate has expired or has less than 6 month to expiry by visiting the VNet Integration page in Azure portal.

+You can renew your certificate when the portal shows a near expiry or expired certificate. To renew the certificate you need to disconnect and reconnect the virtual network. Reconnecting will cause a brief outage in connectivity between your app and your virtual network. Your app isn't restarted, but the loss of connectivity could cause your site to not function properly.

+You need to create an "ini" file to add your settings to. In this example, we use "extensions.ini". There are no file editors such as Vi, Vim, or Nano so you'll use echo to add the settings to the file. Change the "upload_max_filesize" from 2M to 50M. Use the following command to add the setting and create an "extensions.ini" file if one doesn't already exist.

+4. For the App Setting Name, enter "PHP_INI_SCAN_DIR" and for value, enter "/home/site/wwwroot/ini".

+| Poland Central | ✅ | ✅ | |

+ Title: Enable logging in Azure Attestation

+description: Enable logging in Azure Attestation

+# Enable logging in Azure Attestation

+After you create one or more Azure Attestation providers, you'll likely want to monitor how and when your resources are accessed, and by whom. You can do this by enabling logging for Microsoft Azure Attestation, which saves information in an Azure storage account and/or log analytics workspace you provide.

+## What is logged

+- All authenticated REST API requests, including failed requests because of access permissions, system errors, or bad requests.

+- Operations on the attestation provider, including setting of attestation policy and attest operations.

+- Unauthenticated requests that result in a 401 response. Examples are requests that lack a bearer token, are malformed or expired, or have an invalid token.

+## Prerequisites

+To complete this tutorial, you will need an Azure Attestation provider. You can create a new provider using one of these methods:

+- [Create an attestation provider using the Azure CLI](quickstart-azure-cli.md)

+- [Create an attestation provider using Azure PowerShell](quickstart-powershell.md)

+- [Create an attestation provider using the Azure portal](quickstart-portal.md)

+You will also need a destination for your logs. This can be an existing or new Azure storage account and/or Log Analytics workspace. You can create a new Azure storage account using one of these methods:

+- [Create a storage account using the Azure CLI](../storage/common/storage-account-create.md)

+- [Create a storage account using Azure PowerShell](../storage/common/storage-account-create.md)

+- [Create a storage account using the Azure portal](../storage/common/storage-account-create.md)

+You can create a new Log Analytics workspace using one of these methods:

+- [Create a Log Analytics workspace using the Azure CLI](../azure-monitor/logs/quick-create-workspace.md)

+- [Create a Log Analytics workspace using Azure PowerShell](../azure-monitor/logs/quick-create-workspace.md)

+- [Create a Log Analytics workspace the Azure portal](../azure-monitor/logs/quick-create-workspace.md)

+ ## Enable logging

+ You can enable logging for Azure Attestation by using the Azure PowerShell, or the Azure portal.

+ ### Using PowerShell with storage account as destination

+```powershell

+ Connect-AzAccount

+ Set-AzContext -Subscription "<Subscription id>"

+ $attestationProviderName="<Name of the attestation provider>"

+ $attestationResourceGroup="<Name of the resource Group>"

+ $attestationProvider=Get-AzAttestation -Name $attestationProviderName -ResourceGroupName $attestationResourceGroup

+ $storageAccount=New-AzStorageAccount -ResourceGroupName $attestationProvider.ResourceGroupName -Name "<Storage Account Name>" -SkuName Standard_LRS -Location "<Location>"

+ Set-AzDiagnosticSetting -ResourceId $attestationProvider.Id -StorageAccountId $storageAccount.Id -Enabled $true

+```

+ When logging is enabled, logs are automatically created for you in **Containers** section of the specified storage account. Please expect some delay for the logs to appear in containers section.

+ ### Using portal

+To configure diagnostic settings in the Azure portal, follow these steps:

+1. From the Resource pane menu, select **Diagnostic settings**, and then **Add diagnostic setting**

+2. Under **Category groups**, select both **audit** and **allLogs**.

+3. If Azure Log Analytics is the destination, select **Send to Log Analytics workspace** and choose your subscription and workspace from the drop-down menus. You might also select **Archive to a storage account** and choose your subscription and storage account from the drop-down menus.

+4. When you have selected your desired options, selectΓÇ»**Save**.

+## Access your logs from storage account

+When logging is enabled, upto three containers will be automatically created in your specified storage account: **insights-logs-operational, insights-logs-auditevent and insights-logs-notprocessed**. Please expect some delay for the logs to appear in containers section.

+**insights-logs-notprocessed** includes logs related to malformed requests. **insights-logs-auditevent** was created to provide early access to logs for customers using VBS. To view the logs, you have to download blobs.

+### Using PowerShell

+With Azure PowerShell, useΓÇ»[Get-AzStorageBlob](/powershell/module/az.storage/get-azstorageblob). To list all the blobs in this container, enter:

+```powershell

+$operationalBlob= Get-AzStorageBlob -Container " insights-logs-operational" -Context $storageAccount.Context

+$operationalBlob.Name

+```

+From the output of the Azure PowerShell cmdlet, you can see that the names of the blobs are in the following format:ΓÇ»

+```

+resourceId=<ARM resource ID>/y=<year>/m=<month>/d=<day of month>/h=<hour>/m=<minute>/filename.json.

+```

+The date and time values use Coordinated Universal Time.

+### Using portal

+To access logs in the Azure portal, follow these steps:

+1. Open your storage account and click on **Containers** from resource pane menu

+2. Select **insights-logs-operational** and follow the navigation shown in the below screenshot to locate a json file and view the logs

+[  ](./media/view-logs-expanded.png#lightbox)

+## Use Azure Monitor logs

+You can use Azure Monitor logs to review activity in Azure Attestation resources. In Azure Monitor logs, you use log queries to analyze data and get the information you need. For more information, see [Monitoring Azure Attestation](monitor-logs.md)

+## Next steps

+- For information on how to interpret logs, seeΓÇ»[Azure Attestation logging](view-logs.md)

+- To learn more about using Azure Monitor for analyzing Azure Attestation logs, seeΓÇ»[Monitoring Azure Attestation](monitor-logs.md).

+ Title: Azure Attestation monitoring data reference

+description: Azure Attestation monitoring data reference

+# Data reference of Azure Attestation logs

+The section below provides reference to the details of Azure Attestation logs. See [Monitor Azure Attestation](monitor-logs.md) for details on collecting and analyzing monitoring data for Azure Attestation.

+## Resource logs

+This section lists the types of resource logs you can collect for Azure Attestation. For full details, seeΓÇ»[Azure Attestation logging](view-logs.md).

+## Azure Monitor Logs tables

+This section refers to all the Azure Monitor Logs Attestation tables relevant to Azure Attestation and available for query by Log Analytics.

+For a reference of all Azure Monitor Logs / Log Analytics tables, including information about what columns are available for Azure Attestation see the [Azure Monitor Log Table Reference](/azure/azure-monitor/reference/tables/tables-resourcetype).

+## Diagnostics tables

+Azure Attestation uses the [Azure Activity](/azure/azure-monitor/reference/tables/azureactivity) and [Azure Attestation Diagnostics](/azure/azure-monitor/reference/tables/azureattestationdiagnostics) tables to store resource log information.

+ Title: Monitor Azure Attestation

+description: Monitoring Azure Attestation

+# Monitor Azure Attestation

+This article describes the monitoring data generated by Azure Attestation and steps to analyze the same. Azure Attestation uses [Azure Monitor](../azure-monitor/overview.md).ΓÇ» If you are unfamiliar with the features of Azure Monitor common to all Azure services that use it, readΓÇ»[Monitoring Azure resources with Azure Monitor](../azure-monitor/essentials/monitor-azure-resource.md).

+## Monitoring data

+Azure Attestation collects the same kind of monitoring data as other Azure resources that are described inΓÇ»[Monitoring data from Azure resources](../azure-monitor/essentials/monitor-azure-resource.md).

+See Azure [Attestation Monitoring data reference](../attestation/logs-data-reference.md) for detailed information on the monitoring logs generated by Azure Attestation.

+## Collection and routing

+Activity logs are collected and stored automatically, but can be routed to other locations by using a diagnostic setting. Resource Logs are not collected and stored until you create a diagnostic setting and route them to one or more locations. More details can be found [here](../azure-monitor/essentials/diagnostic-settings.md)

+To create a diagnostic setting for Azure Attestation, seeΓÇ»[Azure Attestation logging](../attestation/enable-logging.md).

+## Analyze logs using log analytics

+Log Analytics is a tool in the Azure portal that's used to edit and run log queries against data in the Azure Monitor Logs store. To leverage log analytics where you can run complex queries, select log analytics workspace as one of the destinations while creating the diagnostic setting.

+Once the diagnostic setting is created, when you select Logs from the Azure Monitor menu, Log Analytics is opened with the query scope set to the current attestation provider. This means that log queries will only include data from that resource. See [Log query scope and time range in Azure Monitor Log Analytics](../azure-monitor/logs/scope.md) for details.

+Here are some queries that you can enter into the Log search bar to help you monitor your Key Vault resources. These queries work with the [new language](../azure-monitor/logs/log-query-overview.md).

+- Are there any authorization failures?

+- Are there any policy configuration failures?

+- Are there any slow requests?

+- Have there been any changes to attestation policy?

+- Who is calling this attestation provider?

+- How active has this Attestation provider been?

+## Next steps

+- For information on how to interpret logs, seeΓÇ»[Azure Attestation logging](../attestation/view-logs.md)

+When logging is enabled, up to three containers might be automatically created for you in your specified storage account: **insights-logs-auditevent, insights-logs-operational, insights-logs-notprocessed**. It is recommended to only use **insights-logs-operational** and **insights-logs-notprocessed**. **insights-logs-auditevent** was created to provide early access to logs for customers using VBS. Future enhancements to logging will occur in the **insights-logs-operational** and **insights-logs-notprocessed**.

+- [How to enable Microsoft Azure Attestation logging](enable-logging.md)

+[Azure Data Studio](/azure-data-studio/what-is-azure-data-studio) provides an experience similar to the Azure portal for viewing information about your Azure Arc resources. These views are called **dashboards** and have a layout and options similar to what you could see about a given resource in the Azure portal, but give you the flexibility of seeing that information locally in your environment in cases where you don't have a connection available to Azure.

+- Download [Azure Data Studio](/azure-data-studio/download-azure-data-studio)

+From your domain joined Windows-based client machine or a Linux-based domain aware machine, you can use `sqlcmd` utility, or open [SQL Server Management Studio](/sql/ssms/download-sql-server-management-studio-ssms) or [Azure Data Studio (ADS)](/azure-data-studio/download-azure-data-studio) to connect to the Azure Arc-enabled SQL Managed Instance using AD authentication.

+You can use the PostgreSQL Instance endpoint to connect to the PostgreSQL server from your favorite tool: [Azure Data Studio](/azure-data-studio/download-azure-data-studio), [pgcli](https://www.pgcli.com/) psql, pgAdmin, etc.

+| Azure Data Studio | Yes | Rich experience tool for connecting to and querying a variety of databases including Azure SQL, SQL Server, PostrgreSQL, and MySQL. Extensions to Azure Data Studio provide an administration experience for Azure Arc-enabled data services. | [Install](/azure-data-studio/download-azure-data-studio) |

+| [Azure Data Studio](/azure-data-studio/what-is-azure-data-studio) | Yes |

+The following improvements are available in [Azure Data Studio](/azure-data-studio/download-azure-data-studio).

+Install or update to the latest version of [Arc extension for Azure Data Studio](/azure-data-studio/extensions/azure-arc-extension).

+Upgrading takes your Arc resource bridge to the next appliance version, which might not be the latest available appliance version. Multiple upgrades could be needed to reach the minimum n-3 supported version. You can check your appliance version by checking the Azure resource of your Arc resource bridge.

+Currently, some private cloud providers differ in how they handle Arc resource bridge upgrades.

+For Arc-enabled VMware, both cloud-managed upgrade and manual upgrade are supported.

+[Azure Arc VM management (preview) on Azure Stack HCI](/azure-stack/hci/manage/azure-arc-vm-management-overview) supports upgrade of an Arc resource bridge on Azure Stack HCI, version 22H2 up until Arc resource bridge version 1.0.14 and `az arcappliance` CLI extension version 0.2.33. These upgrades can be done through manual upgrade or a support request for cloud-managed upgrade. For additional upgrades afterwards, you must transition to Azure Stack HCI, version 23H2 (preview). In version 23H2 (preview), the LCM tool manages upgrades across all components as a "validated recipe" package. For more information, visit the [Arc VM management FAQ page](/azure-stack/hci/manage/azure-arc-vms-faq).

+For Arc-enabled SCVMM, the upgrade feature isn't available yet. Review the steps for [performing the disaster recovery operation](/azure/azure-arc/system-center-virtual-machine-manager/disaster-recovery), then delete the appliance VM from SCVMM and perform the recovery steps.  This deploys a new resource bridge and reconnect pre-existing Azure resources.

+The Arc resource bridge version is tied to the versions of underlying components used in the appliance image, such as the Kubernetes version. When there is a change in the appliance image, the Arc resource bridge version gets incremented. This generally happens when a new `az arcappliance` CLI extension version is released. A new extension is typically released on a monthly cadence at the end of the month. For detailed release info, refer to the [Arc resource bridge release notes](https://github.com/Azure/ArcResourceBridge/releases) on GitHub.

+Incremental summaries uploaded to Azure Fluid Relay can't exceed 28 MB in size. If the size of the document grows above 95 MB, subsequent client load or join requests will fail. For more information, see [Fluid Framework Summarizer](https://fluidframework.com/docs/concepts/summarizer).

+Setting up change tracking for use with the Azure SQL trigger requires two steps. These steps can be completed from any SQL tool that supports running queries, including [Visual Studio Code](/sql/tools/visual-studio-code/mssql-extensions), [Azure Data Studio](/azure-data-studio/download-azure-data-studio) or [SQL Server Management Studio](/sql/ssms/download-sql-server-management-studio-ssms).

+1. [Create and activate a virtual environment](./create-first-function-cli-python.md?tabs=macos%2Cbash%2Cazure-cli&pivots=python-mode-decorators#create-venv).

+1. [Create and activate a virtual environment](./create-first-function-cli-python.md?tabs=macos%2Cbash%2Cazure-cli&pivots=python-mode-decorators#create-venv)

+1. [Create and activate a virtual environment](create-first-function-cli-python.md?tabs=macos%2Cbash%2Cazure-cli&pivots=python-mode-decorators#create-venv).

+1. [Create and activate a virtual environment](create-first-function-cli-python.md?tabs=macos%2Cbash%2Cazure-cli&pivots=python-mode-decorators#create-venv).

+1. [Create and activate a virtual environment](create-first-function-cli-python.md?tabs=macos%2Cbash%2Cazure-cli&pivots=python-mode-decorators#create-venv).

+1. [Create and activate a virtual environment](create-first-function-cli-python.md?tabs=macos%2Cbash%2Cazure-cli&pivots=python-mode-decorators#create-venv).

+1. [Create and activate a virtual environment](create-first-function-cli-python.md?tabs=macos%2Cbash%2Cazure-cli&pivots=python-mode-decorators#create-venv).

+1. [Create and activate a virtual environment](create-first-function-cli-python.md?tabs=macos%2Cbash%2Cazure-cli&pivots=python-mode-decorators#create-venv).

+1. [Create and activate a virtual environment](create-first-function-cli-python.md?tabs=macos%2Cbash%2Cazure-cli&pivots=python-mode-decorators#create-venv).

+{

+ |Override query time range| If you want the alert evaluation period to be different than the query time range, enter a time range here.<br> The alert time range is limited to a maximum of two days. Even if the query contains an **ago** command with a time range of longer than two days, the two-day maximum time range is applied. For example, even if the query text contains **ago(7d)**, the query only scans up to two days of data. If the query requires more data than the alert evaluation you can change the time range manually. If the query contains **ago** command, it will be changed automatically to 2 days (48 hours).|

+> [OpenCensus Python SDK is deprecated](https://opentelemetry.io/blog/2023/sunsetting-opencensus/), but Microsoft supports it until retirement on September 30, 2024. We now recommend the [OpenTelemetry-based Python offering](./opentelemetry-enable.md?tabs=python) and provide [migration guidance](./opentelemetry-python-opencensus-migrate.md?tabs=aspnetcore).

+- Add an additional Data Collection Rule Association (DCRA) with the relevant Data Collection Rule (DCR). This associates the DCR with the cluster. You must replace `<dcraName>`:

+Use the [az storage account management-policy create](/cli/azure/storage/account/management-policy#az-storage-account-management-policy-create) command to create a lifecycle management policy. You must still set the retention in your diagnostic settings to *0*. See the Azure portal section above for more information.

+The sample policy definition file below sets the retention for all blobs in the container *insights-activity-logs* for the given subscription ID. For more information, see [Lifecycle management policy definition](../../storage/blobs/lifecycle-management-overview.md#lifecycle-management-policy-definition).

+* When you restore a backup to a new volume, you can configure the new volume with Basic or Standard network features.

+* When you change the network features option of existing volumes from Basic to Standard network features, access to existing Basic networking volumes might be lost if your UDR or NSG implementations prevent the Basic networking volumes from connecting to DNS and domain controllers. You might also lose the ability to update information, such as the site name, in the Active Directory connector if all volumes canΓÇÖt communicate with DNS and domain controllers. For guidance about UDRs and NSGs, see [Configure network features for an Azure NetApp Files volume](azure-netapp-files-network-topologies.md#udrs-and-nsgs).

+## readEnvironmentVariable

+- To learn about creating Bicep files, see [file](./file.md).

+- App Service apps with virtual network integration cannot be moved. Remove the virtual network integration and reconnect it after the move.

+> | dnsForwardingRuleset | resource group | 1-80 | Alphanumerics, underscores and hyphens.<br><br>Start with alphanumeric. End alphanumeric. |

+> | dnsResolvers | resource group | 1-80 | Alphanumerics, underscores and hyphens.<br><br>Start with alphanumeric. End alphanumeric. |

+> | dnsResolvers / inboundEndpoints | resource group | 1-80 | Alphanumerics, underscores and hyphens.<br><br>Start with alphanumeric. End alphanumeric. |

+> | dnsResolvers / outboundEndpoints | resource group | 1-80 | Alphanumerics, underscores and hyphens.<br><br>Start with alphanumeric. End alphanumeric. |

+## Certificate rotation

+If you don't specify a secret version when creating custom certificate, Azure SignalR Service periodically checks latest version in Key Vault. When a new version is observed, it's automatically applied. The delay is usually within 1 hour.

+Alternatively, you can also pin custom certificate to a specific secret version in Key Vault. When you need to apply a new certificate, you can edit the secret version and then update custom certificate proactively.

+- You can configure replication by using [SQL Server Management Studio](/sql/ssms/download-sql-server-management-studio-ssms). You can also do so by running Transact-SQL statements on the publisher, by using either SQL Server Management Studio or [Azure Data Studio](/azure-data-studio/download-azure-data-studio).

+- [Azure Data Studio](/azure-data-studio/download-azure-data-studio)

+To connect to an instance of Azure SQL Edge by using Azure Data Studio on a Windows, macOS or Linux machine, see [Azure Data Studio](/azure-data-studio/quickstart-sql-server).

+ - Use [SQL Database Project Extension - Azure Data Studio](/azure-data-studio/extensions/sql-database-project-extension-getting-started) to [create a new database project or export an existing database](/azure-data-studio/extensions/sql-database-project-extension-getting-started)

+- Install [Azure Data Studio](/azure-data-studio/download-azure-data-studio).

+ 1. Open [New Notebook](/azure-data-studio/notebooks/sql-kernel) connected to the Python 3 Kernel.

+- [Azure Data Studio](/azure-data-studio/what-is-azure-data-studio) - A free, downloadable, cross platform database tool for data professional using the Microsoft family of on-premises and cloud data platforms on Windows, macOS, and Linux.

+1. Install [Azure Data Studio](/azure-data-studio/download-azure-data-studio/)

+1. Open Azure Data Studio and configure Python for notebooks. For details, see [Configure Python for Notebooks](/azure-data-studio/notebooks/notebooks-python-kernel). This step can take several minutes.

+- Use [SQL Server Management Studio](/sql/ssms/download-sql-server-management-studio-ssms/) or [Azure Data Studio](/azure-data-studio/download-azure-data-studio//) to connect to SQL Edge. Run a SQL script to create the database and table.

+ Yes, you can select multiple clusters at the time of creating the datastore. Additional clusters may be added or removed after the initial creation as well.

+- **Can a single Azure NetApp Files datastore be added to multiple clusters within different Azure VMware Solution SDDCs?**

+ - **Destination Storage:** Remote datastore for the protected VMs, and in an Azure VMware Solution private cloud, which can be a vSAN datastore or an [Azure NetApp Files datastore](attach-azure-netapp-files-to-azure-vmware-solution-hosts.md).

+ Title: Migrate Microsoft SQL Server Always On Availablity Group to Azure VMware Solution

+description: Learn how to migrate Microsoft SQL Server Always On Availability Group to Azure VMware Solution.

+This scenario was validated using the following editions and configurations:

+- Microsoft SQL Server (2019 and 2022)

+- Windows Server (2019 and 2022) Data Center edition

+- Windows Server and SQL Server were configured following best practices and recommendations from Microsoft and VMware.

+- The on-premises source infrastructure was VMware vSphere 7.0 Update 3 and VMware vSAN running on Dell PowerEdge servers and Intel Optane P4800X SSD NVMe devices.

+## Certificate rotation

+If you don't specify a secret version when creating custom certificate, Azure Web PubSub Service periodically checks latest version in Key Vault. When a new version is observed, it's automatically applied. The delay is usually within 1 hour.

+Alternatively, you can also pin custom certificate to a specific secret version in Key Vault. When you need to apply a new certificate, you can edit the secret version and then update custom certificate proactively.

+* [What is Azure DNS](../dns/dns-overview.md)

+[Manage TLS](/windows-server/security/tls/manage-tls) for cipher suite order enforcement and

+[TLS registry settings](/windows-server/security/tls/tls-registry-settings) for SSL/TLS version

+| | Set custom display name for the callee when making a call offer to a Microsoft Teams user | Only on Microsoft Teams desktop and web client | Only on Microsoft Teams desktop and web client |

+ Title: Azure Communication Services support for Managed Identity

+description: Learn about using Managed Identity with Azure Communication Services

+# How to use Managed Identity with Azure Communication Services

+Azure Communication Services (ACS) is a fully managed communication platform that enables developers to build real-time communication features into their applications. By using Managed Identity with Azure Communication Services, you can simplify the authentication process for your application, while also increasing its security. This document covers how to use Managed Identity with Azure Communication Services.

+## Using Managed Identity with ACS

+ACS supports using Managed Identity to authenticate with the service. By using Managed Identity, you can eliminate the need to manage your own access tokens and credentials.

+Your ACS resource can be assigned two types of identity:

+1. A **System Assigned Identity** which is tied to your resource and is deleted when your resource is deleted.

+ Your resource can only have one system-assigned identity.

+2. A **User Assigned Identity** which is an Azure resource that can be assigned to your ACS resource. This identity isn't deleted when your resource is deleted. Your resource can have multiple user-assigned identities.

+To use Managed Identity with ACS, follow these steps:

+1. Grant your Managed Identity access to the Communication Services resource. This assignment can be through the Azure portal, Azure CLI and the Azure Communication Management SDKs.

+2. Use the Managed Identity to authenticate with ACS. Authentication can be done through the Azure SDKs or REST APIs that support Managed Identity.

+--

+## Add a system-assigned identity

+# [Azure portal](#tab/portal)

+1. In the left navigation of your app's page, scroll down to the **Settings** group.

+2. Select **Identity**.

+3. Within the **System assigned** tab, switch **Status** to **On**. Select **Save**.

+ :::image type="content" source="../media/managed-identity/managed-identity-system-assigned.png" alt-text="Screenshot that shows how to enable system assigned managed identity." lightbox="../media/managed-identity/managed-identity-system-assigned.png" :::

+# [Azure CLI](#tab/cli)

+Run the `az communication identity assign` command to assign a system-assigned identity:

+```azurecli-interactive

+az communication identity assign --system-assigned --name myApp --resource-group myResourceGroup

+```

+--

+## Add a user-assigned identity

+Assigning a user-assigned identity to your ACS resource requires that you first create the identity and then add its resource identifier to your Communication service resource.

+# [Azure portal](#tab/portal)

+First, you need to create a user-assigned managed identity resource.

+1. Create a user-assigned managed identity resource according to [these instructions](~/articles/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md#create-a-user-assigned-managed-identity).

+2. In the left navigation for your app's page, scroll down to the **Settings** group.

+3. Select **Identity**.

+4. Select **User assigned** > **Add**.

+5. Search for the identity you created earlier, select it, and select **Add**.

+ :::image type="content" source="../media/managed-identity/managed-identity-user-assigned.png" alt-text="Screenshot that shows how to enable user assigned managed identity." lightbox="../media/managed-identity/managed-identity-user-assigned.png" :::

+# [Azure CLI](#tab/cli)

+1. Create a user-assigned identity.

+ ```azurepowershell-interactive

+ az identity create --resource-group <group-name> --name <identity-name>

+ ```

+2. Run the `az communication identity assign` command to assign a user-assigned identity:

+```azurecli-interactive

+az communication identity assign --name myApp --resource-group myResourceGroup --user-assigned <identity-id>

+```

+--

+## Managed Identity using ACS management SDKs

+Managed Identity can also be assigned to your ACS resource using the Azure Communication Management SDKs.

+This assignment can be achieved by introducing the identity property in the resource definition either on creation or when updating the resource.

+# [.NET](#tab/dotnet)

+You can assign your managed identity to your ACS resource using the Azure Communication Management SDK for .NET by setting the `Identity` property on the `CommunicationServiceResourceData `.

+For example:

+```csharp

+public async Task CreateResourceWithSystemAssignedManagedIdentity()

+{

+ ArmClient armClient = new ArmClient(new DefaultAzureCredential());

+ SubscriptionResource subscription = await armClient.GetDefaultSubscriptionAsync();

+ //Create Resource group

+ ResourceGroupCollection rgCollection = subscription.GetResourceGroups();

+ // With the collection, we can create a new resource group with an specific name

+ string rgName = "myRgName";

+ AzureLocation location = AzureLocation.WestUS2;

+ ArmOperation<ResourceGroupResource> lro = await rgCollection.CreateOrUpdateAsync(WaitUntil.Completed, rgName, new ResourceGroupData(location));

+ ResourceGroupResource resourceGroup = lro.Value;

+ // get resource group collection

+ CommunicationServiceResourceCollection collection = resourceGroup.GetCommunicationServiceResources();

+ string communicationServiceName = "myCommunicationService";

+

+ // Create Communication Service Resource

+ var identity = new ManagedServiceIdentity(ManagedServiceIdentityType.SystemAssigned);

+ CommunicationServiceResourceData data = new CommunicationServiceResourceData("global")

+ {

+ DataLocation = "UnitedStates",

+ Identity = identity

+ };

+ var communicationServiceLro = await collection.GetCommunicationServiceResources().CreateOrUpdateAsync(WaitUntil.Completed, communicationServiceName, data);

+ var resource = communicationServiceLro.Value;

+}

+```

+For more information on using the .NET Management SDK, see [Azure Communication Management SDK for .NET](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/communication/Azure.ResourceManager.Communication/README.md).

+For more information specific to managing your resource instance, see [Managing your Communication Service Resource instance](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/communication/Azure.ResourceManager.Communication/samples/Sample1_ManagingCommunicationService.md)

+# [JavaScript](#tab/javascript)

+For Node.js apps and JavaScript functions, samples on how to create or update your ACS resource with a managed identity can be found in the [Azure Communication Management Developer Samples for JavaScript](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/communication/arm-communication/samples-dev/communicationServicesCreateOrUpdateSample.ts)

+For more information on using the JavaScript Management SDK, see [Azure Communication Management SDK for JavaScript](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/communication/arm-communication/README.md)

+# [Python](#tab/python)

+For Python apps and functions, Code Samples on how to create or update your ACS resource with a managed identity can be found in the [Azure Communication Management Developer Samples for Python](https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/communication/azure-mgmt-communication/generated_samples/communication_services/create_or_update_with_system_assigned_identity.py)

+For more information on using the python Management SDK, see [Azure Communication Management SDK for Python](https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/communication/azure-mgmt-communication/README.md)

+# [Java](#tab/java)

+For Java apps and functions, Code Samples on how to create or update your ACS resource with a managed identity can be found in the [Azure Communication Management Developer Samples for Java](https://github.com/Azure/azure-sdk-for-java/blob/main/sdk/communication/azure-resourcemanager-communication/src/samples/java/com/azure/resourcemanager/communication/generated/CommunicationServicesCreateOrUpdateSamples.java).

+For more information on using the java Management SDK, see [Azure Communication Management SDK for Java](https://github.com/Azure/azure-sdk-for-jav)

+# [GoLang](#tab/go)

+For Golang apps and functions, Code Samples on how to create or update your ACS resource with a managed identity can be found in the [Azure Communication Management Developer Samples for Golang](https://github.com/Azure/azure-sdk-for-go/blob/main/sdk/resourcemanager/communication/armcommunication/services_client_example_test.go).

+For more information on using the golang Management SDK, see [Azure Communication Management SDK for Golang](https://github.com/Azure/azure-sdk-for-go/blob/main/sdk/resourcemanager/communication/armcommunication/README.md)

+--

+> [!NOTE]

+> A resource can have both system-assigned and user-assigned identities at the same time. In this case, the `type` property would be `SystemAssigned,UserAssigned`.

+>

+>Removing all managed identity assignments from a resource can also be acheived by specifying the `type` property as `None`.

+## Next steps

+Now that you have learned how to enable Managed Identity with Azure Communication Services. Consider implementing this feature in your own applications to simplify your authentication process and improve security.

+- [Managed Identities](~/articles/active-directory/managed-identities-azure-resources/overview.md)

+- [Manage user-assigned managed identities](~/articles/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md)

+You can take a look at [voice and video calling events](../../event-grid/communication-services-voice-video-events.md) available using Event Grid.

+* [The Azure Event Grid topic](../../event-grid/custom-event-quickstart-portal.md): Create an Azure Event Grid topic in your Azure subscription, it's used to send events when incoming calls occur.

+After you have deployed Azure Communications Gateway and connected it to your core network, you need to connect it to Microsoft Phone System. You also need to onboard to the Operator Connect or Teams Phone Mobile environments.

+After you have deployed Azure Communications Gateway and connected it to your core network, you need to connect it to Microsoft Phone System.

+- Configure the SIP trunks to Azure Communications Gateway in your tenant to support PIDF-LO. You typically set this configuration when you [set up Direct Routing support](connect-teams-direct-routing.md#connect-your-tenant-to-azure-communications-gateway).

+## ELIN support for Direct Routing (preview)

+ELIN (Emergency Location Identifier Number) is the traditional method for signaling dynamic emergency location information for networks that don't support PIDF-LO. With Direct Routing, the Microsoft Phone System can add an ELIN (a phone number) representing the location to the message body. If ELIN support (preview) is configured, Azure Communications Gateway replaces the caller's number with this phone number when forwarding the call to your network. The Public Safety Answering Point (PSAP) can then look up this number to identify the location of the caller.

+> [!IMPORTANT]

+> If you require ELIN support (preview), discuss your requirements with a Microsoft representative.

+### Microsoft Phone System media bypass support (preview)

+Azure Communications Gateway has Preview support for Direct Routing media bypass. Direct Routing media bypass allows media to flow directly between Azure Communications Gateway and Microsoft Teams clients in some scenarios instead of always sending it through the Microsoft Phone System. Media continues to flow through Azure, because both Azure Communications Gateway and Microsoft Phone System are located in Azure.

+If you believe that media bypass support (preview) would be useful for your deployment, discuss your requirements with a Microsoft representative.

+Before you can launch your Microsoft Teams Direct Routing service, you and your onboarding team must:

+- [Integrate with Azure Communications Gateway's Provisioning API](integrate-with-provisioning-api.md)

+The [Azure Cosmos DB Migration for MongoDB extension](/azure-data-studio/extensions/database-migration-for-mongo-extension) in Azure Data Studio helps you assess a MongoDB workload for migrating to Azure Cosmos DB for MongoDB. You can use this extension to run an end-to-end assessment on your workload and find out the actions that you may need to take to seamlessly migrate your workloads on Azure Cosmos DB. During the assessment of a MongoDB endpoint, the extension reports all the discovered resources.

+> Database Migration Assistant is a preliminary legacy utility meant to assist you with the pre-migration steps. Microsoft recommends you to use the [Azure Cosmos DB Migration for MongoDB extension](/azure-data-studio/extensions/database-migration-for-mongo-extension) for all pre-migration steps.

+The [Azure Cosmos DB Migration for MongoDB extension](/azure-data-studio/extensions/database-migration-for-mongo-extension) in Azure Data Studio helps you assess a MongoDB workload for migrating to Azure Cosmos DB for MongoDB. You can use this extension to run an end-to-end assessment on your workload and find out the actions that you may need to take to seamlessly migrate your workloads on Azure Cosmos DB. During the assessment of a MongoDB endpoint, the extension reports all the discovered resources.

+This article helps you set up your Azure subscription to pay by wire transfer.

+This article applies to you if you are:

+- A customer with a Microsoft Customer Agreement (MCA)

+- A customer who signed up for Azure through the Azure website (for a Microsoft Online Services Program account, also called pay-as-you-go account).

+If you signed up for Azure through a Microsoft representative, then your default payment method is already set to *wire transfer*, so these steps aren't needed.

+When you switch to pay by wire transfer, you must pay your bill within 30 days of the invoice date by wire transfer.

+Users with a Microsoft Customer Agreement must always submit a request [Submit a request to set up pay by wire transfer](#submit-a-request-to-set-up-pay-by-wire-transfer) to Azure support to enable pay by wire transfer.

+Customers who have a Microsoft Online Services Program (pay-as-you-go) account can use the Azure portal to [Request to pay by wire transfer](#request-to-pay-by-wire-transfer).

+ - Country/region:

+ 1. In the left menu, select **Properties**. On the properties page, you should see your billing account ID shown as a GUID ID value. It's your Commerce Account ID.

+If we need to run a credit check because of the amount of credit that you need, you're sent a credit check application. We might ask you to provide your companyΓÇÖs audited financial statements. If no financial information is provided or if the information isn't strong enough to support the amount of credit limit required, we might ask for a security deposit or a standby letter of credit to approve your credit check request.

+Use the following steps to switch your Azure subscription to pay by wire transfer. *Once you switch to payment by wire transfer, you can't switch back to a credit card*.

+Using the following steps to switch a billing profile to wire transfer. Only the person who signed up for Azure can change the default payment method of a billing profile.

+When your account is approved for wire transfer payment, the instructions for payment can be found on the invoice.

+You might experience an issue when you try to sign up for a new account in the Microsoft Azure portal. This short guide walks you through the sign-up process and discusses some common issues at each step.

+Although the sign-up verification process is typically quick, it might take up to four minutes for a verification code to be delivered.

+Virtual or prepaid credit cards aren't accepted as payment for Azure subscriptions. To see what else might cause your card to be declined, see [Troubleshoot a declined card at Azure sign-up](./troubleshoot-declined-card.md).

+You might see a small, temporary verification hold on your credit card account after you sign up. This hold is removed within three to five days. If you're worried about managing costs, read more about [Analyzing unexpected charges](../understand/analyze-unexpected-charges.md).

+ - If you can't verify your status, you can get help by creating a [Microsoft for Startups support request](https://support.microsoft.com/supportrequestform/354fe60a-ba6d-92ad-208a-6a41387aa9d8).

+ - Sign in to the [Cloud Partner Program portal](https://mspartner.microsoft.com/Pages/Locale.aspx) to verify your eligibility status. If you have the appropriate [Cloud Platform Competencies](https://mspartner.microsoft.com/pages/membership/cloud-platform-competency.aspx), you might be eligible for other benefits.

+1. [Log Analytics Tutorial](../azure-monitor/logs/log-analytics-tutorial.md)

+1. Open [SQL Server Management Studio (SSMS)](/sql/ssms/download-sql-server-management-studio-ssms) or [Azure Data Studio](/azure-data-studio/download-azure-data-studio), and connect to your SQL Server database.

+1. Open [SQL Server Management Studio (SSMS)](/sql/ssms/download-sql-server-management-studio-ssms) or [Azure Data Studio](/azure-data-studio/download-azure-data-studio), and connect to your SQL Server database.

+An **optional** step where you can assign IP pools for the virtual network used by Kubernetes pods.

+> [!NOTE]

+> SAP customers can skip this step.

+ - For more information about witness in the cloud, see [Configure cloud witness](azure-stack-edge-gpu-manage-cluster.md#configure-cloud-witness).

+- You can update to 2303 from 2207 or later, and then install 2309.

+- Use 10G-BASET RJ-45 network cables (CAT-5e or CAT-6) to connect to Port1 and Port2. They can operate at either 1Gb/s or 10Gb/s.

+Multi-region support | There is currently limited support for API security insights for APIs published in Azure API Management multi-region deployments. Security insights, including data classifications, assessments of inactive APIs, unauthenticated APIs, and external APIs, is limited to supporting API traffic to the primary region (no support for security insights for secondary regions). All security detections and subsequently generated security alerts will work for API traffic sent to both primary and secondary regions.

+This article is relevant for commercial Defender for IoT customers. If you're a government cusetomer, contact your Microsoft sales representative for more information.

+The [Azure SQL Migration extension for Azure Data Studio](/azure-data-studio/extensions/azure-sql-migration-extension) helps you to assess your database requirements, get the right-sized SKU recommendations for Azure resources, and migrate your SQL Server database to Azure.

+- [Download and install Azure Data Studio](/azure-data-studio/download-azure-data-studio).

+- [Install the Azure SQL Migration extension](/azure-data-studio/extensions/azure-sql-migration-extension) from Azure Data Studio Marketplace.

+| SQL Server | Azure SQL DB | [SQL Database Projects extension](/azure-data-studio/extensions/sql-database-project-extension)<br/>[DMA](/sql/dm)<br/>[DMA](/sql/dma/dma-overview)<br/>[Cloudamize*](https://www.cloudamize.com/) | [Cloudamize*](https://www.cloudamize.com/)<br/>[Qlik*](https://www.qlik.com/us/products/qlik-replicate)<br/>[Striim*](https://www.striim.com/partners/striim-and-microsoft-azure/) |

+| Amazon RDS for SQL Server| Azure SQL DB | [SQL Database Projects extension](/azure-data-studio/extensions/sql-database-project-extension)<br/>[DMA](/sql/dm)<br/>[DMA](/sql/dma/dma-overview)| [Qlik*](https://www.qlik.com/us/products/qlik-replicate)<br/>[Striim*](https://www.striim.com/partners/striim-and-microsoft-azure/) |

+- **Recommendation**: Make sure the target database schema was created before starting the migration. For more information on how to deploy the target database schema, see [SQL Database Projects extension](/azure-data-studio/extensions/sql-database-project-extension)

+- **Recommendation**: Make sure the target database schema was created before starting the migration. For more information on how to deploy the target database schema, see [SQL Database Projects extension](/azure-data-studio/extensions/sql-database-project-extension).

+- For an overview and installation of the Azure SQL migration extension, see [Azure SQL migration extension for Azure Data Studio](/azure-data-studio/extensions/azure-sql-migration-extension)

+The [Azure SQL Migration extension for Azure Data Studio](/azure-data-studio/extensions/azure-sql-migration-extension) brings together a simplified assessment, recommendation, and migration experience that delivers the following capabilities:

+ > If your target is Azure SQL Database you have to migrate database schema from source to target using [SQL Server dacpac extension](/azure-data-studio/extensions/sql-server-dacpac-extension) or, [SQL Database Projects extension](/azure-data-studio/extensions/sql-database-project-extension) for Azure Data Studio.

+Learn how to use the unified experience in [Azure SQL Migration extension for Azure Data Studio](/azure-data-studio/extensions/azure-sql-migration-extension). Helps you to assess your database requirements, get the right-sized SKU recommendations for Azure resources, and migrate your SQL Server database to Azure.

+> If your target is Azure SQL Database, make sure you deploy the database schema before you begin the migration. You can use tools like the [SQL Server dacpac extension](/azure-data-studio/extensions/sql-server-dacpac-extension) or the [SQL Database Projects extension](/azure-data-studio/extensions/sql-database-project-extension) for Azure Data Studio.

+(4) **Azure Data Studio**: Download and install the [Azure SQL Migration extension for Azure Data Studio](/azure-data-studio/extensions/azure-sql-migration-extension).

+- Learn how to install the [Azure SQL Migration extension for Azure Data Studio](/azure-data-studio/extensions/azure-sql-migration-extension).

+- [Download and install Azure Data Studio](/azure-data-studio/download-azure-data-studio).

+- [Install the Azure SQL Migration extension](/azure-data-studio/extensions/azure-sql-migration-extension) from Azure Data Studio Marketplace.

+- [Download and install Azure Data Studio](/azure-data-studio/download-azure-data-studio).

+- [Install the Azure SQL Migration extension](/azure-data-studio/extensions/azure-sql-migration-extension) from Azure Data Studio Marketplace.

+- Migrate the database schema from source to target by using the [SQL Server dacpac extension](/azure-data-studio/extensions/sql-server-dacpac-extension) or the [SQL Database Projects extension](/azure-data-studio/extensions/sql-database-project-extension) in Azure Data Studio.

+> Make sure to migrate the database schema from source to target by using the [SQL Server dacpac extension](/azure-data-studio/extensions/sql-server-dacpac-extension) or the [SQL Database Projects extension](/azure-data-studio/extensions/sql-database-project-extension) in Azure Data Studio before selecting the list of tables to migrate.

+> Make sure to migrate the database schema from source to target by using the [SQL Server dacpac extension](/azure-data-studio/extensions/sql-server-dacpac-extension) or the [SQL Database Projects extension](/azure-data-studio/extensions/sql-database-project-extension) in Azure Data Studio before selecting the list of tables to migrate.

+- Migrate the database schema from source to target by using the [SQL Server dacpac extension](/azure-data-studio/extensions/sql-server-dacpac-extension) or the [SQL Database Projects extension](/azure-data-studio/extensions/sql-database-project-extension) in Azure Data Studio.

+> Make sure to migrate the database schema from source to target by using the [SQL Server dacpac extension](/azure-data-studio/extensions/sql-server-dacpac-extension) or the [SQL Database Projects extension](/azure-data-studio/extensions/sql-database-project-extension) in Azure Data Studio before selecting the list of tables to migrate.

+ > Make sure to migrate the database schema from source to target by using the [SQL Server dacpac extension](/azure-data-studio/extensions/sql-server-dacpac-extension) or the [SQL Database Projects extension](/azure-data-studio/extensions/sql-database-project-extension) in Azure Data Studio before selecting the list of tables to migrate.

+- [Download and install Azure Data Studio](/azure-data-studio/download-azure-data-studio).

+- [Install the Azure SQL Migration extension](/azure-data-studio/extensions/azure-sql-migration-extension) from Azure Data Studio Marketplace.

+* [Download and install Azure Data Studio](/azure-data-studio/download-azure-data-studio)

+* [Install the Azure SQL migration extension](/azure-data-studio/extensions/azure-sql-migration-extension) from the Azure Data Studio marketplace

+- [Download and install Azure Data Studio](/azure-data-studio/download-azure-data-studio).

+- [Install the Azure SQL Migration extension](/azure-data-studio/extensions/azure-sql-migration-extension) from Azure Data Studio Marketplace.

+* [Download and install Azure Data Studio](/azure-data-studio/download-azure-data-studio)

+* [Install the Azure SQL migration extension](/azure-data-studio/extensions/azure-sql-migration-extension) from the Azure Data Studio marketplace

+You can use the [Azure SQL Migration extension for Azure Data Studio](/azure-data-studio/extensions/azure-sql-migration-extension) to help you migrate TDE-enabled databases (preview) from an on-premises instance of SQL Server to Azure SQL.

+- [Download and install Azure Data Studio](/azure-data-studio/download-azure-data-studio).

+- [Install the Azure SQL Migration extension](/azure-data-studio/extensions/azure-sql-migration-extension) from Azure Data Studio Marketplace.

+When you use [CLI](create-view-manage-system-topics-cli.md), [REST](/rest/api/eventgrid/controlplane-preview/event-subscriptions/create-or-update), or [Azure Resource Manager template](create-view-manage-system-topics-arm.md), you can choose either of the above methods.

+description: Learn how to use Azure Firewall Manager to configure Azure DDoS Protection Plan

+1. For **DDoS protection plan**, select **Enable**.

+ > [!NOTE]

+ > If you're using public IP address ranges for private networks in a virtual network or an on-premises branch, you need to explicitly specify these IP address prefixes. Select the **Private Traffic Prefixes** section and then add them alongside the RFC1918 address prefixes.

+7. Under **Inter-hub**, select **Enabled** to enable the Virtual WAN routing intent feature. Routing intent is the mechanism through which you can configure Virtual WAN to route branch-to-branch (on-premises to on-premises) traffic via Azure Firewall deployed in the Virtual WAN Hub. For more information regarding prerequisites and considerations associated with the routing intent feature, see [Routing Intent documentation](../virtual-wan/how-to-routing-policies.md).

+8. Select **Save**.

+9. Select **OK** on the **Warning** dialog.

+ $azfw = Get-AzFirewall -Name "<firewall-name>" -ResourceGroupName "<resource-group-name>"

+- [Learn more about Azure Firewall Premium features](premium-features.md)

+| Features and optimizations | Front Door Standard | Front Door Premium | Front Door Classic | Azure CDN Standard Microsoft | Azure CDN Standard Edgio | Azure CDN Premium Edgio |

+| Supported TLS Versions | TLS1.2, TLS1.0 | TLS1.2, TLS1.0 | TLS1.2, TLS1.0 | TLS 1.2, TLS 1.0/1.1 | TLS 1.2, TLS 1.3 | TLS 1.2, TLS 1.3 |

+* Learn how about the [Azure Front Door architecture](front-door-routing-architecture.md).

+* If using PowerShell, you need the [AZ Module](/powershell/azure/).

+From a command prompt, enter the following commands to create a working environment:

+ This command creates a directory named `hbaseapp` at the current location, which contains a basic Maven project. The second command changes the working directory to `hbaseapp`. The third command creates a new directory, `conf`, which can be used later. The `hbaseapp` directory contains the following items:

+2. Remove the generated example code. Delete the generated test and application files `AppTest.java`, and `App.java` by entering the following commands:

+For a full reference of the pom.xml file, see https://maven.apache.org/pom.html. Open `pom.xml` by entering the following command:

+Enter the following command to create and open a new file `CreateTable.java`. Select **Yes** at the prompt to create a new file.

+Then copy and paste the following Java code into the new file. Then close the file.

+Enter the following command to create and open a new file `SearchByEmail.java`. Select **Yes** at the prompt to create a new file.

+Then copy and paste the following Java code into the new file. Then close the file.

+Enter the following command to create and open a new file `DeleteTable.java`. Select **Yes** at the prompt to create a new file.

+Then copy and paste the following Java code into the new file. Then close the file.

+3. Register the modules with Azure PowerShell. Open a new Azure PowerShell window and edit the following command by replacing `CLUSTERNAME` with the name of your cluster. Then enter the following commands:

+Azure HDInsight has the following known issues:

+| HDInsight component | Issue description |

+||-|

+| Kafka | [Kafka 2.4.1 has validation error in ARM templates](#kafka-241-has-validation-error-in-arm-templates) |

+| Spark | [Conda version regression in recent HDInsight release](#conda-version-regression-in-recent-hdinsight-release)|

+| Platform | [Cluster reliability issue](#cluster-reliability-issue) observed with Azure HDInsight clusters using images older than March 2022|

+## Known issues summary

+### Kafka 2.4.1 has validation error in ARM templates

+**Issue published date**: October, 13 2023

+When submitting cluster creation requests using ARM templates, Runbooks, PowerShell, Azure CLI, and other automation tools, you might receive a BadRequest error message if you specify clusterType="Kafka", HDI version = "5.0" and Kafka version = "2.4.1".

+#### Troubleshooting steps

+When using [templates or automation tools](/azure/hdinsight/hdinsight-hadoop-provision-linux-clusters#cluster-setup-methods) to create HDInsight Kafka clusters, choose componentVersion = "2.4". This enables you to successfully create a Kafka 2.4.1 cluster in HDInsight 5.0.

+#### Resources

+- [Create HDInsight clusters using automation](/azure/hdinsight/hdinsight-hadoop-provision-linux-clusters#cluster-setup-methods)

+- [Supported HDInsight versions](/azure/hdinsight/hdinsight-component-versioning#supported-hdinsight-versions)

+- [HDInsight Kafka cluster](/azure/hdinsight/kafka/apache-kafka-introduction)

+### Conda version regression in recent HDInsight release

+**Issue published date**: October, 13 2023

+In the latest Azure HDInsight release, the conda version was mistakenly downgraded to version 4.2.9. This regression is fixed in an upcoming release, but currently it can impact Spark job execution and result in script action failures. Conda 4.3.30 is the expected version in 5.0 and 5.1 clusters, so follow the steps to mitigate the issue.

+<!--/issueDescription-->

+#### Recommended Steps

+1. SSH to any VM in the cluster.

+2. Switch to the root user: `sudo su`

+3. Check the conda version: `/usr/bin/anaconda/bin/conda info`

+4. If the version is 4.2.9, run the following [script action](/azure/hdinsight/hdinsight-hadoop-customize-cluster-linux#script-action-to-a-running-cluster) on all nodes to upgrade the cluster to conda version 4.3.30:

+ `https://hdiconfigactions2.blob.core.windows.net/hdi-sre-workspace/conda_update_4_3_30_patch.sh`

+#### Recommended Documents

+- [Script action to a running cluster](/azure/hdinsight/hdinsight-hadoop-customize-cluster-linux#script-action-to-a-running-cluster)

+- [Safely manage Python environment on Azure HDInsight using Script Action](/azure/hdinsight/spark/apache-spark-python-package-installation)

+- [Supported HDInsight versions](/azure/hdinsight/hdinsight-component-versioning#supported-hdinsight-versions)

+### Cluster reliability issue

+**Issue published date**: October, 13 2023

+As part of the proactive reliability management of Azure HDInsight, we recently came across a potential reliability issue on HDInsight clusters that use images dated February 2022 or older.

+#### Issue Background

+In HDInsight images dated prior to March 2022, a known bug was discovered on one particular AzLinux build. The `waagent`, a lightweight process that manages virtual machines, was unstable and resulted in VM outages. HDInsight clusters that consumed the AzLinux build have experienced service outages, job failures, and adverse effects on features like IPSec and Autoscale.

+#### Required Action

+If your cluster was created prior to February 2022, we advise rebuilding your cluster with the latest HDInsight image by November 10, 2023. Cluster images dated prior to March 2022 will not be supported beyond this date. These images will not receive security updates, bug fixes, or patches, leaving them highly susceptible to vulnerabilities.

+> [!IMPORTANT]

+> ItΓÇÖs recommended to keep your clusters updated to the latest HDInsight version on a regular basis. Using clusters based on the latest HDInsight image ensures that clusters have the latest operating system patches, security patches, bug fixes, library versions, and minimizes risk and potential security vulnerabilities.

+>

+#### FAQ

+##### What happens in the case of a VM outage in the HDInsight clusters that use these impacted HDInsight images?

+Recovery of such Virtual Machines is not straight-forward restarts and could result in several hours of outage with a mandatory manual intervention from the Microsoft support team.

+##### Is this issue rectified in latest HDInsight images?

+Yes, we've fixed this issue on the HDInsight images dated March 1, 2022 or later. It is advised to move to the latest stable version to ensure SLA and service reliability.

+#### How do we determine the date of the HDInsight image our clusters are built on?

+The last 10 digits in your image version indicate the date and time of HDInsight image. For example, if your cluster image is ΓÇ£5.0.3000.1.2208310943ΓÇ¥ indicates that the date of your image is 31 August 2022. Learn how to [verify your HDInsight image version.](/azure/hdinsight/view-hindsight-cluster-image-version)

+#### Resources

+- [Create HDInsight clusters using automation](/azure/hdinsight/hdinsight-hadoop-provision-linux-clusters#cluster-setup-methods)

+- [Supported HDInsight versions](/azure/hdinsight/hdinsight-component-versioning#supported-hdinsight-versions)

+- [HDInsight Kafka cluster](/azure/hdinsight/kafka/apache-kafka-introduction)

+- [Verify your HDInsight image version](/azure/hdinsight/view-hindsight-cluster-image-version)

+| Issue ID | Area |Title | Issues publish date| Status |

+> The minimum headnode size for Interactive Query clusters is Standard_D13_v2. For more information, see the [Azure Virtual Machine Sizing Chart](../../cloud-services/cloud-services-sizes-specs.md#dv2-series).

+The block cache is the read cache. The `hfile.block.cache.size` parameter controls block cache size. The default value is 0.4, which is 40 percent of the total region server memory. Larger the block cache size, faster will be random reads.

+All edits are stored in the memory buffer, called a *Memstore*. This buffer increases the total amount of data that can be written to disk in a single operation. It also speeds access to the recent edits. The Memstore size defines the following two parameters:

+The `hbase.client.scanner.caching` setting defines the number of rows read from disk when the `next` method is called on a scanner. The default value is 100. The higher the number, the fewer the remote calls made from the client to the region server, resulting in faster scans. However, this setting increase memory pressure on the client.

+HBase stores data in an internal file format, called `HFile`. The property `hbase.hregion.max.filesize` defines the size of a single `HFile` for a region. A region is split into two regions if the sum of all `HFiles` in a region is greater than this setting.

+* The `hbase.hregion.memstore.block.multiplier` defines the HBase region block multiplier. The default value is 4. The maximum allowed is 8.

+The `hbase.regionserver.global.memstore.upperLimit` and `hbase.regionserver.global.memstore.lowerLimit` parameters defines Memstore size. Setting these values equal to each other reduces pauses during writes (also causing more frequent flushing) and results in increased write performance.

+The property `hbase.hregion.memstore.mslab.enabled` defines Memstore local allocation buffer usage. When enabled (true), this setting prevents heap fragmentation during heavy write operation. The default value is true.

+Azure Machine Learning simplifies and accelerates the building, training, and deployment of machine learning models. In automated machine learning (AutoML), you start with training data that has a defined target feature. Iterate through combinations of algorithms and feature selections automatically select the best model for your data based on the training scores. HDInsight allows customers to provision clusters with hundreds of nodes. AutoML running on Spark in an HDInsight cluster allows users to use compute capacity across these nodes to run training jobs in a scale-out fashion, and to run multiple training jobs in parallel. It allows users to run AutoML experiments while sharing the compute with their other big data workloads.

+* For more information on using Azure Machine Learning Automated ML capabilities, see [New automated machine learning capabilities in Azure Machine Learning](https://azure.microsoft.com/blog/new-automated-machine-learning-capabilities-in-azure-machine-learning-service/)

+By default, Azure HDInsight clusters accept TLS 1.2 connections on public HTTPS endpoints. You can control the minimum TLS version supported on the gateway nodes during cluster creation using either the Azure portal, or a Resource Manager template. For the portal, select the TLS version from the **Security + networking** tab during cluster creation. For a Resource Manager template at deployment time, use the **minSupportedTlsVersion** property. For a sample template, see [HDInsight minimum TLS 1.2 Quickstart template](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.hdinsight/hdinsight-minimum-tls/azuredeploy.json). This property supports one value: "1.2," which correspond to TLS 1.2+.

+HDInsight can run Pig Latin jobs by using various methods. Use the following table to decide which method is right for you, then follow the link for a walkthrough.

+|OperationDuration|Int|The time it took to complete this request in seconds. Note : This value is always set to 0, due to a known issue

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+description: In this article, you learn the concepts of DICOM change feed.

+The API exposes two `GET` endpoints for interacting with the change feed. A typical flow for consuming the change feed is provided in the [Usage](#usage) section.

+limit | int | The maximum value of the sequence number relative to the offset. For example, if the offset is 10 and the limit is 5, then the maximum sequence number returned is 15. | `10` | `1` | `100` |

+ * For example, if querying every hour, a query for the change feed might look like `/changefeed?startTime=2023-05-10T16:00:00Z&endTime=2023-05-10T17:00:00Z`

+ * If starting from the beginning, the change feed query might omit the `startTime` to read all of the changes up to, but excluding, the `endTime`

+ * For example: `/changefeed?endTime=2023-05-10T17:00:00Z`

+2. Based on the `limit` (if provided), an application continues to query for more pages of change events if the number of returned events is equal to the `limit` (or default) by updating the offset on each subsequent query

+ * For example, if the `limit` is `100`, and 100 events are returned, then the subsequent query would include `offset=100` to fetch the next "page" of results. The queries demonstrate the pattern:

+To use the DICOM&reg; service, users and applications need to prove their identity and permissions by getting an access token. An access token is a string that identifies a user or an application and grants them permission to access a resource. Using access tokens enhances security by preventing unauthorized access and reducing the need for repeated authentication.

+This article details how to get started using DICOM&reg; data in analytics workloads with Azure Data Factory and Microsoft Fabric.

+1. In the Azure Data Factory Studio, select **Manage** from the navigation menu. Under **Connections** select **Linked services** and then select **New**.

+2. On the New linked service panel, search for "REST". Select the **REST** tile and then **Continue**.

+4. In the **Base URL** field, enter the Service URL for your DICOM service. For example, a DICOM service named `contosoclinic` in the `contosohealth` workspace will have the Service URL `https://contosohealth-contosoclinic.dicom.azurehealthcareapis.com`.

+6. For **AAD resource**, enter `https://dicom.healthcareapis.azure.com`. Note, this URL is the same for all DICOM service instances.

+1. In the Azure Data Factory Studio, select **Manage** from the navigation menu. Under **Connections** select **Linked services** and then select **New**.

+2. On the New linked service panel, search for "Azure Data Lake Storage Gen2". Select the **Azure Data Lake Storage Gen2** tile and then **Continue**.

+1. Select **Author** from the navigation menu. In the **Factory Resources** pane, select the plus (+) to add a new resource. Select **Pipeline** and then **Template gallery** from the menu.

+2. In the Template gallery, search for "DICOM". Select the **Copy DICOM Metadata Changes to ADLS Gen2 in Delta Format** tile and then **Continue**.

+Pipelines are scheduled by _triggers_. There are different types of triggers including _schedule triggers_, which allow pipelines to be triggered on a wall-clock schedule, and _manual triggers_, which trigger pipelines on demand. In this example, a _tumbling window trigger_ is used to periodically run the pipeline given a starting point and regular time interval. For more information about triggers, see the [pipeline execution and triggers article](../../data-factory/concepts-pipeline-execution-triggers.md).

+1. Select **Author** from the navigation menu. Select the pipeline for the DICOM service and select **Add trigger** and **New/Edit** from the menu bar.

+6. Expand the **Advanced** section and enter a **Delay** of **15 minutes**. This will allow any pending operations at the end of an hour to complete before processing.

+8. Select **Ok** to continue configuring the trigger run parameters.

+4. Select **Save** to create the new trigger. Be sure to select **Publish** on the menu bar to begin your trigger running on the defined schedule.

+After the trigger is published, it can be triggered manually using the **Trigger now** option. If the start time was set for a value in the past, the pipeline will start immediately.

+1. Navigate to the lakehouse created in the prerequisites. In the **Explorer** view, select the triple-dot menu (...) next to the **Tables** folder.

+7. Enter a **Shortcut Name** that represents the data created by the Azure Data Factory pipeline. For example, for the `instance` Delta table, the shortcut name should probably be **instance**.

+Once the tables have been created in the lakehouse, they can be queried from [Microsoft Fabric notebooks](/fabric/data-engineering/how-to-use-notebook). Notebooks may be created directly from the lakehouse by selecting **Open Notebook** from the menu bar.

+After a few seconds, the results of the query should appear in a table beneath the cell like (the time might be longer if this is the first Spark query in the session as the Spark context will need to be initialized).

+* [How to use Microsoft Fabric notebooks](/fabric/data-engineering/how-to-use-notebook)

+

+This article outlines the basic steps to get started with the DICOM&reg; service in [Azure Health Data Services](../healthcare-apis-overview.md).

+As a prerequisite, you need an Azure subscription and permissions to create Azure resource groups and to deploy Azure resources. You can follow all the steps, or skip some if you have an existing environment. Also, you can combine all the steps and complete them in PowerShell, Azure CLI, and REST API scripts. You need a workspace to provision a DICOM service. A FHIR&reg; service is optional and is needed only if you connect imaging data with electronic health records of the patient via DICOMcast.

+## Create a workspace in your Azure subscription

+The DICOM service is secured by a Microsoft Entra ID that can't be disabled. To access the service API, you must create a client application that's also referred to as a service principal in Microsoft Entra ID and grant it with the right permissions.

+You can perform, create, read (search), update, or delete (CRUD) transactions against the DICOM service in your applications or by using tools such as Postman, REST Client, cURL, and Python. Because the DICOM service is secured by default, you must obtain an access token and include it in your transaction request.

+[Deploy DICOM service using the Azure portal](deploy-dicom-services-in-azure.md)

+The DICOM&reg; service is a cloud-based solution that enables healthcare organizations to store, manage, and exchange medical imaging data securely and efficiently with any DICOMweb-enabled systems or applications. The DICOM service is part of [Azure Health Data Services](../healthcare-apis-overview.md).

+To effectively treat patients, research treatments, diagnose illnesses, or get an overview of a patient's health history, organizations need to integrate data across several sources. The DICOM service enables imaging data to persist in the Microsoft cloud and allows it to reside with electronic health records (EHR) and healthcare device (IoT) data in the same Azure subscription.

+FHIR&reg; supports integration of other types of data directly, or through references. With the DICOM service, organizations are able to store references to imaging data in FHIR and enable queries that cross clinical and imaging datasets. This capability enables organizations to deliver better healthcare. For example:

+- **Image back-up**. Research institutions, clinics, imaging centers, veterinary clinics, pathology institutions, retailers, or organizations can use the DICOM service to back up their images with unlimited storage and access. There's no need to deidentify PHI data because the service is validated for PHI compliance.

+# Pull DICOM changes using the change feed

+DICOM&reg; The change feed offers customers the ability to go through the history of the DICOM service and act on the create and delete events in the service. This how-to guide describes how to consume Change Feed.

+## Next steps

+For information, see the [DICOM service overview](dicom-services-overview.md).

+This article describes our open-source projects on GitHub that provide source code and instructions to connect DICOM&reg; service with other tools, services, and products.

+[Deploy DICOM service to Azure](deploy-dicom-services-in-azure.md)

+|`OperationDuration` | Int| The time it took to complete this request, in seconds. Note: This collumn value is always 0 due to a known issue|

+Azure Health Data Services is a cloud-based solution that helps you collect, store, and analyze health data from different sources and formats. It supports various healthcare standards, such as FHIR&reg; and DICOM&reg;, and converts data from legacy or proprietary device formats to FHIR.

+[Workspace overview](workspace-overview.md)

+[Create a workspace](healthcare-apis-quickstart.md)

+1. Download the [Azure Data Studio *system* installer for Windows](https://go.microsoft.com/fwlink/?linkid=2127432). To find installers for other supported operating systems, go to the [Azure Data Studio](/azure-data-studio/download-azure-data-studio) download page.

+| 4 | [Default outbound access](../virtual-network/ip-services/default-outbound-access.md) | Implicit | No | Worst |

+## Before invoking an endpoint

+To successfully invoke a batch endpoint and create jobs, ensure you have the following:

+* You have permissions to run a batch endpoint deployment. Read [Authorization on batch endpoints](how-to-authenticate-batch-endpoint.md) to know the specific permissions needed.

+* You have a valid Microsoft Entra ID token representing a security principal to invoke the endpoint. This principal can be a user principal or a service principal. In any case, once an endpoint is invoked, a batch deployment job is created under the identity associated with the token. For testing purposes, you can use your own credentials for the invocation as mentioned below.

+ # [Azure CLI](#tab/cli)

+

+ Use the Azure CLI to log in using either interactive or device code authentication:

+

+ ```azurecli

+ az login

+ ```

+

+ # [Python](#tab/sdk)

+

+ Use the Azure Machine Learning SDK for Python to log in:

+

+ ```python

+ from azure.ai.ml import MLClient

+ from azure.identity import DefaultAzureCredentials

+

+ ml_client = MLClient.from_config(DefaultAzureCredentials())

+ ```

+

+ If running outside of Azure Machine Learning compute, you need to indicate the workspace where the endpoint is deployed:

+

+ ```python

+ from azure.ai.ml import MLClient

+ from azure.identity import DefaultAzureCredentials

+

+ subscription_id = "<subscription>"

+ resource_group = "<resource-group>"

+ workspace = "<workspace>"

+

+ ml_client = MLClient(DefaultAzureCredentials(), subscription_id, resource_group, workspace)

+ ```

+

+ # [REST](#tab/rest)

+

+ The simplest way to get a valid token for your user account is to use the Azure CLI. In a console, run the following command:

+

+ ```azurecli

+ az account get-access-token --resource https://ml.azure.com --query "accessToken" --output tsv

+ ```

+

+ > [!TIP]

+ > When working with REST, we recommend invoking batch endpoints using a service principal. See [Running jobs using a service principal (REST)](how-to-authenticate-batch-endpoint.md?tabs=rest#running-jobs-using-a-service-principal) to learn how to get a token for a Service Principal using REST.

+

+

+ To learn more about how to authenticate with multiple type of credentials read [Authorization on batch endpoints](how-to-authenticate-batch-endpoint.md).

+* The **compute cluster** where the endpoint is deployed has access to read the input data.

+ > [!TIP]

+ > If you are using a credential-less data store or external Azure Storage Account as data input, ensure you [configure compute clusters for data access](how-to-authenticate-batch-endpoint.md#configure-compute-clusters-for-data-access). **The managed identity of the compute cluster** is used **for mounting** the storage account. The identity of the job (invoker) is still used to read the underlying data allowing you to achieve granular access control.

+Batch endpoints support two types of inputs:

+* [Data inputs](#data-inputs), which are pointers to a specific storage location or Azure Machine Learning asset.

+* [Literal inputs](#literal-inputs), which are literal values (like numbers or strings) that you want to pass to the job.

+The number and type of inputs and outputs depend on the [type of batch deployment](concept-endpoints-batch.md#batch-deployments). Model deployments always require 1 data input and produce 1 data output. Literal inputs are not supported. However, pipeline component deployments provide a more general construct to build endpoints. You can indicate any number of inputs (data and literal) and outputs.

+| [Model deployment](concept-endpoints-batch.md#model-deployments) | 1 | [Data inputs](#data-inputs) | 1 | [Data outputs](#data-outputs) |

+> Inputs and outputs are always named. Those names serve as keys to indentify them and pass the actual value during invocation. For model deployments, since they always require 1 input and output, the name is ignored during invocation. You can assign the name its best describe your use case, like "sales_estimation".

+### Data inputs

+* [Azure Machine Learning Data Assets](#input-data-from-a-data-asset), including Folder (`uri_folder`) and File (`uri_file`).

+* [Azure Machine Learning Data Stores](#input-data-from-data-stores), including Azure Blob Storage, Azure Data Lake Storage Gen1, and Azure Data Lake Storage Gen2.

+* [Azure Storage Accounts](#input-data-from-azure-storage-accounts), including Azure Data Lake Storage Gen1, Azure Data Lake Storage Gen2, and Azure Blob Storage.

+* Local data folders/files (Azure Machine Learning CLI or Azure Machine Learning SDK for Python). However, that operation will result in the local data to be uploaded to the default Azure Machine Learning Data Store of the workspace you are working on.

+### Literal inputs

+Literal inputs refer to inputs that can be represented and resolved at invocation time, like strings, numbers, and boolean values. You typically use literal inputs to pass parameters to your endpoint as part of a pipeline component deployment. Batch endpoints support the following literal types:

+- `string`

+- `boolean`

+- `float`

+- `integer`

+Literal inputs are only supported in Pipeline Component deployments. See [Create jobs with literal inputs](#create-jobs-with-literal-inputs) to learn how to indicate them.

+### Data outputs

+Data outputs refer to the location where the results of a batch job should be placed. Outputs are identified by name and Azure Machine Learning automatically assign a unique path to each named output. However, you can indicate another path if required. Batch Endpoints only support writing outputs in blob Azure Machine Learning data stores.

+## Create jobs with data inputs

+The following examples show how to create jobs taking data inputs from [data assets](#input-data-from-a-data-asset), [data stores](#input-data-from-data-stores), and [Azure Storage Accounts](#input-data-from-azure-storage-accounts).

+### Input data from a data asset

+1. Create the input or request:

+1. Run the endpoint:

+### Input data from data stores

+1. Create the input or request:

+1. Run the endpoint:

+### Input data from Azure Storage Accounts

+> Check the section [configure compute clusters for data access](how-to-authenticate-batch-endpoint.md#configure-compute-clusters-for-data-access) to learn more about additional configuration required to successfully read data from storage accoutns.

+1. Create the input or request:

+1. Run the endpoint:

+## Create jobs with literal inputs

+Pipeline component deployments can take literal inputs. The following example shows how to indicate an input named `score_mode`, of type `string`, with a value of `append`:

+## Create jobs with data outputs

+## Invoke a specific deployment

+Batch endpoints can host multiple deployments under the same endpoint. The default endpoint is used unless the user indicates otherwise. You can change the deployment that is used as follows:

+# [Azure CLI](#tab/cli)

+

+Use the argument `--deployment-name` or `-d` to indicate the name of the deployment:

+```azurecli

+az ml batch-endpoint invoke --name $ENDPOINT_NAME --deployment-name $DEPLOYMENT_NAME --input $INPUT_DATA

+```

+# [Python](#tab/sdk)

+Use the parameter `deployment_name` to indicate the name of the deployment:

+```python

+job = ml_client.batch_endpoints.invoke(

+ endpoint_name=endpoint.name,

+ deployment_name=deployment.name,

+ inputs={

+ "heart_dataset": input,

+ }

+)

+```

+# [REST](#tab/rest)

+Add the header `azureml-model-deployment` to your request, including the name of the deployment you want to invoke.

+__Request__

+

+```http

+POST jobs HTTP/1.1

+Host: <ENDPOINT_URI>

+Authorization: Bearer <TOKEN>

+Content-Type: application/json

+azureml-model-deployment: DEPLOYMENT_NAME

+```

+* [Customize outputs in model deployments batch deployments](how-to-deploy-model-custom-output.md).

+* [Create a custom scoring pipeline with inputs and outputs](how-to-use-batch-scoring-pipeline.md).

+> The identity used for invoking a batch endpoint may not be used to read the underlying data depending on how the data store is configured. Please see [Configure compute clusters for data access](#configure-compute-clusters-for-data-access) for more details.

+You can use managed identities to invoke batch endpoint and deployments. Notice that this manage identity doesn't belong to the batch endpoint, but it is the identity used to execute the endpoint and hence create a batch job. Both user assigned and system assigned identities can be use in this scenario.

+On resources configured for managed identities for Azure resources, you can sign in using the managed identity. Signing in with the resource's identity is done through the `--identity` flag. For more details, see [Sign in with Azure CLI](/cli/azure/authenticate-azure-cli).

+## Configure compute clusters for data access

+Batch endpoints ensure that only authorized users are able to invoke batch deployments and generate jobs. However, depending on how the input data is configured, other credentials might be used to read the underlying data. Use the following table to understand which credentials are used:

+| Data input type | Credential in store | Credentials used | Access granted by |

+||||-|

+| Data store | Yes | Data store's credentials in the workspace | Access key or SAS |

+| Data asset | Yes | Data store's credentials in the workspace | Access Key or SAS |

+| Data store | No | Identity of the job + Managed identity of the compute cluster | RBAC |

+| Data asset | No | Identity of the job + Managed identity of the compute cluster | RBAC |

+| Azure Blob Storage | Not apply | Identity of the job + Managed identity of the compute cluster | RBAC |

+| Azure Data Lake Storage Gen1 | Not apply | Identity of the job + Managed identity of the compute cluster | POSIX |

+| Azure Data Lake Storage Gen2 | Not apply | Identity of the job + Managed identity of the compute cluster | POSIX and RBAC |

+For those items in the table where **Identity of the job + Managed identity of the compute cluster** is displayed, the managed identity of the compute cluster is used **for mounting** and configuring storage accounts. However, the identity of the job is still used to read the underlying data allowing you to achieve granular access control. That means that in order to successfully read data from storage, the managed identity of the compute cluster where the deployment is running must have at least [Storage Blob Data Reader](../role-based-access-control/built-in-roles.md#storage-blob-data-reader) access to the storage account.

+To configure the compute cluster for data access, follow these steps:

+1. Go to [Azure Machine Learning studio](https://ml.azure.com).

+1. Navigate to __Compute__, then __Compute clusters__, and select the compute cluster your deployment is using.

+1. Assign a managed identity to the compute cluster:

+ 1. In the __Managed identity__ section, verify if the compute has a managed identity assigned. If not, select the option __Edit__.

+

+ 1. Select __Assign a managed identity__ and configure it as needed. You can use a System-Assigned Managed Identity or a User-Assigned Managed Identity. If using a System-Assigned Managed Identity, it is named as "[workspace name]/computes/[compute cluster name]".

+ 1. Save the changes.

+ :::image type="content" source="media/how-to-authenticate-batch-endpoint/guide-manage-identity-cluster.gif" alt-text="Animation showing the steps to assign a managed identity to a cluster.":::

+1. Go to the [Azure portal](https://portal.azure.com) and navigate to the associated storage account where the data is located. If your data input is a Data Asset or a Data Store, look for the storage account where those assets are placed.

+1. Assign Storage Blob Data Reader access level in the storage account:

+ 1. Go to the section __Access control (IAM)__.

+ 1. Select the tab __Role assignment__, and then click on __Add__ > __Role assignment__.

+ 1. Look for the role named __Storage Blob Data Reader__, select it, and click on __Next__.

+ 1. Click on __Select members__.

+ 1. Look for the managed identity you have created. If using a System-Assigned Managed Identity, it is named as __"[workspace name]/computes/[compute cluster name]"__.

+ 1. Add the account, and complete the wizard.

+

+ :::image type="content" source="media/how-to-authenticate-batch-endpoint/guide-manage-identity-assign.gif" alt-text="Animation showing the steps to assign the created managed identity to the storage account.":::

+

+1. Your endpoint is ready to receive jobs and input data from the selected storage account.

+> Please do not use embedded newlines in csv files unless you register the data as an MLTable. Embedded newlines in csv files might cause misaligned field values when you read the data. MLTable has this parameter [`support_multi_line`](../machine-learning/reference-yaml-mltable.md?view=azureml-api-2&preserve-view=true#read-transformations)in `read_delimited` transformation to interpret quoted line breaks as one record.

+The component output port should have the following signature.

+ | signature name | type | description |

+ ||||

+ | signal_metrics | mltable | The ml table that contains the computed metrics. The schema is defined in the signal_metrics schema section in the next section. |

+

+#### signal_metrics schema

+ production_data:

+ type: uri_folder

+ path: azureml:my_production_data:1

+ - metric_name: std_deviation

+To enable users to quickly get started with code based finetuning, we have published samples (both Python notebooks and CLI examples) to the azureml-examples git repo -

+ - **Fix**: Azure OpenAI failed to create. This is due to quota issues, make sure you have enough quota for the deployment. The default quota for fine-tuned models is 2 deployment per customer.

+ - **Fix**: Unable to create the resource. You either aren't in correct region, or you have exceeded the maximum limit of three Azure OpenAI resources. You need to delete an existing Azure OpenAI resource or you need to make sure you created a workspace in one of the [supported regions](../ai-services/openai/concepts/models.md#model-summary-table-and-region-availability).

+- **Finetuning job Failed**

+ - **Fix**: Currently, only a maximum of 10 workspaces can be designated for a particular subscription for new fine tunable models. If a user creates more workspaces, they will get access to the models, but their jobs will fail. Try to limit number of workspaces per subscription to 10.

+ - mlflow== 2.4.1

+ - azureml-mlflow==1.51.0

+ :::image type="content" source="./media/tutorial-discover-spring-boot/troubleshoot.png" alt-text="Screenshot of Appliances screen.":::

+armclient get /subscriptions/<subscription>/resourceGroups/<resourceGroup> /providers/Microsoft.Kubernetes/connectedClusters/<applianceName>/Providers/Microsoft.KubernetesConfiguration/extensions/credential-sync-agent?api-version=2022-03-01

+11. Go to the Key Vault, go to access policies, select the Principal ID from list and check the permissions it has OR create a new access policy specifically for the Principal ID you found by running the command.

+**Error Code** | **Action**

+- | -

+**404** | Check if the credentials exist on the Key Vault. Ensure that the extension identity for <Microsoft.ConnectedCredentials> has required permissions to delete the credentials from the Key Vault.

+**406** | Ensure that the extension identity for <Microsoft.ConnectedCredentials> has the required permissions to access the credentials on the Key Vault.

+**407** | Check the firewall rules on the Key Vault, allow access from the appliance IP address and retry the operation.

+**413** | Ensure that the Key Vault is accessible from the appliance on-premises and the extension identity for <Microsoft.ConnectedCredentials> has required permissions to perform operations on secrets stored in Key Vault.

+**415** | Ensure that the extension identity for <Microsoft.ConnectedCredentials> has required permissions to access the credentials on the Key Vault.

+**416** | Check if the credentials exist on the Key Vault. Ensure that the extension identity for <Microsoft.ConnectedCredentials> has purge permissions on the Key Vault.

+**418** | Check if the credentials exist on the Key Vault. Ensure that the extension identity for <Microsoft.ConnectedCredentials> has required permissions to delete the credentials from Key Vault.

+## Operator error

+**Error code** | **Error Message** | **Possible Causes**| **Remediation**

+- | -| - | -

+400 | An internal error occurred. | The operation failed due to an unhandled error. | Retry the operation. If the issue persists, contact Support.

+401 | An attempt to update the resource specification faulted. | The operator service account might not have permissions to modify the custom resource. | Review permissions granted to the operator service account making sure it has privileges to update the custom resource, and retry the operation.

+402 | The transfer mode provided is not valid or supported. | The transfer mode used during credential resource creation isn't supported. | Review the transfer mode ensuring it is valid and supported, and retry the operation.

+403 | Failed to save credentials on the Kubernetes-based appliance. | The service account `connectedcredentials-sa` of the appliance operator <Microsoft.ConnectedCredentials> might not have required permissions to save credentials on the Kubernetes cluster. | Retry the operation after granting the required access to the appliance operator service account.

+404 | Failed to delete credentials from Key Vault (after syncing them to on-premises appliance).| The extension identity for <Microsoft.ConnectedCredentials> might not have required permissions to delete the credentials from Key Vault. | Check if the credentials exist on the Key Vault. Ensure that the extension identity for <Microsoft.ConnectedCredentials> has required permissions to delete the credentials from Key Vault.

+405 | Failed to access the secret on the Key Vault. | The Key Vault cannot be found as it could have been deleted. | Check if the Key Vault exists. If it exists, retry the operation after some time, else recreate a Key Vault with the same name and in the same Subscription and Resource Group as the Azure Migrate project.

+406 | Failed to access the secret on the Key Vault.| The extension identity for <Microsoft.ConnectedCredentials> might not have required permissions to access the credentials on the Key Vault. | Ensure that the extension identity for <Microsoft.ConnectedCredentials> has required permissions to access the credentials on the Key Vault.

+407 | Failed to connect with the endpoint of Key Vault. | The firewall rules associated with the Key Vault could be restricting access. | Check the firewall rules on the Key Vault, allow access from the appliance IP address and retry the operation.

+408 | Failed to access secret on Key Vault due to a conflicting operation.| The secret was modified by another operation causing a conflict in accessing the secret.| Ensure no other appliance extension on a different Kubernetes cluster is accessing secrets on the same Key Vault.

+409 | An attempt to access the secret on the Key Vault faulted because of the unsupported region. | Unsupported region. | Ensure the region is supported by the Key Vault, and retry the operation.

+410 | An attempt to access the secret faulted because of unsupported SKU. | Unsupported SKU. | Ensure the SKU is supported by the Key Vault and is valid, and retry the operation.

+411 | An attempt to access the secret faulted because the resource group is found to be missing.|Resource group is deleted. | Ensure the resource group exists and is valid, and retry the operation.

+412 | An attempt to access the secret faulted because the access was denied. | The Certificate associated with the extension's identity is expired. | NA

+413 | Failed to access the secret on Key Vault due to an unknown error. | Key Vault access policies and network access rules are not configured properly.| The Key Vault access or network policies might not be configured properly. Ensure that the Key Vault is accessible from the appliance on-premises and the extension identity for <Microsoft.ConnectedCredentials> has required permissions to perform operations on secrets stored in Key Vault.

+414 | Failed to access the secret on Key Vault as it couldn't be found. | The secret could have been deleted while the operation was in progress. | Check if the secret exists in the Key Vault. If it doesn't exist, delete the existing credentials, and add it again.

+415 | Failed to access the secret on the Key Vault. | The extension identity for <Microsoft.ConnectedCredentials> might not have required permissions to access the credentials on the Key Vault. | Ensure that the extension identity for Microsoft.ConnectedCredentials has required permissions to access the credentials on the Key Vault.

+416 | Failed to delete credentials from Key Vault (after syncing them to on-premises appliance). | The extension identity for <Microsoft.ConnectedCredentials> might not have required permissions to delete the credentials from Key Vault. | Check if the credentials exist on the Key Vault. Ensure that the extension identity for <Microsoft.ConnectedCredentials> has purge permissions on the Key Vault. If the Key Vault has been enabled with purge protection, secret will be automatically cleaned up after the purge protection window.

+417 | Failed to access the secret on the Key Vault. | The Key Vault can't be found as it could have been deleted.| Check if the Key Vault exists. If it exists, then retry the operation after some time, else recreate a Key Vault with the same name and in the same Subscription and Resource Group as the Azure Migrate project.

+418 | Failed to purge a deleted secret from the Key Vault. | The secret delete operation might not have completed.| Check if the credentials exist on the Key Vault. Ensure that the extension identity for <Microsoft.ConnectedCredentials> has required permissions to delete the credentials from Key Vault.

+## Supported geographies

+|**Geography**|

+|-|

+|Asia Pacific|

+|Korea|

+|Japan|

+|United States|

+|Europe|

+|United Kingdom|

+|Canada|

+|Australia|

+|France|

+1. Select the project where you have set up the Azure Migrate appliance as part of the prerequisites.

+1. You see a message above Azure Migrate: Discovery and assessment tile to onboard a Kubernetes-based appliance to enable discovery of Spring Boot applications.

+ :::image type="content" source="./media/tutorial-discover-spring-boot/discover-banner-inline.png" alt-text="Screenshot shows the banner for discovery and assessment of web apps." lightbox="./media/tutorial-discover-spring-boot/discover-banner-expanded.png":::

+5. You can proceed by selecting the link on the message, which helps you get started with onboarding Kubernetes-based appliance.

+

+ > [!Note]

+ > We recommend you choose a Kubernetes cluster with disk encryption for its services. [Learn more](#encryption-at-rest) about encrypting data at rest in Kubernetes.

+ :::image type="content" source="./media/tutorial-discover-spring-boot/onboard-kubernetes-inline.png" alt-text="Screenshot displays the Onboard Kubernetes appliance screen." lightbox="./media/tutorial-discover-spring-boot/onboard-kubernetes-expanded.png":::

+6. In Step 1: Set up an appliance, select **Bring your own Kubernetes cluster** - You must bring your own Kubernetes cluster running on-premises, connect it to Azure Arc and use the installer script to set up the appliance.

+#### Bring your own Kubernetes cluster

+1. In **Step 2: Choose connected cluster**, you need to select an existing Azure Arc connected cluster from your subscription. If you do not have an existing connected cluster, you can Arc enable a Kubernetes cluster running on-premises by following the steps [here](../azure-arc/kubernetes/quickstart-connect-cluster.md?tabs=azure-cli).

+ > You can only select an existing connected cluster, deployed in the same region as that of your Azure Migrate project.

+ :::image type="content" source="./media/tutorial-discover-spring-boot/choose-cluster-inline.png" alt-text="Screenshot displays Choose cluster option in the Onboard Kubernetes appliance screen." lightbox="./media/tutorial-discover-spring-boot/choose-cluster-expanded.png":::

+2. In Step 3: Provide appliance details for Azure Migrate, the appliance name is prepopulated, but you can choose to provide your own friendly name to the appliance.

+3. You can select a Key Vault from the drop-down or **Create new** Key Vault. This Key Vault is used to process the credentials provided in the project to start discovery of Spring Boot applications.

+ > The Key Vault can be chosen or created in the same subscription and region as that of the Azure Migrate project. When creating/selecting a Key Vault, make sure that purge protection is disabled else there will be issues in processing of credentials through the Key Vault.

+4. After providing the appliance name and Key Vault, select **Generate script** to generate an installer script that you can copy and paste on a Linux server on-premises. Before executing the script, ensure that you meet the following prerequisites on the Linux server:

+ **Hardware configuration required** | 6 GB RAM, with 30 GB storage on root volume, 4 Core CPU

+#### Connect using an outbound proxy server

+If your machine is behind an outbound proxy server, requests must be routed via the outbound proxy server. Follow these steps to provide proxy settings:

+1. Open the terminal on the server and execute the following command setup environment variables as a root user:

+ `sudo su -`

+2. On the deployment machine, set the environment variables needed for `deploy.sh` to use the outbound proxy server:

+ ```

+ export HTTP_PROXY=ΓÇ¥<proxy-server-ip-address>:<port>ΓÇ¥

+ export HTTPS_PROXY=ΓÇ¥<proxy-server-ip-address>:<port>ΓÇ¥

+ export NO_PROXY=ΓÇ¥ΓÇ¥

+ ```

+3. If your proxy uses a certificate, provide the absolute path to the certificate.

+ `export PROXY_CERT=ΓÇ¥ΓÇ¥`

+> [!Note]

+> The machine uses proxy details while installing the required prerequisites to run the `deploy.sh` script . It won't override the proxy settings of the Azure Arc-enabled Kubernetes cluster.

+> - This script needs to be run after you connect to a Linux machine on its terminal that meets the networking prerequisites and OS compatibility.

+> - Ensure that you have curl installed on the server. For Ubuntu, you can install it using the command `sudo apt-get install curl`, and for other OS (RHEL/Centos), you can use the `yum install curl` command.

+> [!Important]

+> Don't edit the script unless you want to clean up the setup.

+##### Reinstallation

+If you encounter any issue during script execution, you need to run the script in *delete* mode by adding the following after line #19 in the `deploy.sh` script:

+`export DELETE= ΓÇ£trueΓÇ¥`

+## Encryption at rest

+As you're bringing your own Kubernetes cluster, there's a shared responsibility to ensure that the secrets are secured.

+- We recommend you choose a Kubernetes cluster with disk encryption for its services.

+- [Learn more](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/) about encrypting data at rest in Kubernetes.

+ :::image type="content" source="./media/tutorial-discover-spring-boot/pending-action-inline.png" alt-text="Screenshot displays the Pending action option." lightbox="./media/tutorial-discover-spring-boot/pending-action-expanded.png":::

+4. Find the Kubernetes-based appliance that you have set up and select **Credentials unavailable** status to configure the appliance.

+ :::image type="content" source="./media/tutorial-discover-spring-boot/appliances-inline.png" alt-text="Screenshot displays the details of the appliance." lightbox="./media/tutorial-discover-spring-boot/appliances-expanded.png":::

+ :::image type="content" source="./media/tutorial-discover-spring-boot/manage-appliances-inline.png" alt-text="Screenshot displays the Manage credentials option." lightbox="./media/tutorial-discover-spring-boot/manage-appliances-expanded.png":::

+ > [!Note]

+ > - The credentials added on the portal are processed via the Azure Key Vault chosen in the initial steps of onboarding the Kubernetes-based appliance. The credentials are then synced (saved in an encrypted format) to the Kubernetes cluster on the appliance and removed from the Azure Key Vault.

+ > - After the credentials have been successfully synced, they would be used for discovery of the specific workload in the next discovery cycle.

+ > [!Note]

+ > You can add/update credentials any time by navigating to **Azure Migrate: Discovery and assessment** > **Overview** > **Manage** > **Appliances** page, selecting **Manage credentials** from the options available in the Kubernetes-based appliance.

+## Overview of Discovery results

+The **Discovered servers** screen provides the following information:

+- Displays all running Spring Boot workloads on your server-based environment.

+- Lists the basic information of each server in a table format.

+Select any web app to view its details. The **Web apps** screen provides the following information:

+- Provides a comprehensive view of each Spring Boot process on each server.

+- Displays the detailed information of each process, including:

+ - JDK version and Spring Boot version.

+ - Environment variable names and JVM options that are configured.

+ - Application configuration and certificate files in use.

+ - Location of JAR file for the process on the server.

+ - Static content locations and binding ports.

+ When working with multiple databases across data platforms and cloud deployment models, performing the most common tasks on all your databases using a single tool enhances productivity several fold. With the MySQL extension for Azure Data Studio, you can now connect to and modify MySQL databases along with your other databases, taking advantage of the modern editor experience and capabilities in Azure Data Studio, such as IntelliSense, code snippets, source control integration, native Jupyter Notebooks, an integrated terminal, and more. Use this new tooling with any MySQL server hosted on-premises, on virtual machines, on managed MySQL in other clouds, and on Azure Database for MySQL ΓÇô Flexible Server. [Learn more](/azure-data-studio/quickstart-mysql).

+* For Single Server instance with **SSL enabled**, ensure you have all three certificates (**[BaltimoreCyberTrustRoot](https://www.digicert.com/CACerts/BaltimoreCyberTrustRoot.crt.pem), [DigiCertGlobalRootG2 Root CA](https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem) and [DigiCertGlobalRootCA Root CA](https://dl.cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem)**) available in the trusted root store. Additionally, if you have the certificate pinned to the connection string create a combined CA certificate with all three certificates before scheduled auto-migration to ensure business continuity post-migration.

+- If the Azure Database for MySQL - Single Server instance has server parameter 'lower_case_table_names' set to 2 and your application used partition tables, MySQL Import will result in corrupted partition tables. The recommendation is to set 'lower_case_table_names' to 1 for your Azure Database for MySQL - Single Server instance in order to proceed with corruption-free MySQL Import operation.

+3. Test the private link connection for the PostgreSQL server using any available client. The following example uses [Azure Data studio](/azure-data-studio/download-azure-data-studio) to do the operation.

+3. Test the private link connection for the PostgreSQL server using any available client. In the example below I have used [Azure Data studio](/azure-data-studio/download-azure-data-studio) to do the operation.

+1. Select the signal you want the alert to be based on and follow the rest of the create instructions. For more information on alert options and setting actions groups used for notification, please refer to [the Azure Monitor alerts create and edit documentation](../azure-monitor/alerts/alerts-create-new-alert-rule.md?tabs=metric).

+- [Learn more about Azure Monitor alerts](../azure-monitor/alerts/alerts-overview.md).

+description: Establish high availability for SAP NetWeaver on Azure Virtual Machines Red Hat Enterprise Linux (RHEL) with NFS on Azure Files.

+# High availability for SAP NetWeaver on VMs on RHEL with NFS on Azure Files

+This article describes how to deploy and configure virtual machines (VMs), install the cluster framework, and install a high-availability (HA) SAP NetWeaver system by using [NFS on Azure Files](../../storage/files/files-nfs-protocol.md). The example configurations use VMs that run on Red Hat Enterprise Linux (RHEL).

+ * A list of Azure VM sizes that are supported for the deployment of SAP software.

+ * Important capacity information for Azure VM sizes.

+ * Supported SAP software and operating system (OS) and database combinations.

+ * Required SAP kernel version for Windows and Linux on Microsoft Azure.

+* SAP Note [2002167] has recommended OS settings for Red Hat Enterprise Linux 7.x.

+* SAP Note [2772999] has recommended OS settings for Red Hat Enterprise Linux 8.x.

+* SAP Note [2009879] has SAP HANA Guidelines for Red Hat Enterprise Linux.

+* SAP Note [1999351] has more troubleshooting information for the Azure Enhanced Monitoring Extension for SAP.

+* [SAP Netweaver in Pacemaker cluster](https://access.redhat.com/articles/3150081)

+* General RHEL documentation:

+ * [Configuring ASCS/ERS for SAP NetWeaver with Standalone Resources in RHEL 7.5](https://access.redhat.com/articles/3569681)

+To deploy the SAP NetWeaver application layer, you need shared directories like `/sapmnt/SID` and `/usr/sap/trans` in the environment. Additionally, when you deploy an HA SAP system, you need to protect and make highly available file systems like `/sapmnt/SID` and `/usr/sap/SID/ASCS`.

+Now you can place these file systems on [NFS on Azure Files](../../storage/files/files-nfs-protocol.md). NFS on Azure Files is an HA storage solution. This solution offers synchronous zone-redundant storage (ZRS) and is suitable for SAP ASCS/ERS instances deployed across availability zones. You still need a Pacemaker cluster to protect single point of failure components like SAP NetWeaver central services (ASCS/SCS).

+| ABAP SAP central services (ASCS) | 00 |

+| ABAP SAP central services (ASCS) | 02 |

+| Additional application server (AAS) | 03 |

+ This diagram shows a typical SAP NetWeaver HA architecture. The `sapmnt` and `saptrans` file systems are deployed on NFS shares on Azure Files. The SAP central services are protected by a Pacemaker cluster. The clustered VMs are behind an instance of Azure Load Balancer. The NFS shares are mounted through private endpoints.

+This document assumes that you already deployed an [Azure virtual network](../../virtual-network/virtual-networks-overview.md), subnet, and resource group.

+1. Deploy your VMs. Choose a [suitable deployment type](./sap-high-availability-architecture-scenarios.md#comparison-of-different-deployment-types-for-sap-workload). You can deploy VMs in availability zones, if the Azure region supports zones, or in availability sets. If you need more IP addresses for your VMs, deploy and attach a second NIC. Don't add secondary IP addresses to the primary NIC. [Azure Load Balancer Floating IP doesn't support this scenario](../../load-balancer/load-balancer-multivip-overview.md#limitations).

+1. For your virtual IPs, deploy and configure an instance of [Load Balancer](../../load-balancer/load-balancer-overview.md). We recommend that you use a [Standard load balancer](../../load-balancer/quickstart-load-balancer-standard-public-portal.md).

+ 1. Configure two front-end IPs. One is for ASCS (`10.90.90.10`) and one is for ERS (`10.90.90.9`).

+ 1. Create a back-end pool and add both VMs, which will be part of the cluster.

+ 1. Create the health probe for ASCS. The probe port is `62000`. Create the probe port for ERS. The ERS probe port is `62101`. When you configure the Pacemaker resources later on, you must use matching probe ports.

+ 1. Configure the load-balancing rules for ASCS and ERS. Select the corresponding front IPs, health probes, and the back-end pool. Select HA ports, increase the idle timeout to 30 minutes, and enable floating IP.

+NFS on Azure Files runs on top of [Azure Files premium storage][afs-azure-doc]. Before you set up NFS on Azure Files, see [How to create an NFS share](../../storage/files/storage-files-how-to-create-nfs-shares.md?tabs=azure-portal).

+* [Zone-redundant storage (ZRS)](../../storage/common/storage-redundancy.md#zone-redundant-storage), which replicates your data synchronously across the three [availability zones](../../availability-zones/az-overview.md) in the region.

+Check if your selected Azure region offers NFS 4.1 on Azure Files with the appropriate redundancy. Review the [availability of Azure Files by Azure region][afs-avail-matrix] under **Premium Files Storage**. If your scenario benefits from ZRS, [verify that premium file shares with ZRS are supported in your Azure region](../../storage/common/storage-redundancy.md#zone-redundant-storage).

+We recommend that you access your Azure Storage account through an [Azure private endpoint](../../storage/files/storage-files-networking-endpoints.md?tabs=azure-portal). Make sure to deploy the Azure Files storage account endpoint and the VMs, where you need to mount the NFS shares, in the same Azure virtual network or peered Azure virtual networks.

+1. Deploy an Azure Files storage account named `sapafsnfs`. In this example, we use ZRS. If you're not familiar with the process, see [Create a storage account](../../storage/files/storage-how-to-create-file-share.md?tabs=azure-portal#create-a-storage-account) for the Azure portal.

+1. On the **Basics** tab, use these settings:

+ 1. For **Performance**, select **Premium**.

+ 1. For **Premium account type**, select **FileStorage**.

+ 1. For **Replication**, select **zone redundancy (ZRS)**.

+1. Select **Next**.

+1. On the **Advanced** tab, clear **Require secure transfer for REST API Operations**. If you don't clear this option, you can't mount the NFS share to your VM. The mount operation will time out.

+1. Select **Next**.

+1. In the **Networking** section, configure these settings:

+ 1. Under **Private endpoint**, select **Add private endpoint**.

+1. On the **Create private endpoint** pane, select your **Subscription**, **Resource group**, and **Location**.

+ Under **Networking**, for **Virtual network**, select the virtual network and subnet to use. Again, you can use the virtual network where your SAP VMs are or a peered virtual network.

+1. On the **Networking** tab again, select **Next**.

+1. On the **Data protection** tab, keep all the default settings.

+1. Select **Review + create** to validate your configuration.

+1. Wait for the validation to finish. Fix any issues before you continue.

+1. On the **Review + create** tab, select **Create**.

+1. Select or search for **Storage accounts**.

+1. On the **Storage accounts** page, select **sapafsnfs**.

+1. On the resource menu for **sapafsnfs**, under **Data storage**, select **File shares**.

+1. On the **File shares** page, select **File share**.

+ 1. Select an appropriate share size. For example, **128 GB**. Consider the size of the data stored on the share and IOPS and throughput requirements. For more information, see [Azure file share targets](../../storage/files/storage-files-scale-targets.md#azure-file-share-scale-targets).

+ 1. Select **NFS** as the protocol.

+ 1. Select **No root Squash**. Otherwise, when you mount the shares on your VMs, you can't see the file owner or group.

+> The preceding share size is only an example. Make sure to size your shares appropriately. Size is not only based on the size of the of data stored on the share but also based on the requirements for IOPS and throughput. For more information, see [Azure file share targets](../../storage/files/storage-files-scale-targets.md#azure-file-share-scale-targets).

+* The minimum share size is 100 GiB. You only pay for the [capacity of the provisioned shares](../../storage/files/understanding-billing.md#provisioned-model).

+* Size your NFS shares not only based on capacity requirements but also on IOPS and throughput requirements. For more information, see [Azure file share targets](../../storage/files/storage-files-scale-targets.md#azure-file-share-scale-targets).

+* Test the workload to validate your sizing and ensure that it meets your performance targets. To learn how to troubleshoot performance issues with NFS on Azure Files, see [Troubleshoot Azure file share performance](../../storage/files/files-troubleshoot-performance.md).

+* If your SAP system has a heavy batch jobs load, you might have millions of job logs. If the SAP batch job logs are stored in the file system, pay special attention to the sizing of the `sapmnt` share. As of SAP_BASIS 7.52, the default behavior for the batch job logs is to be stored in the database. For more information, see [Job log in the database][2360818].

+* Deploy a separate `sapmnt` share for each SAP system.

+* Don't use the `sapmnt` share for any other activity, such as interfaces, or `saptrans`.

+* Don't use the `saptrans` share for any other activity, such as interfaces, or `sapmnt`.

+* Avoid consolidating the shares for too many SAP systems in a single storage account. There are also [storage account performance scale targets](../../storage/files/storage-files-scale-targets.md#storage-account-scale-targets). Be careful not to exceed the limits for the storage account, too.

+* In general, don't consolidate the shares for more than five SAP systems in a single storage account. This guideline helps avoid exceeding the storage account limits and simplifies performance analysis.

+* In general, avoid mixing shares like `sapmnt` for nonproduction and production SAP systems in the same storage account.

+* We recommend that you deploy on RHEL 8.4 or higher to benefit from [NFS client improvements](../../storage/files/files-troubleshoot-linux-nfs.md#ls-hangs-for-large-directory-enumeration-on-some-kernels).

+* If you're deploying your VMs across availability zones, use a [storage account with ZRS](../../storage/common/storage-redundancy.md#zone-redundant-storage) in the Azure regions that support ZRS.

+## Set up (A)SCS

+### Deploy Azure Load Balancer via the Azure portal

+After you deploy the VMs for your SAP system, create a load balancer. Then, use the VMs in the back-end pool.

+1. Create an internal, Standard instance of Load Balancer.

+ 1. Create the front-end IP addresses.

+ 1. IP address 10.90.90.10 for the ASCS:

+ 1. Open the load balancer, select the front-end IP pool, and select **Add**.

+ 1. Enter the name of the new front-end IP pool (for example, **frontend.NW1.ASCS**).

+ 1. Set the **Assignment** to **Static** and enter the IP address (for example, **10.90.90.10**).

+ 1. Select **OK**.

+ 1. IP address 10.90.90.9 for the ASCS ERS:

+ * Repeat the preceding steps under "a" to create an IP address for the ERS (for example, **10.90.90.9** and **frontend.NW1.ERS**).

+ 1. Create a single back-end pool:

+ 1. Enter the name of the new back-end pool (for example, **backend.NW1**).

+ 1. Select **NIC** for **Backend Pool Configuration**.

+ 1. Select **Add a virtual machine**.

+ 1. Select the VMs of the ASCS cluster.

+ 1. Select **Add**.

+ 1. Select **Save**.

+ 1. Create the health probes.

+ 1. Port 620**00** for ASCS:

+ 1. Open the load balancer, select **Health probes**, and select **Add**.

+ 1. Enter the name of the new health probe (for example, **health.NW1.ASCS**).

+ 1. Select **TCP** as the protocol and the port 620**00** and keep **Interval 5**.

+ 1. Select **OK**.

+ 1. Port 621**01** for ASCS ERS:

+ * Repeat the preceding steps under "c" to create a health probe for the ERS (for example, 621**01** and **health.NW1.ERS**).

+ 1. Create load-balancing rules.

+ 1. Create a back-end pool for the ASCS:

+ 1. Open the load balancer, select **Load-balancing rules**, and select **Add**.

+ 1. Enter the name of the new load balancer rule (for example, **lb.NW1.ASCS**).

+ 1. Select the front-end IP address for ASCS, the back-end pool, and the health probe you created earlier (for example, **frontend.NW1.ASCS**, **backend.NW1**, and **health.NW1.ASCS**).

+ 1. Select **HA ports**.

+ 1. Increase the idle timeout to **30 minutes**.

+ 1. Make sure to enable **Floating IP**.

+ 1. Select **OK**.

+ * Repeat the preceding steps to create load-balancing rules for ERS (for example, **lb.NW1.ERS**).

+> Floating IP isn't supported on a NIC secondary IP configuration in load-balancing scenarios. For more information, see [Load Balancer limitations](../../load-balancer/load-balancer-multivip-overview.md#limitations). If you need another IP address for the VM, deploy a second NIC.

+> When VMs without public IP addresses are placed in the back-end pool of an internal (no public IP address) Standard instance of Load Balancer, there's no outbound internet connectivity unless more configuration is performed to allow routing to public endpoints. For more information on how to achieve outbound connectivity, see [Public endpoint connectivity for virtual machines using Azure Standard Load Balancer in SAP high-availability scenarios](./high-availability-guide-standard-load-balancer-outbound-connections.md).

+> Don't enable TCP timestamps on Azure VMs placed behind Load Balancer. Enabling TCP timestamps causes the health probes to fail. Set the parameter **net.ipv4.tcp_timestamps** to **0**. For more information, see [Load Balancer health probes](../../load-balancer/load-balancer-custom-probe-overview.md).

+### Create a Pacemaker cluster

+Follow the steps in [Set up Pacemaker on Red Hat Enterprise Linux in Azure](high-availability-guide-rhel-pacemaker.md) to create a basic Pacemaker cluster for this (A)SCS server.

+### Prepare for an SAP NetWeaver installation

+The following items are prefixed with:

+- **[A]**: Applicable to all nodes

+- **[1]**: Only applicable to node 1

+- **[2]**: Only applicable to node 2

+1. **[A]** Set up hostname resolution.

+ You can either use a DNS server or modify the `/etc/hosts` file on all nodes. This example shows how to use the `/etc/hosts` file. Replace the IP address and the hostname in the following commands:

+ Insert the following lines to `/etc/hosts`. Change the IP address and hostname to match your environment.

+1. **[A]** Install the NFS client and other requirements.

+1. **[1]** Create the SAP directories on the NFS share.

+ Mount the NFS share **sapnw1** temporarily on one of the VMs, and create the SAP directories that will be used as nested mount points.

+1. **[A]** Create the shared directories.

+1. **[A]** Check the version of `resource-agents-sap`.

+ Make sure that the version of the installed `resource-agents-sap` package is at least `3.9.5-124.el7`.

+1. **[A]** Add mount entries.

+1. **[A]** Configure the SWAP file.

+ Restart the agent to activate the change.

+1. **[A]** Configure RHEL.

+ Configure RHEL as described in SAP Note [2002167] for RHEL 7.x, SAP Note [2772999] for RHEL 8.x, or SAP Note [3108316] for RHEL 9.x.

+### Install SAP NetWeaver ASCS/ERS

+1. **[1]** Configure the cluster default properties.

+1. **[1]** Create a virtual IP resource and health probe for the ASCS instance.

+ Make sure that the cluster status is okay and that all resources are started. Which node the resources are running on isn't important.

+1. **[1]** Install SAP NetWeaver ASCS.

+ Install SAP NetWeaver ASCS as the root on the first node by using a virtual hostname that maps to the IP address of the load balancer front-end configuration for the ASCS, for example, **sapascs** and **10.90.90.10**, and the instance number that you used for the probe of the load balancer, for example, **00**.

+ You can use the `sapinst` parameter `SAPINST_REMOTE_ACCESS_USER` to allow a nonroot user to connect to `sapinst`.

+1. **[1]** Create a virtual IP resource and health probe for the ERS instance.

+ Make sure that the cluster status is okay and that all resources are started. Which node the resources are running on isn't important.

+1. **[2]** Install SAP NetWeaver ERS.

+ Install SAP NetWeaver ERS as the root on the second node by using a virtual hostname that maps to the IP address of the load balancer front-end configuration for the ERS, for example, **sapers** and **10.90.90.9**, and the instance number that you used for the probe of the load balancer, for example, **01**.

+ You can use the `sapinst` parameter `SAPINST_REMOTE_ACCESS_USER` to allow a nonroot user to connect to `sapinst`.

+1. **[1]** Adapt the ASCS/SCS and ERS instance profiles.

+ * ASCS/SCS profile:

+ ```bash

+ sudo vi /sapmnt/NW1/profile/NW1_ASCS00_sapascs

+ # Change the restart command to a start command

+ #Restart_Program_01 = local $(_EN) pf=$(_PF)

+ Start_Program_01 = local $(_EN) pf=$(_PF)

+ # Add the keep alive parameter, if using ENSA1

+ enque/encni/set_so_keepalive = true

+ ```

+ For both ENSA1 and ENSA2, make sure that the `keepalive` OS parameters are set as described in SAP Note [1410736](https://launchpad.support.sap.com/#/notes/1410736).

+ * ERS profile:

+ ```bash

+ sudo vi /sapmnt/NW1/profile/NW1_ERS01_sapers

+ # Change the restart command to a start command

+ #Restart_Program_00 = local $(_ER) pf=$(_PFL) NR=$(SCSID)

+ Start_Program_00 = local $(_ER) pf=$(_PFL) NR=$(SCSID)

+ # remove Autostart from ERS profile

+ # Autostart = 1

+ ```

+1. **[A]** Configure Keep Alive.

+ The communication between the SAP NetWeaver application server and the ASCS/SCS is routed through a software load balancer. The load balancer disconnects inactive connections after a configurable timeout. To prevent this action, set a parameter in the SAP NetWeaver ASCS/SCS profile, if you're using ENSA1. Change the Linux system `keepalive` settings on all SAP servers for both ENSA1 and ENSA2. For more information, see SAP Note [1410736][1410736].

+1. **[A]** Update the `/usr/sap/sapservices` file.

+ To prevent the start of the instances by the `sapinit` startup script, all instances managed by Pacemaker must be commented out from the `/usr/sap/sapservices` file.

+1. **[1]** Create the SAP cluster resources.

+ If you use enqueue server 1 architecture (ENSA1), define the resources as shown here:

+ SAP introduced support for enqueue server 2, including replication, as of SAP NW 7.52. Starting with ABAP Platform 1809, enqueue server 2 is installed by default. See SAP Note [2630416](https://launchpad.support.sap.com/#/notes/2630416) for enqueue server 2 support.

+ If you use enqueue server 2 architecture ([ENSA2](https://help.sap.com/viewer/cff8531bc1d9416d91bb6781e628d4e0/1709%20001/en-US/6d655c383abf4c129b0e5c8683e7ecd8.html)), install resource agent resource-agents-sap-4.1.1-12.el7.x86_64 or newer and define the resources as shown here:

+ If you're upgrading from an older version and switching to enqueue server 2, see SAP Note [2641322](https://launchpad.support.sap.com/#/notes/2641322).

+ > The timeouts in the preceding configuration are only examples and might need to be adapted to the specific SAP setup.

+ Make sure that the cluster status is okay and that all resources are started. Which node the resources are running on isn't important.

+1. **[1]** Run the following step to configure `priority-fencing-delay` (applicable only as of pacemaker-2.0.4-6.el8 or higher).

+ > If you have a two-node cluster, you have the option to configure the `priority-fencing-delay` cluster property. This property introduces additional delay in fencing a node that has higher total resource priority when a split-brain scenario occurs. For more information, see [Can Pacemaker fence the cluster node with the fewest running resources?](https://access.redhat.com/solutions/5110521).

+ > The property `priority-fencing-delay` is applicable for pacemaker-2.0.4-6.el8 version or higher. If you set up `priority-fencing-delay` on an existing cluster, make sure to clear the `pcmk_delay_max` setting in the fencing device.

+1. **[A]** Add firewall rules for ASCS and ERS on both nodes.

+ Some databases require that the database instance installation runs on an application server. Prepare the application server VMs to be able to use them in these cases.

+ The following steps assume that you install the application server on a server different from the ASCS/SCS and HANA servers. Otherwise, some of the steps (like configuring hostname resolution) aren't needed.

+ The following items are prefixed with:

+ - **[A]**: Applicable to both PAS and AAS

+ - **[P]**: Only applicable to PAS

+ - **[S]**: Only applicable to AAS

+1. **[A]** Set up hostname resolution.

+ You can either use a DNS server or modify the `/etc/hosts` file on all nodes. This example shows how to use the `/etc/hosts` file. Replace the IP address and the hostname in the following commands:

+ Insert the following lines to `/etc/hosts`. Change the IP address and hostname to match your environment.

+1. **[A]** Create the `sapmnt` directory.

+1. **[A]** Install the NFS client and other requirements.

+1. **[A]** Add mount entries.

+1. **[A]** Configure the SWAP file.

+ Restart the agent to activate the change.

+## Install the database

+In this example, SAP NetWeaver is installed on SAP HANA. You can use every supported database for this installation. For more information on how to install SAP HANA in Azure, see [High availability of SAP HANA on Azure VMs on Red Hat Enterprise Linux][sap-hana-ha]. For a list of supported databases, see SAP Note [1928533][1928533].

+Install the SAP NetWeaver database instance as a root by using a virtual hostname that maps to the IP address of the load balancer front-end configuration for the database.

+You can use the `sapinst` parameter `SAPINST_REMOTE_ACCESS_USER` to allow a nonroot user to connect to `sapinst`.

+1. **[A]** Prepare the application server.

+ Follow the steps in the previous section [SAP NetWeaver application server preparation](#sap-netweaver-application-server-preparation) to prepare the application server.

+1. **[A]** Install the SAP NetWeaver application server.

+ You can use the `sapinst` parameter `SAPINST_REMOTE_ACCESS_USER` to allow a nonroot user to connect to `sapinst`.

+1. **[A]** Update the SAP HANA secure store.

+ Run the following command to list the entries as `<sapsid>adm`.

+ All entries should be listed and look similar to:

+ In this example, the IP address of the default entry points to the VM, not the load balancer. Change the entry to point to the virtual hostname of the load balancer. Make sure to use the same port and database name. For example, use `30313` and `NW1` in the sample output.

+Thoroughly test your Pacemaker cluster. For more information, see [Execute the typical failover tests](./high-availability-guide-rhel.md#test-the-cluster-setup).

+* To deploy a cost-optimization scenario where the PAS and AAS instance is deployed with SAP NetWeaver HA cluster on RHEL, see [Install SAP dialog instance with SAP ASCS/SCS high-availability VMs on RHEL](high-availability-guide-rhel-with-dialog-instance.md).

+* See [HA for SAP NW on Azure VMs on RHEL for SAP applications multi-SID guide](./high-availability-guide-rhel-multi-sid.md).

+* See [Azure Virtual Machines planning and implementation for SAP][planning-guide].

+* See [Azure Virtual Machines deployment for SAP][deployment-guide].

+* See [Azure Virtual Machines DBMS deployment for SAP][dbms-guide].

+* To learn how to establish HA and plan for disaster recovery of SAP HANA on Azure (large instances), see [SAP HANA (large instances) high availability and disaster recovery on Azure](../../virtual-machines/workloads/sap/hana-overview-high-availability-disaster-recovery.md).

+* To learn how to establish HA and plan for disaster recovery of SAP HANA on Azure VMs, see [High availability of SAP HANA on Azure Virtual Machines][sap-hana-ha].

+* NFS on Azure Files - [Azure VMs high availability for SAP NW on RHEL with NFS on Azure Files](high-availability-guide-rhel-nfs-azure-files.md#prepare-for-an-sap-netweaver-installation)

+ Create a swap file as defined in [Create a SWAP file for an Azure Linux VM](/troubleshoot/azure/virtual-machines/create-swap-file-linux-vm)

+| [**Exhaustive K-Nearest Neighbors (KNN)**](vector-search-overview.md#eknn) | Vector search | Exhaustive K-Nearest Neighbors (KNN) is a new scoring algorithm for similarity search in vector space. It performs an exhaustive search for the nearest neighbors, useful for situations where high recall is more important than query performance. | Available in the 2023-10-01-Preview REST API. |

+Vectors can overcome the limitations of traditional keyword-based search by using machine learning models to capture the meaning of words and phrases in context, rather than relying solely on lexical analysis and matching of individual query terms. By capturing the intent of the query, vector search can return more relevant results that match the user's needs, even if the exact terms aren't present in the document.

+Additionally, vector search can be applied to different types of content, such as images and videos, not just text. This enables new search experiences such as multi-modal search or cross-language search in multi-lingual applications.

+*Embeddings* are a specific type of vector representation of content or a query, created by machine learning models that capture the semantic meaning of text or representations of other content such as images. Natural language machine learning models are trained on large amounts of data to identify patterns and relationships between words. During training, they learn to represent any input as a vector of real numbers in an intermediary step called the *encoder*. After training is complete, these language models can be modified so the intermediary vector representation becomes the model's output. The resulting embeddings are high-dimensional vectors, where words with similar meanings are closer together in the vector space, as explained in [Understand embeddings (Azure OpenAI)](/azure/ai-services/openai/concepts/understand-embeddings).

+In order to create effective embeddings for vector search, it's important to take input size limitations into account. We recommend following the [guidelines for chunking data](vector-search-how-to-chunk-documents.md) before generating embeddings. This best practice ensures that the embeddings accurately capture the relevant information and enable more efficient vector search.

+<a name="eknn"></a>

+### Nearest neighbors search

+In vector search, the search engine searches through the vectors within the embedding space to identify those that are near to the query vector. This technique is called *nearest neighbor search*. Nearest neighbors help quantify the similarity between items. A high degree of vector similarity indicates that the original data was similar too. To facilitate fast nearest neighbor search, the search engine will perform optimizations or employ data structures or data partitioning to reduce the search space. Each vector search algorithm will have different approaches to this problem, trading off different characteristics such as latency, throughput, recall, and memory. To compute similarity, similarity metrics provide the mechanism for computing this distance.

+Azure Cognitive Search currently supports the following algorithms:

+Within an index definition, you can specify one or more algorithms, and then for each vector field specify which algorithm to use:

+Algorithm parameters that are used to initialize the index during index creation are immutable and can't be changed after the index is built. Some parameters that affect the query-time characteristics might be modified.

+In addition, fields that specify HNSW algorithm also support exhaustive knn search using the [query request](vector-search-how-to-query.md) parameter `"exhaustive": true`. The opposite isn't true however. If a field is indexed for `exhaustiveKnn`, you can't use HNSW in the query because the additional data structures that enable efficient search donΓÇÖt exist.

+Approximate Nearest Neighbor search (ANN) is a class of algorithms for finding matches in vector space. This class of algorithms employs different data structures or data partitioning methods to significantly reduce the search space to accelerate query processing.

+ANN algorithms sacrifice some accuracy, but offer scalable and faster retrieval of approximate nearest neighbors, which makes them ideal for balancing accuracy against efficiency in modern information retrieval applications. You can adjust the parameters of your algorithm to fine-tune the recall, latency, memory, and disk footprint requirements of your search application.

+Azure Cognitive Search uses HNSW for its ANN algorithm.

+<!-- > [!NOTE]

+> To address this challenge, approximate nearest neighbor (ANN) search methods are used to trade off recall for speed. These methods can efficiently find a small set of candidate vectors that are similar to the query vector and have high likelihood to be in the globally most similar neighbors. Each algorithm has a different approach to reducing the total number of vectors comparisons, but they all share the ability to balance accuracy and efficiency by tweaking the algorithm configuration parameters. -->

+ Title: Vector relevance and ranking

+description: Explains the concepts behind vector relevance, scoring, including how matches are found in vector space and ranked in search results.

+# Relevance and ranking in vector search

+In vector query execution, the search engine looks for similar vectors to find the best candidates to return in search results. Depending on how you indexed the vector content, the search for relevant matches is either exhaustive, or constrained to near neighbors for faster processing. Once candidates are found, similarity metrics are used to score each result based on the strength of the match. This article explains the algorithms used to determine relevance and the similarity metrics used for scoring.

+## Determine relevance in vector search

+The algorithms that determine relevance are exhaustive k-nearest neighbors (KNN) and Hierarchical Navigable Small World (HNSW).

+Exhaustive KNN performs a brute-force search that enables users to search the entire vector space for matches that are most similar to the query. It does this by calculating the distances between all pairs of data points and finding the exact `k` nearest neighbors for a query point.

+HNSW is an algorithm used for efficient approximate nearest neighbor (ANN) search in high-dimensional spaces. It organizes data points into a hierarchical graph structure that enables fast neighbor queries by navigating through the graph while maintaining a balance between search accuracy and computational efficiency.

+Only fields marked as `searchable` in the index, or as `searchFields` in the query, are used for searching and scoring. Only fields marked as `retrievable`, or fields specified in `select` in the query, are returned in search results, along with their search score.

+### When to use exhaustive KNN

+This algorithm is intended for scenarios where high recall is of utmost importance, and users are willing to accept the trade-offs in search performance. Because it's computationally intensive, use exhaustive KNN for small to medium datasets, or when precision requirements outweigh query performance considerations.

+Another use is to build a dataset to evaluate approximate nearest neighbor algorithm recall. Exhaustive KNN can be used to build the ground truth set of nearest neighbors.

+Exhaustive KNN support is available through [2023-10-01-Preview REST API](/rest/api/searchservice/search-service-api-versions#2023-10-01-Preview) and in Azure SDK client libraries that target that REST API version.

+### When to use HNSW

+HNSW is recommended for most scenarios due to its efficiency when searching over larger data sets. Internally, HNSW creates extra data structures for faster search. However, you aren't locked into using them on every search. HNSW has several configuration parameters that can be tuned to achieve the throughput, latency, and recall objectives for your search application. For example, at query time, you can specify options for exhaustive search, even if the vector field is indexed for HNSW.

+## How nearest neighbor search works

+Vector queries execute against an embedding space consisting of vectors generated from the same embedding model. Generally, the input value within a query request is fed into the same machine learning model that generated embeddings in the vector index. The output is a vector in the same embedding space. Since similar vectors are clustered close together, finding matches is equivalent to finding the vectors that are closest to the query vector, and returning the associated documents as the search result.

+When vector fields are indexed for exhaustive KNN, the query executes against "all neighbors". For fields indexed for HNSW, the search engine uses an HNSW graph to search over a subset of nodes within the vector index.

+### Creating the HNSW graph

+A similarity metric measures the distance between neighboring vectors.

+| `cosine` | This metric measures the angle between two vectors, and isn't affected by differing vector lengths. Mathematically, it calculates the angle between two vectors. Cosine is the similarity metric used by [Azure OpenAI embedding models](/azure/ai-services/openai/concepts/understand-embeddings#cosine-similarity), so if you're using Azure OpenAI, specify `cosine` in the vector configuration.|

+| `dotProduct` | This metric measures both the length of each pair of two vectors, and the angle between them. Mathematically, it calculates the products of vectors' magnitudes and the angle between them. For normalized vectors, this is identical to `cosine` similarity, but slightly more performant. |

+| `euclidean` | (also known as `l2 norm`) This metric measures the length of the vector difference between two vectors. Mathematically, it calculates the Euclidean distance between two vectors, which is the l2-norm of the difference of the two vectors. |

+## Scores in a vector search results

+Whenever results are ranked, **`@search.score`** property contains the value used to order the results.

+| Search method | Parameter | Scoring algorithm | Range |

+||--|-|-|

+| vector search | `@search.score` | HNSW or KNN algorithm, using the similarity metric specified in the algorithm configuration. | 0.333 - 1.00 (Cosine) |

+| [**Exhaustive K-Nearest Neighbors (KNN)**](vector-search-overview.md#eknn) | Feature | Exhaustive K-Nearest Neighbors (KNN) is a new scoring algorithm for similarity search in vector space. It performs an exhaustive search for the nearest neighbors, useful for situations where high recall is more important than query performance. Available in the 2023-10-01-Preview REST API only. |

+| **References** | [Authentication Scenarios for Microsoft Entra ID](../../active-directory/develop/authentication-vs-authorization.md), [Microsoft Entra code Samples](/azure/active-directory/azuread-dev/sample-v1-code), [Microsoft Entra developer's guide](../../active-directory/develop/index.yml) |

+description: Technical overview of Customer Lockbox for Microsoft Azure, which provides control over cloud provider access when Microsoft might need to access customer data.

+Most operations, support, and troubleshooting performed by Microsoft personnel and sub-processors do not require access to customer data. In those rare circumstances where such access is required, Customer Lockbox for Microsoft Azure provides an interface for customers to review and approve or reject customer data access requests. It is used in cases where a Microsoft engineer needs to access customer data, whether in response to a customer-initiated support ticket or a problem identified by Microsoft.

+## Supported services

+The following services are currently supported for Customer Lockbox:

+- Azure API Management

+- Azure App Service

+- Azure Cognitive Search

+- Azure Cognitive Services

+- Azure Container Registry

+- Azure Data Box

+- Azure Data Explorer

+- Azure Data Factory

+- Azure Data Manager for Energy

+- Azure Database for MySQL