+A Group Managed Service Account (gMSA) is a managed domain account that provides automatic password management, simplified service principal name (SPN) management, and the ability to delegate the management to other administrators. It also extends this functionality over multiple servers. Azure AD Connect cloud sync supports and recommends the use of a Group Managed Service Account for running the agent. For more information on a Group Managed Service Account, see [Group Managed Service Accounts](how-to-prerequisites.md#group-managed-service-accounts).

+To upgrade an existing agent to use the Group Managed Service Account created during installation, update the agent service to the latest version by running AADConnectProvisioningAgent.msi. Now run through the installation wizard again and provide the credentials to create the account when prompted.

+## Installing against US government cloud

+By default, the Azure Active Directory (Azure AD) Connect provisioning agent installs against the default Azure cloud environment. If you're installing the agent for use in the US government, follow these steps:

+- In step #7 above, instead of select **Open file**, go to start run and navigate to the **AADConnectProvisioningAgentSetup.exe** file. In the run box, after the executable, enter **ENVIRONMENTNAME=AzureUSGovernment** and select **Ok**.

+ [](media/how-to-install/new-install-12.png#lightbox)

+To enable MD5 for password hash synchronization, perform the following steps:

+```xml

+<configuration>

+ <runtime>

+ <enforceFIPSPolicy enabled="false"/>

+ </runtime>

+</configuration>

+

+In this scenario, there's an existing forest synced using Azure AD Connect sync to an Azure AD tenant. And you have a new forest that you want to sync to the same Azure AD tenant. You'll set up cloud sync for the new forest.

+1. Identify a domain-joined host server running Windows Server 2012 R2 or greater with minimum of 4-GB RAM and .NET 4.7.1+ runtime

+2. If there's a firewall between your servers and Azure AD, configure the following items:

+ - For certificate validation, unblock the following URLs: **mscrl.microsoft.com:80**, **crl.microsoft.com:80**, **ocsp.msocsp.com:80**, and **www\.microsoft.com:80**. Since these URLs are used for certificate validation with other Microsoft products, you may already have these URLs unblocked.

+If you're using the [Basic AD and Azure environment](tutorial-basic-ad-azure.md) tutorial, it would be DC1. To install the agent, follow these steps:

+## Verify agent installation

+## Configure Azure AD Connect cloud sync

+ Use the following steps to configure provisioning

+1. Sign in to the Azure AD portal.

+2. Select **Azure Active Directory**

+3. Select **Azure AD Connect**

+4. Select **Manage cloud sync**

+ 

+5. Select **New Configuration**

+ 

+7. On the configuration screen, enter a **Notification email**, move the selector to **Enable** and select **Save**.

+ 

+ 

+You'll now verify that the users that you had in our on-premises directory have been synchronized and now exist in our Azure AD tenant. This process may take a few hours to complete. To verify users are synchronized, do the following:

+4. Verify that you see the new users in our tenant

+2. Sign in with a user account that was created in our new tenant. You'll need to sign in using the following format: (user@domain.onmicrosoft.com). Use the same password that the user uses to sign in on-premises.

+ 

+

+1. Ensure that you're running Azure AD Connect sync version 1.4.32.0 or later and have configured the sync rules as documented.

+1. When piloting, you'll be removing a test OU or group from Azure AD Connect sync scope. Moving objects out of scope leads to deletion of those objects in Azure AD.

+ - User objects, the objects in Azure AD are soft-deleted and can be restored.

+ - Group objects, the objects in Azure AD are hard-deleted and can't be restored.

+

+ A new link type has been introduced in Azure AD Connect sync, which will prevent the deletion in a piloting scenario.

+1. Ensure that the objects in the pilot scope have ms-ds-consistencyGUID populated so cloud sync hard matches the objects.

+1. This configuration is for advanced scenarios. Ensure that you follow the steps documented in this tutorial precisely.

+Azure AD Connect sync synchronizes changes occurring in your on-premises directory using a scheduler. In order to modify and add custom rules, you want to disable the scheduler so that synchronizations won't run while you're working making the changes. To stop the scheduler, use the following steps:

+ 1. Launch the synchronization editor from the application menu in desktop as shown below:

+

+ 

+ 2. Select **Inbound** from the drop-down list for Direction and select **Add new rule**.

+ 

+ 3. On the **Description** page, enter the following and select **Next**:

+ - **Name:** Give the rule a meaningful name

+ - **Description:** Add a meaningful description

+ - **Connected System:** Choose the AD connector that you're writing the custom sync rule for

+ - **Connected System Object Type:** User

+ - **Metaverse Object Type:** Person

+ - **Link Type:** Join

+ - **Precedence:** Provide a value that is unique in the system

+ - **Tag:** Leave this empty

+ 

+ 4. On the **Scoping filter** page, enter the OU or security group that you want the pilot based off. To filter on OU, add the OU portion of the distinguished name. This rule will be applied to all users who are in that OU. So, if DN ends with "OU=CPUsers,DC=contoso,DC=com, you would add this filter. Then select **Next**.

+ 

+ 5. On the **Join** rules page, select **Next**.

+ 6. On the **Transformations** page, add a Constant transformation: flow True to cloudNoFlow attribute. Select **Add**.

+ 

+ 1. Select **Outbound** from the drop-down list for Direction and select **Add rule**.

+ 

+ 2. On the **Description** page, enter the following and select **Next**:

+ - **Name:** Give the rule a meaningful name

+ - **Description:** Add a meaningful description

+ - **Connected System:** Choose the Azure AD connector that you're writing the custom sync rule for

+ - **Connected System Object Type:** User

+ - **Metaverse Object Type:** Person

+ - **Link Type:** JoinNoFlow

+ - **Precedence:** Provide a value that is unique in the system<br>

+ - **Tag:** Leave this empty

+ 

+ 3. On the **Scoping filter** page, choose **cloudNoFlow** equal **True**. Then select **Next**.

+ 

+ 4. On the **Join** rules page, select **Next**.

+ 5. On the **Transformations** page, select **Add**.

+Same steps need to be followed for all object types (user, group and contact).

+## Install the Azure AD Connect provisioning agent

+If you're using the [Basic AD and Azure environment](tutorial-basic-ad-azure.md) tutorial, it would be CP1. To install the agent, follow these steps:

+## Configure Azure AD Connect cloud sync

+Use the following steps to configure provisioning:

+1. Sign-in to the Azure AD portal.

+2. Select **Azure Active Directory**

+3. Select **Azure AD Connect**

+4. Select **Manage cloud sync**

+ 

+5. Select **New Configuration**

+ 

+6. On the configuration screen, enter a **Notification email**, move the selector to **Enable** and select **Save**.

+ 

+7. Under **Configure**, select **All users** to change the scope of the configuration rule.

+ 

+

+8. On the right, change the scope to include the specific OU you created "OU=CPUsers,DC=contoso,DC=com".

+ 

+

+9. Select **Done** and **Save**.

+ 

+You'll now verify that the users that you had in our on-premises directory have been synchronized and now exist in out Azure AD tenant. This process may take a few hours to complete. To verify users are provisioning by cloud sync, follow these steps:

+3. Select on **Azure AD Connect**

+4. Select on **Manage cloud sync**

+5. Select on **Logs** button

+Azure AD Connect sync synchronizes changes occurring in your on-premises directory using a scheduler. Now that you've modified the rules, you can restart the scheduler. Use the following steps:

+Once the scheduler is enabled, Azure AD Connect will stop exporting any changes on objects with `cloudNoFlow=true` in the metaverse, unless any reference attribute (such as `manager`) is being updated. In case there's any reference attribute update on the object, Azure AD Connect will ignore the `cloudNoFlow` signal and export all updates on the object.

+In case the pilot doesn't work as expected, you can go back to the Azure AD Connect sync setup by following the steps below:

+

+If you're using the [Basic AD and Azure environment](tutorial-basic-ad-azure.md) tutorial, it would be DC1. To install the agent, follow these steps:

+All other subscription types are deleted only through the [subscription cancellation](../../cost-management-billing/manage/cancel-azure-subscription.md#cancel-a-subscription-in-the-azure-portal) process. In other words, you can't delete a subscription directly unless it's a free trial or pay-as-you-go subscription. However, after you cancel a subscription, you can create an [Azure support request](https://go.microsoft.com/fwlink/?linkid=2083458) and ask to have the subscription deleted immediately.

+1. In the [Azure portal](https://portal.azure.com/), search for **Marketplace** on the top search bar. In the results, under **Services**, select **Marketplace**.

+[Azure Portal]: https://portal.azure.com/#create/Microsoft.Support/Parameters/%7B%0D%0A%09%22subId%22%3A+%22%22%2C%0D%0A%09%22pesId%22%3A+%225a3a423f-8667-9095-1770-0a554a934512%22%2C%0D%0A%09%22supportTopicId%22%3A+%2280ea0df7-5108-8e37-2b0e-9737517f0b96%22%2C%0D%0A%09%22contextInfo%22%3A+%22AksLabelDeprecationMarch22%22%2C%0D%0A%09%22caller%22%3A+%22Microsoft_Azure_ContainerService+%2B+AksLabelDeprecationMarch22%22%2C%0D%0A%09%22severity%22%3A+%223%22%0D%0A%7D

+1. To start creating the WordPress site, browse to [https://portal.azure.com/#create/WordPress.WordPress](https://portal.azure.com/#create/WordPress.WordPress).

+You can use Azure Policy to deploy the Azure Monitor agent VM extension at-scale to machines in your environment, and maintain configuration compliance. This is accomplished by using either the [**Configure Linux Arc-enabled machines to run Azure Monitor Agent**](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F845857af-0333-4c5d-bbbc-6076697da122) or the [**Configure Windows Arc-enabled machines to run Azure Monitor Agent**](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F94f686d6-9a24-4e19-91f1-de937dc171a4) policy definition.

+The Azure Maps C# SDK supports functionality available in the [Azure Maps Rest API][Rest API], like searching for an address, routing between different coordinates, and getting the geo-location of a specific IP address. This article introduces the C# REST SDK with examples to help you get started building location-aware applications in C# that incorporate the power of Azure Maps.

+## Create and authenticate a MapsSearchClient

+The client object used to access the Azure Maps Search APIs require either an `AzureKeyCredential` object to authenticate when using an Azure Maps subscription key or a `TokenCredential` object with the Azure Maps client ID when authenticating using Azure Active Directory (Azure AD). For more information on authentication, see [Authentication with Azure Maps][authentication].

+### Using an Azure AD credential

+You can authenticate with Azure AD using the [Azure Identity library][Identity library .NET]. To use the [DefaultAzureCredential][defaultazurecredential.NET] provider, you'll need to install the Azure Identity client library for .NET:

+```powershell

+dotnet add package Azure.Identity

+```

+You'll need to register the new Azure AD application and grant access to Azure Maps by assigning the required role to your service principal. For more information, see [Host a daemon on non-Azure resources][Host daemon]. During this process you'll get an Application (client) ID, a Directory (tenant) ID, and a client secret. Copy these values and store them in a secure place. You'll need them in the following steps.

+Set the values of the Application (client) ID, Directory (tenant) ID, and client secret of your Azure AD application, and the map resourceΓÇÖs client ID as environment variables:

+| Environment Variable | Description |

+|-||

+| AZURE_CLIENT_ID | Application (client) ID in your registered application |

+| AZURE_CLIENT_SECRET | The value of the client secret in your registered application |

+| AZURE_TENANT_ID | Directory (tenant) ID in your registered application |

+| MAPS_CLIENT_ID | The client ID in your Azure Map resource |

+Now you can create environment variables in PowerShell to store these values:

+```powershell

+$Env:AZURE_CLIENT_ID="Application (client) ID"

+$Env:AZURE_CLIENT_SECRET="your client secret"

+$Env:AZURE_TENANT_ID="your Directory (tenant) ID"

+$Env:MAPS_CLIENT_ID="your Azure Maps client ID"

+```

+After setting up the environment variables, you can use them in your program to instantiate the `AzureMapsSearch` client:

+```csharp

+using System;

+using Azure.Identity;

+using Azure.Maps.Search;

+var credential = new DefaultAzureCredential();

+var clientId = Environment.GetEnvironmentVariable("MAPS_CLIENT_ID");

+var client = new MapsSearchClient(credential, clientId);

+```

+> [!IMPORTANT]

+> The other environment variables created above, while not used in the code sample here, are required by `DefaultAzureCredential()`. If you do not set these environment variables correctly, using the same naming conventions, you will get run-time errors. For example, if your `AZURE_CLIENT_ID` is missing or invalid you will get an `InvalidAuthenticationTokenTenant` error.

+### Using a subscription key credential

+You can authenticate with your Azure Maps subscription key. Your subscription key can be found in the **Authentication** section in the Azure Maps account as shown in the following screenshot:

+Now you can create environment variables in PowerShell to store the subscription key:

+```powershell

+$Env:SUBSCRIPTION_KEY="your subscription key"

+```

+Once your environment variable is created, you can access it in your code:

+```csharp

+using System;

+using Azure;

+using Azure.Maps.Search;

+// Use Azure Maps subscription key authentication

+var subscriptionKey = Environment.GetEnvironmentVariable("SUBSCRIPTION_KEY") ?? string.Empty;

+var credential = new AzureKeyCredential(subscriptionKey);

+var client = new MapsSearchClient(credential);

+```

+using System;

+var subscriptionKey = Environment.GetEnvironmentVariable("SUBSCRIPTION_KEY") ?? string.Empty;

+var credential = new AzureKeyCredential(subscriptionKey);

+The above code snippet demonstrates how to create a `MapsSearchClient` object using your Azure credentials, then uses its [FuzzySearch][FuzzySearch] method, passing in the point of interest (POI) name "_Starbucks_" and coordinates _GeoPosition(-122.31, 47.61)_. This all gets wrapped up by the SDK and sent to the Azure Maps REST endpoints. When the search results are returned, they're written out to the screen using `Console.WriteLine`.

+var subscriptionKey = Environment.GetEnvironmentVariable("SUBSCRIPTION_KEY") ?? string.Empty;

+var credential = new AzureKeyCredential(subscriptionKey);

+var client = new MapsSearchClient(credential);

+using system;

+var subscriptionKey = Environment.GetEnvironmentVariable("SUBSCRIPTION_KEY") ?? string.Empty;

+var credential = new AzureKeyCredential(subscriptionKey);

+var client = new MapsSearchClient(credential);

+[search-api]: /dotnet/api/azure.maps.search

+[Identity library .NET]: /dotnet/api/overview/azure/identity-readme?view=azure-dotnet

+[defaultazurecredential.NET]: /dotnet/api/overview/azure/identity-readme?view=azure-dotnet#defaultazurecredential

+[NuGet]: https://www.nuget.org/

+| Service Name  | npm package  | Samples  |

+| [Route][js route readme] | [@azure-rest/maps-route][js route package] | [route samples][js route sample] |

+[js route readme]: https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/maps/maps-route-rest/README.md

+[js route package]: https://www.npmjs.com/package/@azure-rest/maps-route

+[js route sample]: https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/maps/maps-route-rest/samples/v1-beta

+Download the [applicationinsights-agent-3.4.4.jar](https://github.com/microsoft/ApplicationInsights-Java/releases/download/3.4.4/applicationinsights-agent-3.4.4.jar) file.

+Add `-javaagent:"path/to/applicationinsights-agent-3.4.4.jar"` to your application's JVM args.

+ - Or you can create a configuration file named `applicationinsights.json`. Place it in the same directory as `applicationinsights-agent-3.4.4.jar` with the following content:

+Add the JVM arg `-javaagent:"path/to/applicationinsights-agent-3.4.4.jar"` somewhere before `-jar`, for example:

+java -javaagent:"path/to/applicationinsights-agent-3.4.4.jar" -jar <myapp.jar>

+If you're using the *exec* form, add the parameter `-javaagent:"path/to/applicationinsights-agent-3.4.4.jar"` to the parameter list somewhere before the `"-jar"` parameter, for example:

+ENTRYPOINT ["java", "-javaagent:path/to/applicationinsights-agent-3.4.4.jar", "-jar", "<myapp.jar>"]

+If you're using the *shell* form, add the JVM arg `-javaagent:"path/to/applicationinsights-agent-3.4.4.jar"` somewhere before `-jar`, for example:

+ENTRYPOINT java -javaagent:"path/to/applicationinsights-agent-3.4.4.jar" -jar <myapp.jar>

+JAVA_OPTS="$JAVA_OPTS -javaagent:path/to/applicationinsights-agent-3.4.4.jar"

+CATALINA_OPTS="$CATALINA_OPTS -javaagent:path/to/applicationinsights-agent-3.4.4.jar"

+If the file `<tomcat>/bin/setenv.sh` already exists, then modify that file and add `-javaagent:path/to/applicationinsights-agent-3.4.4.jar` to `CATALINA_OPTS`.

+set CATALINA_OPTS=%CATALINA_OPTS% -javaagent:path/to/applicationinsights-agent-3.4.4.jar

+set "CATALINA_OPTS=%CATALINA_OPTS% -javaagent:path/to/applicationinsights-agent-3.4.4.jar"

+If the file `<tomcat>/bin/setenv.bat` already exists, just modify that file and add `-javaagent:path/to/applicationinsights-agent-3.4.4.jar` to `CATALINA_OPTS`.

+Locate the file `<tomcat>/bin/tomcat8w.exe`. Run that executable and add `-javaagent:path/to/applicationinsights-agent-3.4.4.jar` to the `Java Options` under the `Java` tab.

+Add `-javaagent:path/to/applicationinsights-agent-3.4.4.jar` to the existing `JAVA_OPTS` environment variable in the file `JBOSS_HOME/bin/standalone.conf` (Linux) or `JBOSS_HOME/bin/standalone.conf.bat` (Windows):

+ JAVA_OPTS="-javaagent:path/to/applicationinsights-agent-3.4.4.jar -Xms1303m -Xmx1303m ..."

+Add `-javaagent:path/to/applicationinsights-agent-3.4.4.jar` to the existing `jvm-options` in `JBOSS_HOME/domain/configuration/host.xml`:

+ <option value="-javaagent:path/to/applicationinsights-agent-3.4.4.jar"/>

+-javaagent:path/to/applicationinsights-agent-3.4.4.jar

+Add `-javaagent:path/to/applicationinsights-agent-3.4.4.jar` to the existing `jvm-options` in `glassfish/domains/domain1/config/domain.xml`:

+ -javaagent:path/to/applicationinsights-agent-3.4.4.jar>

+-javaagent:path/to/applicationinsights-agent-3.4.4.jar

+-javaagent:path/to/applicationinsights-agent-3.4.4.jar

+By default, Application Insights Java 3.x expects the configuration file to be named `applicationinsights.json`, and to be located in the same directory as `applicationinsights-agent-3.4.4.jar`.

+If you specify a relative path, it will be resolved relative to the directory where `applicationinsights-agent-3.4.4.jar` is located.

+If you specify a relative path, it's resolved relative to the directory where `applicationinsights-agent-3.4.4.jar` is located.

+`applicationinsights-agent-3.4.4.jar` is located.

+-javaagent:path/to/applicationinsights-agent-3.4.4.jar

+For a sample application, we'll use an [ASP.NET Core MVC application](https://github.com/AaronMaxwell/AzureCafe) that targets `net6.0`. However, you can apply these instructions to all ASP.NET Core applications. If you're using the [Worker Service](/aspnet/core/fundamentals/host/hosted-services#worker-service-template), use the instructions from [here](./worker-service.md).

+The following table lists the available curated visualizations and information about them. **Most** of the list below can be found in the [Insights hub in the Azure portal](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/more). The table uses the same grouping as portal.

+| [Table-level Azure RBAC](#set-table-level-read-access-preview) | Optional permissions that define specific data types in the workspace that you can access. Apply to all users no matter your access mode or access control mode. |

+| What is the scope of permissions? | Workspace.<br>Users with access to the workspace can query all logs in the workspace from tables they have permissions to. See [Set table-level read access](./manage-access.md#set-table-level-read-access-preview). | Azure resource.<br>Users can query logs for specific resources, resource groups, or subscriptions they have access to in any workspace, but they can't query logs for other resources. |

+* **Require workspace permissions**. This control mode doesn't allow granular Azure RBAC. To access the workspace, the user must be [granted permissions to the workspace](#azure-rbac) or to [specific tables](#set-table-level-read-access-preview).

+## Set table-level read access (preview)

+1. Create a custom role that grants users permission to execute queries in the Log Analytics workspace, based on the built-in Azure Monitor Logs **Reader** role:

+ 1. On the **Basics** tab of the screen, enter a **Custom role name** value and, optionally, provide a description.

+ "PrincipalId": "<user_object_ID>",

+ "RoleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",

+ - `<user_object_ID>` is the object ID of the user to which you want to grant table read access.

+[Azure custom roles](../../role-based-access-control/custom-roles.md) let you grant access to specific tables in the workspace, although we recommend defining [table-level read access](#set-table-level-read-access-preview) as described above.

+[Table-level RBAC](manage-access.md#set-table-level-read-access-preview): With table-level RBAC, you can grant or deny access to specific tables in the workspace. In this way, you can implement granular permissions required for specific situations in your environment.

+- **Metric alerts** - See [Supported resources for metric alerts in Azure Monitor](alerts/alerts-metric-near-real-time.md).

+- **Prometheus metrics** - See [Prometheus metrics overview](essentials/prometheus-metrics-overview.md#enable).

+- **Resource logs** - See [Supported categories for Azure Monitor resource logs](essentials/resource-logs-categories.md).

+To cancel a support plan, see [Cancel a support plan](../../cost-management-billing/manage/cancel-azure-subscription.md#cancel-a-subscription-in-the-azure-portal).

+1. Create the [Logic App](https://portal.azure.com/#create/Microsoft.LogicApp). We create a Logic App in the same region as the Azure Video Indexer region (recommended but not required). We call the logic app `UploadIndexVideosApp`.

+* Sign in to the [Azure portal](https://portal.azure.com/).

+11. There are two ways to refresh data: ad hoc and scheduled. Simply click **Refresh Now** to refresh the data. Check Power BI documentation for more information about the scheduled refresh option.

+* To learn more about Azure Cosmos DB, see the [Azure Cosmos DB documentation landing page](../index.yml).

+* Shut down your services. Go to the [All resources](https://portal.azure.com/?flight=1#blade/HubsExtension/Resources/resourceType/Microsoft.Resources%2Fresources) page, and **Stop** any running virtual machines, applications, or other services.

+* Delete all resources and all resource groups.

+ * To later delete a subscription, you must first delete all resources associated with the subscription.

+> After you cancel your subscription, you'll receive a final invoice for the usage that you incurred in the last billing cycle.

+If you cancel an Azure Support plan, you're billed for the rest of the month. Cancelling a support plan doesn't result in a prorated refund. For more information, see [Azure support plans](https://azure.microsoft.com/support/plans/).

+## Cancel a subscription in the Azure portal

+Depending on your environment, the cancel subscription experience allows you to cancel a subscription, turn off auto-renewal for an associated support plan, and stop all Azure subscription resources.

+If you have a support plan associated with the subscription, it's shown in the cancellation process. Otherwise, it isn't shown.

+If you have any Azure resources associated with the subscription, they're shown in the cancellation process. Otherwise, they're not shown.

+A billing account owner uses the following steps to cancel a subscription.

+A subscription owner can navigate in the Azure portal to **Subscriptions** and then start at step 3.

+1. In the Azure portal, navigate to Cost Management + Billing.

+1. In the left menu under **Products + services**, select **All billing subscriptions**. If you a support plan, it's shown in the list.

+ :::image type="content" source="./media/cancel-azure-subscription/all-billing-subscriptions.png" alt-text="Screenshot showing all billing subscriptions." lightbox="./media/cancel-azure-subscription/all-billing-subscriptions.png" :::

+1. Select the subscription that you want to cancel.

+1. At the top of page, select **Cancel**.

+1. If you have any resources associated with the subscription, they're shown on the page. At the top of the page, select **Cancel subscription**.

+ :::image type="content" source="./media/cancel-azure-subscription/cancel-subscription.png" alt-text="Screenshot showing the subscription properties where you select Cancel subscription." lightbox="./media/cancel-azure-subscription/cancel-subscription.png" :::

+1. Select a reason for cancellation.

+1. If you have a support plan and no other subscriptions use it, select **Turn off auto-renew**. If other subscriptions use the support plan, clear the option.

+1. If you have any running resources associated with the subscription, you must select **Turn off resources**. Ensure that you have already backed up any data that you want to keep.

+1. Select **Cancel subscription**.

+ :::image type="content" source="./media/cancel-azure-subscription/cancel-subscription-final.png" alt-text="Screenshot showing the Cancel subscription window options." lightbox="./media/cancel-azure-subscription/cancel-subscription-final.png" :::

+After the subscription is canceled, you'll see a notification that the cancellation is complete. If you have any outstanding charges that haven't been invoiced yet, you'll see their estimated charges. If you have any outstanding credits that haven't been applied to your invoice, you'll see the estimated credits that will get applied to your invoice. For more information about data update frequency, see [Cost and usage data updates and retention](../costs/understand-cost-mgt-data.md#cost-and-usage-data-updates-and-retention).

+> [!NOTE]

+> Partners can suspend or cancel a subscription if requested by a customer or in cases of nonpayment or fraud. For more information, see [Suspend or cancel a subscription](/partner-center/create-a-new-subscription#suspend-or-cancel-a-subscription).

+After you cancel, your services are disabled. That means your virtual machines are de-allocated, temporary IP addresses are freed, and storage is read-only. Here's an example of the cancellation window.

+After your subscription is canceled, Microsoft waits 30 - 90 days before permanently deleting your data in case you need to access it, or if you change your mind. We don't charge you for keeping the data. To learn more, see [Microsoft Trust Center - How we manage your data](https://go.microsoft.com/fwLink/p/?LinkID=822930&clcid=0x409).

+The **Delete subscription** option isn't available until at least 15 minutes after you cancel your subscription.

+>[!NOTE]

+> 90 days after you cancel a subscription, the subscription is automatically deleted.

+The only subscription types that you can manually delete are free trial and pay-as-you-go subscriptions. All other subscription types are deleted only through the [subscription cancellation](#cancel-a-subscription-in-the-azure-portal) process. In other words, you can't delete a subscription directly unless it's a free trial or pay-as-you-go subscription. However, after you cancel a subscription, you can create an [Azure support request](https://go.microsoft.com/fwlink/?linkid=2083458) to ask to have the subscription deleted immediately.

+1. Select **Reactivate**.

+ :::image type="content" source="./media/subscription-disabled/reactivate-sub.png" alt-text="Screenshot that shows Confirm reactivation." :::

+|Clouds:|:::image type="icon" source="./media/icons/yes-icon.png"::: Commercial clouds<br>:::image type="icon" source="./media/icons/yes-icon.png"::: National (Azure Government, Azure China 21Vianet) <br> <br> Software inventory is not currently supported on the National cloud.|

+Software inventory can be enabled either using the agentless scanner or with the agent based Microsoft Defender for Endpoint integration.

+If you've already enabled the integration with Microsoft Defender for Endpoint and enabled Microsoft Defender for Servers, you'll have access to the software inventory.

+| Source Code Management | [Azure DevOps](https://portal.azure.com/#home) |

+Defender for DevOps allows you to manage your connected environments and provides your security teams with a high level overview of discovered issues that may exist within them through the [Defender for DevOps console](https://portal.azure.com/#view/Microsoft_Azure_Security/SecurityMenuBlade/~/DevOpsSecurity).

+We don't recommend that you exclude storage accounts from Defender for Storage because attackers can use any opening in order to compromise your environment. If you want to optimize your Azure costs and remove storage accounts that you feel are low risk from Defender for Storage, you can use the [Price Estimation Workbook](https://portal.azure.com/#view/Microsoft_Azure_Security/SecurityMenuBlade/~/28) in the Azure portal to evaluate the cost savings.

+| (Preview) [Code repositories should have code scanning findings resolved](https://portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsWithRulesBlade/assessmentKey/c68a8c2a-6ed4-454b-9e37-4b7654f2165f/showSecurityCenterCommandBar~/false) | Defender for DevOps has found vulnerabilities in code repositories. To improve the security posture of the repositories, it is highly recommended to remediate these vulnerabilities. (No related policy) | Medium |

+| (Preview) [Code repositories should have secret scanning findings resolved](https://portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsWithRulesBlade/assessmentKey/4e07c7d0-e06c-47d7-a4a9-8c7b748d1b27/showSecurityCenterCommandBar~/false) | Defender for DevOps has found a secret in code repositories.  This should be remediated immediately to prevent a security breach.  Secrets found in repositories can be leaked or discovered by adversaries, leading to compromise of an application or service. For Azure DevOps, the Microsoft Security DevOps CredScan tool only scans builds on which it has been configured to run. Therefore, results may not reflect the complete status of secrets in your repositories. (No related policy) | High |

+| (Preview) [Code repositories should have Dependabot scanning findings resolved](https://portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/822425e3-827f-4f35-bc33-33749257f851/showSecurityCenterCommandBar~/false) | Defender for DevOps has found vulnerabilities in code repositories. To improve the security posture of the repositories, it is highly recommended to remediate these vulnerabilities. (No related policy) | Medium |

+| (Preview) [Code repositories should have infrastructure as code scanning findings resolved](https://portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/2ebc815f-7bc7-4573-994d-e1cc46fb4a35/showSecurityCenterCommandBar~/false) | (Preview) Code repositories should have infrastructure as code scanning findings resolved | Medium |

+| (Preview) [GitHub repositories should have code scanning enabled](https://portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/6672df26-ff2e-4282-83c3-e2f20571bd11/showSecurityCenterCommandBar~/false) | GitHub uses code scanning to analyze code in order to find security vulnerabilities and errors in code. Code scanning can be used to find, triage, and prioritize fixes for existing problems in your code. Code scanning can also prevent developers from introducing new problems. Scans can be scheduled for specific days and times, or scans can be triggered when a specific event occurs in the repository, such as a push. If code scanning finds a potential vulnerability or error in code, GitHub displays an alert in the repository. A vulnerability is a problem in a project's code that could be exploited to damage the confidentiality, integrity, or availability of the project. (No related policy) | Medium |

+| (Preview) [GitHub repositories should have secret scanning enabled](https://portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/1a600c61-6443-4ab4-bd28-7a6b6fb4691d/showSecurityCenterCommandBar~/false) | GitHub scans repositories for known types of secrets, to prevent fraudulent use of secrets that were accidentally committed to repositories. Secret scanning will scan the entire Git history on all branches present in the GitHub repository for any secrets. Examples of secrets are tokens and private keys that a service provider can issue for authentication. If a secret is checked into a repository, anyone who has read access to the repository can use the secret to access the external service with those privileges. Secrets should be stored in a dedicated, secure location outside the repository for the project. (No related policy) | High |

+| (Preview) [GitHub repositories should have Dependabot scanning enabled](https://portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/92643c1f-1a95-4b68-bbd2-5117f92d6e35/showSecurityCenterCommandBar~/false) | GitHub sends Dependabot alerts when it detects vulnerabilities in code dependencies that affect repositories. A vulnerability is a problem in a project's code that could be exploited to damage the confidentiality, integrity, or availability of the project or other projects that use its code. Vulnerabilities vary in type, severity, and method of attack. When code depends on a package that has a security vulnerability, this vulnerable dependency can cause a range of problems. (No related policy) | Medium |

+When vulnerabilities are detected, Defender for Cloud generates the following security recommendation listing the detected issues: [Running container images should have vulnerability findings resolved](https://portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/KubernetesRuntimeVisibilityRecommendationDetailsBlade/assessmentKey/41503391-efa5-47ee-9282-4eff6131462c/showSecurityCenterCommandBar~/false).

+Defender for Containers relies on the Defender profile/extension for several features. The Defender profile/extension doesn't support the ability to ingest data through Private Link. You can disable public access for ingestion, so that only machines that are configured to send traffic through Azure Monitor Private Link can send data to that workstation. You can configure a private link by navigating to **`your workspace`** > **Network Isolation** and setting the Virtual networks access configurations to **No**.

+Defender for Containers relies on the Defender profile/extension for several features. The Defender profile/extension doesn't support the ability to ingest data through Private Link. You can disable public access for ingestion, so that only machines that are configured to send traffic through Azure Monitor Private Link can send data to that workstation. You can configure a private link by navigating to **`your workspace`** > **Network Isolation** and setting the Virtual networks access configurations to **No**.

+Defender for Containers relies on the Defender profile/extension for several features. The Defender profile/extension doesn't support the ability to ingest data through Private Link. You can disable public access for ingestion, so that only machines that are configured to send traffic through Azure Monitor Private Link can send data to that workstation. You can configure a private link by navigating to **`your workspace`** > **Network Isolation** and setting the Virtual networks access configurations to **No**.

+Defender for Containers relies on the Defender profile/extension for several features. The Defender profile/extension doesn't support the ability to ingest data through Private Link. You can disable public access for ingestion, so that only machines that are configured to send traffic through Azure Monitor Private Link can send data to that workstation. You can configure a private link by navigating to **`your workspace`** > **Network Isolation** and setting the Virtual networks access configurations to **No**.

+**Estimated date for change: November 2022**

+The recommendation [`Lambda functions should have a dead-letter queue configured`](https://portal.azure.com/#view/Microsoft_Azure_Security/AwsRecommendationDetailsBlade/assessmentKey/dcf10b98-798f-4734-9afd-800916bf1e65/showSecurityCenterCommandBar~/false) is set to be deprecated.

+The recommendation [`Diagnostic logs in Virtual Machine Scale Sets should be enabled`](https://portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/961eb649-3ea9-f8c2-6595-88e9a3aeedeb/showSecurityCenterCommandBar~/false) is set to be deprecated.

+The related [policy definition](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7c1b1214-f927-48bf-8882-84f0af6588b1) will also be deprecated from any standards displayed in the regulatory compliance dashboard.

+ |Workflow automation for security alerts |[Deploy Workflow Automation for Microsoft Defender for Cloud alerts](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff1525828-9a90-4fcf-be48-268cdd02361e)|f1525828-9a90-4fcf-be48-268cdd02361e|

+ |Workflow automation for security recommendations |[Deploy Workflow Automation for Microsoft Defender for Cloud recommendations](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F73d6ab6c-2475-4850-afd6-43795f3492ef)|73d6ab6c-2475-4850-afd6-43795f3492ef|

+ |Workflow automation for regulatory compliance changes|[Deploy Workflow Automation for Microsoft Defender for Cloud regulatory compliance](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F509122b9-ddd9-47ba-a5f1-d0dac20be63c)|509122b9-ddd9-47ba-a5f1-d0dac20be63c|

+- [Deploy Workflow Automation for Microsoft Defender for Cloud alerts](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff1525828-9a90-4fcf-be48-268cdd02361e)

+- [Deploy Workflow Automation for Microsoft Defender for Cloud recommendations](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F73d6ab6c-2475-4850-afd6-43795f3492ef)

+- [Deploy Workflow Automation for Microsoft Defender for Cloud regulatory compliance](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F509122b9-ddd9-47ba-a5f1-d0dac20be63c)

+| Message | CEF:0 <br />Microsoft Defender for IoT/CyberX <br />Sensor name <br />Sensor version <br />Microsoft Defender for IoT Alert <br />Alert title <br />Integer indication of severity. 1=**Warning**, 4=**Minor**, 8=**Major**, or 10=**Critical**.<br />msg= The message of the alert. <br />protocol= The protocol of the alert. <br />severity= **Warning**, **Minor**, **Major**, or **Critical**. <br />type= **Protocol Violation**, **Policy Violation**, **Malware**, **Anomaly**, or **Operational**. <br />UUID= UUID of the alert (Optional) <br /> start= The time that the alert was detected. <br />Might vary from the time of the syslog server machine, and depends on the time-zone configuration of the forwarding rule. <br />src_ip= IP address of the source device. (Optional) <br />src_mac= MAC address of the source device. (Optional) <br />dst_ip= IP address of the destination device. (Optional)<br />dst_mac= MAC address of the destination device. (Optional)<br />cat= The alert group associated with the alert. |

+For more information, see [What is a Defender for IoT committed device?](architecture.md#what-is-a-defender-for-iot-committed-device)

+1. Open the gallery you want to attach to the dev center from the [Azure portal](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2Fgalleries). You can also search for Azure Compute Galleries to find your gallery.

+Before you create a Defender EASM resource group, we recommend that you are familiar with how to access and use the [Microsoft Azure portal](https://portal.azure.com/) and read the [Defender EASM Overview article](index.md) for key context on the product. You will need:

+ Title: SMART on FHIR - Azure API for FHIR

+# SMART on FHIR overview

+<!>

+ Title: SMART on FHIR - Azure Health Data Services

+description: This tutorial describes how to use a proxy to enable SMART on FHIR applications with the FHIR service.

+# SMART on FHIR

+[SMART on FHIR](https://docs.smarthealthit.org/) is a set of open specifications to integrate partner applications with FHIR servers and electronic medical records systems that have Fast Healthcare Interoperability Resources (FHIR&#174;) interfaces. One of the main purposes of the specifications is to describe how an application should discover authentication endpoints for an FHIR server and start an authentication sequence.

+Authentication is based on OAuth2. But because SMART on FHIR uses parameter naming conventions that arenΓÇÖt immediately compatible with Azure Active Directory (Azure AD), the Azure API for FHIR has a built-in Azure AD SMART on FHIR proxy that enables a subset of the SMART on FHIR launch sequences. Specifically, the proxy enables the [EHR launch sequence](https://hl7.org/fhir/smart-app-launch/#ehr-launch-sequence).

+This tutorial describes how to use the proxy to enable SMART on FHIR applications with FHIR Service.

+## Prerequisites

+- An instance of the FHIR Service

+- [.NET Core 2.2](https://dotnet.microsoft.com/download/dotnet-core/2.2)

+## Configure Azure AD registrations

+SMART on FHIR requires that `Audience` has an identifier URI equal to the URI of the FHIR service. The standard configuration of the FHIR service uses an `Audience` value of `https://azurehealthcareapis.com`. However, you can also set a value matching the specific URL of your FHIR service (for example `https://MYFHIRAPI.fhir.azurehealthcareapis.com`). This is required when working with the SMART on FHIR proxy.

+You'll also need a client application registration. Most SMART on FHIR applications are single-page JavaScript applications. So you should follow the instructions for configuring a [public client application in Azure AD](register-public-azure-ad-client-app.md).

+After you complete these steps, you should have:

+- A FHIR server with the audience set to `https://MYFHIRAPI.fhir.azurehealthcareapis.com`, where `MYFHIRAPI` is the name of your FHIR service instance.

+- A public client application registration. Make a note of the application ID for this client application.

+### Set admin consent for your app

+To use SMART on FHIR, you must first authenticate and authorize the app. The first time you use SMART on FHIR, you also must get administrative consent to let the app access your FHIR resources.

+If you don't have an ownership role in the app, contact the app owner and ask them to grant admin consent for you in the app.

+If you do have administrative privileges, complete the following steps to grant admin consent to yourself directly. (You also can grant admin consent to yourself later when you're prompted in the app.) You can complete the same steps to add other users as owners, so they can view and edit this app registration.

+To add yourself or another user as owner of an app:

+1. In the Azure portal, go to Azure Active Directory.

+2. In the left menu, select **App Registration**.

+3. Search for the app registration you created, and then select it.

+4. In the left menu, under **Manage**, select **Owners**.

+5. Select **Add owners**, and then add yourself or the user you want to have admin consent.

+6. Select **Save**.

+## Enable the SMART on FHIR proxy

+Enable the SMART on FHIR proxy in the **Authentication** settings for your FHIR instance by selecting the **SMART on FHIR proxy** check box.

+Enable CORS : Because most SMART on FHIR applications are single-page JavaScript apps, you need to [enable cross-origin resource sharing (CORS)](configure-cross-origin-resource-sharing.md)

+Configure the reply URL: The SMART on FHIR proxy acts as an intermediary between the SMART on FHIR app and Azure AD. The authentication reply (the authentication code) must go to the SMART on FHIR proxy instead of the app itself. The proxy then forwards the reply to the app.

+Because of this two-step relay of the authentication code, you need to set the reply URL (callback) for your Azure AD client application to a URL that is a combination of the reply URL for the SMART on FHIR proxy and the reply URL for the SMART on FHIR app. The combined reply URL takes this form:

+```http

+https://MYFHIRAPI.azurehealthcareapis.com/AadSmartOnFhirProxy/callback/aHR0cHM6Ly9sb2NhbGhvc3Q6NTAwMS9zYW1wbGVhcHAvaW5kZXguaHRtbA

+```

+In that reply, `aHR0cHM6Ly9sb2NhbGhvc3Q6NTAwMS9zYW1wbGVhcHAvaW5kZXguaHRtbA` is a URL-safe, base64-encoded version of the reply URL for the SMART on FHIR app. For the SMART on FHIR app launcher, when the app is running locally, the reply URL is `https://localhost:5001/sampleapp/https://docsupdatetracker.net/index.html`.

+You can generate the combined reply URL by using a script like this:

+```PowerShell

+$replyUrl = "https://localhost:5001/sampleapp/https://docsupdatetracker.net/index.html"

+$fhirServerUrl = "https://MYFHIRAPI.azurewebsites.net"

+$bytes = [System.Text.Encoding]::UTF8.GetBytes($ReplyUrl)

+$encodedText = [Convert]::ToBase64String($bytes)

+$encodedText = $encodedText.TrimEnd('=');

+$encodedText = $encodedText.Replace('/','_');

+$encodedText = $encodedText.Replace('+','-');

+$newReplyUrl = $FhirServerUrl.TrimEnd('/') + "/AadSmartOnFhirProxy/callback/" + $encodedText

+```

+Add the reply URL to the public client application that you created earlier for Azure AD

+<!>

+## Get a test patient

+To test the FHIR service and the SMART on FHIR proxy, you'll need to have at least one patient in the database. If you've not interacted with the API yet, and you don't have data in the database, see [Access the FHIR service using Postman](./../fhir/use-postman.md) to load a patient. Make a note of the ID of a specific patient.

+## Download the SMART on FHIR app launcher

+The open-source [FHIR Server for Azure repository](https://github.com/Microsoft/fhir-server) includes a simple SMART on FHIR app launcher and a sample SMART on FHIR app. In this tutorial, use this SMART on FHIR launcher locally to test the setup.

+You can clone the GitHub repository and go to the application by using these commands:

+```PowerShell

+git clone https://github.com/Microsoft/fhir-server

+cd fhir-server/samples/apps/SmartLauncher

+```

+The application needs a few configuration settings, which you can set in `appsettings.json`:

+```json

+{

+ "FhirServerUrl": "https://MYFHIRAPI.fhir.azurehealthcareapis.com",

+ "ClientId": "APP-ID",

+ "DefaultSmartAppUrl": "/sampleapp/launch.html"

+}

+```

+We recommend that you use the `dotnet user-secrets` feature:

+```PowerShell

+dotnet user-secrets set FhirServerUrl https://MYFHIRAPI.fhir.azurehealthcareapis.com

+dotnet user-secrets set ClientId <APP-ID>

+```

+Use this command to run the application:

+```PowerShell

+dotnet run

+```

+## Test the SMART on FHIR proxy

+After you start the SMART on FHIR app launcher, you can point your browser to `https://localhost:5001`, where you should see the following screen:

+

+When you enter **Patient**, **Encounter**, or **Practitioner** information, you'll notice that the **Launch context** is updated. When you're using the FHIR service, the launch context is simply a JSON document that contains information about patient, practitioner, and more. This launch context is base64 encoded and passed to the SMART on FHIR app as the `launch` query parameter. According to the SMART on FHIR specification, this variable is opaque to the SMART on FHIR app and passed on to the identity provider.

+The SMART on FHIR proxy uses this information to populate fields in the token response. The SMART on FHIR app *can* use these fields to control which patient it requests data for and how it renders the application on the screen. The SMART on FHIR proxy supports the following fields:

+* `patient`

+* `encounter`

+* `practitioner`

+* `need_patient_banner`

+* `smart_style_url`

+These fields are meant to provide guidance to the app, but they don't convey any security information. A SMART on FHIR application can ignore them.

+Notice that the SMART on FHIR app launcher updates the **Launch URL** information at the bottom of the page. Select **Launch** to start the sample app, and you should see something like this sample:

+

+Inspect the token response to see how the launch context fields are passed on to the app.

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+3. To create a device within your IoT Hub to use to send a test message, select **…**, and then select **Create Device**. For this example, we'll be creating a device named **iot-001**. You'll create a device name of your own choosing.

+You also can use the [quotas page](https://portal.azure.com/#view/Microsoft_Azure_Capacity/QuotaMenuBlade/~/overview) in the Azure portal to check your current quotas and request increases.

+To retrieve your module connection string, navigate to your [IoT hub](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Devices%2FIotHubs) then select **Devices**. Find and select **myFirstDevice** to open it and then select **myFirstModule** to open it. In **Module Identity Details**, copy the **Connection string (primary key)** and save it for the console app.

+- If `get-logs` isn't producing any logs, it usually means that the container has failed to start. To debug this issue, try [deploying locally](#deploy-locally) instead.

+[sandbox-environment]: https://portal.azure.com/#view/Microsoft_Azure_CreateUIDef/SandboxBlade

+1. Sign in to [Azure portal](https://portal.azure.com/#home). Make sure youΓÇÖre signed in to the Azure tenant you submitted the offer to.

+1. Browse to [https://portal.azure.com/#create/WordPress.WordPress](https://portal.azure.com/#create/WordPress.WordPress), or search for "WordPress" in the Azure Marketplace.

+> Try the new [Topology (Preview)](network-insights-topology.md) experience which offers visualization of Azure resources for ease of inventory management and monitoring network at scale. Leverage it to visualize resources and their dependencies across subscriptions, regions and locations. [Click](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/overview) to navigate to the experience.

+1. Go to the Azure portal [portal.azure.com](https://portal.azure.com/)

+Combine [resource-context RBAC](resource-context-rbac.md) and [table-level RBAC](../azure-monitor/logs/manage-access.md#set-table-level-read-access-preview) to provide your teams with a wide range of access options that should support most use cases.

+It may be necessary to 'Grant admin consent' for the 'API permissions' being configured. Navigate to [Azure App registrations](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps) blade and add name of cluster to the filter. For both registrations, open 'API permissions', and select 'Grant admin consent for' if available.

+In the Azure portal, open the [Service Fabric Clusters](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.ServiceFabric%2Fclusters) pane.

+The [Service Health portal](https://portal.azure.com/#view/Microsoft_Azure_Health/AzureHealthBrowseBlade/~/serviceIssues) is part of the [Service Health service](overview.md). The portal provides you with a customizable dashboard which tracks the health of your Azure services in the regions where you use them. In this dashboard, you can track active events like ongoing service issues, upcoming planned maintenance, or relevant health advisories. When events become inactive, they get placed in your health history for up to 90 days. Finally, you can use the Service Health dashboard to create and manage service health alerts which proactively notify you when service issues are affecting you.

+The [Service Health portal](https://portal.azure.com/#view/Microsoft_Azure_Health/AzureHealthBrowseBlade/~/serviceIssues) tracks four types of health events that may impact your resources:

+- Sign in to the [Azure portal](https://portal.azure.com/#home)

+> To view live formula of these costs, open the **Cool vs Archive** tab of this [workbook](https://azure.github.io/Storage/docs/backup-and-archive/azure-archive-storage-cost-estimation/azure-archive-storage-cost-estimation.xlsx). You can modify the values in that worksheet to estimate your costs.

+|Resource |France Central |Southeast Asia |West US 2 |

+|||||

+|Maximum number of Elastic SAN that can be deployed per subscription per region |5 |5 |5 |

+|Maximum total capacity (TiB) |100 |100 |600 |

+|Maximum base capacity (TiB) |100 |100 |400 |

+|Minimum total capacity (TiB) |1 |1 |1 |

+|Maximum total IOPS |500,000 |500,000 |2,000,000 |

+|Maximum total throughput (MB/s) |8,000 |8,000 |32,000 |

+ZRS is only available in France Central and West US 2.

+|Resource |France Central |West US 2 |

+|||||

+|Maximum number of Elastic SAN that can be deployed per subscription per region |5 |5 |

+|Maximum total capacity (TiB) |200 |200 |

+|Maximum base capacity (TiB) |100 |100 |

+|Minimum total capacity (TiB) |1 |1 |

+|Maximum total IOPS |500,000 |500,000 |

+|Maximum total throughput (MB/s) |8,000 |8,000 |

+ 1. For **Input alias**, enter **entrystream**.

+ 2. Choose **Select Event Hub from your subscriptions**.

+ 3. For **Subscription**, select your Azure subscription.

+ 2. Choose **Select Blob storage/ADLS Gen2 from your subscriptions**.

+ 3. For **Subscription**, select your Azure subscription.

+ - For technical issues, please [create a support ticket](https://portal.azure.com/#create/Microsoft.Support).

+- Personal, where each session host is assigned to an individual user. Personal host pools provide dedicated desktops to end-users that optimize environments for performance and data separation.

+- Pooled, where user sessions can be load balanced to any session host in the host pool. There can be multiple user sessions on a single session host. Pooled host pools provide a shared remote experience to end-users, which ensures lower costs costs and greater efficiency.

+The following table goes into more detail about the features each type of host pool has:

+|Feature|Personal host pools|Pooled host pools|

+||||

+|Load balancing| User sessions are always load balanced to the session host the user is assigned to. If the user isn't currently assigned to a session host, the user session is load balanced to the next available session host in the host pool. | User sessions are load balanced to session hosts in the host pool based on user session count. You can choose which [load balancing algorithm](host-pool-load-balancing.md) to use: breadth-first or depth-first. |

+|Maximum session limit| One. | As many as the user wants. |

+|User assignment process| Customers can either directly assign users to session hosts or choose to have users automatically assigned to the first available session host. Users always have sessions on the session hosts they are assigned to. | Users aren't assigned to session hosts. After a user signs out and signs back in, their user session might get load balanced to a different session host. |

+|Scaling|None. | [Autoscale](autoscale-scaling-plan.md) for pooled host pools turns VMs on and off based on the capacity thresholds and schedules the customer defines. |

+|Updates|Updated with Windows Updates, [System Center Configuration Manager (SCCM)](configure-automatic-updates.md), or other software distribution configuration tools.|Updated by redeploying session hosts from updated images instead of traditional updates.|

+|User data| Each user only ever uses one session host, so they can store their user profile data in drive C on the operating system (OS) disk of the VM. | Users can connect to different session hosts every time they connect, so they should store their user profile data in FSLogix. |

+ Title: Manage session hosts with Microsoft Intune - Azure Virtual Desktop

+# Manage session hosts with Microsoft Intune

+We recommend using [Microsoft Intune](https://www.microsoft.com/endpointmanager) to manage your Azure Virtual Desktop environment. Microsoft Intune is a unified management platform that includes Microsoft Configuration Manager and Microsoft Intune.

+## Microsoft Configuration Manager

+Microsoft Configuration Manager versions 1906 and later can manage your domain-joined and Hybrid Azure Active Directory (Azure AD)-joined session hosts. For more information, see [Supported OS versions for clients and devices for Configuration Manager](/mem/configmgr/core/plan-design/configs/supported-operating-systems-for-clients-and-devices#azure-virtual-desktop).

+For Windows 11 and Windows 10 multi-session hosts, Intune supports both device-based configurations on Windows 11 and Windows 10 and user-scope configurations on Windows 11. User-scope configurations for Windows 10 are currently in preview. To learn more about using Intune to manage multi-session hosts, see [Using Azure Virtual Desktop multi-session with Intune](/mem/intune/fundamentals/windows-virtual-desktop-multi-session).

+> Managing Azure Virtual Desktop session hosts using Intune is currently supported in the Azure Public and [Azure Government clouds](/enterprise-mobility-security/solutions/ems-intune-govt-service-description).

+[Microsoft Intune licenses](https://microsoft.com/microsoft-365/enterprise-mobility-security/compare-plans-and-pricing) are included with most Microsoft 365 subscriptions.

+ Title: Use a disk encryption set across Azure AD tenants

+# Encrypt managed disks with cross-tenant customer-managed keys

+ - The VMs with **Uses managed disks** set to **No** on the [Azure portal's VM pane](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.ClassicCompute%2FVirtualMachines) are all the affected VMs within the subscription.

+1. For technical questions, issues, and help with adding subscriptions to the allowlist, [contact support](https://portal.azure.com/#create/Microsoft.Support/Parameters/%7B%22pesId%22:%226f16735c-b0ae-b275-ad3a-03479cfa1396%22,%22supportTopicId%22:%228a82f77d-c3ab-7b08-d915-776b4ff64ff4%22%7D).

+- [Azure Migration Support](https://portal.azure.com/#create/Microsoft.Support/Parameters/%7B%22pesId%22:%226f16735c-b0ae-b275-ad3a-03479cfa1396%22,%22supportTopicId%22:%221135e3d0-20e2-aec5-4ef0-55fd3dae2d58%22%7D): Dedicated support team for technical assistance during migration.

+1. Select **All services** in the left pane. Search for and select **Resource Graph Explorer**, or connect directly to the [Resource Graph Explorer](https://portal.azure.com/#view/HubsExtension/ArgQueryBlade)

+This quickstart shows you how to use the Azure Virtual Network NAT service. You'll create a NAT gateway to provide outbound connectivity for a virtual machine in Azure.

+Use [az network vnet subnet create](/cli/azure/network/vnet/subnet#az-network-vnet-subnet-create) to create an Azure Bastion subnet.

+ :::image type="content" source="./media/quickstart-create-nat-gateway-portal/find-public-ip.png" alt-text="Discover public IP address of NAT gateway" border="true":::

+ :::image type="content" source="./media/quickstart-create-nat-gateway-portal/my-ip.png" alt-text="Internet Explorer showing external outbound IP" border="true":::

+This quickstart shows you how to use the Azure Virtual Network NAT service. You'll create a NAT gateway to provide outbound connectivity for a virtual machine in Azure.

+## Create a NAT gateway

+Before you deploy the NAT gateway resource and the other resources, a resource group is required to contain the resources deployed. In the following steps, you'll create a resource group, NAT gateway resource, and a public IP address. You can use one or more public IP address resources, public IP prefixes, or both.

+For information more about public IP prefixes and a NAT gateway, see [Manage NAT gateway](/azure/virtual-network/nat-gateway/manage-nat-gateway?tabs=manage-nat-portal#add-or-remove-a-public-ip-prefix)

+2. In the search box at the top of the portal, enter **NAT gateway**. Select **NAT gateways** in the search results.

+3. Select **+ Create**.

+4. In **Create network address translation (NAT) gateway**, enter or select this information in the **Basics** tab:

+ | Subscription | Select your Azure subscription. |

+ | NAT gateway name | Enter **myNATgateway** |

+ | Region | Select **West Europe** |

+ | Availability Zone | Select **No Zone**. |

+ | Idle timeout (minutes) | Enter **10**. |

+ For information about availability zones and NAT gateway, see [NAT gateway and availability zones](/azure/virtual-network/nat-gateway/nat-availability-zones).

+5. Select the **Outbound IP** tab, or select the **Next: Outbound IP** button at the bottom of the page.

+6. In the **Outbound IP** tab, enter or select the following information:

+ | **Setting** | **Value** |

+ | -- | |

+ | Public IP addresses | Select **Create a new public IP address**. </br> In **Name**, enter **myPublicIP**. </br> Select **OK**. |

+7. Select the **Review + create** tab, or select the blue **Review + create** button at the bottom of the page.

+8. Select **Create**.

+## Virtual network

+Before you deploy a virtual machine and can use your NAT gateway, you need to create the virtual network. This virtual network will contain the virtual machine created in later steps.

+1. In the search box at the top of the portal, enter **Virtual network**. Select **Virtual networks** in the search results.

+2. Select **Create**.

+3. In **Create virtual network**, enter or select this information in the **Basics** tab:

+ | Subscription | Select your Azure subscription |

+ | Name | Enter **myVNet** |

+ | Region | Select **(Europe) West Europe** |

+4. Select the **IP Addresses** tab or select the **Next: IP Addresses** button at the bottom of the page.

+5. Accept the default IPv4 address space of **10.1.0.0/16**.

+6. In the subnet section in **Subnet name**, select the **default** subnet.

+7. In **Edit subnet**, enter this information:

+ | Setting | Value |

+ |--|-|

+ | Subnet name | Enter **mySubnet** |

+ | Subnet address range | Enter **10.1.0.0/24** |

+ | **NAT GATEWAY** |

+ | NAT gateway | Select **myNATgateway**. |

+8. Select **Save**.

+9. Select the **Security** tab.

+10. Under **BastionHost**, select **Enable**. Enter this information:

+ | Setting | Value |

+ |--|-|

+ | Bastion name | Enter **myBastionHost** |

+ | AzureBastionSubnet address space | Enter **10.1.1.0/26** |

+ | Public IP Address | Select **Create new**. </br> For **Name**, enter **myBastionIP**. </br> Select **OK**. |

+11. Select the **Review + create** tab or select the **Review + create** button.

+12. Select **Create**.

+It can take a few minutes for the deployment of the virtual network to complete. Proceed to the next steps when the deployment completes.

+1. In the search box at the top of the portal, enter **Virtual machine**. Select **Virtual machines** in the search results.

+2. Select **+ Create** > **Azure virtual machine**.

+ | Security type | Select **Standard**. |

+ | Image | Select **Windows Server 2022 Datacenter: Azure Edition - Gen2**. |

+ | Size | Select a size. |

+ | Subnet | Select **mySubnet (10.1.0.0/24)**. |

+In this section, you'll test the NAT gateway. You'll first discover the public IP of the NAT gateway. You'll then connect to the test virtual machine and verify the outbound connection through the NAT gateway.

+1. In the search box at the top of the portal, enter **Public IP**. Select **Public IP addresses** in the search results.

+2. Select **myPublicIP**.

+3. Make note of the public IP address:

+ :::image type="content" source="./media/quickstart-create-nat-gateway-portal/find-public-ip.png" alt-text="Discover public IP address of NAT gateway" border="true":::

+4. In the search box at the top of the portal, enter **Virtual machine**. Select **Virtual machines** in the search results.

+5. Select **myVM**.

+4. On the **Overview** page, select **Connect**, then **Bastion**.

+6. Enter the username and password entered during VM creation. Select **Connect**.

+7. Open **Microsoft Edge** on **myTestVM**.

+ :::image type="content" source="./media/quickstart-create-nat-gateway-portal/my-ip.png" alt-text="Internet Explorer showing external outbound IP" border="true":::

+This quickstart shows you how to use the Azure Virtual Network NAT service. You'll create a NAT gateway to provide outbound connectivity for a virtual machine in Azure.

+ :::image type="content" source="./media/quickstart-create-nat-gateway-portal/find-public-ip.png" alt-text="Discover public IP address of NAT gateway" border="true":::

+ :::image type="content" source="./media/quickstart-create-nat-gateway-portal/my-ip.png" alt-text="Internet Explorer showing external outbound IP" border="true":::