-

-* Microsoft Graph

-* PowerShell - `Get-AzureADServicePrincipal -All:$true`

-For more information, see [Get-AzureADServicePrincipal](/powershell/module/azuread/get-azureadserviceprincipal)

-| Detect the user who consented to a multi-tenant app, and detect illicit consent grants to a multi-tenant app | - Run the following PowerShell to find multi-tenant apps <br>`Get-AzureADServicePrincipal -All:$true ? {$_.Tags -eq WindowsAzureActiveDirectoryIntegratedApp"}`</br> - Disable user consent </br> - Allow user consent from verified publishers, for selected permissions (recommended) </br> - Configure them in the user context </br> - Use their tokens to trigger the service principal|

-1. For **State**, click **Microsoft managed** or **Enabled**. In the following screenshot, the registration campaign is **Microsoft managed**. That setting allows Microsoft to set the default value to be either Enabled or Disabled. From Sept. 25 to Oct. 20, 2023, the Microsoft managed value for the registration campaing will change to **Enabled** for voice call and text message users across all tenants. For more information, see [Protecting authentication methods in Azure Active Directory](concept-authentication-default-enablement.md).

-description: How to get started with your Microsoft Entra Permissions Management free trial

-# Trial user guide: Microsoft Entra Permissions Management

-Welcome to the Microsoft Entra Permissions Management trial user guide!

-This user guide is a simple guide to help you make the most of your free trial, including the Permissions Management Cloud Infrastructure Assessment to help you identify and remediate the most critical permission risks across your multicloud infrastructure. Using the suggested steps in this user guide from the Microsoft Identity team, you'll learn how Permissions Management can assist you to protect all your users and data.

-## What is Permissions Management?

-Permissions Management is a cloud infrastructure entitlement management (CIEM) solution that provides comprehensive visibility into permissions assigned to all identities including both workload and user identities, actions, and resources across multicloud infrastructures in Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP). Permissions Management detects, automatically right-sizes, and continuously monitors unused and excessive permissions.

-Permissions Management helps your organization tackle cloud permissions by enabling the capabilities to continuously discover, remediate and monitor the activity of every unique user and workload identity operating in the cloud, alerting security and infrastructure teams to areas of unexpected or excessive risk.

-

-## Step 1: Set-up Permissions Management

-Before you enable Permissions Management in your organization:

-If the above points are met, continue with the following steps:

-1. [Enabling Permissions Management on your Microsoft Entra tenant](../cloud-infrastructure-entitlement-management/onboard-enable-tenant.md#how-to-enable-permissions-management-on-your-azure-ad-tenant)

-2. Use the **Data Collectors** dashboard in Permissions Management to configure data collection settings for your authorization system. [Configure data collection settings](../cloud-infrastructure-entitlement-management/onboard-enable-tenant.md#configure-data-collection-settings).

- Note that for each cloud platform, you will have 3 options for onboarding:

- **Option 1 (Recommended): Automatically manage** ΓÇô this option allows subscriptions to be automatically detected and monitored without additional configuration.

- **Option 2**: **Enter authorization systems** - you have the ability to specify only certain subscriptions to manage and monitor with MEPM (up to 100 per collector).

- **Option 3**: **Select authorization systems** - this option detects all subscriptions that are accessible by the Cloud Infrastructure Entitlement Management application.

- For information on how to onboard an AWS account, Azure subscription, or GCP project into Permissions Management, select one of the following articles and follow the instructions:

- - [Onboard an AWS account](../cloud-infrastructure-entitlement-management/onboard-aws.md)

- - [Onboard a Microsoft Azure subscription](../cloud-infrastructure-entitlement-management/onboard-azure.md)

- - [Onboard a GCP project](../cloud-infrastructure-entitlement-management/onboard-gcp.md)

-3. [Enable or disable the controller after onboarding is complete](../cloud-infrastructure-entitlement-management/onboard-enable-controller-after-onboarding.md)

-4. [Add an account/subscription/project after onboarding is complete](../cloud-infrastructure-entitlement-management/onboard-add-account-after-onboarding.md)

- **Actions to try:**

-

- - [View roles/policies and requests for permission](../cloud-infrastructure-entitlement-management/ui-remediation.md#view-and-create-rolespolicies)

- - [View information about roles/ policies](../cloud-infrastructure-entitlement-management/ui-remediation.md#view-and-create-rolespolicies)

- - [View information about active and completed tasks](../cloud-infrastructure-entitlement-management/ui-tasks.md)

- - [Create a role/policy](../cloud-infrastructure-entitlement-management/how-to-create-role-policy.md)

- - [Clone a role/policy](../cloud-infrastructure-entitlement-management/how-to-clone-role-policy.md)

- - [Modify a role/policy](../cloud-infrastructure-entitlement-management/how-to-modify-role-policy.md)

- - [Delete a role/policy](../cloud-infrastructure-entitlement-management/how-to-delete-role-policy.md)

- - [Attach and detach policies for Amazon Web Services (AWS) identities](../cloud-infrastructure-entitlement-management/how-to-attach-detach-permissions.md)

- - [Add and remove roles and tasks for Microsoft Azure and Google Cloud Platform (GCP) identities](../cloud-infrastructure-entitlement-management/how-to-add-remove-role-task.md)

- - [Revoke access to high-risk and unused tasks or assign read-only status for Microsoft Azure and Google Cloud Platform (GCP) identities](../cloud-infrastructure-entitlement-management/how-to-revoke-task-readonly-status.md)

- - [Create or approve a request for permissions](../cloud-infrastructure-entitlement-management/how-to-create-approve-privilege-request.md) Request permissions on-demand for one-time use or on a schedule. These permissions will automatically be revoked at the end of the requested period.

-## Step 2: Discover & assess

-Improve your security posture by getting comprehensive and granular visibility to enforce the principle of least privilege access across your entire multicloud environment. The Permissions Management dashboard gives you an overview of your permission profile and locates where the riskiest identities and resources are across your digital estate.

-The dashboard leverages the Permission Creep Index, which is a single and unified metric, ranging from 0 to 100, that calculates the gap between permissions granted and permissions used over a specific period. The higher the gap, the higher the index and the larger the potential attack surface. The Permission Creep Index only considers high-risk actions, meaning any action that can cause data leakage, service disruption degradation, or security posture change. Permissions Management creates unique activity profiles for each identity and resource which are used as a baseline to detect anomalous behaviors.

-1. [View risk metrics in your authorization system](../cloud-infrastructure-entitlement-management/ui-dashboard.md#view-metrics-related-to-avoidable-risk) in the Permissions Management Dashboard. This information is available for Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP).

- 1. View metrics related to avoidable risk - these metrics allow the Permission Management administrator to identify areas where they can reduce risks related to the principle of least permissions. Information includes [the Permissions Creep Index (PCI)](../cloud-infrastructure-entitlement-management/ui-dashboard.md#the-pci-heat-map) and [Analytics Dashboard](../cloud-infrastructure-entitlement-management/usage-analytics-home.md).

-

- 1. Understand the [components of the Permissions Management Dashboard.](../cloud-infrastructure-entitlement-management/ui-dashboard.md#components-of-the-permissions-management-dashboard)

-

-2. View data about the activity in your authorization system

- 1. [View user data on the PCI heat map](../cloud-infrastructure-entitlement-management/product-dashboard.md#view-user-data-on-the-pci-heat-map).

- > [!NOTE]

- > The higher the PCI, the higher the risk.

-

- 2. [View information about users, roles, resources, and PCI trends](../cloud-infrastructure-entitlement-management/product-dashboard.md#view-information-about-users-roles-resources-and-pci-trends)

- 3. [View identity findings](../cloud-infrastructure-entitlement-management/product-dashboard.md#view-identity-findings)

- 4. [View resource findings](../cloud-infrastructure-entitlement-management/product-dashboard.md#view-resource-findings)

-3. [Configure your settings for data collection](../cloud-infrastructure-entitlement-management/product-data-sources.md) - use the **Data Collectors** dashboard in Permissions Management to view and configure settings for collecting data from your authorization systems.

-4. [View organizational and personal information](../cloud-infrastructure-entitlement-management/product-account-settings.md) - the **Account settings** dashboard in Permissions Management allows you to view personal information, passwords, and account preferences.

-5. [Select group-based permissions settings](../cloud-infrastructure-entitlement-management/how-to-create-group-based-permissions.md)

-6. [View information about identities, resources and tasks](../cloud-infrastructure-entitlement-management/usage-analytics-home.md) - the **Analytics** dashboard displays detailed information about:

- 1. **Users**: Tracks assigned permissions and usage by users. For more information, see View analytic information about users.

- 2. **Groups**: Tracks assigned permissions and usage of the group and the group members. For more information, see View analytic information about groups

- 3. **Active Resources**: Tracks resources that have been used in the last 90 days. For more information, see View analytic information about active resources

- 4. **Active Tasks**: Tracks tasks that have been performed in the last 90 days. For more information, see View analytic information about active tasks

- 5. **Access Keys**: Tracks the permission usage of access keys for a given user. For more information, see View analytic information about access keys

- 6. **Serverless Functions**: Tracks assigned permissions and usage of the serverless functions for AWS only. For more information, see View analytic information about serverless functions

- System administrators can use this information to make decisions about granting permissions and reducing risk on unused permissions.

-## Step 3: Remediate & manage

-Right-size excessive and/or unused permissions in only a few clicks. Avoid any errors caused by manual processes and implement automatic remediation on all unused permissions for a predetermined set of identities and on a regular basis. You can also grant new permissions on-demand for just-in-time access to specific cloud resources.

-There are two facets to removing unused permissions: least privilege policy creation (remediation) and permissions-on-demand. With remediation, an administrator can create policies that remove unused permissions (also known as right-sizing permissions) to achieve least privilege across their multicloud environment.

- The dashboard includes six subtabs:

- - **Roles/Policies**: Use this subtab to perform Create Read Update Delete (CRUD) operations on roles/policies.

- - **Role/Policy Name** ΓÇô Displays the name of the role or the AWS policy

- - Note: An exclamation point (!) circled in red means the role or AWS policy has not been used.

- - Role Type ΓÇô Displays the type of role or AWS policy

- - **Permissions**: Use this subtab to perform Read Update Delete (RUD) on granted permissions.

- - **Role/Policy Template**: Use this subtab to create a template for roles/policies template.

- - **Requests**: Use this subtab to view approved, pending, and processed Permission on Demand (POD) requests.

- - **My Requests**: Use this tab to manage lifecycle of the POD request either created by you or needs your approval.

- - **Settings**: Use this subtab to select **Request Role/Policy Filters**, **Request Settings**, and **Auto-Approve** settings.

-**Best Practices for Remediation:**

-**Best Practices for Permissions On-demand:**

- **Actions to try:**

- - [Manage users](../cloud-infrastructure-entitlement-management/ui-user-management.md#manage-users)

- - [Manage groups](../cloud-infrastructure-entitlement-management/ui-user-management.md#manage-groups)

- - [Select group-based permissions settings](../cloud-infrastructure-entitlement-management/how-to-create-group-based-permissions.md)

-## Step 4: Monitor & alert

-Prevent data breaches caused by misuse and malicious exploitation of permissions with anomaly and outlier detection that alerts on any suspicious activity. Permissions Management continuously updates your Permission Creep Index and flags any incident, then immediately informs you with alerts via email. To further support rapid investigation and remediation, you can generate context-rich forensic reports around identities, actions, and resources.

- **Actions to try:**

-

- - [Use a query to view information](../cloud-infrastructure-entitlement-management/ui-audit-trail.md)

- - [Create a custom query](../cloud-infrastructure-entitlement-management/how-to-create-custom-queries.md)

- - [Generate an on-demand report from a query](../cloud-infrastructure-entitlement-management/how-to-audit-trail-results.md)

- - [Filter and query user activity](../cloud-infrastructure-entitlement-management/product-audit-trail.md)

-Use the **Activity triggers** dashboard to view information and set alerts and triggers.

- Our customizable machine learning-powered anomaly and outlier detection alerts will notify you of any suspicious activity such as deviations in usage profiles or abnormal access times. Alerts can be used to alert on permissions usage, access to resources, indicators of compromise, insider threats, or to track previous incidents.

- **Actions to try**

- - [View information about alerts and alert triggers](../cloud-infrastructure-entitlement-management/ui-triggers.md)

- - [Create and view activity alerts and alert triggers](../cloud-infrastructure-entitlement-management/how-to-create-alert-trigger.md)

- - [Create and view rule-based anomaly alerts and anomaly triggers](../cloud-infrastructure-entitlement-management/product-rule-based-anomalies.md)

- - [Create and view statistical anomalies and anomaly triggers](../cloud-infrastructure-entitlement-management/product-statistical-anomalies.md)

- - [Create and view permission analytics triggers](../cloud-infrastructure-entitlement-management/product-permission-analytics.md)

-**Best Practices for Custom Alerts:**

- - Examples:

- Example: Any activity done by root:

- 

- Alert for monitoring any direct Azure role assignment

- 

- Example: Alert for monitoring any action on Azure resources

- 

- Example: BreakGlass users should be used for emergency access only.

- 

- To support rapid remediation, you can set up security reports to be delivered at custom intervals. Permissions Management has various types of system report types available that capture specific sets of data by cloud infrastructure (AWS, Azure, GCP), by account/subscription/project, and more. Reports are fully customizable and can be delivered via email at pre-configured intervals.

- These reports enable you to:

- - Make timely decisions.

- - Analyze trends and system/user performance.

- - Identify trends in data and high-risk areas so that management can address issues more quickly and improve their efficiency.

- - Automate data analytics in an actionable way.

- - Ensure compliance with audit requirements for periodic reviews of **who has access to what,**

- - Look at views into **Separation of Duties** for security hygiene to determine who has admin permissions.

- - See data for **identity governance** to ensure inactive users are decommissioned because they left the company or to remove vendor accounts that have been left behind, old consultant accounts, or users who as parts of the Joiner/Mover/Leaver process have moved onto another role and are no longer using their access. Consider this a fail-safe to ensure dormant accounts are removed.

- - Identify over-permissioned access to later use the Remediation to pursue **Zero Trust and least privileges.**

- **Example of Permissions Management Analytics Report**

- > [!div class="mx-imgBorder"]

- > :::image type="content" source="media/permissions-management-trial-user-guide/permissions-management-report-example.png" alt-text="Example of Permissions Management Analytics Report." lightbox="media/permissions-management-trial-user-guide/permissions-management-report-example.png":::

-

- **Actions to try**

- - [View system reports in the Reports dashboard](../cloud-infrastructure-entitlement-management/product-reports.md)

- - [View a list and description of system reports](../cloud-infrastructure-entitlement-management/all-reports.md)

- - [Generate and view a system report](../cloud-infrastructure-entitlement-management/report-view-system-report.md)

- - [Create, view, and share a custom report](../cloud-infrastructure-entitlement-management/report-create-custom-report.md)

- - [Generate and download the Permissions analytics report](../cloud-infrastructure-entitlement-management/product-permissions-analytics-reports.md)

-**Key Reports to Monitor:**

-## Next steps

-For more information about Permissions Management, see:

-**Microsoft Learn**: [Permissions management](../cloud-infrastructure-entitlement-management/index.yml).

-**Datasheet:** <https://aka.ms/PermissionsManagementDataSheet>

-**Solution Brief:** <https://aka.ms/PermissionsManagementSolutionBrief>

-**White Paper:** <https://aka.ms/CIEMWhitePaper>

-**Infographic:** <https://aka.ms/PermissionRisksInfographic>

-**Security paper:** [2021 State of Cloud Permissions Risks](https://scistorageprod.azureedge.net/assets/2021%20State%20of%20Cloud%20Permission%20Risks.pdf?sv=2019-07-07&sr=b&sig=Sb17HibpUtJm2hYlp6GYlNngGiSY5GcIs8IfpKbRlWk%3D&se=2022-05-27T20%3A37%3A22Z&sp=r)

-**Permissions Management Glossary:** <https://aka.ms/PermissionsManagementGlossary>

-If you get an **Insufficient privileges to complete the operation** error when you call the API, the tenant administrator needs to grant permissions to the application. See step 6 of Register the client app above.

-You'll typically see an error that looks like this error:

- Welcome to the Microsoft Authentication Library For Javascript -

-## June 2023

-### New articles

-### Updated articles

-#### Method 2: Use Event Viewer to examine Microsoft Entra analytic and operational logs

-1. In the console tree, expand **Applications and Services Logs** > **Microsoft** > **Windows** > **Microsoft Entra ID**. The **Operational** and **Analytic** child nodes appear.

-1. In the console tree, select the **Analytic** node to view Microsoft Entra ID-related analytic events.

-1. In the list of analytic events, search for Event IDs 1006 and 1007. Event ID 1006 denotes the beginning of the PRT acquisition flow, and Event ID 1007 denotes the end of the PRT acquisition flow. All events in the **Microsoft Entra ID** logs (both **Analytic** and **Operational**) that occurred between Event ID 1006 and Event ID 1007 are logged as part of the PRT acquisition flow. The following table shows an example event listing.

-If you create accounts for your external partners in your on-premises directory (for example, you create an account with a sign-in name of "msullivan" for an external user named Maria Sullivan in your partners.contoso.com domain), you can now sync these accounts to the cloud. Specifically, you can use [Microsoft Entra Connect](../hybrid/connect/whatis-azure-ad-connect.md) to sync the partner accounts to the cloud, which creates a user account with UserType = Guest. This enables your partner users to access cloud resources using the same credentials as their local accounts, without giving them more access than they need.

-> See also how to [invite internal users to B2B collaboration](invite-internal-users.md). With this feature, you can invite internal guest users to use B2B collaboration, regardless of whether you've synced their accounts from your on-premises directory to the cloud. Once the user accepts the invitation to use B2B collaboration, they'll be able to use their own identities and credentials to sign in to the resources you want them to access. You wonΓÇÖt need to maintain passwords or manage account lifecycles.

-### Public Preview - Managing and Changing Passwords in My Security Info

-**Type:** New feature

-**Service category:** My Profile/Account

-**Product capability:** End User Experiences

-The My Security Info management portal ([My Sign-Ins | Security Info | Microsoft.com](https://mysignins.microsoft.com/security-info)) will now support an improved end user experience of managing passwords. Users are able to change their password, and users capable of multifactor authentication (MFA) are able to update their passwords without providing their current password.

-### General Availability - Authenticator on Android is FIPS 140 compliant

-**Type:** New feature

-**Service category:** Microsoft Authenticator App

-**Product capability:** User Authentication

-Authenticator version and higher on Android version will be FIPS 140 compliant for all Azure AD authentications using push multi-factor authentications (MFA), Passwordless Phone Sign-In (PSI), and time-based one-time passcodes (TOTP). No changes in configuration are required in the Authenticator app or Azure portal to enable this capability. For more information, see: [Authentication methods in Microsoft Entra ID - Microsoft Authenticator app](../authentication/concept-authentication-authenticator-app.md).

-By selecting an alert you will be provided with additional information as well as steps you can take to resolve the alert and links to additional documentation.

-description: Learn how to use Azure Monitor workbooks for analyzing identity logs in Microsoft Entra ID reports.

-For more information on the Log Analytics RBAC roles, see [Azure built-in roles](../../role-based-access-control/built-in-roles.md#log-analytics-contributor)

-## How to access Azure Workbooks for Microsoft Entra ID

- 

- 

- 

-1. When you're done editing the workbook, select the **Save As** to save your workbook with a new name.

-1. In the **Save As** window:

- - Provide a **Title**, **Subscription**, **Resource Group** (you must have the ability to save a workbook for the selected Resource Group), and **Location**.

-## Next steps

-description: Learn about Microsoft Entra workbooks.

-Workbooks are found in Microsoft Entra ID and in Azure Monitor. The concepts, processes, and best practices are the same for both types of workbooks. Workbooks for Microsoft Entra ID, however, cover only those identity management scenarios that are associated with Microsoft Entra ID. Sign-ins, Conditional Access, multifactor authentication, and Identity Protection are scenarios included in Azure Workbook for Microsoft Entra ID.

- 

-| September | 99.999% | 99.998% | |

- 

- 

- 

- 

- 

- 

- 

- 

- 

- 

- 

- 

- 

- 

- 

- 

- 

-As an IT Pro, you want the right information about authentication prompts in your environment so that you can detect unexpected prompts and investigate further. Providing you with this type of information is the goal of the **authentication prompts analysis workbook**.

-This article provides you with an overview of this workbook.

-Overprompting users can affect your user's productivity and often leads users getting phished for MFA. To be clear, MFA is essential! We are not talking about if you should require MFA but how frequently you should prompt your users.

-

-

-In many environments, the most used apps are business productivity apps. Anything that isnΓÇÖt expected should be investigated. The charts below show authentication prompts by application.

-The prompts by application list view shows additional information such as timestamps, and request IDs that help with investigations.

-If data isn't showing up or seems to be showing up incorrectly, confirm that you have set the **Log Analytics Workspace** and **Subscriptions** on the proper resources.

-

-If the visuals are taking too much time to load, try reducing the Time filter to 24 hours or less.

-

-## Next steps

-This article provides you with an overview of this workbook.

-

-## Sections

-The workbook has four sections:

-

-## Next steps

-This article provides you with an overview of this workbook.

-Tenant administrators who are making changes to policies governing cross-tenant access can use this workbook to visualize and review existing access activity patterns before making policy changes. For example, you can identify the apps your users are accessing in external organizations so that you don't inadvertently block critical business processes. Understanding how external users access resources in your tenant (inbound access) and how users in your tenant access resources in external tenants (outbound access) will help ensure you have the right cross-tenant policies in place.

-This workbook has four sections:

-Under **Step 1**, the external tenant list shows all the tenants that have had inbound or outbound activity with your tenant. When you select an external tenant in the table, the remaining sections update with information about outbound and inbound activity for that tenant.

-[  ](./media/workbook-cross-tenant-access-activity/cross-tenant-workbook-step-1.png#lightbox)

-The table under **Step 2** summarizes all outbound and inbound sign-in activity for the selected tenant, including the number of successful sign-ins and the reasons for failed sign-ins. You can select **Outbound activity** or **Inbound activity** to update the remaining sections of the workbook with the type of activity you want to view.

-

-Under **Step 3**, the table lists the applications that are being accessed across tenants. If you selected **Outbound activity** in the previous section, the table shows the applications in external tenants that are being accessed by your users. If you selected **Inbound activity**, you'll see the list of your applications that are being accessed by external users. You can select a row to find out which users are accessing that application.

-

-The table in **Step 4** displays the list of users who are accessing the application you selected.

-

-## Next steps

-This article gives you an overview of this workbook.

-The sign-ins using legacy authentication workbook lets you see all legacy authentication sign-ins in your environment so you can find and migrate critical workflows to more secure authentication methods before you shut off legacy authentication.

-

-

-

-## Next steps

-The Multifactor Authentication Gaps workbook helps with identifying user sign-ins and applications that are not protected by multi-factor authentication requirements. This workbook:

-* Identifies user sign-ins not protected by multi-factor authentication requirements.

-## Summary

-The summary widget provides a detailed look at sign-ins related to multifactor authentication.

-### Sign-ins not protected by MFA requirement by applications

-* **Number of users signing-in not protected by multi-factor authentication requirement by application:** This widget provides a time based bar-graph representation of the number of user sign-ins not protected by MFA requirement by applications.

-* **Percent of users signing-in not protected by multi-factor authentication requirement by application:** This widget provides a time based bar-graph representation of the percentage of user sign-ins not protected by MFA requirement by applications.

-* **Select an application and user to learn more:** This widget groups the top users signed in without MFA requirement by application. By selecting the application, it will list the user names and the count of sign-ins without MFA.

-### Sign-ins not protected by MFA requirement by users

-* **Sign-ins not protected by multi-factor auth requirement by user:** This widget shows top user and the count of sign-ins not protected by MFA requirement.

-* **Top users with high percentage of authentications not protected by multi-factor authentication requirements:** This widget shows users with top percentage of authentications that are not protected by MFA requirements.

-### Sign-ins not protected by MFA requirement by Operating Systems

-* **Number of sign-ins not protected by multi-factor authentication requirement by operating system:** This widget provides time based bar graph of sign-in counts that are not protected by MFA by operating system of the devices.

-* **Percent of sign-ins not protected by multi-factor authentication requirement by operating system:** This widget provides time based bar graph of sign-in percentages that are not protected by MFA by operating system of the devices.

-### Sign-ins not protected by MFA requirement by locations

-* **Number of sign-ins not protected by multi-factor authentication requirement by location:** This widget shows the sign-ins counts that are not protected by MFA requirement in map bubble chart on the world map.

-## How to import the workbook

-1. Navigate to **Identity** > **Monitoring & health** > **Workbooks**.

-1. Select the **Apply** button. The workbook will take a few moments to populate.

-This article provides you with an overview of this workbook.

-## Next steps

-This article provides you with an overview of this workbook.

-If your organization is new to Azure monitor workbooks, you need to integrate your Microsoft Entra sign-in and audit logs with Azure Monitor before accessing the workbook. This integration allows you to store, and query, and visualize your logs using workbooks for up to two years. Only sign-in and audit events created after Azure Monitor integration will be stored, so the workbook won't contain insights prior to that date. Learn more about the prerequisites to Azure Monitor workbooks for Microsoft Entra ID. If you've previously integrated your Microsoft Entra sign-in and audit logs with Azure Monitor, you can use the workbook to assess past information.

-

-This section includes a breakdown of the AppOnly permissions grants to existing service principals. Admins should investigate any instances of excessive high permissions being granted, including, but not limited to, Exchange Online, Microsoft Graph and Azure AD Graph.

-

-**Use:**

-

-## Next steps

-description: Learn how to automatically provision and de-provision user accounts from Microsoft Entra ID to Amazon Business.

-This tutorial describes the steps you need to perform in both Amazon Business and Microsoft Entra ID to configure automatic user provisioning. When configured, Microsoft Entra ID automatically provisions and de-provisions users and groups to [Amazon Business](https://www.amazon.com/b2b/info/amazon-business?layout=landing) using the Microsoft Entra provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Microsoft Entra ID](../app-provisioning/user-provisioning.md).

-* An Amazon Business tenant.

-* A user account in Amazon Business with Admin permissions.

-Contact Amazon Business support to configure Amazon Business to support provisioning with Microsoft Entra ID.

-Add Amazon Business from the Microsoft Entra application gallery to start managing provisioning to Amazon Business. If you have previously setup Amazon Business for SSO you can use the same application. However it's recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md).

-* When assigning users and groups to Amazon Business, you must select a role other than **Default Access**. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the default access role, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add additional roles.

-1. Under the **Admin Credentials** section, input your Amazon Business Tenant URL, Authorization Endpoint and Token Endpoint. Click **Test Connection** to ensure Microsoft Entra ID can connect to Amazon Business. If the connection fails, ensure your Amazon Business account has Admin permissions and try again.

-Microsoft Entra Workload ID has three premium features that require a license.

-1. Customer will need to license enterprise applications or service principals ONLY if they set up Conditional Access policies or use Identity Protection for them.

-2. Customers don't need to license applications at all, even if they are using Conditional Access policies.

-3. Customers will need to license managed identities, only when they set up access reviews for managed identities.

-Virtual machines that don't have replication enabled to another region aren't resilient to regional outages. Replicating the machines drastically reduce any adverse business impact during the time of an Azure region outage. We highly recommend enabling replication of all the business critical virtual machines from the below list so that in an event of an outage, you can quickly bring up your machines in remote Azure region.

-Your Virtual Machine Scale Sets will start receiving package content from RHUI4 servers on October 12, 2023. If you're allowing RHUI 3 IPs [https://aka.ms/rhui-server-list] via firewall and proxy, allow the new RHUI 4 IPs [https://aka.ms/rhui-server-list] to continue receiving RHEL package updates.

-Your Virtual Machine Scale Sets will start receiving package content from RHUI4 servers on October 12, 2023. If you're allowing RHUI 3 IPs [https://aka.ms/rhui-server-list] via firewall and proxy, allow the new RHUI 4 IPs [https://aka.ms/rhui-server-list] to continue receiving RHEL package updates.

-We have identified that your Virtual Machine might be running a version of Check Point image that has been known to lose network connectivity in the event of a platform servicing operation. We recommend that you upgrade to a newer version of the image. Contact Check Point for further instructions on how to upgrade your image.

-Cluster has one or more node pools using a non-recommended burstable VM SKU. With burstable VMs, full vCPU capability 100% is unguaranteed. Please make sure B-series VM's are not used in Production environment.

-Based on our internal monitoring, we have observed significant replication lag on your replica server. This lag is occurring because the replica server is replaying relay logs on a table that lacks a primary key. To ensure that the replica server can effectively synchronize with the primary and keep up with changes, we highly recommend adding primary keys to the tables in the primary server and subsequently recreating the replica server.

-Our internal monitoring system has identified significant replication lag on the High Availability standby server. This lag is primarily caused by the standby server replaying relay logs on a table that lacks a primary key. To address this issue and adhere to best practices, it is recommended to add primary keys to all tables. Once this is done, proceed to disable and then re-enable High Availability to mitigate the problem.

-Our internal telemetry indicates that your PostgreSQL server may have inactive logical replication slots. THIS NEEDS IMMEDIATE ATTENTION. Inactive logical replication can result in degraded server performance and unavailability due to WAL file retention and buildup of snapshot files. To improve performance and availability, we STRONGLY recommend that you IMMEDIATELY either delete the inactive replication slots, or start consuming the changes from these slots so that the slots' Log Sequence Number (LSN) advances and is close to the current LSN of the server.

-Our internal telemetry indicates that your PostgreSQL flexible server may have inactive logical replication slots. THIS NEEDS IMMEDIATE ATTENTION. Inactive logical replication slots can result in degraded server performance and unavailability due to WAL file retention and buildup of snapshot files. To improve performance and availability, we STRONGLY recommend that you IMMEDIATELY either delete the inactive replication slots, or start consuming the changes from these slots so that the slots' Log Sequence Number (LSN) advances and is close to the current LSN of the server.

-This is when two or more devices are trying to connect to the IoT Hub using the same device ID credentials. When the second device (B) connects, it causes the first one (A) to become disconnected. Then (A) attempts to reconnect again, which causes (B) to get disconnected.

-Your Device Update for IoT Hub Instance is using an outdated version of the SDK. We recommend upgrading to the latest version for the latest fixes, performance improvements, and new feature capabilities.

-We have detected that your IoT Hub has exceeded its daily message quota. Consider adding units or increasing the SKU level to prevent this in the future.

-Your Azure Cosmos DB account is using an old version of the SDK. We recommend upgrading to the latest version for the latest fixes, performance improvements, and new feature capabilities.

-Your Azure Cosmos DB account is using an outdated version of the SDK. We recommend upgrading to the latest version for the latest fixes, performance improvements, and new feature capabilities.

-Your Azure Cosmos DB nonpartitioned collections are approaching their provisioned storage quota. Migrate these collections to new collections with a partition key definition so that they can automatically be scaled out by the service.

-Your Azure Cosmos DB for MongoDB account is eligible to upgrade to version 4.0. Upgrading to v4.0 can reduce your storage costs by up to 55% and your query costs by up to 45% by leveraging a new storage format. Numerous additional features such as multi-document transactions are also included in v4.0.

-Based on their names and configuration, we have detected the Azure Cosmos DB accounts below as being potentially used for production workloads. These accounts currently run in a single Azure region. You can increase their availability by configuring them to span at least two Azure regions.

-Migrate your database account to a new database account to take advantage of Azure Cosmos DB for MongoDB v4.0. Upgrading to v4.0 can reduce your storage costs by up to 55% and your query costs by up to 45% by leveraging a new storage format. Numerous additional features such as multi-document transactions are also included in v4.0. When upgrading, you must also migrate the data in your existing account to a new account created using version 4.0. Azure Data Factory or Studio 3T can assist you in migrating your data.

-We found a high number of metadata operations on your account. Your data in Azure Cosmos DB, including metadata about your databases and collections is distributed across partitions. Metadata operations have a system-reserved request unit (RU) limit. Avoid being rate limited from metadata operations by using static Azure Cosmos DB client instances in your code and caching the names of databases and collections.

-There is a critical bug in version 2.6.13 and lower of the Azure Cosmos DB Async Java SDK v2 causing errors when a Global logical sequence number (LSN) greater than the Max Integer value is reached. This happens transparent to you by the service after a large volume of transactions occur in the lifetime of an Azure Cosmos DB container. Note: This is a critical hotfix for the Async Java SDK v2, however we still highly recommend you migrate to the [Java SDK v4](../cosmos-db/sql/sql-api-sdk-java-v4.md).

-There is a critical bug in version 4.15 and lower of the Azure Cosmos DB Java SDK v4 causing errors when a Global logical sequence number (LSN) greater than the Max Integer value is reached. This happens transparent to you by the service after a large volume of transactions occur in the lifetime of an Azure Cosmos DB container.

-You have recently invoked the Azure Fluid Relay service with an old client library. Your Azure Fluid Relay client library should now be upgraded to the latest version to ensure your application remains operational. Upgrading provides the most up-to-date functionality, as well as enhancements in performance and stability. For more information on the latest version to use and how to upgrade, see the following article.

-HDInsight service is applying an important certificate related update to your cluster. However, one or more policies in your subscription are preventing HDInsight service from creating or modifying network resources (Load balancer, Network Interface and Public IP address) associated with your clusters and applying this update. Take actions to allow HDInsight service to create or modify network resources (Load balancer, Network interface and Public IP address) associated with your clusters before January 13, 2021 05:00 PM UTC. The HDInsight team is performing updates between January 13, 2021 05:00 PM UTC and January 16, 2021 05:00 PM UTC. Failure to apply this update may result in your clusters becoming unhealthy and unusable.

-The HDInsight service has attempted to apply a critical certificate update on all your running clusters. However, one or more policies in your subscription are preventing HDInsight service from creating or modifying network resources (Load balancer, Network Interface and Public IP address) associated with your clusters and applying this update. Remove or update your policy assignment to allow HDInsight service to create or modify network resources (Load balancer, Network interface and Public IP address) associated with your clusters before January 21, 2021 05:00 PM UTC. The HDInsight team is performing updates between January 21, 2021 05:00 PM UTC and January 23, 2021 05:00 PM UTC. To verify the policy update, you can try to create network resources (Load balancer, Network interface and Public IP address) in the same resource group and Subnet where your cluster is in. Failure to apply this update may result in your clusters becoming unhealthy and unusable. You can also drop and recreate your cluster before January 25, 2021 to prevent the cluster from becoming unhealthy and unusable. The HDInsight service sends another notification if we failed to apply the update to your clusters.

-Your media account is about to hit its quota limits. Review current usage of Assets, Content Key Policies and Stream Policies for the media account. To avoid any disruption of service, you should request quota limits to be increased for the entities that are closer to hitting quota limit. You can request quota limits to be increased by opening a ticket and adding relevant details to it. Don't create additional Azure Media accounts in an attempt to obtain higher limits.

-We have detected that your ExpressRoute gateway only has 1 ExpressRoute circuit associated to it. Connect one or more additional circuits to your gateway to ensure peering location redundancy and resiliency

-We have detected that your ExpressRoute circuit isn't currently being monitored by ExpressRoute Monitor on Network Performance Monitor. ExpressRoute monitor provides end-to-end monitoring capabilities including: Loss, latency, and performance from on-premises to Azure and Azure to on-premises

-Try to avoid overriding the hostname when configuring Application Gateway. Having a different domain on the frontend of Application Gateway than the one which is used to access the backend can potentially lead to cookies or redirect urls being broken. Note that this might not be the case in all situations and that certain categories of backends (like REST APIs) in general are less sensitive to this. Make sure the backend is able to deal with this or update the Application Gateway configuration so the hostname does not need to be overwritten towards the backend. When used with App Service, attach a custom domain name to the Web App and avoid use of the `*.azurewebsites.net` host name towards the backend.

-In response to Log4j 2 vulnerability (CVE-2021-44228), Azure Web Application Firewall (WAF) RuleSet CRS 3.1/3.2 has been updated on your Application Gateway to help provide additional protection from this vulnerability. The rules are available under Rule 944240 and no action is needed to enable this.

-1) Upgrade Log4j 2 to version 2.15.0 on your backend servers. If upgrade isn't possible, follow the system property guidance link below.

-2) Take advantage of WAF Core rule sets (CRS) by upgrading to WAF SKU

-Soft delete helps you retain your backup data in the Recovery Services vault for an additional duration after deletion, giving you an opportunity to retrieve it before it's permanently deleted.

-you're close to exceeding your available storage quota. Add additional partitions if you need more storage. After exceeding storage quota, you can still query, but indexing operations no longer work.

-As previously announced, Azure Data Lake Storage Gen1 will be retired on February 29, 2024. We highly recommend migrating your data lake to Azure Data Lake Storage Gen2, which offers advanced capabilities specifically designed for big data analytics and is built on top of Azure Blob Storage.

-After enabling Soft Delete, deleted data transitions to a soft deleted state instead of being permanently deleted. When data is overwritten, a soft deleted snapshot is generated to save the state of the overwritten data. You can configure the amount of time soft deleted data is recoverable before it permanently expires.

-We identified the below thread resulted in an unhandled exception for your App and application code should be fixed to prevent impact to application availability. A crash happens when an exception in your code terminates the process.

-We identified your application is running in 32-bit and the memory is reaching the 2GB limit.

-Consider switching to 64-bit processes so you can take advantage of the additional memory available in your Web Worker role. This action triggers a web app restart, so schedule accordingly.

- <td>40 K</td>

-|`punctuationMode`|Specifies how to handle punctuation in recognition results. Accepted values are `None` to disable punctuation, `Dictated` to imply explicit (spoken) punctuation, `Automatic` to let the decoder deal with punctuation, or `DictatedAndAutomatic` to use dictated and automatic punctuation. The default value is `DictatedAndAutomatic`.|

- apiVersion: v1

- metadata:

- name: mypod

- spec:

- containers:

- - name: mypod

- image: mcr.microsoft.com/oss/nginx/nginx:1.15.5-alpine

- resources:

- requests:

- cpu: 100m

- memory: 128Mi

- limits:

- cpu: 250m

- memory: 256Mi

- volumeMounts:

- - mountPath: /mnt/azure

- name: volume

- volumes:

- - name: volume

- persistentVolumeClaim:

- claimName: my-azurefile

-| skip-nodes-with-local-storage | If true, cluster autoscaler doesn't delete nodes with pods with local storage, for example, EmptyDir or HostPath | false |

-[kubernetes-cluster-autoscaler]: https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler

- * For Linux node pools, the length must be between 1-12 characters.

-| `vm.vfs_cache_pressure` | 1 - 500 | 100 | This percentage value controls the tendency of the kernel to reclaim the memory, which is used for caching of directory and inode objects. |

-* Deploy the containerized application to an AKS cluster using the Open Liberty Operator.

-The Open Liberty Operator simplifies the deployment and management of applications running on Kubernetes clusters. With the Open Liberty Operator, you can also perform more advanced operations, such as gathering traces and dumps.

-export LOGIN_SERVER=<Azure_Container_Registery_Login_Server_URL>

-export REGISTRY_NAME=<Azure_Container_Registery_Name>

-export USER_NAME=<Azure_Container_Registery_Username>

-export PASSWORD=<Azure_Container_Registery_Password>

-Now, we upload the built image to the ACR created in the offer.

-Throughout this guide, you will need to define several variables.

-$apimServiceName = "ContosoApi" # API Management service instance name, must be globally unique

-$resGroupName = "apim-appGw-RG" # Resource group name that will hold all assets

-$appgwName = "apim-app-gw" # The name of the Application Gateway

- "NSG-APPGW" -SecurityRules $appGwRule1, $appGwRule2

- "NSG-APIM" -SecurityRules $apimRule1, $apimRule2, $apimRule3, $apimRule4

-1. Create a virtual network named **appgwvnet** in resource group **apim-appGw-RG** for the West US region. Use the prefix 10.0.0.0/16 with subnets 10.0.0.0/24 and 10.0.1.0/24.

- $vnet = New-AzVirtualNetwork -Name "appgwvnet" -ResourceGroupName $resGroupName `

-Currently, only PowerShell and Python 2 runbooks are supported as Pre/Post scripts. Other runbook types like Python 3, Graphical, PowerShell Workflow, Graphical PowerShell Workflow are currently not supported as Pre/Post scripts.

-# GitOps Flux v2 configurations with AKS and Azure Arc-enabled Kubernetes

-Azure provides configuration management capability using GitOps in Azure Kubernetes Service (AKS) and Azure Arc-enabled Kubernetes clusters.

-GitOps on Azure Arc-enabled Kubernetes or Azure Kubernetes Service uses [Flux](https://fluxcd.io/docs/), a popular open-source tool set. Flux provides support for common file sources (Git and Helm repositories, Buckets, Azure Blob Storage) and template types (YAML, Helm, and Kustomize). Flux also supports [multi-tenancy](#multi-tenancy) and deployment dependency management, among [other features](https://fluxcd.io/docs/).

-### Version support

-The most recent version of the Flux v2 extension (`microsoft.flux`) and the two previous versions (N-2) are supported. We generally recommend that you use the [most recent version](extensions-release.md#flux-gitops) of the extension. Starting with `microsoft.flux` version 1.7.0, ARM64-based clusters are supported.

-> [!NOTE]

-> If you have been using Flux v1, we recommend [migrating to Flux v2](conceptual-gitops-flux2.md#migrate-from-flux-v1) as soon as possible.

->

-> Support for Flux v1-based cluster configuration resources created prior to January 1, 2024 will end on [May 24, 2025](https://azure.microsoft.com/updates/migrate-your-gitops-configurations-from-flux-v1-to-flux-v2-by-24-may-2025/). Starting on January 1, 2024, you won't be able to create new Flux v1-based cluster configuration resources.

-In this tutorial, we use an example GitOps configuration with two kustomizations, so that you can see how one kustomization can have a dependency on another. You can add more kustomizations and dependencies as needed, depending on your scenario.

- 1. In **Source type**, select **Git Repository.**

-1. In the **Kustomizations** section, create two kustomizations: `infrastructure` and `staging`. These kustomizations are Flux resources, each associated with a path in the repository, that represent the set of manifests that Flux should reconcile to the cluster.

-Select the name of a configuration to view more details such as the configuration's status, properties, and source. You can then select **Configuration objects** to view all of the objects that were created to enable the GitOps configuration. This lets you quickly see the compliance state and other details about each object.

-This feature is enabled by default for Javascript and the headers are automatically included when the hosting page domain is the same as the domain the requests are sent to (for example, the hosting page is `example.com` and the Ajax requests are sent to `example.com`). To change the distributed tracing mode, use the [`distributedTracingMode` configuration field](./javascript-sdk-configuration.md#sdk-configuration). AI_AND_W3C is provided by default for backward compatibility with any legacy services instrumented by Application Insights.

-#### Troubleshooting

-This section offers troubleshooting tips for common issues related to the uploading of source maps to your Azure Storage account blob container.

-##### Required Azure role-based access control settings on your blob container

-Any user on the portal who uses this feature must be assigned at least as a [Storage Blob Data Reader][storage blob data reader] to your blob container. Assign this role to anyone who might use the source maps through this feature.

-> [!NOTE]

-> Depending on how the container was created, this role might not have been automatically assigned to you or your team.

-##### Source map not found

-1. Verify that the corresponding source map is uploaded to the correct blob container.

-1. Verify that the source map file is named after the JavaScript file it maps to and uses the suffix `.map`.

-

- For example, `/static/js/main.4e2ca5fa.chunk.js` searches for the blob named `main.4e2ca5fa.chunk.js.map`.

-1. Check your browser's console to see if any errors were logged. Include this information in any support ticket.

-## Virtual machines

-## Container insights

-### Design checklist

-> [!div class="checklist"]

-> - Configure agent collection to remove unneeded data.

-> - Modify settings for collection of metric data.

-> - Limit Prometheus metrics collected.

-> - Configure Basic Logs.

-### Configuration recommendations

-| Recommendation | Benefit |

-|:|:|

-| Configure agent collection to remove unneeded data. | Analyze the data collected by Container insights as described in [Controlling ingestion to reduce cost](containers/container-insights-cost.md#control-ingestion-to-reduce-cost) and adjust your configuration to stop collection of data in ContainerLogs you don't need. |

-| Modify settings for collection of metric data. | You can reduce your costs by modifying the default collection settings Container insights uses for the collection of metric data. See [Enable cost optimization settings](containers/container-insights-cost-config.md) for details on modifying both the frequency that metric data is collected and the namespaces that are collected. |

-| Limit Prometheus metrics collected. | If you configured Prometheus metric scraping, then follow the recommendations at [Controlling ingestion to reduce cost](containers/container-insights-cost.md#prometheus-metrics-scraping) to optimize your data collection for cost. |

-| Configure Basic Logs. | [Convert your schema to ContainerLogV2](containers/container-insights-logging-v2.md) which is compatible with Basic logs and can provide significant cost savings as described in [Controlling ingestion to reduce cost](containers/container-insights-cost.md#configure-basic-logs). |

-Multi-line logging is a preview feature and can be enabled by setting **enabled** flag to "true" under the `[log_collection_settings.enable_multiline_logs]` section in the the [config map](https://github.com/microsoft/Docker-Provider/blob/ci_prod/kubernetes/container-azm-ms-agentconfig.yaml)

-

-## Log queries

-You can use [log queries](log-query-overview.md) in [Log Analytics](log-analytics-overview.md) if you need deeper analysis into your collected data. Each table in a Log Analytics workspace has the following standard columns that can assist you in analyzing billable data:

-## Data volume by solution

-**Billable data volume by solution over the past month**

-```kusto

-Usage

-| where TimeGenerated > ago(32d)

-| where StartTime >= startofday(ago(31d)) and EndTime < startofday(now())

-| where IsBillable == true

-| summarize BillableDataGB = sum(Quantity) / 1000. by bin(StartTime, 1d), Solution

-| render columnchart

-```

-## Data volume by computer

-You can analyze the amount of billable data collected from a virtual machine or a set of virtual machines. The **Usage** table doesn't have the granularity to show data volumes for specific virtual machines, so these queries use the [find operator](/azure/data-explorer/kusto/query/findoperator) to search all tables that include a computer name. The **Usage** type is omitted because this query is only for analytics of data trends.

-> [!WARNING]

-> Use [find](/azure/data-explorer/kusto/query/findoperator?pivots=azuremonitor) queries sparingly because scans across data types are [resource intensive](./query-optimization.md#query-details-pane) to execute. If you don't need results per subscription, resource group, or resource name, use the [Usage](/azure/azure-monitor/reference/tables/usage) table as in the preceding queries.

-**Billable data volume by computer for the last full day**

-```kusto

-find where TimeGenerated between(startofday(ago(1d))..startofday(now())) project _BilledSize, _IsBillable, Computer, Type

-| where _IsBillable == true and Type != "Usage"

-| extend computerName = tolower(tostring(split(Computer, '.')[0]))

-| summarize BillableDataBytes = sum(_BilledSize) by computerName

-| sort by BillableDataBytes desc nulls last

-```

-**Count of billable events by computer for the last full day**

-```kusto

-find where TimeGenerated between(startofday(ago(1d))..startofday(now())) project _IsBillable, Computer, Type

-| where _IsBillable == true and Type != "Usage"

-| extend computerName = tolower(tostring(split(Computer, '.')[0]))

-| summarize eventCount = count() by computerName

-| sort by eventCount desc nulls last

-```

-## Data volume by Azure resource, resource group, or subscription

-## Querying for data volumes excluding known free data types

- >It's _not_ recommended nor required to add the Azure NetApp Files AD admin account to the AD domain groups listed above. Nor is it recommended or required to grant `msDS-SupportedEncryptionTypes` write permission to the Azure NetApp Files AD admin account.

- --parameters exampleString='inline string' exampleArray='("value1", "value2")'

-| Microsoft.DevOps | [Azure DevOps](/azure/devops/) |

-| microsoft.visualstudio | [Azure DevOps](/azure/devops/) |

-> The current version of VMware Site Recovery Manager (SRM) in Azure VMware Solution is 8.5.0.3.

-|Canada|

-|Puerto Rico|

-|United Kingdom|

-|United States|

-|**Description**|Toll free numbers are telephone numbers with distinct three-digit codes that can be used for business to consumer communication without any charge to the consumer| Short codes are 5-6 digit numbers used for business to consumer messaging such as alerts, notifications, and marketing | Alphanumeric Sender IDs are displayed as a custom alphanumeric phrase like the companyΓÇÖs name (CONTOSO, MyCompany) on the recipient handset. Alphanumeric sender IDs can be used for a variety of use cases like one-time passcodes, marketing alerts, and flight status notifications. |

-|**Supported Destinations**| United States, Canada, Puerto Rico| United States | Germany, Netherlands, United Kingdom, Australia, France, Switzerland, Sweden, Italy, Spain, Denmark, Ireland, Portugal, Poland, Austria, Lithuania, Latvia, Estonia |

-To enable alphanumeric sender ID, go to your Communication Services resource on the [Azure portal](https://portal.azure.com).

-## Enable alphanumeric sender ID

-Navigate to the Alphanumeric Sender ID blade in the resource menu and click on "Enable Alphanumeric Sender ID" button to enable alphanumeric sender ID service. If the enable button is not available for your subscription and your [subscription address](../../concepts/numbers/sub-eligibility-number-capability.md) is supported for alphanumeric sender ID, [create a support ticket](https://aka.ms/ACS-Support).

-Confirm that you have [!INCLUDE [project-synergy-nmp-permissions](includes/communications-gateway-nmp-project-synergy-permissions.md)] permissions for the Project Synergy enterprise application and **Reader** access to the Azure portal for your subscription. If you don't have these permissions, ask your administrator to set them up by following [Set up user roles for Azure Communications Gateway](provision-user-roles.md).

-## 1. Go to your Communications Gateway resource

-## 2. Select an enterprise customer to manage

-## 3. Manage numbers for the enterprise

- * If you followed [2. Select an enterprise customer to manage](#2-select-an-enterprise-customer-to-manage), select **Manage numbers** from the menu.

-## 4. View civic addresses for an enterprise

- * If you followed [2. Select an enterprise customer to manage](#2-select-an-enterprise-customer-to-manage), select **Civic addresses** from the menu.

-## 1. Understand the user roles required for Azure Communications Gateway

-|Using the Number Management Portal| [!INCLUDE [project-synergy-nmp-permissions](includes/communications-gateway-nmp-project-synergy-permissions.md)] roles for the Project Synergy enterprise application and **Reader** access to the Azure portal for your subscription|

-## 2. Configure user roles

-### 2.1 Prepare to assign a user role

-### 2.2 Assign a user role

-1. Follow the steps in [Assign a user role using the Azure portal](../role-based-access-control/role-assignments-portal.md) to assign the permissions you determined in [1. Understand the user roles required for Azure Communications Gateway](#1-understand-the-user-roles-required-for-azure-communications-gateway).

-##### [Javascript SDK v4](#tab/javascript-v4)

-##### [Javascript SDK v4](#tab/javascript-v4)

-##### [Javascript SDK v4](#tab/javascript-v4)

-##### [Javascript SDK v4](#tab/javascript-v4)

-##### [Javascript SDK v4](#tab/javascript-v4)

-### Query a vector index by using $search

-description: This article helps you to understand and concepts about optimizing your cloud costs with AI-powered functionality in Cost Management.

-# Understand and optimize your cloud costs with AI-powered functionality in Cost Management

-Today, we're pleased to announce the preview of Microsoft Cost Management's new AI-powered functionality. This interactive experience, available through the Azure portal, provides users with quick analysis, insights, and recommendations to help them better understand, analyze, manage, and forecast their cloud costs and bills.

-description: This article helps you better understand data that's included in Cost Management and how frequently it's processed, collected, shown, and closed.

-_┬│ Historical data for credit-based and pay-in-advance subscriptions might not match your invoice. See [Historical data may not match invoice](#historical-data-might-not-match-invoice) below._

-| Azure service usage (including deleted resources)⁵ | Unbilled services (e.g., free tier resources) |

-Please note Cost Management data only includes the usage and purchases from services and resources that are actively running. Cost data is historical and will include resources, resource groups, and subscriptions that have been stopped, deleted, or cancelled and may not reflect the same resources, resource groups, and subscriptions you see in other tools, like Azure Resource Manager or Azure Resource Graph, which only show the current resources that are deployed in your subscriptions. Not all resources emit usage and therefore may not be represented in the cost data. Similarly, some resources are not tracked by Azure Resource Manager and may not be represented in subscription resources.

-* Enterprise Agreement (EA) subscriptions ΓÇô If the billing month ends on March 31, estimated charges are updated up to 72 hours later. In this example, by midnight (UTC) April 4.

-After your billing period ends and your invoice is created, it can take up to 48 hours later for the usage data to get finalized. If the usage file isn't ready, you'll see a message on the Invoices page in the Azure portal stating `Your usage and charges file is not ready`. After the usage file is available, you can download it.

-Once cost and usage data becomes available in Cost Management, it will be retained for at least seven years. Only the last 13 months are available from the portal. For historical data before 13 months, please use [Exports](tutorial-export-acm-data.md) or the [Cost Details API](../automate/usage-details-best-practices.md#cost-details-api).

-<!--## Known issues in this release

-|**1.**|Need known issues in 2303 |-->

-Due to the retirement of Azure API for FHIR after April 1, 2025 customers will not be able to create new deployments of Azure API of FHIR. Until April 1, 2025 new deployments are allowed.

-AHDS FHIR service offers a rich set of capabilities such as:

-SMART on FHIR (Enhanced) provides more capabilities than SMART on FHIR proxy, and meets requirements in the SMART on FHIR Implementation Guide (v 1.0.0) and §170.315(g)(10) Standardized API for patient and population services criterion.

-description: Create or modify a Direct peering using the Azure portal.

- >[!NOTE]

- >Once a subscription and resource group have been selected for the peering resource, it cannot be moved to another subscription or resource group.

-## Next steps

-## Next steps

-## Next steps

-## Next steps

-All traffic to a key vault for all three functions (authentication, management, and data plane access) goes over HTTPS: port 443. However, there will occasionally be HTTP (port 80) traffic for CRL. Clients that support OCSP shouldn't reach CRL, but may occasionally reach [http://cdp1.public-trust.com/CRL/Omniroot2025.crl](http://cdp1.public-trust.com/CRL/Omniroot2025.crl).

->[!NOTE]

-> This method is **NOT recommended** for production workloads as it adds risk of exhausting ports. Please refrain from using this method for production workloads to avoid potential connection failures.

-Default outbound access is when An Azure resource is allocated a minimal number of ports for outbound. This access occurs when the resource meets any of the following conditions:

-Some other examples of default outbound access are:

- conda_file="../model-1/environment/conda.yml",

-[Get started with RAG using a prompt flow sample (preview)](how-to-use-pipelines-prompt-flow.md)

-### [Optional] Enable Intel® Extension for Scikit-Learn optimizations for more performance on Intel hardware

-Want to speed up your scikit-learn scripts on Intel hardware? Try enabling [Intel® Extension for Scikit-Learn](https://www.intel.com/content/www/us/en/developer/tools/oneapi/scikit-learn.html) in your training script. Intel® Extension for Scikit-Learn is already installed in the Azure Machine Learning curated environment used in this tutorial, so no additional installation is needed.

-To learn more about Intel® Extension for Scikit-Learn, visit the package's [documentation](https://intel.github.io/scikit-learn-intelex/).

-If you want to use Intel® Extension for Scikit-Learn as part of the training script described above, you can enable the performance optimizations by adding the two lines of code to the top of the script file, as shown below.

-```python

-%%writefile {train_src_dir}/main.py

-import os

-import argparse

-# Import and enable Intel Extension for Scikit-learn optimizations

-# where possible

-from sklearnex import patch_sklearn

-patch_sklearn()

-import pandas as pd

-import mlflow

-import mlflow.sklearn

-from sklearn.ensemble import GradientBoostingClassifier

-from sklearn.metrics import classification_report

-from sklearn.model_selection import train_test_split

-def main():

- """Main function of the script."""

- # input and output arguments

- parser = argparse.ArgumentParser()

- parser.add_argument("--data", type=str, help="path to input data")

- parser.add_argument("--test_train_ratio", type=float, required=False, default=0.25)

- parser.add_argument("--n_estimators", required=False, default=100, type=int)

- parser.add_argument("--learning_rate", required=False, default=0.1, type=float)

- parser.add_argument("--registered_model_name", type=str, help="model name")

- args = parser.parse_args()

-

- # Start Logging

- mlflow.start_run()

- # enable autologging

- mlflow.sklearn.autolog()

- ###################

- #<prepare the data>

- ###################

- print(" ".join(f"{k}={v}" for k, v in vars(args).items()))

- print("input data:", args.data)

-

- credit_df = pd.read_csv(args.data, header=1, index_col=0)

- mlflow.log_metric("num_samples", credit_df.shape[0])

- mlflow.log_metric("num_features", credit_df.shape[1] - 1)

- train_df, test_df = train_test_split(

- credit_df,

- test_size=args.test_train_ratio,

- )

- ####################

- #</prepare the data>

- ####################

- ##################

- #<train the model>

- ##################

- # Extracting the label column

- y_train = train_df.pop("default payment next month")

- # convert the dataframe values to array

- X_train = train_df.values

- # Extracting the label column

- y_test = test_df.pop("default payment next month")

- # convert the dataframe values to array

- X_test = test_df.values

- print(f"Training with data of shape {X_train.shape}")

- clf = GradientBoostingClassifier(

- n_estimators=args.n_estimators, learning_rate=args.learning_rate

- )

- clf.fit(X_train, y_train)

- y_pred = clf.predict(X_test)

- print(classification_report(y_test, y_pred))

- ###################

- #</train the model>

- ###################

- ##########################

- #<save and register model>

- ##########################

- # Registering the model to the workspace

- print("Registering the model via MLFlow")

- mlflow.sklearn.log_model(

- sk_model=clf,

- registered_model_name=args.registered_model_name,

- artifact_path=args.registered_model_name,

- )

- # Saving the model to a file

- mlflow.sklearn.save_model(

- sk_model=clf,

- path=os.path.join(args.registered_model_name, "trained_model"),

- )

- ###########################

- #</save and register model>

- ###########################

-

- # Stop Logging

- mlflow.end_run()

-if __name__ == "__main__":

- main()

-```

- -- If a SID needs to be specified, add here

- DECLARE @SID NVARCHAR(MAX) = N'';

- -- If a SID needs to be specified, add here

- CREATE LOGIN [evaluator]

- WITH PASSWORD = '<provide a strong password>'

- , SID = @SID

- PRINT N'Created login [evaluator] with SID = '+@SID

- -- If a SID needs to be specified, add here

- DECLARE @SID NVARCHAR(MAX) = N'';

- -- If a SID needs to be specified, add here

- CREATE LOGIN [evaluator]

- WITH PASSWORD = '<provide a strong password>'

- , SID = @SID

- SELECT @SID = N'0x'+CONVERT(NVARCHAR, sid, 2) FROM sys.syslogins where name = 'evaluator'

- PRINT N'Created login [evaluator] with SID = '+@SID

- -- If a SID needs to be specified, add here

- DECLARE @SID NVARCHAR(MAX) = N'';

- -- If a SID needs to be specified, add here

- DECLARE @SID NVARCHAR(MAX) = N'';

- CREATE LOGIN [evaluator]

- WITH PASSWORD = '<provide a strong password>'

- , SID = @SID

- SELECT @SID = N'0x'+CONVERT(NVARCHAR, sid, 2) FROM sys.syslogins where name = 'evaluator'

- PRINT N'Created login [evaluator] with SID = '+@SID

-This article helps you understand the **Accelerated Connections** feature. When Accelerated Connections is enabled on the virtual network interface (vNIC) with Accelerated Networking, networking performance is improved. This high-performance feature is available on Network Virtual Appliances (NVAs) deployed from Azure Marketplace and offers competitive performance in Connections Per Second (CPS) optimization, along with improvements to handling large amounts of simultaneous connections. To access this feature during limited GA, use the [sign-up form](https://go.microsoft.com/fwlink/?linkid=2223706).

-> This feature is currently in limited general availability (GA), and customer sign-up is needed to use it.

-Accelerated Connections supports the workloads that can send large amounts of active connections simultaneously. It supports these connections bursts with negligible degradation to VM throughput, latency or connections per second performance. The data path for the network traffic is highly optimized to offload the Software-defined networks (SDN) policies evaluation. The goal is to eliminate any bottlenecks in the cloud implementation and networking performance.

-Accelerated Connections is implemented at the network interface level to allow maximum flexibility of network capacity. Multiple vNICs can be configured with this enhancement, the number depends on the supported VM family. Network Virtual Appliances (NVAs) on Azure Marketplace will be the first workloads to leverage this technology.

-Network Virtual Appliances (NVAs) with most large scale solutions requiring v-firewall, v-switch, load balancers and other critical network features would experience higher CPS performance with Accelerated Connections.

-**Diagram 1**

-* Increased Connections Per Second (CPS)

-* Consistent active connections

-* Increased CPU capacity/stability for high traffic network optimized VM

-* Reduced jitter

-* Decreased CPU utilization

-* During limited GA, this feature is only available on Resource Groups created after sign-up.

-* This feature can be enabled and is supported on new deployments using an Azure Resource Manager (ARM) template and preview instructions.

-* Detaching and attaching a network interface on a running VM isn't supported as other Azure features.

-* Marketplace portal isn't supported for the limited GA.

-* This feature is free during the limited GA, and chargeable after GA.

-* The data path tags should be added to the vNIC properties.

-* You've signed up for the limited GA using the [sign-up form](https://go.microsoft.com/fwlink/?linkid=2223706).

-Azure Orbital Ground Station uses three different types of resources:

-Follow these steps to increase your storage size.

-6. click **Save**.

-7. You receive a notification that storage autogrow is in progress.

-## Next steps

-| [Threat Monitoring and Response Automation with Microsoft Security Services for SAP](#microsoft-security-for-sap) | Learn how to best secure your SAP workload with Microsoft Defender for Cloud and the [SAP certified](https://www.sap.com/dmc/exp/2013_09_adpd/enEN/#/solutions?id=s:33db1376-91ae-4f36-a435-aafa892a88d8) Microsoft Sentinel solution. Prevent incidents from happening, detect and respond to threats in real-time. |

-description: Enable search-as-you-type query actions in Azure Cognitive Search by creating suggesters and formulating requests that autocomplete a search box with finished terms or phrases. You can also return suggested matches.

-# Add autocomplete and suggestions to client apps using Azure Cognitive Search

-To implement these experiences in Azure Cognitive Search, you will need:

-+ A *suggester* definition that's embedded in the index schema.

-+ A *query* specifying [Autocomplete](/rest/api/searchservice/autocomplete) or [Suggestions](/rest/api/searchservice/suggestions) API on the request.

-+ A *UI control* to handle search-as-you-type interactions in your client app. We recommend using an existing JavaScript library for this purpose.

-The remainder of this article is focused on queries and client code. It uses JavaScript and C# to illustrate key points. REST API examples are used to concisely present each operation. For links to end-to-end code samples, see [Next steps](#next-steps).

-> Network limits do not apply when a tiered file is accessed.

-> [!NOTE]

-> If an AAD login has a connection open for more than 1 hour at time of query execution, any query that relies on AAD will fail. This includes querying storage using AAD pass-through and statements that interact with AAD (like CREATE EXTERNAL PROVIDER). This affects every tool that keeps connections open, like in query editor in SSMS and ADS. Tools that open new connections to execute a query, like Synapse Studio, are not affected.

-> You can restart SSMS or connect and disconnect in ADS to mitigate this issue.

-To connect and query with Visual Studio, see [Query with Visual Studio](../sql-data-warehouse/sql-data-warehouse-query-visual-studio.md?context=/azure/synapse-analytics/context/context). To learn more about authentication options, see [Authentication to Synapse SQL](sql-authentication.md?tabs=provisioned).

-This error can occur when the authentication method is user identity, which is also known as Azure AD pass-through, and the Azure AD access token expires.

-This error can occur when the authentication method is user identity, which is also known as Azure AD pass-through, and the Azure AD access token expires.

-| `*.prod.warm.ingest.monitor.core.windows.net` | 443 | Agent traffic<br /><br />[Diagnostic output](diagnostics-log-analytics.md) | AzureMonitor |

-| `*.prod.warm.ingest.monitor.core.usgovcloudapi.net` | 443 | Agent traffic<br /><br />[Diagnostic output](diagnostics-log-analytics.md) | AzureMonitor |

-To monitor B-series specific credit metrics, customers can utilize the Azure monitor data platform, see [Overview of metrics in Microsoft Azure](../../azure-monitor/data-platform.md). Azure monitor data platform can be accessed via Azure portal and other orchestration paths, and via programmatic API calls to Azure monitor.

-Via Azure monitor data platform, customers can access B-series credit model specific metrics such as 'CPU Credits Consumed', 'CPU Credits Remaining' and 'Percentage CPU' for their given B-series size in real time.

-description: Enable Trusted Launch on existing Azure VMs.

-# Enable Trusted Launch on existing Azure VMs

-Azure Virtual Machines supports enabling Trusted Launch on existing [Azure Generation 2](generation-2.md) VMs by upgrading to [Trusted launch](trusted-launch.md) security type.

-> Enabling Trusted Launch on existing virtual machines (VMs) is currently not supported for following scenarios:

-> - Azure Virtual Machine Scale Sets (VMSS) Uniform & Flex is currently not supported.

- - [Trusted Launch supported size family](trusted-launch.md#virtual-machines-sizes)

- - [Trusted Launch supported OS Image](trusted-launch.md#operating-systems-supported). For custom OS image or disks, the base image should be **Trusted Launch capable**.

-## Enable Trusted Launch on existing VM

-This section steps through using the Azure CLI to enable Trusted Launch on existing Azure Generation 2 VM.

-3. Enable Trusted Launch by setting `--security-type` to `TrustedLaunch`.

-> [!NOTE]

->

-> - After enabling Trusted Launch, currently virtual machine cannot be rolled back to security type **Standard** (Non-Trusted Launch configuration).

-> - **vTPM** is enabled by default.

-> - **Secure Boot** is recommended to be enabled (not enabled by default) if you are not using custom unsigned kernel or drivers. Secure Boot preserves boot integrity and enables foundational security for VM.

-6. Start the upgraded Trusted Launch VM and ensure that it has started successfully and verify that you are able to log in to the VM using either RDP (for Windows VM) or SSH (for Linux VM).

-This section steps through using the Azure PowerShell to enable Trusted Launch on existing Azure Generation 2 VM.

-3. Enable Trusted Launch by setting `--security-type` to `TrustedLaunch`.

-> [!NOTE]

->

-> - After enabling Trusted Launch, currently virtual machine cannot be rolled back to security type **Standard** (Non-Trusted Launch configuration).

-> - **vTPM** is enabled by default.

-> - **Secure Boot** is recommended to be enabled (not enabled by default) if you are not using custom unsigned kernel or drivers. Secure Boot preserves boot integrity and enables foundational security for VM.

-6. Start the upgraded Trusted Launch VM and ensure that it has started successfully and verify that you are able to log in to the VM using either RDP (for Windows VM) or SSH (for Linux VM).

-This section steps through using an ARM template to enable Trusted Launch on existing Azure Generation 2 VM.

- "vmsToMigrate": {

- "description": "Specifies the list of Gen2 virtual machines to be migrated to Trusted Launch."

- "name": "[parameters('vmsToMigrate').virtualMachines[copyIndex()].vmName]",

- "location": "[parameters('vmsToMigrate').virtualMachines[copyIndex()].location]",

- "secureBootEnabled": "[parameters('vmsToMigrate').virtualMachines[copyIndex()].secureBootEnabled]",

- "count": "[length(parameters('vmsToMigrate').virtualMachines)]"

- "vmsToMigrate": {

-secureBootEnabled | Enable secure boot with Trusted Launch security type | true

-> [!NOTE]

->

-> - After enabling Trusted Launch, currently virtual machine cannot be rolled back to security type **Standard** (Non-Trusted Launch configuration).

-> - **vTPM** is enabled by default.

-> - **Secure Boot** is recommended to be enabled (not enabled by default) if you are not using custom unsigned kernel or drivers. Secure Boot preserves boot integrity and enables foundational security for VM.

-6. Start the upgraded Trusted Launch VM and ensure that it has started successfully and verify that you are able to log in to the VM using either RDP (for Windows VM) or SSH (for Linux VM).

-**(Recommended)** Post-Upgrades enable [Boot Integrity Monitoring](trusted-launch.md#microsoft-defender-for-cloud-integration) to monitor the health of the VM using Microsoft Defender for Cloud.

-Learn more about [trusted launch](trusted-launch.md) and review [frequently asked questions](trusted-launch-faq.md)

-$nic.IpConfigurations.publicipaddress.id = $null

-Internet routing preference is available in all regions except:

-* Australia Central

-* Austria East

-* Brazil Southeast

-* Germany Central

-* Germany NorthEast

-* Norway West

-* Sweden Central

-* West US 3

-You can configure and deploy all WAF policies by using the Azure portal, REST APIs, Azure Resource Manager templates, and Azure PowerShell. You can also configure and manage Azure WAF policies at scale by using Firewall Manager integration (preview). For more information, see [Use Azure Firewall Manager to manage Azure Web Application Firewall policies (preview)](../shared/manage-policies.md).

-Monitoring for a WAF on Azure Front Door is integrated with Azure Monitor to track alerts and easily monitor traffic trends.