+## Update certificate user IDs using Microsoft Graph queries

+PATCH the user object certificateUserIds value for a given userId

+#### Request body:

+```http

+PATCH https://graph.microsoft.us/v1.0/users/{id}

+Content-Type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users(authorizationInfo,department)/$entity",

+ "department": "Accounting",

+ "authorizationInfo": {

+ "certificateUserIds": [

+ "X509:<PN>123456789098765@mil"

+ ]

+ }

+}

+```

+> App passwords don't work with Conditional Access based multi-factor authentication policies and modern authentication. App passwords only work with legacy authentication protocols such as IMAP and SMTP.

+ Title: LDAP Authentication and Azure Multi-Factor Authentication Server - Azure Active Directory

+By default, the Azure Multi-Factor Authentication Server is configured to import or synchronize users from Active Directory. However, it can be configured to bind to different LDAP directories, such as an ADAM directory, or specific Active Directory domain controller. When connected to a directory via LDAP, the Azure Multi-Factor Authentication Server can act as an LDAP proxy to perform authentications. Azure Multi-Factor Authentication Server can also use LDAP bind as a RADIUS target to pre-authenticate IIS users, or for primary authentication in the Azure Multi-Factor Authentication user portal.

+> In September 2022, Microsoft announced deprecation of Azure Multi-Factor Authentication Server. Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service multifactor authentication (MFA) requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their usersΓÇÖ authentication data](how-to-migrate-mfa-server-to-azure-mfa-user-authentication.md) to the cloud-based Azure Multi-Factor Authentication service by using the latest Migration Utility included in the most recent [Azure Multi-Factor Authentication Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Azure Multi-Factor Authentication Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md).

+> To get started with cloud-based MFA, see [Tutorial: Secure user sign-in events with Azure Multi-Factor Authentication](tutorial-enable-azure-mfa.md).

+7. Check the **Require Azure Multi-Factor Authentication user match** box if all users have been or will be imported into the Server and subject to two-step verification. If a significant number of users haven't yet been imported into the Server and/or are exempt from two-step verification, leave the box unchecked. See the MFA Server help file for additional information on this feature.

+Repeat these steps to add more LDAP clients.

+When the **Use LDAP unique identifier attribute for matching usernames** radio button is selected, the Azure Multi-Factor Authentication Server attempts to resolve each username to a unique identifier in the LDAP directory. An LDAP search is performed on the Username attributes defined in the Directory Integration > Attributes tab. When a user authenticates, the username is resolved to the unique identifier in the LDAP directory. The unique identifier is used for matching the user in the Azure Multi-Factor Authentication data file. This allows for case-insensitive comparisons, and long and short username formats.

+* Configure your appliance, server, or application to authenticate via LDAP to the Azure Multi-Factor Authentication Server as though it were your LDAP directory. Use the same settings that you normally use to connect directly to your LDAP directory, but use the Azure Multi-Factor Authentication Server for the server name or IP address.

+* Configure the LDAP timeout to 30-60 seconds to provide enough time to validate the user's credentials with the LDAP directory, perform the second-step verification, receive their response, and respond to the LDAP access request.

+ Title: IIS Authentication and Azure Multi-Factor Authentication Server - Azure Active Directory

+Use the IIS Authentication section of the Azure Multi-Factor Authentication (MFA) Server to enable and configure IIS authentication for integration with Microsoft IIS web applications. The Azure Multi-Factor Authentication Server installs a plug-in that can filter requests being made to the IIS web server to add Azure Multi-Factor Authentication. The IIS plug-in provides support for Form-Based Authentication and Integrated Windows HTTP Authentication. Trusted IPs can also be configured to exempt internal IP addresses from two-factor authentication.

+> In September 2022, Microsoft announced deprecation of Azure Multi-Factor Authentication Server. Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service multifactor authentication (MFA) requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their usersΓÇÖ authentication data](how-to-migrate-mfa-server-to-azure-mfa-user-authentication.md) to the cloud-based Azure Multi-Factor Authentication service by using the latest Migration Utility included in the most recent [Azure Multi-Factor Authentication Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Azure Multi-Factor Authentication Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md).

+> To get started with cloud-based MFA, see [Tutorial: Secure user sign-in events with Azure Multi-Factor Authentication](tutorial-enable-azure-mfa.md).

+>>

+5. Check the **Require Multi-Factor Authentication user match** box if all users have been or will be imported into the Server and subject to multi-factor authentication. If a significant number of users haven't yet been imported into the Server and/or will be exempt from multi-factor authentication, leave the box unchecked.

+6. If the page variables can't be detected automatically, click **Specify Manually** in the Auto-Configure Form-Based Website dialog box.

+10. Check the **Require Azure Multi-Factor Authentication user match** box if all users have been or will be imported into the Server and subject to multi-factor authentication. If a significant number of users haven't yet been imported into the Server and/or will be exempt from multi-factor authentication, leave the box unchecked.

+To secure an IIS web application that uses Integrated Windows HTTP authentication, install the Azure Multi-Factor Authentication Server on the IIS web server, then configure the Server with the following steps:

+5. Adjust the Idle timeout and Maximum session times if the default isn't sufficient.

+6. Check the **Require Multi-Factor Authentication user match** box if all users have been or will be imported into the Server and subject to multi-factor authentication. If a significant number of users haven't yet been imported into the Server and/or will be exempt from multi-factor authentication, leave the box unchecked.

+1. If running on IIS 6, click the **ISAPI** tab. Select the website that the web application is running under (for example, Default Web Site) to enable the Azure Multi-Factor Authentication ISAPI filter plug-in for that site.

+The Trusted IPs allows users to bypass Azure Multi-Factor Authentication for website requests originating from specific IP addresses or subnets. For example, you may want to exempt users from Azure Multi-Factor Authentication while logging in from the office. In that case, you can specify the office subnet as a Trusted IPs entry. To configure Trusted IPs, use the following procedure:

+For Chrome support in **Windows 10 Creators Update (version 1703)** or later, install the [Windows Accounts](https://chrome.google.com/webstore/detail/windows-accounts/ppnbnpeolgkicgegkbkbjmhlideopiji) or [Office](https://chrome.google.com/webstore/detail/office/ndjpnladcallmjemlbaebfadecfhkepb) extensions. These extensions are required when a Conditional Access policy requires device-specific details.

+- Learn about permission and consent ( [v1.0](../azuread-dev/v1-permissions-consent.md), [v2.0](permissions-consent-overview.md)).

+Two of the most commonly referenced app registration settings are:

+# Consent experience for applications in Azure Active Directory

+In this article, you'll learn about the Azure Active Directory (Azure AD) application consent user experience. You'll then be able to intelligently manage applications for your organization and/or develop applications with a more seamless consent experience.

+| 5 | Publisher name and verification | The blue "verified" badge means that the app publisher has verified their identity using a Microsoft Partner Network account and has completed the verification process. If the app is publisher verified, the publisher name is displayed. If the app isn't publisher verified, "Unverified" is displayed instead of a publisher name. For more information, read about [Publisher Verification](publisher-verification-overview.md). Selecting the publisher name displays more app info as available, such as the publisher name, publisher domain, date created, certification details, and reply URLs. |

+| 8 | Permissions | This list contains the permissions being requested by the client application. Users should always evaluate the types of permissions being requested to understand what data the client application will be authorized to access on their behalf if they accept. As an application developer it's best to request access, to the permissions with the least privilege. |

+## Common scenarios and consent experiences

+The following section describes the common scenarios and the expected consent experience for each of them.

+### App requires a permission that the user has the right to grant

+In this consent scenario, the user accesses an app that requires a permission set that is within the user's scope of authority. The user is directed to the user consent flow.

+Admins will see an additional control on the traditional consent prompt that will allow to give consent on behalf of the entire tenant. The control will be defaulted to off, so only when admins explicitly check the box will consent be granted on behalf of the entire tenant. The check box will only show for the Global Admin role, so Cloud Admin and App Admin won't see this checkbox.

+### App requires a permission that the user has no right to grant

+In this consent scenario, the user accesses an app that requires at least one permission that is outside the user's scope of authority.

+Non-admin users will be blocked from granting consent to the application, and they'll be told to ask their admin for access to the app. If admin consent workflow is enabled in the user's tenant, non-admin users are able to submit a request for admin approval from the consent prompt. For more information on admin consent workflow, see [Admin consent workflow](../manage-apps/admin-consent-workflow-overview.md).

+### User is directed to the admin consent flow

+In this consent scenario, the user navigates to or is directed to the admin consent flow.

+Non-admin users will be blocked from granting consent to the application, and they'll be told to ask their admin for access to the app.

+### Admin consent through the Azure portal

+In this scenario, an administrator consents to all of the permissions that an application requests, which can include delegated permissions on behalf of all users in the tenant. The Administrator grants consent through the **API permissions** page of the application registration in the [Azure portal](https://portal.azure.com).

+ :::image type="content" source="./media/consent-framework/grant-consent.png" alt-text="Screenshot of explicit admin consent through the Azure portal." lightbox="./media/consent-framework/grant-consent.png":::

+All users in that tenant won't see the consent dialog unless the application requires new permissions. To learn which administrator roles can consent to delegated permissions, see [Administrator role permissions in Azure AD](../roles/permissions-reference.md).

+ > [!IMPORTANT]

+ > Granting explicit consent using the **Grant permissions** button is currently required for single-page applications (SPA) that use MSAL.js. Otherwise, the application fails when the access token is requested.

+## Common Issues

+This section outlines the common issues with the consent experience and possible troubleshooting tips.

+- 403 error

+ - Is this a [delegated scenario](permissions-consent-overview.md)? What permissions does a user have?

+ - Are necessary permissions added to use the endpoint?

+ - Check the [token](https://jwt.ms/) to see if it has necessary claims to call the endpoint.

+ - What permissions have been consented to? Who consented?

+- User is unable to consent

+ - Check if tenant admin has disabled user consent for your organization

+ - Confirm if the permissions you requesting are admin-restricted permissions.

+- User is still blocked even after admin has consented

+ - Check if [static permissions](consent-types-developer.md) are configured to be a superset of permissions requested dynamically.

+ - Check if user assignment is required for the app.

+## Troubleshoot known errors

+For troubleshooting steps, see [Unexpected error when performing consent to an application](../manage-apps/application-sign-in-unexpected-user-consent-error.md).

+ Title: Microsoft identity platform developers' guide to requesting permissions through consent

+description: Learn how developers can request for permissions through consent in the Microsoft identity platform endpoint.

+# Requesting permissions through consent

+Applications in the Microsoft identity platform rely on consent in order to gain access to necessary resources or APIs. Different types of consent are better for different application scenarios. Choosing the best approach to consent for your app will help it be more successful with users and organizations.

+In this article, you'll learn about the different types of consent and how to request permissions for your application through consent.

+## Static user consent

+In the static user consent scenario, you must specify all the permissions it needs in the app's configuration in the Azure portal. If the user (or administrator, as appropriate) hasn't granted consent for this app, then Microsoft identity platform will prompt the user to provide consent at this time.

+Static permissions also enable administrators to consent on behalf of all users in the organization.

+While relying on static consent and a single permissions list keeps the code nice and simple, it also means that your app will request all of the permissions it might ever need up front. This can discourage users and admins from approving your app's access request.

+## Incremental and dynamic user consent

+With the Microsoft identity platform endpoint, you can ignore the static permissions defined in the application registration information in the Azure portal. Instead, you can request permissions incrementally. You can ask for a bare minimum set of permissions upfront and request more over time as the customer uses additional application features. To do so, you can specify the scopes your application needs at any time by including the new scopes in the `scope` parameter when [requesting an access token](#requesting-individual-user-consent) - without the need to pre-define them in the application registration information. If the user hasn't yet consented to new scopes added to the request, they'll be prompted to consent only to the new permissions. Incremental, or dynamic consent, only applies to delegated permissions and not to application permissions.

+Allowing an application to request permissions dynamically through the `scope` parameter gives developers full control over your user's experience. You can also front load your consent experience and ask for all permissions in one initial authorization request. If your application requires a large number of permissions, you can gather those permissions from the user incrementally as they try to use certain features of the application over time.

+> [!IMPORTANT]

+> Dynamic consent can be convenient, but presents a big challenge for permissions that require admin consent. The admin consent experience in the **App registrations** and **Enterprise applications** blades in the portal doesn't know about those dynamic permissions at consent time. We recommend that a developer list all the admin privileged permissions that are needed by the application in the portal. This enables tenant admins to consent on behalf of all their users in the portal, once. Users won't need to go through the consent experience for those permissions on sign in. The alternative is to use dynamic consent for those permissions. To grant admin consent, an individual admin signs in to the app, triggers a consent prompt for the appropriate permissions, and selects **consent for my entire org** in the consent dialogue.

+## Requesting individual user consent

+In an [OpenID Connect or OAuth 2.0](active-directory-v2-protocols.md) authorization request, an application can request the permissions it needs by using the `scope` query parameter. For example, when a user signs in to an app, the application sends a request like the following example. (Line breaks are added for legibility).

+```HTTP

+GET https://login.microsoftonline.com/common/oauth2/v2.0/authorize?

+client_id=6731de76-14a6-49ae-97bc-6eba6914391e

+&response_type=code

+&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F

+&response_mode=query

+&scope=

+https%3A%2F%2Fgraph.microsoft.com%2Fcalendars.read%20

+https%3A%2F%2Fgraph.microsoft.com%2Fmail.send

+&state=12345

+```

+The `scope` parameter is a space-separated list of delegated permissions that the application is requesting. Each permission is indicated by appending the permission value to the resource's identifier (the application ID URI). In the request example, the application needs permission to read the user's calendar and send mail as the user.

+After the user enters their credentials, the Microsoft identity platform checks for a matching record of *user consent*. If the user hasn't consented to any of the requested permissions in the past, and if the administrator hasn't consented to these permissions on behalf of the entire organization, the Microsoft identity platform asks the user to grant the requested permissions.

+In the following example, the `offline_access` ("Maintain access to data you have given it access to") permission and `User.Read` ("Sign you in and read your profile") permission are automatically included in the initial consent to an application. These permissions are required for proper application functionality. The `offline_access` permission gives the application access to refresh tokens that are critical for native apps and web apps. The `User.Read` permission gives access to the `sub` claim. It allows the client or application to correctly identify the user over time and access rudimentary user information.

+When the user approves the permission request, consent is recorded. The user doesn't have to consent again when they later sign in to the application.

+## Requesting consent for an entire tenant through admin consent

+Requesting consent for an entire tenant requires admin consent. Admin consent done on behalf of an organization requires the static permissions registered for the app. Set those permissions in the app registration portal if you need an admin to give consent on behalf of the entire organization.

+### Admin Consent for Delegated Permissions

+When your application requests [delegated permissions that require admin consent](scopes-oidc.md#admin-restricted-permissions), the user receives an error message that says they're unauthorized to consent to your app's permissions. The user is required to ask their admin for access to the app. If the admin grants consent for the entire tenant, the organization's users don't see a consent page for the application unless the previously granted permissions are revoked or the application requests for a new permission incrementally.

+Administrators using the same application will see the admin consent prompt. The admin consent prompt provides a checkbox that allows them to grant the application access to the requested data on behalf of the users for the entire tenant. For more information on the user and admin consent experience, see [Application consent experience](application-consent-experience.md).

+Examples of delegated permissions for Microsoft Graph that require admin consent are:

+- Read all user's full profiles by using User.Read.All

+- Write data to an organization's directory by using Directory.ReadWrite.All

+- Read all groups in an organization's directory by using Groups.Read.All

+To view the full list of Microsoft graph permissions, see [Microsoft graph permissions reference](/graph/permissions-reference).

+You can also configure permissions on your own resources to require admin consent. For more information on how to add scopes that require admin consent, see [Add a scope that requires admin consent](quickstart-configure-app-expose-web-apis.md#add-a-scope-requiring-admin-consent).

+Some organizations may change the default user consent policy for the tenant. When your application requests access to permissions they're evaluated against these policies. The user may need to request admin consent even when not required by default. To learn how administrators manage consent policies for applications, see [Manage app consent policies](../manage-apps/manage-app-consent-policies.md).

+>[!NOTE]

+>In requests to the authorization, token or consent endpoints for the Microsoft Identity platform, if the resource identifier is omitted in the scope parameter, the resource is assumed to be Microsoft Graph. For example, scope=User.Read is equivalent to `https://graph.microsoft.com/User.Read`.

+### Admin Consent for Application permissions

+Application permissions always require admin consent. Application permissions don't have a user context and the consent grant isn't done on behalf of any specific user. Instead, the client application is granted permissions directly, these types of permissions are used only by daemon services and other non-interactive applications that run in the background. Administrators need to configure the permissions upfront and [grant admin consent](../manage-apps/grant-admin-consent.md) through the Azure portal.

+### Admin consent for Multi-tenant applications

+In case the application requesting the permission is a multi-tenant application, its application registration only exists in the tenant where it was created, therefore permissions can't be configured in the local tenant. If the application requests permissions that require admin consent, the administrator needs to consent on behalf of the users. To consent to these permissions, the administrators need to log in to the application themselves, so the admin consent sign-in experience is triggered. To learn how to set up the admin consent experience for multi-tenant applications, see [Enable multi-tenant log-ins](howto-convert-app-to-be-multi-tenant.md#understand-user-and-admin-consent-and-make-appropriate-code-changes)

+An administrator can grant consent for an application with the following options.

+### Recommended: Sign the user into your app

+Typically, when you build an application that requires admin consent, the application needs a page or view in which the admin can approve the app's permissions. This page can be:

+- Part of the app's sign-up flow.

+- Part of the app's settings.

+- A dedicated "connect" flow.

+In many cases, it makes sense for the application to show the "connect" view only after a user has signed in with a work Microsoft account or school Microsoft account.

+When you sign the user into your app, you can identify the organization to which the admin belongs before you ask them to approve the necessary permissions. Although this step isn't strictly necessary, it can help you create a more intuitive experience for your organizational users.

+To sign the user in, follow the [Microsoft identity platform protocol tutorials](active-directory-v2-protocols.md).

+### Request the permissions in the app registration portal

+In the app registration portal, applications can list the permissions they require, including both delegated permissions and application permissions. This setup allows the use of the `.default` scope and the Azure portal's **Grant admin consent** option.

+In general, the permissions should be statically defined for a given application. They should be a superset of the permissions that the application will request dynamically or incrementally.

+> [!NOTE]

+>Application permissions can be requested only through the use of [`.default`](scopes-oidc.md#the-default-scope). So if your application needs application permissions, make sure they're listed in the app registration portal.

+To configure the list of statically requested permissions for an application:

+1. Go to your application in the <a href="https://go.microsoft.com/fwlink/?linkid=2083908" target="_blank">Azure portal - App registrations</a> quickstart experience.

+1. Select an application, or [create an app](quickstart-register-app.md) if you haven't already.

+1. On the application's **Overview** page, under **Manage**, select **API Permissions** > **Add a permission**.

+1. Select **Microsoft Graph** from the list of available APIs. Then add the permissions that your application requires.

+1. Select **Add Permissions**.

+### Successful response

+If the admin approves the permissions for your app, the successful response looks like this:

+```HTTP

+GET http://localhost/myapp/permissions?tenant=a8990e1f-ff32-408a-9f8e-78d3b9139b95&state=state=12345&admin_consent=True

+```

+| Parameter | Description |

+| | |

+| `tenant` | The directory tenant that granted your application the permissions it requested, in GUID format. |

+| `state` | A value included in the request that also will be returned in the token response. It can be a string of any content you want. The state is used to encode information about the user's state in the application before the authentication request occurred, such as the page or view they were on. |

+| `admin_consent` | Will be set to `True`. |

+After you've received a successful response from the admin consent endpoint, your application has gained the permissions it requested. Next, you can request a token for the resource you want.

+#### Error response

+If the admin doesn't approve the permissions for your app, the failed response looks like this:

+```HTTP

+GET http://localhost/myapp/permissions?error=permission_denied&error_description=The+admin+canceled+the+request

+```

+| Parameter | Description |

+| | |

+| `error` | An error code string that can be used to classify types of errors that occur. It can also be used to react to errors. |

+| `error_description` | A specific error message that can help a developer identify the root cause of an error. |

+## Using permissions after consent

+After the user consents to permissions for your app, your application can acquire access tokens that represent the app's permission to access a resource in some capacity. An access token can be used only for a single resource. But encoded inside the access token is every permission that your application has been granted for that resource. To acquire an access token, your application can make a request to the Microsoft identity platform token endpoint, like this:

+```HTTP

+POST common/oauth2/v2.0/token HTTP/1.1

+Host: https://login.microsoftonline.com

+Content-Type: application/json

+{

+ "grant_type": "authorization_code",

+ "client_id": "6731de76-14a6-49ae-97bc-6eba6914391e",

+ "scope": "https://microsoft.graph.com/Mail.Read https://microsoft.graph.com/mail.send",

+ "code": "AwABAAAAvPM1KaPlrEqdFSBzjqfTGBCmLdgfSTLEMPGYuNHSUYBrq...",

+ "redirect_uri": "https://localhost/myapp",

+ "client_secret": "zc53fwe80980293klaj9823" // NOTE: Only required for web apps

+}

+```

+You can use the resulting access token in HTTP requests to the resource. It reliably indicates to the resource that your application has the proper permission to do a specific task.

+For more information about the OAuth 2.0 protocol and how to get access tokens, see the [Microsoft identity platform endpoint protocol reference](active-directory-v2-protocols.md).

+## Next steps

+- [Consent experience](application-consent-experience.md)

+- [ID tokens](id-tokens.md)

+- [Access tokens](access-tokens.md)

+ Title: Microsoft identity platform delegated access scenario

+description: Learn about delegated access in the Microsoft identity platform endpoint.

+# Understanding delegated access

+When a user signs into an app and uses it to access some other resource, like Microsoft Graph, the app will first need to ask for permission to access this resource on the userΓÇÖs behalf. This common scenario is called delegated access.

+> [!VIDEO https://learn-video.azurefd.net/vod/player?show=one-dev-minute&ep=how-do-delegated-permissions-work]

+## Why should I use delegated access?

+People frequently use different applications to access their data from cloud services. For example, someone might want to use a favorite PDF reader application to view files stored in their OneDrive. Another example can be a companyΓÇÖs line-of-business application that might retrieve shared information about their coworkers so they can easily choose reviewers for a request. In such cases, the client application, the PDF reader, or the companyΓÇÖs request approval tool needs to be authorized to access this data on behalf of the user who signed into the application.

+Use delegated access whenever you want to let a signed-in user work with their own resources or resources they can access. Whether itΓÇÖs an admin setting up policies for their entire organization or a user deleting an email in their inbox, all scenarios involving user actions should use delegated access.

+In contrast, delegated access is usually a poor choice for scenarios that must run without a signed-in user, like automation. It may also be a poor choice for scenarios that involve accessing many usersΓÇÖ resources, like data loss prevention or backups. Consider using [application-only access](permissions-consent-overview.md) for these types of operations.

+## Requesting scopes as a client app

+Your app will need to ask the user to grant a specific scope, or set of scopes, for the resource app you want to access. Scopes may also be referred to as delegated permissions. These scopes describe which resources and operations your app wants to perform on the userΓÇÖs behalf. For example, if you want your app to show the user a list of recently received mail messages and chat messages, you might ask the user to consent to the Microsoft Graph `Mail.Read` and `Chat.Read` scopes.

+Once your app has requested a scope, a user or admin will need to grant the requested access. Consumer users with Microsoft Accounts, like Outlook.com or Xbox Live accounts, can always grant scopes for themselves. Organizational users with Azure AD accounts may or may not be able to grant scopes, depending on their organizationΓÇÖs settings. If an organizational user can't consent to scopes directly, they'll need to ask their organizationΓÇÖs administrator to consent for them.

+Always follow the principle of least privilege: you should never request scopes that your app doesnΓÇÖt need. This principle helps limit the security risk if your app is compromised and makes it easier for administrators to grant your app access. For example, if your app only needs to list the chats a user belongs to but doesnΓÇÖt need to show the chat messages themselves, you should request the more limited Microsoft Graph `Chat.ReadBasic` scope instead of `Chat.Read`. For more information about openID scopes, see [OpenID scopes](scopes-oidc.md).

+## Designing and publishing scopes for a resource service

+If youΓÇÖre building an API and want to allow delegated access on behalf of users, youΓÇÖll need to create scopes that other apps can request. These scopes should describe the actions or resources available to the client. You should consider developer scenarios when designing your scopes.

+## How does delegated access work?

+The most important thing to remember about delegated access is that both your client app and the signed-in user need to be properly authorized. Granting a scope isn't enough. If either the client app doesnΓÇÖt have the right scope, or the user doesnΓÇÖt have sufficient rights to read or modify the resource, then the call will fail.

+- **Client app authorization** - Client apps are authorized by granting scopes. When a client app is granted a scope by a user or admin to access some resource, that grant will be recorded in Azure AD. All delegated access tokens that are requested by the client to access the resource on behalf of the relevant user will then contain those scopesΓÇÖ claim values in the `scp` claim. The resource app checks this claim to determine whether the client app has been granted the correct scope for the call.

+- **User authorization** - Users are authorized by the resource youΓÇÖre calling. Resource apps may use one or more systems for user authorization, such as [role-based access control](custom-rbac-for-developers.md), ownership/membership relationships, access control lists, or other checks. For example, Azure AD checks that a user has been assigned to an app management or general admin role before allowing them to delete an organizationΓÇÖs applications, but also allows all users to delete applications that they own. Similarly, SharePoint Online service checks that a user has appropriate owner or reader rights over a file before allowing that user to open it.

+## Delegated access example ΓÇô OneDrive via Microsoft Graph

+Consider the following example:

+Alice wants to use a client app to open a file protected by a resource API, Microsoft Graph. For user authorization, the OneDrive service will check whether the file is stored in AliceΓÇÖs drive. If itΓÇÖs stored in another userΓÇÖs drive, then OneDrive will deny AliceΓÇÖs request as unauthorized, since Alice doesn't have the right to read other usersΓÇÖ drives.

+For client app authorization, OneDrive will check whether the client making the call has been granted the `Files.Read` scope on behalf of the signed-in user. In this case, the signed-in user is Alice. If `Files.Read` hasnΓÇÖt been granted to the app for Alice, then OneDrive will also fail the request.

+| GET /drives/{id}/files/{id} | Client app granted `Files.Read` scope for Alice | Client app not granted `Files.Read` scope for Alice |

+| -- | -- | -- |

+| The document is in AliceΓÇÖs OneDrive. | 200 ΓÇô Access granted. | 403 - Unauthorized. Alice (or her admin) hasnΓÇÖt allowed this client to read her files. |

+| The document is in another userΓÇÖs OneDrive*. | 403 - Unauthorized. Alice doesnΓÇÖt have rights to read this file. Even though the client has been granted `Files.Read` it should be denied when acting on AliceΓÇÖs behalf. | 403 ΓÇô Unauthorized. Alice doesnΓÇÖt have rights to read this file, and the client isnΓÇÖt allowed to read files she has access to either. |

+The example given is simplified to illustrate delegated authorization. The production OneDrive service supports many other access scenarios, such as shared files.

+## Next steps

+- [Open connect scopes](scopes-oidc.md)

+- [RBAC roles](custom-rbac-for-developers.md)

+- [Microsoft Graph permissions reference](/graph/permissions-reference)

+Another approach is to use Azure Active Directory (Azure AD) groups and group claims as shown in the [active-directory-aspnetcore-webapp-openidconnect-v2](https://aka.ms/groupssample) code sample on GitHub. Azure AD groups and application roles aren't mutually exclusive; they can be used together to provide even finer-grained access control.

+You define app roles by using the [Azure portal](https://portal.azure.com) during the [app registration process](quickstart-register-app.md). App roles are defined on an application registration representing a service, app or API. When a user signs in to the application, Azure AD emits a `roles` claim for each role that the user or service principal has been granted. This can be used to implement claim-based authorization. App roles can be assigned [to a user or a group of users](../manage-apps/add-application-portal-assign-users.md). App roles can also be assigned to the service principal for another application, or [to the service principal for a managed identity](../managed-identities-azure-resources/how-to-assign-app-role-managed-identity-powershell.md).

+App roles are declared using App roles UI in the Azure portal:

+If you're implementing app role business logic in an app-calling-API scenario, you have two app registrations. One app registration is for the app, and a second app registration is for the API. In this case, define the app roles and assign them to the user or group in the app registration of the API. When the user authenticates with the app and requests an ID token to call the API, a roles claim is included in the ID token. Your next step is to add code to your web API to check for those roles when the API is called.

+- `IIdentityLogger` is the logging implementation used by MSAL.NET to produce logs for debugging or health check purposes. Logs are only sent if logging is enabled.

+- `PiiLoggingEnabled` enables you to log personal and organizational data (PII) if set to true. By default, this parameter is set to false, so that your application doesn't log personal data.

+### IIdentityLogger Interface

+```CSharp

+namespace Microsoft.IdentityModel.Abstractions

+ public interface IIdentityLogger

+ {

+ //

+ // Summary:

+ // Checks to see if logging is enabled at given eventLogLevel.

+ //

+ // Parameters:

+ // eventLogLevel:

+ // Log level of a message.

+ bool IsEnabled(EventLogLevel eventLogLevel);

+ //

+ // Summary:

+ // Writes a log entry.

+ //

+ // Parameters:

+ // entry:

+ // Defines a structured message to be logged at the provided Microsoft.IdentityModel.Abstractions.LogEntry.EventLogLevel.

+ void Log(LogEntry entry);

+ }

+> [!NOTE]

+> Partner libraries (`Microsoft.Identity.Web`, `Microsoft.IdentityModel`) provide implementations of this interface already for various environments (in particular ASP.NET Core)

+### IIdentityLogger Implementation

+The following code snippets are examples of such an implementation. If you use the .NET core configuration, environment variable driven logs levels can be provided for free, in addition to the configuration file based log levels.

+#### Log level from configuration file

+It's highly recommended to configure your code to use a configuration file in your environment to set the log level as it will enable your code to change the MSAL logging level without needing to rebuild or restart the application. This is critical for diagnostic purposes, enabling us to quickly gather the required logs from the application that is currently deployed and in production. Verbose logging can be costly so it's best to use the *Information* level by default and enable verbose logging when an issue is encountered. [See JSON configuration provider](https://docs.microsoft.com/aspnet/core/fundamentals/configuration#json-configuration-provider) for an example on how to load data from a configuration file without restarting the application.

+#### Log Level as Environment Variable

+Another option we recommended is to configure your code to use an environment variable on the machine to set the log level as it will enable your code to change the MSAL logging level without needing to rebuild the application. This is critical for diagnostic purposes, enabling us to quickly gather the required logs from the application that is currently deployed and in production.

+See [EventLogLevel](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/dev/src/Microsoft.IdentityModel.Abstractions/EventLogLevel.cs) for details on the available log levels.

+Example:

+```CSharp

+ class MyIdentityLogger : IIdentityLogger

+ {

+ public EventLogLevel MinLogLevel { get; }

+ public TestIdentityLogger()

+ {

+ //Try to pull the log level from an environment variable

+ var msalEnvLogLevel = Environment.GetEnvironmentVariable("MSAL_LOG_LEVEL");

+ if (Enum.TryParse(msalEnvLogLevel, out EventLogLevel msalLogLevel))

+ {

+ MinLogLevel = msalLogLevel;

+ }

+ else

+ {

+ //Recommended default log level

+ MinLogLevel = EventLogLevel.Informational;

+ }

+ }

+ public bool IsEnabled(EventLogLevel eventLogLevel)

+ {

+ return eventLogLevel <= MinLogLevel;

+ }

+ public void Log(LogEntry entry)

+ {

+ //Log Message here:

+ Console.WriteLine(entry.message);

+ }

+ }

+```

+Using `MyIdentityLogger`:

+```CSharp

+ MyIdentityLogger myLogger = new MyIdentityLogger(logLevel);

+ var app = ConfidentialClientApplicationBuilder

+ .Create(TestConstants.ClientId)

+ .WithClientSecret("secret")

+ .WithExperimentalFeatures() //Currently an experimental feature, will be removed soon

+ .WithLogging(myLogger, piiLogging)

+ .Build();

+```

+description: Learn the foundational concepts and scenarios around consent and permissions in the Microsoft identity platform

+As an application developer, you must identify how your application will access data. The application can use delegated access, acting on behalf of a signed-in user, or app-only access, acting only as the application's own identity.

+In this access scenario, a user has signed into a client application. The client application accesses the resource on behalf of the user. Delegated access requires delegated permissions. Both the client and the user must be authorized separately to make the request. For more information about the delegated access scenario, see [delegated access scenario](delegated-access-primer.md).

+For the client app, the correct delegated permissions must be granted. Delegated permissions can also be referred to as scopes. Scopes are permissions for a given resource that represent what a client application can access on behalf of the user.For more information about scopes, see [scopes and permissions](v2-permissions-and-consent.md#scopes-and-permissions).

+For the user, the authorization relies on the privileges that the user has been granted for them to access the resource. For example, the user could be authorized to access directory resources by [Azure Active Directory (Azure AD) role-based access control (RBAC)](../roles/custom-overview.md) or to access mail and calendar resources by Exchange Online RBAC. For more information on RBAC for applications, see [RBAC for applications](custom-rbac-for-developers.md).

+### App-only access (Access without a user)

+App-only access uses app roles instead of delegated scopes. When granted through consent, app roles may also be called applications permissions. For app-only access, the client app must be granted appropriate app roles of the resource app it's calling in order to access the requested data. For more information about assigning app roles to client applications, see [Assigning app roles to applications](howto-add-app-roles-in-azure-ad-apps.md#assign-app-roles-to-applications).

+**Delegated permissions** are used in the delegated access scenario. They're permissions that allow the application to act on a user's behalf. The application will never be able to access anything the signed in user themselves couldn't access.

+**Application permissions**, sometimes called app roles are used in the app-only access scenario, without a signed-in user present. The application will be able to access any data that the permission is associated with. For example, an application granted the Files.Read.All application permission will be able to read any file in the tenant. Only an administrator or owner of the service principal can consent to application permissions.

+There are other ways in which applications can be granted authorization for app-only access. For example, an application can be assigned an Azure AD RBAC role.

+### Comparison of delegated and application permissions

+| <!-- No header--> | Delegated permissions | Application permissions |

+|--|--|--|

+| Types of apps | Web / Mobile / single-page app (SPA) | Web / Daemon |

+| Access context | Get access on behalf of a user | Get access without a user |

+| Who can consent | - Users can consent for their data <br> - Admins can consent for all users | Only admin can consent |

+| Other names | - Scopes <br> - OAuth2 permission scopes | - App roles <br> - App-only permissions |

+| Result of consent (specific to Microsoft Graph) | [oAuth2PermissionGrant](/graph/api/resources/oauth2permissiongrant) | [appRoleAssignment](/graph/api/resources/approleassignment) |

+One way that applications are granted permissions is through consent. Consent is a process where users or admins authorize an application to access a protected resource. For example, when a user attempts to sign into an application for the first time, the application can request permission to see the user's profile and read the contents of the user's mailbox. The user sees the list of permissions the app is requesting through a consent prompt. Other scenarios where users may see a consent prompt include:

+- When previously granted consent is revoked.

+- When the application is coded to specifically prompt for consent during every sign-in.

+- When the application uses incremental or dynamic consent to ask for some permissions upfront and more permission later as needed.

+User consent happens when a user attempts to sign into an application. The user provides their sign-in credentials. These credentials are checked to determine whether consent has already been granted. If no previous record of user or admin consent for the required permissions exists, the user is shown a consent prompt, and asked to grant the application the requested permissions. In many cases, an admin may be required to grant consent on behalf of the user.

+Depending on the permissions they require, some applications might require an administrator to be the one who grants consent. For example, application permissions and many high-privilege delegated permissions can only be consented to by an administrator. Administrators can grant consent for themselves or for the entire organization. For more information about user and admin consent, see [user and admin consent overview](../manage-apps/consent-and-permissions-overview.md).

+- [Delegated access scenario](delegated-access-primer.md)

+- [OpenID connect scopes](scopes-oidc.md)

+The pattern for acquiring tokens for APIs with [MSAL.js](https://github.com/AzureAD/microsoft-authentication-library-for-js) is to first attempt a silent token request by using the `acquireTokenSilent` method. When this method is called, the library first checks the cache in browser storage to see if a non-expired access token exists and returns it. If no access token is found for the given parameters, it will throw an `InteractionRequiredAuthError`, which should be handled with an interactive token request method (`acquireTokenPopup` or `acquireTokenRedirect`). If an access token is found but it's expired, it attempts to use its refresh token to get a fresh access token. If the refresh token's 24-hour lifetime has also expired, MSAL.js will open a hidden iframe to silently request a new authorization code by leveraging the existing active session with Azure AD (if any), which will then be exchanged for a fresh set of tokens (access _and_ refresh tokens). For more information about single sign-on (SSO) session and token lifetime values in Azure AD, see [Token lifetimes](active-directory-configurable-token-lifetimes.md). For more information on MSAL.js cache lookup policy, see: [Acquiring an Access Token](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/acquire-token.md#acquiring-an-access-token).

+ Title: Microsoft identity platform scopes and permissions

+description: Learn about openID connect scopes and permissions in the Microsoft identity platform endpoint.

+# Scopes and permissions in the Microsoft identity platform

+The Microsoft identity platform implements the [OAuth 2.0](active-directory-v2-protocols.md) authorization protocol. OAuth 2.0 is a method through which a third-party app can access web-hosted resources on behalf of a user. Any web-hosted resource that integrates with the Microsoft identity platform has a resource identifier, or *application ID URI*.

+In this article, you'll learn about scopes and permissions in the identity platform.

+The following list shows are some examples of Microsoft web-hosted resources:

+- Microsoft Graph: `https://graph.microsoft.com`

+- Microsoft 365 Mail API: `https://outlook.office.com`

+- Azure Key Vault: `https://vault.azure.net`

+The same is true for any third-party resources that have integrated with the Microsoft identity platform. Any of these resources also can define a set of permissions that can be used to divide the functionality of that resource into smaller chunks. As an example, [Microsoft Graph](https://graph.microsoft.com) has defined permissions to do the following tasks, among others:

+- Read a user's calendar

+- Write to a user's calendar

+- Send mail as a user

+Because of these types of permission definitions, the resource has fine-grained control over its data and how API functionality is exposed. A third-party app can request these permissions from users and administrators, who must approve the request before the app can access data or act on a user's behalf.

+When a resource's functionality is chunked into small permission sets, third-party apps can be built to request only the permissions that they need to perform their function. Users and administrators can know what data the app can access. And they can be more confident that the app isn't behaving with malicious intent. Developers should always abide by the principle of least privilege, asking for only the permissions they need for their applications to function.

+In OAuth 2.0, these types of permission sets are called *scopes*. They're also often referred to as *permissions*. In the Microsoft identity platform, a permission is represented as a string value. An app requests the permissions it needs by specifying the permission in the `scope` query parameter. Identity platform supports several well-defined [OpenID Connect scopes](#openid-connect-scopes) and resource-based permissions (each permission is indicated by appending the permission value to the resource's identifier or application ID URI). For example, the permission string `https://graph.microsoft.com/Calendars.Read` is used to request permission to read users calendars in Microsoft Graph.

+In requests to the authorization server, for the Microsoft Identity platform, if the resource identifier is omitted in the scope parameter, the resource is assumed to be Microsoft Graph. For example, `scope=User.Read` is equivalent to `https://graph.microsoft.com/User.Read`.

+## Admin-restricted permissions

+Permissions in the Microsoft identity platform can be set to admin restricted. For example, many higher-privilege Microsoft Graph permissions require admin approval. If your app requires admin-restricted permissions, an organization's administrator must consent to those scopes on behalf of the organization's users. The following section gives examples of these kinds of permissions:

+- Read all user's full profiles by using `User.Read.All`

+- Write data to an organization's directory by using `Directory.ReadWrite.All`

+- Read all groups in an organization's directory by using `Groups.Read.All`

+> [!NOTE]

+>In requests to the authorization, token or consent endpoints for the Microsoft Identity platform, if the resource identifier is omitted in the scope parameter, the resource is assumed to be Microsoft Graph. For example, `scope=User.Read` is equivalent to `https://graph.microsoft.com/User.Read`.

+Although a consumer user might grant an application access to this kind of data, organizational users can't grant access to the same set of sensitive company data. If your application requests access to one of these permissions from an organizational user, the user receives an error message that says they're not authorized to consent to your app's permissions.

+If the application requests application permissions and an administrator grants these permissions this grant isn't done on behalf of any specific user. Instead, the client application is granted permissions *directly*. These types of permissions should only be used by daemon services and other non-interactive applications that run in the background. For more information on the direct access scenario, see [Access scenarios in the Microsoft identity platform](permissions-consent-overview.md).

+For a step by step guide on how to expose scopes in a web API, see [Configure an application to expose a web API](quickstart-configure-app-expose-web-apis.md).

+## OpenID Connect scopes

+The Microsoft identity platform implementation of OpenID Connect has a few well-defined scopes that are also hosted on Microsoft Graph: `openid`, `email`, `profile`, and `offline_access`. The `address` and `phone` OpenID Connect scopes aren't supported.

+If you request the OpenID Connect scopes and a token, you'll get a token to call the [UserInfo endpoint](userinfo.md).

+### openid

+If an app signs in by using [OpenID Connect](active-directory-v2-protocols.md), it must request the `openid` scope. The `openid` scope appears on the work account consent page as the **Sign you in** permission.

+By using this permission, an app can receive a unique identifier for the user in the form of the `sub` claim. The permission also gives the app access to the UserInfo endpoint. The `openid` scope can be used at the Microsoft identity platform token endpoint to acquire ID tokens. The app can use these tokens for authentication.

+### email

+The `email` scope can be used with the `openid` scope and any other scopes. It gives the app access to the user's primary email address in the form of the `email` claim.

+The `email` claim is included in a token only if an email address is associated with the user account, which isn't always the case. If your app uses the `email` scope, the app needs to be able to handle a case in which no `email` claim exists in the token.

+### profile

+The `profile` scope can be used with the `openid` scope and any other scope. It gives the app access to a large amount of information about the user. The information it can access includes, but isn't limited to, the user's given name, surname, preferred username, and object ID.

+For a complete list of the `profile` claims available in the `id_tokens` parameter for a specific user, see the [`id_tokens` reference](id-tokens.md).

+### offline_access

+The [`offline_access` scope](https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess) gives your app access to resources on behalf of the user for an extended time. On the consent page, this scope appears as the **Maintain access to data you have given it access to** permission.

+When a user approves the `offline_access` scope, your app can receive refresh tokens from the Microsoft identity platform token endpoint. Refresh tokens are long-lived. Your app can get new access tokens as older ones expire.

+> [!NOTE]

+> This permission currently appears on all consent pages, even for flows that don't provide a refresh token (such as the [implicit flow](v2-oauth2-implicit-grant-flow.md)). This setup addresses scenarios where a client can begin within the implicit flow and then move to the code flow where a refresh token is expected.

+On the Microsoft identity platform (requests made to the v2.0 endpoint), your app must explicitly request the `offline_access` scope, to receive refresh tokens. So when you redeem an authorization code in the [OAuth 2.0 authorization code flow](active-directory-v2-protocols.md), you'll receive only an access token from the `/token` endpoint.

+The access token is valid for a short time. It usually expires in one hour. At that point, your app needs to redirect the user back to the `/authorize` endpoint to get a new authorization code. During this redirect, depending on the type of app, the user might need to enter their credentials again or consent again to permissions.

+For more information about how to get and use refresh tokens, see the [Microsoft identity platform protocol reference](active-directory-v2-protocols.md).

+## The .default scope

+The `.default` scope is used to refer generically to a resource service (API) in a request, without identifying specific permissions. If consent is necessary, using `.default` signals that consent should be prompted for all required permissions listed in the application registration (for all APIs in the list).

+The scope parameter value is constructed by using the identifier URI for the resource and `.default`, separated by a forward slash (`/`). For example, if the resource's identifier URI is `https://contoso.com`, the scope to request is `https://contoso.com/.default`. For cases where you must include a second slash to correctly request the token, see the [section about trailing slashes](#trailing-slash-and-default).

+Using `scope={resource-identifier}/.default` is functionally the same as `resource={resource-identifier}` on the v1.0 endpoint (where `{resource-identifier}` is the identifier URI for the API, for example `https://graph.microsoft.com` for Microsoft Graph).

+The `.default` scope can be used in any OAuth 2.0 flow and to initiate [admin consent](v2-admin-consent.md). Its use is required in the [On-Behalf-Of flow](v2-oauth2-on-behalf-of-flow.md) and [client credentials flow](v2-oauth2-client-creds-grant-flow.md).

+Clients can't combine static (`.default`) consent and dynamic consent in a single request. So `scope=https://graph.microsoft.com/.default Mail.Read` results in an error because it combines scope types.

+### .default when the user has already given consent

+The `.default` scope parameter only triggers a consent prompt if consent hasn't been granted for any delegated permission between the client and the resource, on behalf of the signed-in user.

+If consent exists, the returned token contains all scopes granted for that resource for the signed-in user. However, if no permission has been granted for the requested resource (or if the `prompt=consent` parameter has been provided), a consent prompt is shown for all required permissions configured on the client application registration, for all APIs in the list.

+For example, if the scope `https://graph.microsoft.com/.default` is requested, your application is requesting an access token for the Microsoft Graph API. If at least one delegated permission has been granted for Microsoft Graph on behalf of the signed-in user, the sign-in will continue and all Microsoft Graph delegated permissions that have been granted for that user will be included in the access token. If no permissions have been granted for the requested resource (Microsoft Graph, in this example), then a consent prompt will be presented for all required permissions configured on the application, for all APIs in the list.

+#### Example 1: The user, or tenant admin, has granted permissions

+In this example, the user or a tenant administrator has granted the `Mail.Read` and `User.Read` Microsoft Graph permissions to the client.

+If the client requests `scope=https://graph.microsoft.com/.default`, no consent prompt is shown, regardless of the contents of the client application's registered permissions for Microsoft Graph. The returned token contains the scopes `Mail.Read` and `User.Read`.

+#### Example 2: The user hasn't granted permissions between the client and the resource

+In this example, the user hasn't granted consent between the client and Microsoft Graph, nor has an administrator. The client has registered for the permissions `User.Read` and `Contacts.Read`. It has also registered for the Azure Key Vault scope `https://vault.azure.net/user_impersonation`.

+When the client requests a token for `scope=https://graph.microsoft.com/.default`, the user sees a consent page for the Microsoft Graph `User.Read` and `Contacts.Read` scopes, and for the Azure Key Vault `user_impersonation` scope. The returned token contains only the `User.Read` and `Contacts.Read` scopes, and it can be used only against Microsoft Graph.

+#### Example 3: The user has consented, and the client requests more scopes

+In this example, the user has already consented to `Mail.Read` for the client. The client has registered for the `Contacts.Read` scope.

+The client first performs a sign-in with `scope=https://graph.microsoft.com/.default`. Based on the `scopes` parameter of the response, the application's code detects that only `Mail.Read` has been granted. The client then initiates a second sign-in using `scope=https://graph.microsoft.com/.default`, and this time forces consent using `prompt=consent`. If the user is allowed to consent for all the permissions that the application registered, they'll be shown the consent prompt. (If not, they'll be shown an error message or the [admin consent request](../manage-apps/configure-admin-consent-workflow.md) form.) Both `Contacts.Read` and `Mail.Read` will be in the consent prompt. If consent is granted and the sign-in continues, the token returned is for Microsoft Graph, and contains `Mail.Read` and `Contacts.Read`.

+### Using the .default scope with the client

+In some cases, a client can request its own `.default` scope. The following example demonstrates this scenario.

+The scenario accommodates some legacy clients that are moving from Azure AD Authentication Library (ADAL) to the Microsoft Authentication Library (MSAL). This setup *shouldn't* be used by new clients that target the Microsoft identity platform.

+```http

+// Line breaks are for legibility only.

+GET https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize

+ ?response_type=token //Code or a hybrid flow is also possible here

+ &client_id=9ada6f8a-6d83-41bc-b169-a306c21527a5

+ &scope=9ada6f8a-6d83-41bc-b169-a306c21527a5/.default

+ &redirect_uri=https%3A%2F%2Flocalhost

+ &state=1234

+```

+This code example produces a consent page for all registered permissions if the preceding descriptions of consent and `.default` apply to the scenario. Then the code returns an `id_token`, rather than an access token.

+### Client credentials grant flow and .default

+Another use of `.default` is to request app roles (also known as application permissions) in a non-interactive application like a daemon app that uses the [client credentials](v2-oauth2-client-creds-grant-flow.md) grant flow to call a web API.

+To define app roles (application permissions) for a web API, see [Add app roles in your application](howto-add-app-roles-in-azure-ad-apps.md).

+Client credentials requests in your client service *must* include `scope={resource}/.default`. Here, `{resource}` is the web API that your app intends to call, and wishes to obtain an access token for. Issuing a client credentials request by using individual application permissions (roles) is *not* supported. All the app roles (application permissions) that have been granted for that web API are included in the returned access token.

+To grant access to the app roles you define, including granting admin consent for the application, see [Configure a client application to access a web API](quickstart-configure-app-access-web-apis.md).

+### Trailing slash and .default

+Some resource URIs have a trailing forward slash, for example, `https://contoso.com/` as opposed to `https://contoso.com`. The trailing slash can cause problems with token validation. Problems occur primarily when a token is requested for Azure Resource Manager (`https://management.azure.com/`). In this case, a trailing slash on the resource URI means the slash must be present when the token is requested. So when you request a token for `https://management.azure.com/` and use `.default`, you must request `https://management.azure.com//.default` (notice the double slash!). In general, if you verify that the token is being issued, and if the token is being rejected by the API that should accept it, consider adding a second forward slash and trying again.

+## Next steps

+- [Requesting permissions through consent in the identity platform](consent-types-developer.md)

+- [ID tokens in the Microsoft identity platform](id-tokens.md)

+- [Access tokens in the Microsoft identity platform](access-tokens.md)

+Most applications require access to protected data, and the owner of that data needs to [consent](consent-types-developer.md) to that access. Consent can be granted in several ways, including by a tenant administrator who can consent for *all* users in an Azure AD tenant, or by the application users themselves who can grant access.

+The information in an ID token is a superset of the information available on UserInfo endpoint. Because you can get an ID token at the same time you get a token to call the UserInfo endpoint, we suggest getting the user's information from the token instead of calling the UserInfo endpoint. Using the ID token instead of calling the UserInfo endpoint eliminates up to two network requests, reducing latency in your application.

+Static permissions also enable administrators to [consent on behalf of all users](#requesting-consent-for-an-entire-tenant) in the organization.

+The `.default` scope can be used in any OAuth 2.0 flow and to initiate [admin consent](v2-admin-consent.md). Its use is required in the [On-Behalf-Of flow](v2-oauth2-on-behalf-of-flow.md) and [client credentials flow](v2-oauth2-client-creds-grant-flow.md).

+If consent does exist, the returned token contains all scopes granted for that resource for the signed-in user. However, if no permission has been granted for the requested resource (or if the `prompt=consent` parameter has been provided), a consent prompt is shown for all required permissions configured on the client application registration, for all APIs in the list.

+## October 2022

+### Updated articles

+- [Access Azure AD protected resources from an app in Google Cloud](workload-identity-federation-create-trust-gcp.md)

+- [Configure an app to trust an external identity provider](workload-identity-federation-create-trust.md)

+- [Configure a user-assigned managed identity to trust an external identity provider (preview)](workload-identity-federation-create-trust-user-assigned-managed-identity.md)

+- [Configuration requirements and troubleshooting tips for Xamarin Android with MSAL.NET](msal-net-xamarin-android-considerations.md)

+- [Customize claims emitted in tokens for a specific app in a tenant](active-directory-claims-mapping.md)

+- [Desktop app that calls web APIs: Acquire a token using Device Code flow](scenario-desktop-acquire-token-device-code-flow.md)

+- [Desktop app that calls web APIs: Acquire a token using integrated Windows authentication](scenario-desktop-acquire-token-integrated-windows-authentication.md)

+- [Desktop app that calls web APIs: Acquire a token using Username and Password](scenario-desktop-acquire-token-username-password.md)

+- [Making your application multi-tenant](howto-convert-app-to-be-multi-tenant.md)

+- [Microsoft identity platform and OAuth 2.0 On-Behalf-Of flow](v2-oauth2-on-behalf-of-flow.md)

+- [Prompt behavior with MSAL.js](msal-js-prompt-behavior.md)

+- [Quickstart: Register an application with the Microsoft identity platform](quickstart-register-app.md)

+- [Tutorial: Sign in users and call the Microsoft Graph API from a JavaScript single-page application](tutorial-v2-javascript-spa.md)

+- [Tutorial: Sign in users and call the Microsoft Graph API from a React single-page app (SPA) using auth code flow](tutorial-v2-react.md)

+> If your organization uses proxy servers that intercept SSL traffic for scenarios like data loss prevention or Azure AD tenant restrictions, ensure that traffic to `https://device.login.microsoftonline.com` is excluded from TLS break-and-inspect. Failure to exclude this URL may cause interference with client certificate authentication, cause issues with device registration, and device-based Conditional Access.

+## October 2022

+### Updated articles

+- [Tutorial: Bulk invite Azure AD B2B collaboration users](tutorial-bulk-invite.md)

+- [Quickstart: Add a guest user and send an invitation](b2b-quickstart-add-guest-users-portal.md)

+- [Define custom attributes for user flows](user-flow-add-custom-attributes.md)

+- [Create dynamic groups in Azure Active Directory B2B collaboration](use-dynamic-groups.md)

+- [Properties of an Azure Active Directory B2B collaboration user](user-properties.md)

+- [Authentication and Conditional Access for External Identities](authentication-conditional-access.md)

+- [Leave an organization as an external user](leave-the-organization.md)

+- [Azure Active Directory External Identities: What's new](whats-new-docs.md)

+- [Federation with SAML/WS-Fed identity providers for guest users](direct-federation.md)

+- [Example: Configure SAML/WS-Fed based identity provider federation with AD FS](direct-federation-adfs.md)

+- [The elements of the B2B collaboration invitation email - Azure Active Directory](invitation-email-elements.md)

+- [Configure Microsoft cloud settings for B2B collaboration (Preview)](cross-cloud-settings.md)

+- [Add Microsoft account (MSA) as an identity provider for External Identities](microsoft-account.md)

+- [How users in your organization can invite guest users to an app](add-users-information-worker.md)

+- Disable Soft Matching on your tenant. Soft Matching is a great feature to help transfering source of autority for existing cloud managed objects to Azure AD Connect, but it comes with certain security risks. If you do not require it, you should [disable Soft Matching](how-to-connect-syncservice-features.md#blocksoftmatch).

+- Disable Hard Match Takeover. Hard match takeover allows Azure AD Connect to take control of a cloud managed object and changing the source of authority for the object to Active Directory. Once the source of authority of an object is taken over by Azure AD Connect, changes made to the Active Directory object that is linked to the Azure AD object will overwrite the original Azure AD data - including the password hash, if Password Hash Sync is enabled. An attacker could use this capability to take over control of cloud managed objects. To mitigate this risk, [disable hard match takeover](https://learn.microsoft.com/powershell/module/msonline/set-msoldirsyncfeature?view=azureadps-1.0#example-3-block-cloud-object-takeover-through-hard-matching-for-the-tenant).

+ Title: Overview of user and admin consent

+description: Learn about the fundamental concepts of user and admin consent in Azure AD

+# User and admin consent in Azure Active Directory

+In this article, youΓÇÖll learn the foundational concepts and scenarios around user and admin consent in Azure Active Directory (Azure AD).

+Consent is a process where users can grant permission for an application to access a protected resource. To indicate the level of access required, an application requests the API permissions it requires. For example, an application can request the permission to see a signed-in user's profile and read the contents of the user's mailbox.

+Consent can be initiated in various ways. For example, users can be prompted for consent when they attempt to sign in to an application for the first time. Depending on the permissions they require, some applications might require an administrator to be the one who grants consent.

+## User consent

+A user can authorize an application to access some data at the protected resource, while acting as that user. The permissions that allow this type of access are called "delegated permissions."

+User consent is usually initiated when a user signs in to an application. After the user has provided sign-in credentials, they're checked to determine whether consent has already been granted. If no previous record of user or admin consent for the required permissions exists, the user is directed to the consent prompt window to grant the application the requested permissions.

+User consent by non-administrators is possible only in organizations where user consent is allowed for the application and for the set of permissions the application requires. If user consent is disabled, or if users aren't allowed to consent for the requested permissions, they won't be prompted for consent. If users are allowed to consent and they accept the requested permissions, the consent is recorded and they usually don't have to consent again on future sign-ins to the same application.

+### User consent settings

+Users are in control of their data. A Privileged Administrator can configure whether non-administrator users are allowed to grant user consent to an application. This setting can take into account aspects of the application and the application's publisher, and the permissions being requested.

+As an administrator, you can choose whether user consent is allowed. If you choose to allow user consent, you can also choose what conditions must be met before an application can be consented to by a user.

+By choosing which application consent policies apply for all users, you can set limits on when users are allowed to grant consent to applications and on when theyΓÇÖll be required to request administrator review and approval. The Azure portal provides the following built-in options:

+- *You can disable user consent*. Users can't grant permissions to applications. Users continue to sign in to applications they've previously consented to or to applications that administrators have granted consent to on their behalf, but they won't be allowed to consent to new permissions to applications on their own. Only users who have been granted a directory role that includes the permission to grant consent can consent to new applications.

+- *Users can consent to applications from verified publishers or your organization, but only for permissions you select*. All users can consent only to applications that were published by a [verified publisher](../develop/publisher-verification-overview.md) and applications that are registered in your tenant. Users can consent only to the permissions that you've classified as *low impact*. You must [classify permissions](configure-permission-classifications.md) to select which permissions users are allowed to consent to.

+- *Users can consent to all applications*. This option allows all users to consent to any permissions that don't require admin consent, for any application.

+For most organizations, one of the built-in options will be appropriate. Some advanced customers might want more control over the conditions that govern when users are allowed to consent. These customers can [create custom app consent policy](manage-app-consent-policies.md#create-a-custom-app-consent-policy) and configure those policies to apply to user consent.

+## Admin consent

+During admin consent, a Privileged Administrator may grant an application access on behalf of other users (usually, on behalf of the entire organization). Also during admin consent, applications or services provide direct access to an API, which can be used by the application if there's no signed-in user.

+When your organization purchases a license or subscription for a new application, you might proactively want to set up the application so that all users in the organization can use it. To avoid the need for user consent, an administrator can grant consent for the application on behalf of all users in the organization.

+After an administrator grants admin consent on behalf of the organization, users aren't usually prompted for consent for that application. In certain cases, a user might be prompted for consent even after consent was granted by an administrator. An example might be if an application requests another permission that the administrator hasn't already granted.

+Granting admin consent on behalf of an organization is a sensitive operation, potentially allowing the application's publisher access to significant portions of the organization's data, or the permission to do highly privileged operations. Examples of such operations might be role management, full access to all mailboxes or all sites, and full user impersonation.

+Before you grant tenant-wide admin consent, ensure that you trust the application and the application publisher, for the level of access you're granting. If you aren't confident that you understand who controls the application and why the application is requesting the permissions, do *not* grant consent.

+For step-by-step guidance on whether to grant an application admin consent, see [Evaluating a request for tenant-wide admin consent](manage-consent-requests.md#evaluate-a-request-for-tenant-wide-admin-consent).

+For step-by-step instructions for granting tenant-wide admin consent from the Azure portal, see [Grant tenant-wide admin consent to an application](grant-admin-consent.md).

+### Grant consent on behalf of a specific user

+Instead of granting consent for an entire organization, an admin can also use the [Microsoft Graph API](/graph/use-the-api) to grant consent to delegated permissions on behalf of a single user. For a detailed example that uses Microsoft Graph PowerShell, see [Grant consent on behalf of a single user by using PowerShell](manage-consent-requests.md).

+### Limit user access to an application

+User access to applications can still be limited, even when tenant-wide admin consent has been granted. Configure the applicationΓÇÖs properties to require user assignment to limit user access to the application. For more information, see [Methods for assigning users and groups](assign-user-or-group-access-portal.md).

+For a broader overview, including how to handle other complex scenarios, see [Use Azure AD for application access management](what-is-access-management.md).

+## Admin consent workflow

+The admin consent workflow gives users a way to request admin consent for applications when they aren't allowed to consent themselves. When the admin consent workflow is enabled, users are presented with an "Approval required" window for requesting admin approval for access to the application.

+After users submit the admin consent request, the admins who have been designated as reviewers receive a notification. The users are notified after a reviewer has acted on their request. For step-by-step instructions for configuring the admin consent workflow by using the Azure portal, see [configure the admin consent workflow](configure-admin-consent-workflow.md).

+### How users request admin consent

+After the admin consent workflow is enabled, users can request admin approval for an application that they're unauthorized to consent to. Here are the steps in the process:

+1. A user attempts to sign in to the application.

+1. An **Approval required** message appears. The user types a justification for needing access to the application and then selects "Request approval."

+1. A **Request sent** message confirms that the request was submitted to the admin. If the user sends several requests, only the first request is submitted to the admin.

+1. The user receives an email notification when the request is approved, denied, or blocked.

+## Next steps

+- [Configure user consent settings](configure-user-consent.md)

+- [Configure the admin consent workflow](configure-admin-consent-workflow.md)

+## October 2022

+### Updated articles

+- [Configure how users consent to applications](configure-user-consent.md)

+- [Tutorial: Configure F5 BIG-IP Access Policy Manager for Kerberos authentication](f5-big-ip-kerberos-advanced.md)

+- [Tutorial: Configure F5 BIG-IP Easy Button for Kerberos single sign-on](f5-big-ip-kerberos-easy-button.md)

+- [Tutorial: Configure F5 BIG-IP Easy Button for header-based and LDAP single sign-on](f5-big-ip-ldap-header-easybutton.md)

+- [Tutorial: Migrate your applications from Okta to Azure Active Directory](migrate-applications-from-okta-to-azure-active-directory.md)

+- [Tutorial: Configure Secure Hybrid Access with Azure Active Directory and Silverfort](silverfort-azure-ad-integration.md)

+description: Learn how to view Conditional Access policies in Azure AD sign-in logs so that you can assess the effect of those policies.

+With Conditional Access policies, you can control how your users get access to the resources of your Azure tenant. As a tenant admin, you need to be able to determine what effect your Conditional Access policies have on sign-ins to your tenant, so that you can take action if necessary.

+The sign-in logs in Azure Active Directory (Azure AD) give you the information that you need to assess the effect of your policies. This article explains how to view applied Conditional Access policies in those logs.

+- *Tenant administrators* who need to verify that Conditional Access policies have the intended effect on the users of a tenant.

+For more information about this cmdlet, see [Get-MgAuditLogSignIn](/powershell/module/microsoft.graph.reports/get-mgauditlogsignin).

+* The following roles in Azure Active Directory (if you're accessing Log Analytics through Azure Active Directory portal)

+5. Once you've configured the alert, select **Create alert** to enable it.

+* **Provisioning analysis**: This [workbook](../app-provisioning/application-provisioning-log-analytics.md) shows reports related to auditing provisioning activity. Activities can include the number of new users provisioned, provisioning failures, number of users updated, update failures, the number of users de-provisioned, and corresponding failures.

+* **Sign-ins Events**: This workbook shows the most relevant reports related to monitoring sign-in activity, such as sign-ins by application, user, device, and a summary view tracking the number of sign-ins over time.

+* **Conditional access insights**: The Conditional Access insights and reporting [workbook](../conditional-access/howto-conditional-access-insights-reporting.md) enables you to understand the effect of Conditional Access policies in your organization over time.

+The [Azure Active Directory (Azure AD) reporting APIs](./concept-reporting-api.md) provide you with programmatic access to the data through a set of REST-based APIs. You can call these APIs from many programming languages and tools.

+You need these values when configuring calls to the reporting API. We recommend using a certificate because it's more secure.

+1. In the [Azure portal](https://portal.azure.com), on the left navigation pane, select **Azure Active Directory**.

+1. In the [Azure portal](https://portal.azure.com), on the left navigation pane, select **Azure Active Directory**.

+3. Select **Certificates and Secrets** on the **API Application** page, in the **Client Secrets** section, select **+ New Client Secret**.

+ c. Select **Save**.

+### Error: Tenant isn't B2C or tenant doesn't have premium license

+### Error: The allowed roles doesn't include User.

+### Error: Application missing Azure AD 'Read directory data' permission

+1. Select **Audit logs** from the **Activity** section of Azure Active Directory.

+2. Select your directory from the top-right corner, then select **Azure Active Directory** from the left navigation pane.

+The Azure Active Directory (Azure AD) log analytics views helps you analyze and search the Azure AD activity logs in your Azure AD tenant. Azure AD activity logs include:

+1. Navigate to the [Azure portal](https://portal.azure.com) and select **All services**.

+1. Type **Log Analytics** in the text box, and select **Log Analytics workspaces**. Select the workspace you routed the activity logs to, as part of the prerequisites.

+1. Select **View Designer** > **Import** > **Choose File** to import the views from your local computer.

+1. Select the views you downloaded from the prerequisites and select **Save** to save the import. Complete this step for the **Azure AD Account Provisioning Events** view and the **Sign-ins Events** view.

+1. Navigate to the [Azure portal](https://portal.azure.com) and select **All services**.

+1. Type **Log Analytics** in the text box, and select **Log Analytics workspaces**. Select the workspace you routed the activity logs to, as part of the prerequisites.

+1. Once you're in the workspace, select **Workspace Summary**. You should see the following three views:

+ * **Azure AD Account Provisioning Events**: This view shows reports related to the auditing provisioning activity. Activities can include the number of new users provisioned, provisioning failures, number of users updated, update failures, the number of users de-provisioned and their corresponding failures.

+ * **Sign-ins Events**: This view shows the most relevant reports related to monitoring sign-in activity, such as sign-ins by application, user, device, and a summary view tracking the number of sign-ins over time.

+1. Select either of these views to jump in to the individual reports. You can also set alerts on any of the report parameters. For example, let's set an alert for every time there's a sign-in error.

+1. Select the **Sign-ins Events** > **Sign-in errors over time** > **Analytics** to open the details page, with the actual query behind the report.

+1. Select **Set Alert**, and then select **Whenever the Custom log search is &lt;logic undefined&gt;** under the **Alert criteria** section. Since we want to alert whenever there's a sign-in error, set the **Threshold** of the default alert logic to **1** and then select **Done**.

+1. Enter a name and description for the alert and set the severity to **Warning**.

+1. Select the action group to alert, such as a team you want to notify via email or text message. Learn how to [create and manage action groups in the Azure portal](../../azure-monitor/alerts/action-groups.md).

+1. Select **Create alert rule** to create the alert. Now you'll be alerted every time there's a sign-in error.

+* A configured instance of ArcSight Syslog NG Daemon SmartConnector (SmartConnector) or ArcSight Load Balancer. If the events are sent to ArcSight Load Balancer, they're sent to the SmartConnector by the Load Balancer.

+Download and open the [configuration guide for ArcSight SmartConnector for Azure Monitor Event Hubs](https://community.microfocus.com/t5/ArcSight-Connectors/SmartConnector-for-Microsoft-Azure-Monitor-Event-Hub/ta-p/1671292). This guide contains the steps you need to install and configure the ArcSight SmartConnector for Azure Monitor.

+3. Use the steps in the **Verifying the Deployment in Azure** to make sure the connector is set up and functions correctly. Verify the following prerequisites:

+4. Finally, complete the post-deployment steps in the **Post-Deployment Configurations** of the configuration guide. This section explains how to perform another configuration if you are on an App Service Plan to prevent the function apps from going idle after a timeout period, configure streaming of resource logs from the event hub, and update the SysLog NG Daemon SmartConnector keystore certificate to associate it with the newly created storage account.

+5. The configuration guide also explains how to customize the connector properties in Azure, and how to upgrade and uninstall the connector. There's also a section on performance improvements, including upgrading to an [Azure Consumption plan](https://azure.microsoft.com/pricing/details/functions) and configuring an ArcSight Load Balancer if the event load is greater than what a single Syslog NG Daemon SmartConnector can handle.

+[Configuration guide for ArcSight SmartConnector for Azure Monitor Event Hubs](https://community.microfocus.com/t5/ArcSight-Connectors/SmartConnector-for-Microsoft-Azure-Monitor-Event-Hub/ta-p/1671292)

+4. Identify the failed sign-in you want to investigate. Select it to open up the other details window with more information about the failed sign-in. Note down the **Sign-in error code** and **Failure reason**.

+## What is Azure Monitor workbooks for Azure AD reports?

+For one-off investigations with a limited scope, the Azure portal is often the easiest way to find the data you need. However, there are also business problems requiring a more complex analysis of the data in your activity logs. One common example for a scenario that requires a trend analysis is related to blocking legacy authentication in your Azure AD tenant.

+How can you determine whether it's safe to block legacy authentication in an environment? Answering this question requires an analysis of the sign-ins in your environment for a certain timeframe. Workbooks provide a flexible canvas for data analysis and the creation of rich visual reports within the Azure portal. They allow you to tap into multiple data sources from across Azure, and combine them into unified interactive experiences.

+- **Public templates** published to a [gallery](../../azure-monitor/visualize/workbooks-overview.md#the-gallery) that serve as a good starting point when you're just getting started with workbooks.

+- Following roles in Azure Active Directory (if you're accessing Log Analytics through Azure Active Directory portal)

+ - [Risky sign-ins](../identity-protection/overview-identity-protection.md) - A risky sign-in is an indicator for a sign-in attempt that might have been performed by someone who isn't the legitimate owner of a user account.

+This article lists the audit activities that can be logged in your audit logs.

+|Access Reviews|Review RBAC Role membership|

+|Authentication|Create a custom domain in the tenant|

+|Authorization|User Authorization: API is disabled for tenant feature set|

+|Authorization|Disable Desktop SSO|

+|Authorization|Disable Desktop SSO for a specific domain|

+|Authorization|Enable Desktop SSO|

+|Directory Management|Enable Desktop SSO for a specific domain|

+As an identity admin, you may need to track the Azure Active Directory (Azure AD) service-level agreement (SLA) performance to make sure Azure AD can support your vital apps. This article shows how the Azure AD service has performed according to the [SLA for Azure Active Directory (Azure AD)](https://azure.microsoft.com/support/legal/sla/active-directory/v1_1/).

+- **User authentication:** Users are able to sign in to the Azure AD service.

+- **App access:** Azure AD successfully emits the authentication and authorization tokens required for users to sign in to applications connected to the service.

+The SLA attainment is truncated at three places after the decimal. Numbers are not rounded up, so actual SLA attainment is higher than indicated.

+description: Describe the Azure AD sign-in log schema for use in Azure Monitor

+This article describes the Azure Active Directory (Azure AD) sign-in log schema in Azure Monitor. Information related to sign-ins is provided under the *Properties* attribute of the `records` object.

+| authProcessingDetails | Azure AD app authentication library | Contains Family, Library, and Platform information in format: "Family: Microsoft Authentication Library: ADAL.JS 1.0.0 Platform: JS" |

+| riskLevelAggregated | riskLevel | Aggregated risk level. The possible values are: `none`, `low`, `medium`, `high`, `hidden`, and `unknownFutureValue`. The value `hidden` means the user or sign-in wasn't enabled for Azure AD Identity Protection. **Note:** Details for this property are only available for Azure AD Premium P2 customers. All other customers will be returned `hidden`. |

+| riskLevelDuringSignIn | riskLevel | Risk level during sign-in. The possible values are: `none`, `low`, `medium`, `high`, `hidden`, and `unknownFutureValue`. The value `hidden` means the user or sign-in wasn't enabled for Azure AD Identity Protection. **Note:** Details for this property are only available for Azure AD Premium P2 customers. All other customers will be returned `hidden`. |

+Azure AD logs all sign-ins into an Azure tenant for compliance. As an IT administrator, you need to know what the values in the sign-in logs mean, so that you can interpret the log values correctly. [Learn how to access, view, and analyze Azure AD sign-in logs](concept-sign-ins.md)

+### Tenant

+### Sign-in

+The sign-in identifier is a string the user provides to Azure AD to identify itself when attempting to sign-in. It's usually a user principal name (UPN), but can be another identifier such as a phone number.

+### Authentication requirement

+This attribute shows the highest level of authentication needed through all the sign-in steps for the sign-in to succeed. Graph API supports `$filter` (`eq` and `startsWith` operators only).

+### Sign-in event types

+### User type

+### Cross-tenant access type

+### Conditional access evaluation

+* [Learn about exporting Azure AD sign-in logs](concept-activity-logs-azure-monitor.md)

+* [Explore the sign-in diagnostic in Azure AD](overview-sign-in-diagnostics.md)

+To install the public preview release, use the following:

+For more information on how to connect to Azure AD using PowerShell, see the article [Azure AD PowerShell for Graph](/powershell/azure/active-directory/install-adv2).

+In this article, you learn about the data retention policies for the different activity reports in Azure Active Directory (Azure AD).

+| Azure AD Free| The first time you open [Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview) or use the [reporting APIs](./overview-reports.md) |

+**No**, you can't. Azure stores up to seven days of activity data for a free version. When you switch from a free to a premium version, you can only see up to 7 days of data.

+- [Risky sign-ins](../identity-protection/overview-identity-protection.md) - A risky sign-in is an indicator for a sign-in attempt that might have been performed by someone who isn't the legitimate owner of a user account.

+## I have a lot of changes to my users and I'm not sure what the cause of it is.

+I check the Azure AD audit logs, and see multiple user updates occurring in my Azure AD tenant. These **Update User** events don't display **Actor** information, which causes uncertainty as to what/who triggered the mass changes to users.

+ A common reason behind mass object changes is a non-synchronous backend operation called **ProxyCalc**. **ProxyCalc** is the logic that determines the appropriate **UserPrincipalName** and **Proxy Addresses** that are updated in Azure AD users, groups, or contacts. The design behind **ProxyCalc** is to ensure that all **UserPrincipalName** and **Proxy Addresses** are consistent in Azure AD at any time. **ProxyCalc** must be triggered by an explicit change like a verified domain change and doesn't perpetually run in the background as a task.

+#### Notes:

+ProxyCalc doesn't cause changes to certain objects that:

+- don't have an active Exchange license

+- aren't considered a shared resource. Shared Resource is when **CloudMSExchRecipientDisplayType** contains one of the following values: **MailboxUser (shared)**, **PublicFolder**, **ConferenceRoomMailbox**, **EquipmentMailbox**, **ArbitrationMailbox**, **RoomList**, **TeamMailboxUser**, **Group mailbox**, **Scheduling mailbox**, **ACLableMailboxUser**, **ACLableTeamMailboxUser**

+Additionally, in most cases, there are no changes to users as their **UserPrincipalName** and **Proxy Addresses** are consistent, so we're working to display in Audit Logs only those updates that caused an actual change to the object. This action will prevent noise in the audit logs and help admins correlate the remaining user changes to verified domain change event as explained above.

+### Error: Application missing Azure AD 'Read directory data' permission

+I performed some actions in the Azure portal and expected to see the audit logs for those actions in the `Activity logs > Audit Logs`, but I canΓÇÖt find them.

+Wait for 15 minutes to two hours and see if the actions appear in the log. If you donΓÇÖt see the logs even after two hours, [file a support request,](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/newsupportrequest) and we'll look into it.

+I recently signed into the Azure portal and expected to see the sign-in logs for those actions in the `Activity logs > Sign-ins`, but I canΓÇÖt find them.

+Wait for 15 minutes to two hours and see if the actions appear in the log. If you donΓÇÖt see the logs even after two hours, [file a support request,](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/newsupportrequest) and we'll look into it.

+| Sign-in Activity | Not available. You can access your own sign-ins for 7 days from the individual user profile | 30 days | 30 days |

+You can use [Azure AD Reporting APIs](concept-reporting-api.md) to fetch up to a million records at any given point.

+Overprompting users can affect your user's productivity and often leads users getting phished for MFA. To be clear, MFA is essential! We are not talking about if you should require MFA but how frequently you should prompt your users.

+The prompts by application list view shows additional information such as timestamps, and request IDs that help with investigations.

+If data isn't showing up or seems to be showing up incorrectly, confirm that you have set the **Log Analytics Workspace** and **Subscriptions** on the proper resources.

+- To understand more about the different policies that affect MFA prompts, see [Optimize reauthentication prompts and understand session lifetime for Azure AD Multi-Factor Authentication](../authentication/concepts-azure-multi-factor-authentication-prompts-session-lifetime.md).

+- To learn more about the different vulnerabilities of different MFA methods, see [All your creds belong to us!](https://aka.ms/allyourcreds).

+- Number of sign-ins by applications that aren't impacted by conditional access policies

+- Number of sign-ins by location that weren't affected by conditional access policies

+Have you ever wondered how you can determine whether it's safe to turn off legacy authentication in your tenant? The sign-ins using legacy authentication workbook helps you to answer this question.

+Single-factor authentication (for example, username and password) doesnΓÇÖt provide the required level of protection for todayΓÇÖs computing environments. Passwords are bad as they're easy to guess and humans are bad at choosing good passwords.

+- Doesn't support multi-factor authentication (MFA) or other strong authentication methods.

+- Some clients can use both legacy authentication or modern authentication depending on client configuration. If you see ΓÇ£modern mobile/desktop clientΓÇ¥ or ΓÇ£browserΓÇ¥ for a client in the Azure AD logs, it's using modern authentication. If it has a specific client or protocol name, such as ΓÇ£Exchange ActiveSyncΓÇ¥, it's using legacy authentication to connect to Azure AD. The client types in conditional access, and the Azure AD reporting page in the Azure portal demarcate modern authentication clients and legacy authentication clients for you, and only legacy authentication is captured in this workbook.

+As an IT administrator, you need to be able to identify compromises in your environment to ensure that you can keep it in a healthy state.

+If your organization is new to Azure monitor workbooks, you need to integrate your Azure AD sign-in and audit logs with Azure Monitor before accessing the workbook. This integration allows you to store, and query, and visualize your logs using workbooks for up to two years. Only sign-in and audit events created after Azure Monitor integration will be stored, so the workbook won't contain insights prior to that date. Learn more about the prerequisites to Azure Monitor workbooks for Azure Active Directory. If you've previously integrated your Azure AD sign-in and audit logs with Azure Monitor, you can use the workbook to assess past information.

+- **Modified application and service principal credentials/authentication methods** - This report flags actors who have recently changed many service principal credentials, and how many of each type of service principal credentials have been changed.

+- Top actors and the number of credentials modifications they performed

+In cases where the attacker can't find a service principal or an application with a high privilege set of permissions through which to gain access, they'll often attempt to add the permissions to another service principal or app.

+- Add another SAML IDP that is controlled by the attacker as a trusted authentication source.

+- **Modified application and service principal credentials** to look out for credentials being added to service principals that aren't frequently used in your organization. Use the filters present in this section to further investigate any of the suspicious actors or service principals that were modified.

+Deployments are typically created and managed with `kubectl create` or `kubectl apply`. Create a deployment by defining a manifest file in the YAML format.

+A breakdown of the deployment specifications in the YAML manifest file is as follows:

+| Specification | Description |

+| -- | - |

+| `.apiVersion` | Specifies the API group and API resource you want to use when creating the resource. |

+| `.kind` | Specifies the type of resource you want to create. |

+| `.metadata.name` | Specifies the image to run. This file will run the *nginx* image from Docker Hub. |

+| `.spec.replicas` | Specifies how many pods to create. This file will create three deplicated pods. |

+| `.spec.selector` | Specifies which pods will be affected by this deployment. |

+| `.spec.selector.matchLabels` | Contains a map of *{key, value}* pairs that allows the deployment to find and manage the created pods. |

+| `.spec.selector.matchLabels.app` | Has to match `.spec.template.metadata.labels`. |

+| `.spec.template.labels` | Specifies the *{key, value}* pairs attached to the object. |

+| `.spec.template.app` | Has to match `.spec.selector.matchLabels`. |

+| `.spec.spec.containers` | Specifies the list of containers belonging to the pod. |

+| `.spec.spec.containers.name` | Specifies the name of the container specified as a DNS label. |

+| `.spec.spec.containers.image` | Specifies the container image name. |

+| `.spec.spec.containers.ports` | Specifies the list of ports to expose from the container. |

+| `.spec.spec.containers.ports.containerPort` | Specifies the number of port to expose on the pod's IP address. |

+| `.spec.spec.resources` | Specifies the compute resources required by the container. |

+| `.spec.spec.resources.requests` | Specifies the minimum amount of compute resources required. |

+| `.spec.spec.resources.requests.cpu` | Specifies the minimum amount of CPU required. |

+| `.spec.spec.resources.requests.memory` | Specifies the minimum amount of memory required. |

+| `.spec.spec.resources.limits` | Specifies the maximum amount of compute resources allowed. This limit is enforced by the kubelet. |

+| `.spec.spec.resources.limits.cpu` | Specifies the maximum amount of CPU allowed. This limit is enforced by the kubelet. |

+| `.spec.spec.resources.limits.memory` | Specifies the maximum amount of memory allowed. This limit is enforced by the kubelet. |

+ Title: Deploy an Azure container offer from Azure Marketplace

+description: Learn how to deploy Azure container offers from Azure Marketplace on an Azure Kubernetes Service (AKS) cluster.

+# Deploy a container offer from Azure Marketplace (preview)

+[Azure Marketplace][azure-marketplace] is an online store that contains thousands of IT software applications and services built by industry-leading technology companies. In Azure Marketplace, you can find, try, buy, and deploy the software and services that you need to build new solutions and manage your cloud infrastructure. The catalog includes solutions for different industries and technical areas, free trials, and consulting services from Microsoft partners.

+Included among these solutions are Kubernetes application-based container offers. These offers contain applications that are meant to run on Kubernetes clusters such as Azure Kubernetes Service (AKS). In this article, you'll learn how to:

+- Browse offers in Azure Marketplace.

+- Purchase an application.

+- Deploy the application on your AKS cluster.

+- Monitor usage and billing information.

+> This feature is currently supported only in the following regions:

+> - East US

+Before you deploy a container offer, you must register the `Microsoft.ContainerService` and `Microsoft.KubernetesConfiguration` providers on your subscription by using the `az provider register` command:

+## Select and deploy a Kubernetes offer

+1. In the [Azure portal](https://ms.portal.azure.com/), search for **Marketplace** on the top search bar. In the results, under **Services**, select **Marketplace**.

+1. You can search for an offer or publisher directly by name, or you can browse all offers. To find Kubernetes application offers, use the **Product Type** filter for **Azure Containers**.

+ :::image type="content" source="./media/deploy-marketplace/browse-marketplace-inline.png" alt-text="Screenshot of Azure Marketplace offers in the Azure portal, with the filter for product type set to Azure containers." lightbox="./media/deploy-marketplace/browse-marketplace-full.png":::

+ > [!IMPORTANT]

+ > The **Azure Containers** category includes both Kubernetes applications and standalone container images. This walkthrough is specific to Kubernetes applications. If you find that the steps to deploy an offer differ in some way, you're most likely trying to deploy a container image-based offer instead of a Kubernetes application-based offer.

+ >

+ > To ensure that you're searching for Kubernetes applications, include the term **KubernetesApps** in your search.

+1. After you decide on an application, select the offer.

+1. On the **Plans + Pricing** tab, select an option. Ensure that the terms are acceptable, and then select **Create**.

+ :::image type="content" source="./media/deploy-marketplace/plans-pricing-inline.png" alt-text="Screenshot of the offer purchasing page in the Azure portal, including plan and pricing information." lightbox="./media/deploy-marketplace/plans-pricing-full.png":::

+1. Follow each page in the wizard, all the way through **Review + Create**. Fill in information for your resource group, your cluster, and any configuration options that the application requires. You can decide to deploy on a new AKS cluster or use an existing cluster.

+ :::image type="content" source="./media/deploy-marketplace/purchase-experience-inline.png" alt-text="Screenshot of the Azure portal wizard for deploying a new offer, with the selector for creating a new cluster or using an existing cluster." lightbox="./media/deploy-marketplace/purchase-experience-full.png":::

+ When the application is deployed, the portal shows **Your deployment is complete**, along with details of the deployment.

+ :::image type="content" source="./media/deploy-marketplace/deployment-inline.png" alt-text="Screenshot of the Azure portal that shows a successful resource deployment to the cluster." lightbox="./media/deploy-marketplace/deployment-full.png":::

+1. Verify the deployment by using the following command to list the extensions that are running on your cluster:

+ ```azurecli-interactive

+ az k8s-extension list --cluster-name <clusterName> --resource-group <resourceGroupName> --cluster-type managedClusters

+ ```

+## Manage the offer lifecycle

+For lifecycle management, an Azure Kubernetes offer is represented as a cluster extension for AKS. For more information, seeΓÇ»[Cluster extensions for AKS][cluster-extensions].

+Purchasing an offer from Azure Marketplace creates a new instance of the extension on your AKS cluster. You can view the extension instance from the cluster by using the following command:

+## Monitor billing and usage information

+To monitor billing and usage information for the offer that you deployed:

+1. In the Azure portal, go to the page for your cluster's resource group.

+1. Select **Cost Management** > **Cost analysis**. Under **Product**, you can see a cost breakdown for the plan that you selected.

+ :::image type="content" source="./media/deploy-marketplace/billing-inline.png" alt-text="Screenshot of the Azure portal page for a resource group, with billing information broken down by offer plan." lightbox="./media/deploy-marketplace/billing-full.png":::

+## Remove an offer

+You can delete a purchased plan for an Azure container offer by deleting the extension instance on the cluster. For example:

+```azurecli-interactive

+az k8s-extension delete --name <extension-name> --cluster-name <clusterName> --resource-group <resourceGroupName> --cluster-type managedClusters

+```

+## Next steps

+[billing]: ../cost-management-billing/costs/quick-acm-cost-analysis.md

+ For a breakdown of YAML manifest files, see [Deployments and YAML manifests](../concepts-clusters-workloads.md#deployments-and-yaml-manifests).

+ For a breakdown of YAML manifest files, see [Deployments and YAML manifests](../concepts-clusters-workloads.md#deployments-and-yaml-manifests).

+ For a breakdown of YAML manifest files, see [Deployments and YAML manifests](../concepts-clusters-workloads.md#deployments-and-yaml-manifests).

+ For a breakdown of YAML manifest files, see [Deployments and YAML manifests](../concepts-clusters-workloads.md#deployments-and-yaml-manifests).

+ For a breakdown of YAML manifest files, see [Deployments and YAML manifests](../concepts-clusters-workloads.md#deployments-and-yaml-manifests).

+For a breakdown of YAML manifest files, see [Deployments and YAML manifests](../concepts-clusters-workloads.md#deployments-and-yaml-manifests).

+For a breakdown of YAML manifest files, see [Deployments and YAML manifests](../concepts-clusters-workloads.md#deployments-and-yaml-manifests).

+3. In scenarios where the VNet containing your cluster has custom DNS settings (4), cluster deployment fails unless the private DNS zone is linked to the VNet that contains the custom DNS resolvers (5). This link can be created manually after the private zone is created during cluster provisioning or via automation upon detection of creation of the zone using event-based deployment mechanisms (for example, Azure Event Grid and Azure Functions). To avoid cluster failure during initial deployment, the cluster can be deployed with the private DNS zone resource ID. This only works with resource type Microsoft.ContainerService/managedCluster and API version 2022-07-01. Using an older version with an ARM template or Bicep resource definition is not supported.

+[use-custom-domains]: coredns-custom.md#use-custom-domains

+* **Administrators** - Azure subscription administrators are members of this group. Administrators manage API Management service instances, creating the APIs, operations, and products that are used by developers. You can't add users to this group.

+ > [!NOTE]

+ > You can change the administrator [email settings](api-management-howto-configure-notifications.md#configure-email-settings) that are used in notifications sent to developers from your API Management instance.

+* Learn how to manage the administrator [email settings](api-management-howto-configure-notifications.md#configure-email-settings) that are used in notifications to developers from your API Management instance.

+You can also disable certificate chain validation by using the [Backend](/rest/api/apimanagement/current-ga/backend) REST API.

+ 1. On the **Managed identities** page of your API Management instance, enable a system-assigned or user-assigned [managed identity](api-management-howto-use-managed-service-identity.md). Note the principal ID on that page.

+ 1. Give the list and get secrets permissions to this principal ID on the Azure Key Vault containing the certificate.

+Configure a CNAME record that points from your custom domain name (for example, `api.contoso.com`) to your API Management service hostname (for example, `<apim-service-name>.azure-api.net`). A CNAME record is more stable than an A-record in case the IP address changes. For more information, see [IP addresses of Azure API Management](api-management-howto-ip-addresses.md#changes-to-the-ip-addresses) and the [API Management FAQ](./api-management-faq.yml#how-can-i-secure-the-connection-between-the-api-management-gateway-and-my-backend-services-).

+* The [Azure APIOps Toolkit][5] provides a workflow built on top of a [git][21] source code control system (such as [GitHub][22] or [Azure Repos][23]). It uses an _extractor_ similar to the DevOps Resource Toolkit to produce an API definition that is then applied to a target API Management service. APIOps supports REST and GraphQL APIs at this time.

+[28]: /azure/architecture/example-scenario/devops/automated-api-deployments-apiops

+ Title: Configure virtual network integration with application and configuration routing.

+description: This how-to article walks you through configuring routing on a regional virtual network integration.

+Through application routing or configuration routing options, you can configure what traffic will be sent through the virtual network integration. See the [overview section](./overview-vnet-integration.md#routes) for more details.

+Your app is already integrated using the regional virtual network integration feature.

+## Configure application routing

+Application routing defines what traffic is routed from your app and into the virtual network. We recommend that you use the **Route All** site setting to enable routing of all traffic. Using the configuration setting allows you to audit the behavior with [a built-in policy](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F33228571-70a4-4fa1-8ca1-26d0aba8d6ef). The existing `WEBSITE_VNET_ROUTE_ALL` app setting can still be used, and you can enable all traffic routing with either setting.

+### Configure in the Azure portal

+### Configure with the Azure CLI

+You can also configure **Route All** by using the Azure CLI.

+```azurecli-interactive

+az resource update --resource-group <group-name> --name <app-name> --resource-type "Microsoft.Web/sites" --properties.vnetRouteAllEnabled [true|false]

+```

+## Configure configuration routing

+When you're using virtual network integration, you can configure how parts of the configuration traffic are managed. By default, configuration traffic will go directly over the public route, but for the mentioned individual components, you can actively configure it to be routed through the virtual network integration.

+### Container image pull

+Routing container image pull over virtual network integration can be configured using the Azure CLI.

+az resource update --resource-group <group-name> --name <app-name> --resource-type "Microsoft.Web/sites" --properties.vnetImagePullEnabled [true|false]

+We recommend that you use the site property to enable routing image pull traffic through the virtual network integration. Using the configuration setting allows you to audit the behavior with Azure Policy. The existing `WEBSITE_PULL_IMAGE_OVER_VNET` app setting with the value `true` can still be used, and you can enable routing through the virtual network with either setting.

+### Content storage

+Routing content storage over virtual network integration can be configured using the Azure CLI. In addition to enabling the feature, you must also ensure that any firewall or Network Security Group configured on traffic from the subnet allow traffic to port 443 and 445.

+```azurecli-interactive

+az resource update --resource-group <group-name> --name <app-name> --resource-type "Microsoft.Web/sites" --properties.vnetContentStorageEnabled [true|false]

+We recommend that you use the site property to enable content storage traffic through the virtual network integration. Using the configuration setting allows you to audit the behavior with Azure Policy. The existing `WEBSITE_CONTENTOVERVNET` app setting with the value `1` can still be used, and you can enable routing through the virtual network with either setting.

+In addition to enabling access, you need to ensure that you have [configured DNS if you are using ILB App Service Environment](./networking.md#dns-configuration-for-ftp-access) and that the [necessary ports](./networking.md#ports-and-network-restrictions) are unblocked.

+If the certificate used for the custom domain suffix contains a Subject Alternate Name (SAN) entry for **.scm.CUSTOM-DOMAIN*, the scm site will then also be reachable from *APP-NAME.scm.CUSTOM-DOMAIN*. You can only access scm over custom domain using basic authentication. Single sign-on is only possible with the default root domain.

+Your certificate must be a wildcard certificate for the selected custom domain name. For example, *internal-contoso.com* would need a certificate covering **.internal-contoso.com*. If the certificate used custom domain suffix contains a Subject Alternate Name (SAN) entry for scm, for example **.scm.internal-contoso.com*, the scm site will also available using the custom domain suffix.

+1. Optionally create a zone for scm sub-domain with a * A record that points to the inbound IP address used by your App Service Environment

+1. Optionally create an A record in that zone that points *.scm to the inbound IP address used by your App Service Environment.

+> [!NOTE]

+> For FTP access, even if you want to disallow standard FTP on port 21, you still need to allow traffic from the LoadBalancer to the App Service Environment subnet range, as this is used for internal health ping traffic for the ftp service specifically.

+* **X-Azure-FDID**. [Custom header](../frontdoor/front-door-http-headers-protocol.md#from-the-front-door-to-the-backend) for identifying the reverse proxy instance. Azure Front Door will send a guid identifying the instance, but it can also be used by third party proxies to identify the specific instance. Accepts any string up to 64 characters in length.

+* **X-FD-HealthProbe**. [Custom header](../frontdoor/front-door-http-headers-protocol.md#from-the-front-door-to-the-backend) for identifying the health probe of the reverse proxy. Azure Front Door will send "1" to uniquely identify a health probe request. The header can also be used by third party proxies to identify health probes. Accepts any string up to 64 characters in length.

+The feature supports two virtual interface per worker. Two virtual interfaces per worker means two regional virtual network integrations per App Service plan. The apps in the same App Service plan can only use one of the virtual network integrations to a specific subnet. If you need an app to connect to additional virtual networks or additional subnets in the same virtual network, you need to create another App Service plan. The virtual interfaces used isn't a resource that customers have direct access to.

+Learn [how to configure application routing](./configure-vnet-integration-routing.md#configure-application-routing).

+To route content storage traffic through the virtual network integration, you must ensure that the routing setting is configured. Learn [how to configure content storage routing](./configure-vnet-integration-routing.md#content-storage).

+In addition to configuring the routing, you must also ensure that any firewall or Network Security Group configured on traffic from the subnet allow traffic to port 443 and 445.

+When using custom containers, you can pull the container over the virtual network integration. To route the container pull traffic through the virtual network integration, you must ensure that the routing setting is configured. Learn [how to configure image pull routing](./configure-vnet-integration-routing.md#container-image-pull).

+* You can have two regional virtual network integration per App Service plan. Multiple apps in the same App Service plan can use the same virtual network integration.

+Upon deletion of an App Service app or App Service Environment (ASE), the corresponding DNS is reserved. During the reservation period, reuse of the DNS is forbidden except for subscriptions belonging to tenant of the subscription originally owning the DNS.

+After the reservation expires, the DNS is free to be claimed by any subscription. By Name Reservation Service, the customer is afforded some time to either clean-up any associations/pointers to said DNS or reclaim the DNS in Azure. The DNS name being reserved for web apps can be derived by appending 'azurewebsites.net' and for ASE can be derived by appending 'appserviceenvironment.net'. Name Reservation Service is enabled by default on Azure App Service and doesn't require more configuration.

+ Title: Azure TPM VBS attestation usage

+description: Learn about how to apply TPM and VBS attestation

+# Using TPM/VBS attestation

+Attestation can be integrated into various applications and services, catering to different use cases. Azure Attestation service, which acts the remote attestation service can be used for desired purposes by updating the attestation policy. The policy engine works as processor, which takes the incoming payload as evidence and performs the validations as authored in the policy. This architecture simplifies the workflow and enables the service owner to purpose build solutions for the varied platforms and use cases.The workflow remains the same as described in [Azure attestation workflow](workflow.md). The attestation policy needs to be crafted as per the validations required.

+Attesting a platform has its own challenges with its varied components of boot and setup, one needs to rely on a hardware root-of-trust anchor which can be used to verify the first steps of the boot and extend that trust upwards into every layer on your system. A hardware TPM provides such an anchor for a remote attestation solution. Azure Attestation provides a highly scalable measured boot and runtime integrity measurement attestation solution with a revocation framework to give you full control over platform attestation.

+## Attestation steps

+Attestation Setup has two setups. One pertaining to the service setup and one pertaining to the client setup.

+Detailed information about the workflow is described in [Azure attestation workflow](workflow.md).

+### Service endpoint setup:

+This is the first step for any attestation to be performed. Setting up an endpoint, this can be performed either via code or using the Azure portal.

+Here's how you can set up an attestation endpoint using Portal

+1 Prerequisite: Access to the Microsoft Azure Active Directory(Azure AD) tenant and subscription under which you want to create the attestation endpoint.

+Learn more about setting up an [Azure AD tenant](../active-directory/develop/quickstart-create-new-tenant.md).

+2 Create an endpoint under the desired resource group, with the desired name.

+> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE5azcU]

+3 Add Attestation Contributor Role to the Identity who will be responsible to update the attestation policy.

+> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE5aoRj]

+4 Configure the endpoint with the required policy.

+> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE5aoRk]

+Sample policies can be found in the [policy section](tpm-attestation-sample-policies.md).

+> [!NOTE]

+> TPM endpoints are designed to be provisioned without a default attestation policy.

+### Client setup:

+A client to communicate with the attestation service endpoint needs to ensure it's following the protocol as described in the [protocol documentation](virtualization-based-security-protocol.md). Use the [Attestation Client NuGet](https://www.nuget.org/packages/Microsoft.Attestation.Client) to ease the integration.

+

+1 Prerequisite: An Azure AD identity is needed to access the TPM endpoint.

+Learn more [Azure AD identity tokens](../active-directory/develop/v2-overview.md).

+2 Add Attestation Reader Role to the identity that will be need for authentication against the endpoint. Azure i

+> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE5aoRi]

+## Execute the attestation workflow:

+Using the [Client](https://github.com/microsoft/Attestation-Client-Samples) to trigger an attestation flow. A successful attestation will result in an attestation report (encoded JWT token). Parsing the JWT token, the contents of the report can be easily validated against expected outcome.

+> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE5azcT]

+Here's a sample of the contents of the attestation report.

+Using the Open ID [metadata endpoint](/rest/api/attestation/metadata-configuration/get?tabs=HTTP) contains properties, which describe the attestation service.The signing keys describe the keys, which will be used to sign tokens generated by the attestation service. All tokens emitted by the attestation service will be signed by one of the certificates listed in the attestation signing keys.

+## Next steps

+- [Set up Azure Attestation using PowerShell](quickstart-powershell.md)

+- [Attest an SGX enclave using code samples](/samples/browse/?expanded=azure&terms=attestation)

+- [Learn more about policy](policy-reference.md)

+ Title: Examples of an Azure SGX Attestation policy

+| Secure boot |Device boots using only software that's trusted by the OEM. | ` c:[type == "events", issuer=="AttestationService"] => add(type = "efiConfigVariables", value = JmesPath(c.value, "Events[?EventTypeString == 'EV_EFI_VARIABLE_DRIVER_CONFIG' && ProcessedData.VariableGuid == '8BE4DF61-93CA-11D2-AA0D-00E098032B8C']"));`<br>` => issue(type = "secureBootEnabled", value = JsonToClaimValue(JmesPath(c.value, "[?ProcessedData.UnicodeName == 'SecureBoot'] \| length(@) == `1` && @[0].ProcessedData.VariableData == 'AQ'")));`<br>` ![type=="secureBootEnabled", issuer=="AttestationPolicy"] => issue(type="secureBootEnabled", value=false);` |

+| Code integrity |Code integrity is a feature that validates the integrity of a driver or system file each time it's loaded into memory.| `// Retrieve bool properties `<br>` c:[type=="events", issuer=="AttestationService"] => add(type="boolProperties", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` \|\| PcrIndex == `13` \|\| PcrIndex == `19` \|\| PcrIndex == `20`)].ProcessedData.EVENT_TRUSTBOUNDARY"));`<br>`c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="codeIntegrityEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_CODEINTEGRITY")));`<br>`c:[type=="codeIntegrityEnabledSet", issuer=="AttestationPolicy"] => issue(type="codeIntegrityEnabled", value=ContainsOnlyValue(c.value, true));`<br>`![type=="codeIntegrityEnabled", issuer=="AttestationPolicy"] => issue(type="codeIntegrityEnabled", value=false);` |

+|BitLocker [Boot state] |Used for encryption of device drives.| `// Bitlocker Boot Status, The first non zero measurement or zero.`<br>`c:[type=="events", issuer=="AttestationService"] => add(type="srtmDrtmEventPcr", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` \|\| PcrIndex == `19`)].ProcessedData.EVENT_TRUSTBOUNDARY"));`<br>`c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => issue(type="bitlockerStatus", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_BITLOCKER_UNLOCK \| @[? Value != `0`].Value \| @[0]")));`<br>`![type=="bitlockerStatus"] => issue(type="bitlockerStatus", value=0);` |

+| Early Launch Antimalware (ELAM) | ELAM protects against loading unsigned or malicious drivers during boot. | `// Elam Driver (windows defender) Loaded.`<br>`c:[type=="events", issuer=="AttestationService"] => add(type="boolProperties", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` \|\| PcrIndex == `13` \|\| PcrIndex == `19` \|\| PcrIndex == `20`)].ProcessedData.EVENT_TRUSTBOUNDARY"));`<br>`c:[type=="boolProperties", issuer=="AttestationPolicy"] => issue(type="elamDriverLoaded", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_LOADEDMODULE_AGGREGATION[] \| [? EVENT_IMAGEVALIDATED == `true` && (equals_ignore_case(EVENT_FILEPATH, '\\windows\\system32\\drivers\\wdboot.sys') \|\| equals_ignore_case(EVENT_FILEPATH, '\\windows\\system32\\drivers\\wd\\wdboot.sys'))] \| @ != `null`")));`<br>`![type=="elamDriverLoaded", issuer=="AttestationPolicy"] => issue(type="elamDriverLoaded", value=false);` |

+| Boot debugging |Allows the user to connect to a boot debugger. Can be used to bypass secure boot and other boot protections. | `// Boot debugging`<br>`c:[type=="events", issuer=="AttestationService"] => add(type="boolProperties", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` \|\| PcrIndex == `13` \|\| PcrIndex == `19` \|\| PcrIndex == `20`)].ProcessedData.EVENT_TRUSTBOUNDARY"));`<br>`c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="bootDebuggingEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_BOOTDEBUGGING")));`<br>`c:[type=="bootDebuggingEnabledSet", issuer=="AttestationPolicy"] => issue(type="bootDebuggingDisabled", value=ContainsOnlyValue(c.value, false));`<br>`![type=="bootDebuggingDisabled", issuer=="AttestationPolicy"] => issue(type="bootDebuggingDisabled", value=false);` |

+| Kernel debugging | Allows the user to connect a kernel debugger. Grants access to all system resources (less virtualization-based security [VBS] protected resources). | `// Kernel Debugging`<br>`c:[type=="events", issuer=="AttestationService"] => add(type="boolProperties", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` \|\| PcrIndex == `13` \|\| PcrIndex == `19` \|\| PcrIndex == `20`)].ProcessedData.EVENT_TRUSTBOUNDARY"));`<br>`c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="osKernelDebuggingEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_OSKERNELDEBUG")));`<br>`c:[type=="osKernelDebuggingEnabledSet", issuer=="AttestationPolicy"] => issue(type="osKernelDebuggingDisabled", value=ContainsOnlyValue(c.value, false));`<br>`![type=="osKernelDebuggingDisabled", issuer=="AttestationPolicy"] => issue(type="osKernelDebuggingDisabled", value=false);` |

+|Data Execution Prevention (DEP) policy | DEP policy is a set of hardware and software technologies that perform extra checks on memory to help prevent malicious code from running on a system. | `// DEP Policy`<br>`c:[type=="events", issuer=="AttestationService"] => add(type="boolProperties", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` \|\| PcrIndex == `13` \|\| PcrIndex == `19` \|\| PcrIndex == `20`)].ProcessedData.EVENT_TRUSTBOUNDARY"));`<br>`c:[type=="boolProperties", issuer=="AttestationPolicy"] => issue(type="depPolicy", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_DATAEXECUTIONPREVENTION.Value \| @[-1]")));`<br>`![type=="depPolicy"] => issue(type="depPolicy", value=0);` |

+| Test and flight signing | Enables the user to run test-signed code. | `// Test Signing `<br>`c:[type=="events", issuer=="AttestationService"] => add(type="boolProperties", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` \|\| PcrIndex == `13` \|\| PcrIndex == `19` \|\| PcrIndex == `20`)].ProcessedData.EVENT_TRUSTBOUNDARY"));`<br>` c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="testSigningEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_TESTSIGNING")));`<br>` c:[type=="testSigningEnabledSet", issuer=="AttestationPolicy"] => issue(type="testSigningDisabled", value=ContainsOnlyValue(c.value, false));`<br>` ![type=="testSigningDisabled", issuer=="AttestationPolicy"] => issue(type="testSigningDisabled", value=false);`<br>`//Flight Signingc:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="flightSigningEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "\[\*\].EVENT_FLIGHTSIGNING")));`<br>`c:[type=="flightSigningEnabledSet", issuer=="AttestationPolicy"] => issue(type="flightSigningNotEnabled", value=ContainsOnlyValue(c.value, false));`<br>`![type=="flightSigningNotEnabled", issuer=="AttestationPolicy"] => issue(type="flightSigningNotEnabled", value=false);` |

+| Virtual Secure Mode/VBS | VBS uses the Windows hypervisor to create this virtual secure mode that's used to protect vital system and operating system resources and credentials. | `// VSM enabled `<br>` c:[type=="events", issuer=="AttestationService"] => add(type="srtmDrtmEventPcr", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` \|\| PcrIndex == `19`)].ProcessedData.EVENT_TRUSTBOUNDARY"));`<br>`c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="vsmEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "\[\*\].EVENT_VBS_VSM_REQUIRED")));`<br>`c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="vsmEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_MANDATORY_ENFORCEMENT")));`<br>`c:[type=="vsmEnabledSet", issuer=="AttestationPolicy"] => issue(type="vsmEnabled", value=ContainsOnlyValue(c.value, true));`<br>`![type=="vsmEnabled", issuer=="AttestationPolicy"] => issue(type="vsmEnabled", value=false);`<br>`c:[type=="vsmEnabled", issuer=="AttestationPolicy"] => issue(type="vbsEnabled", value=c.value);` |

+| Hypervisor-protected code integrity (HVCI) | HVCI is a feature that validates the integrity of a system file each time it's loaded into memory.| `// HVCI`<br>`c:[type=="events", issuer=="AttestationService"] => add(type="srtmDrtmEventPcr", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` \|\| PcrIndex == `19`)].ProcessedData.EVENT_TRUSTBOUNDARY"));`<br>`c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="hvciEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_HVCI_POLICY \| @[?String == 'HypervisorEnforcedCodeIntegrityEnable'].Value")));`<br>`c:[type=="hvciEnabledSet", issuer=="AttestationPolicy"] => issue(type="hvciEnabled", value=ContainsOnlyValue(c.value, 1));`<br>`![type=="hvciEnabled", issuer=="AttestationPolicy"] => issue(type="hvciEnabled", value=false);` |

+| Input-output memory management unit (IOMMU) | IOMMU translates virtual to physical memory addresses for Direct memory access-capable device peripherals. IOMMU protects sensitive memory regions. | `// IOMMU`<br>`c:[type=="events", issuer=="AttestationService"] => add(type="boolProperties", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` \|\| PcrIndex == `13` \|\| PcrIndex == `19` \|\| PcrIndex == `20`)].ProcessedData.EVENT_TRUSTBOUNDARY"));`<br>`c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="iommuEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_IOMMU_REQUIRED")));`<br>`c:[type=="iommuEnabledSet", issuer=="AttestationPolicy"] => issue(type="iommuEnabled", value=ContainsOnlyValue(c.value, true));`<br>`![type=="iommuEnabled", issuer=="AttestationPolicy"] => issue(type="iommuEnabled", value=false);` |

+| PCR value evaluation | PCRs contain measurements of components that are made during the boot. These measurements can be used to verify the components against golden or known measurements. | `//PCRS are only read-only and thus cannot be used with issue operation, but they can be used to validate expected/golden measurements.`<br>`c:[type == "pcrs", issuer=="AttestationService"] && c1:[type=="pcrMatchesExpectedValue", value==JsonToClaimValue(JmesPath(c.value, "PCRs[? Index == `0`].Digests.SHA1 \| @[0] == `\"KCk6Ow\"`"))] => issue(claim = c1);` |

+| Boot Manager version | The security version number of the Boot Manager that was loaded during initial boot on the attested device. | `// Find the first EVENT_APPLICATION_SVN. That value is the Boot Manager SVN`<br>`// Find the first EV_SEPARATOR in PCR 12, 13, Or 14`<br>`c:[type=="events", issuer=="AttestationService"] => add(type="evSeparatorSeq", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_SEPARATOR' && (PcrIndex == `12` \|\| PcrIndex == `13` \|\| PcrIndex == `14`)] \| @[0].EventSeq"));`<br>`c:[type=="evSeparatorSeq", value != "null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value=AppendString(AppendString("Events[? EventSeq < `", c.value), "`"));`<br>`[type=="evSeparatorSeq", value=="null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value="Events[? `true` ");`<br>`// Find the first EVENT_APPLICATION_SVN. That value is the Boot Manager SVNc:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] => add(type="bootMgrSvnSeqQuery", value=AppendString(c.value, " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `12` && ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_APPLICATION_SVN] \| @[0].EventSeq"));`<br>`c1:[type=="bootMgrSvnSeqQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => add(type="bootMgrSvnSeq", value=JmesPath(c2.value, c1.value));`<br>`c:[type=="bootMgrSvnSeq", value!="null", issuer=="AttestationPolicy"] => add(type="bootMgrSvnQuery", value=AppendString(AppendString("Events[? EventSeq == `", c.value), "`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_APPLICATION_SVN \| @[0]"));`<br>`c1:[type=="bootMgrSvnQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => issue(type="bootMgrSvn", value=JsonToClaimValue(JmesPath(c2.value, c1.value)));` |

+| Safe mode | Safe mode is a troubleshooting option for Windows that starts your computer in a limited state. Only the basic files and drivers necessary to run Windows are started. | `// Safe mode`<br>`c:[type=="events", issuer=="AttestationService"] => add(type="boolProperties", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` \|\| PcrIndex == `13` \|\| PcrIndex == `19` \|\| PcrIndex == `20`)].ProcessedData.EVENT_TRUSTBOUNDARY"));`<br>`c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="safeModeEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_SAFEMODE")));`<br>`c:[type=="safeModeEnabledSet", issuer=="AttestationPolicy"] => issue(type="notSafeMode", value=ContainsOnlyValue(c.value, false));`<br>`![type=="notSafeMode", issuer=="AttestationPolicy"] => issue(type="notSafeMode", value=true);` |

+| WinPE boot | Windows pre-installation Environment (Windows PE) is a minimal operating system with limited services that's used to prepare a computer for Windows installation, to copy disk images from a network file server, and to initiate Windows setup. | `// Win PE`<br>`c:[type=="events", issuer=="AttestationService"] => add(type="boolProperties", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` \|\| PcrIndex == `13` \|\| PcrIndex == `19` \|\| PcrIndex == `20`)].ProcessedData.EVENT_TRUSTBOUNDARY"));`<br>`c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="winPEEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "\[\*\].EVENT_WINPE")));`<br>`c:[type=="winPEEnabledSet", issuer=="AttestationPolicy"] => issue(type="notWinPE", value=ContainsOnlyValue(c.value, false));`<br>`![type=="notWinPE", issuer=="AttestationPolicy"] => issue(type="notWinPE", value=true);` |

+| Code integrity (CI) policy | Hash of CI policy that's controlling the security of the boot environment. | `// CI Policy`<br>`c :[type=="events", issuer=="AttestationService"] => issue(type="codeIntegrityPolicy", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_SI_POLICY[].RawData")));`|

+| Secure Boot Configuration Policy Hash (SBCPHash) | SBCPHash is the fingerprint of the Custom SBCP that was loaded during boot in Windows devices, except PCs. | `// Secure Boot Custom Policy`<br>`c:[type=="events", issuer=="AttestationService"] => issue(type="secureBootCustomPolicy", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EFI_VARIABLE_DRIVER_CONFIG' && PcrIndex == `7` && ProcessedData.UnicodeName == 'CurrentPolicy' && ProcessedData.VariableGuid == '77FA9ABD-0359-4D32-BD60-28F4E78F784B'].ProcessedData.VariableData \| @[0]")));` |

+| System Guard (DRTM Validation and SMM Levels) | Ensure System Guard has been validated during boot and corresponding System Management Mode Level | ` // Extract the DRTM state auth event. `<br>`// The rule attempts to find the valid DRTM state auth event by applying following conditions:`<br>`// 1. There is only one DRTM state auth event in the events log`<br>`// 2. The EVENT_DRTM_STATE_AUTH.SignatureValid field in the DRTM state auth event is set to true`<br><br>` c:[type=="events", issuer=="AttestationService"] => add(type="validDrtmStateAuthEvent", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `20` && ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_DRTM_STATE_AUTH.SignatureValid != `null`] \| length(@) == `1` && @[0] \| @.{EventSeq:EventSeq, SignatureValid:ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_DRTM_STATE_AUTH.SignatureValid}"));`<br><br>` // Check if Signature is valid in extracted state auth events`<br>`c:[type=="validDrtmStateAuthEvent", issuer=="AttestationPolicy"] => issue(type="drtmMleValid", value=JsonToClaimValue(JmesPath(c.value, "SignatureValid")));`<br>`![type=="drtmMleValid", issuer=="AttestationPolicy"] => issue(type="drtmMleValid", value=false);`<br><br>`// Get the sequence number of the DRTM state auth event.`<br>`// The sequence number is used to ensure that the SMM event appears before the last DRTM state auth event.`<br>`[type=="drtmMleValid", value==true, issuer=="AttestationPolicy"] && c:[type=="validDrtmStateAuthEvent", issuer=="AttestationPolicy"] => add(type="validDrtmStateAuthEventSeq", value=JmesPath(c.value, "EventSeq"));`<br><br>` // Create query for SMM event`<br>`// The query is constructed to find the SMM level from the SMM level event that appears exactly once before the valid DRTM state auth event in the event log`<br>`[type=="drtmMleValid", value==true, issuer=="AttestationPolicy"] && c:[type=="validDrtmStateAuthEventSeq", issuer=="AttestationPolicy"] => add(type="smmQuery", value=AppendString(AppendString("Events[? EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `20` && EventSeq <`", c.value), "`].ProcessedData.EVENT_DRTM_SMM \| length(@) == `1` && @[0] \| @.Value"));`<br><br>`// Extract SMM value`<br>`[type=="drtmMleValid", value==true, issuer=="AttestationPolicy"] &&`<br>` c1:[type=="smmQuery", issuer=="AttestationPolicy"] &&`<br>` c2:[type=="events", issuer=="AttestationService"] => issue(type="smmLevel", value=JsonToClaimValue(JmesPath(c2.value, c1.value)));`<br>` ` |

+| Boot application subversion | The version of the Boot Manager that's running on the device. | `// Find the first EV_SEPARATOR in PCR 12, 13, Or 14, the ordering of the events is critical to ensure correctness.`<br>`c:[type=="events", issuer=="AttestationService"] => add(type="evSeparatorSeq", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_SEPARATOR' && (PcrIndex == `12` \|\| PcrIndex == `13` \|\| PcrIndex == `14`)] \| @[0].EventSeq"));`<br>`c:[type=="evSeparatorSeq", value != "null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value=AppendString(AppendString("Events[? EventSeq < `", c.value), "`"));`<br>`[type=="evSeparatorSeq", value=="null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value="Events[? `true` ");`<br>` // No restriction of EV_SEPARATOR in case it is not present// Find the first EVENT_TRANSFER_CONTROL with value 1 or 2 in PCR 12 that is before the EV_SEPARATORc1:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] && c2:[type=="bootMgrSvnSeq", value != "null", issuer=="AttestationPolicy"] => add(type="beforeEvSepAfterBootMgrSvnClause", value=AppendString(AppendString(AppendString(c1.value, "&& EventSeq >= `"), c2.value), "`"));`<br>`c:[type=="beforeEvSepAfterBootMgrSvnClause", issuer=="AttestationPolicy"] => add(type="tranferControlQuery", value=AppendString(c.value, " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `12`&& (ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_TRANSFER_CONTROL.Value == `1` \|\| ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_TRANSFER_CONTROL.Value == `2`)] \| @[0].EventSeq"));`<br>`c1:[type=="tranferControlQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => add(type="tranferControlSeq", value=JmesPath(c2.value, c1.value));`<br>`// Find the first non-null EVENT_MODULE_SVN in PCR 13 after the transfer control.c:[type=="tranferControlSeq", value!="null", issuer=="AttestationPolicy"] => add(type="afterTransferCtrlClause", value=AppendString(AppendString(" && EventSeq > `", c.value), "`"));`<br>`c1:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] && c2:[type=="afterTransferCtrlClause", issuer=="AttestationPolicy"] => add(type="moduleQuery", value=AppendString(AppendString(c1.value, c2.value), " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13` && ((ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_LOADEDMODULE_AGGREGATION[].EVENT_MODULE_SVN \| @[0]) \|\| (ProcessedData.EVENT_LOADEDMODULE_AGGREGATION[].EVENT_MODULE_SVN \| @[0]))].EventSeq \| @[0]"));`<br>`c1:[type=="moduleQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => add(type="moduleSeq", value=JmesPath(c2.value, c1.value));`<br>`// Find the first EVENT_APPLICATION_SVN after EV_EVENT_TAG in PCR 12. That value is Boot App SVNc:[type=="moduleSeq", value!="null", issuer=="AttestationPolicy"] => add(type="applicationSvnAfterModuleClause", value=AppendString(AppendString(" && EventSeq > `", c.value), "`"));`<br>`c1:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] && c2:[type=="applicationSvnAfterModuleClause", issuer=="AttestationPolicy"] => add(type="bootAppSvnQuery", value=AppendString(AppendString(c1.value, c2.value), " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `12`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_APPLICATION_SVN \| @[0]"));`<br>`c1:[type=="bootAppSvnQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => issue(type="bootAppSvn", value=JsonToClaimValue(JmesPath(c2.value, c1.value)));` |

+| Boot revision list | Boot revision list used to direct the device to an enterprise honeypot to further monitor the device's activities. | `// Boot Rev List Info `<br>`c:[type=="events", issuer=="AttestationService"] => issue(type="bootRevListInfo", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_BOOT_REVOCATION_LIST.RawData \| @[0]")));` |

+[type=="aikValidated", value==true] &&

+};

+authorizationrules {

+c:[type=="efiConfigVariables", issuer=="AttestationPolicy"]=> add(type = "secureBootEnabled", value = JsonToClaimValue(JmesPath(c.value, "[?ProcessedData.UnicodeName == 'SecureBoot'] | length(@) == `1` && @[0].ProcessedData.VariableData == 'AQ'")));

+c:[type=="events", issuer=="AttestationService"] => add(type="srtmDrtmEventPcr", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` || PcrIndex == `19`)].ProcessedData.EVENT_TRUSTBOUNDARY"));

+c:[type=="events", issuer=="AttestationService"] => add(type="boolProperties", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` || PcrIndex == `13` || PcrIndex == `19` || PcrIndex == `20`)].ProcessedData.EVENT_TRUSTBOUNDARY"));

+c:[type=="boolProperties", issuer=="AttestationPolicy"] => issue(type="MaliciousDriverLoaded", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_LOADEDMODULE_AGGREGATION[] | [? EVENT_IMAGEVALIDATED == true && (equals_ignore_case(EVENT_FILEPATH, '\\windows\\system32\\drivers\\malicious.sys') || equals_ignore_case(EVENT_FILEPATH, '\\windows\\system32\\drivers\\wd\\malicious.sys'))] | @ != null ")));

+## Extending the protection from malicious boot attacks via Integrity Measurement Architecture(IMA) on Linux

+Linux systems follow a similar boot process to Windows, and with TPM attestation the protection profile can be extended to beyond boot into the kernel as well using Integrity Measurement Architecture(IMA). IMA subsystem was designed to detect if files have been accidentally or maliciously altered, both remotely and locally, it maintains a runtime measurement list and, if anchored in a hardware Trusted Platform Module(TPM), an aggregate integrity value over this list provides the benefit of resiliency from software attacks. Recent enhancements in the IMA subsystem also allow for non file based attributes to be measured and attested remotely. Azure attestation supports non file based measurements to be attested remotely to provide a holistic view of system integrity.

+Enabling IMA with the following ima-policy will enable measurement of non file attributes while still enabling local file integrity attestation.

+Using the following Attestation policy, you can now validate the secureboot, kernel signature, kernel version, kernel cmdline passed in by grub and other key security attributes supported by IMA.

+```

+version = 1.2;

+configurationrules

+{

+};

+authorizationrules

+{

+ [type == "aikValidated", value==true]

+ => permit();

+};

+issuancerules {

+ // Retrieve all EFI Boot variables with event = 'EV_EFI_VARIABLE_BOOT'

+ c:[type == "events", issuer=="AttestationService"] => add(type ="efiBootVariables", value = JmesPath(c.value, "Events[?EventTypeString == 'EV_EFI_VARIABLE_BOOT']"));

+ // Retrieve all EFI Driver Config variables with event = 'EV_EFI_VARIABLE_DRIVER_CONFIG'

+ c:[type == "events", issuer=="AttestationService"] => add(type ="efiConfigVariables", value = JmesPath(c.value, "Events[?EventTypeString == 'EV_EFI_VARIABLE_DRIVER_CONFIG']"));

+ // Grab all IMA events

+ c:[type=="events", issuer=="AttestationService"] => add(type="imaMeasurementEvents", value=JmesPath(c.value, "Events[?EventTypeString == 'IMA_MEASUREMENT_EVENT']"));

+ // Look for "Boot Order" from EFI Boot Data

+ c:[type == "efiBootVariables", issuer=="AttestationPolicy"] => add(type = "bootOrderFound", value = JmesPath(c.value, "[?ProcessedData.UnicodeName == 'BootOrder'] | length(@) == `1` && @[0].PcrIndex == `1` && @[0].ProcessedData.VariableData"));

+ c:[type=="bootOrderFound", issuer=="AttestationPolicy"] => issue(type="bootOrder", value=JsonToClaimValue(c.value));

+ ![type=="bootOrderFound", issuer=="AttestationPolicy"] => issue(type="bootOrder", value=0);

+ // Look for "Secure Boot" from EFI Driver Configuration Data

+ c:[type == "efiConfigVariables", issuer=="AttestationPolicy"] => issue(type = "secureBootEnabled", value = JsonToClaimValue(JmesPath(c.value, "[?ProcessedData.UnicodeName == 'SecureBoot'] | length(@) == `1` && @[0].PcrIndex == `7` && @[0].ProcessedData.VariableData == 'AQ'")));

+ ![type=="secureBootEnabled", issuer=="AttestationPolicy"] => issue(type="secureBootEnabled", value=false);

+ // Look for "Platform Key" from EFI Boot Data

+ c:[type == "efiConfigVariables", issuer=="AttestationPolicy"] => add(type = "platformKeyFound", value = JmesPath(c.value, "[?ProcessedData.UnicodeName == 'PK'] | length(@) == `1` && @[0].PcrIndex == `7` && @[0].ProcessedData.VariableData"));

+ c:[type=="platformKeyFound", issuer=="AttestationPolicy"] => issue(type="platformKey", value=JsonToClaimValue(c.value));

+ ![type=="platformKeyFound", issuer=="AttestationPolicy"] => issue(type="platformKey", value=0);

+

+ // Look for "Key Exchange Key" from EFI Driver Configuration Data

+ c:[type == "efiConfigVariables", issuer=="AttestationPolicy"] => add(type = "keyExchangeKeyFound", value = JmesPath(c.value, "[?ProcessedData.UnicodeName == 'KEK'] | length(@) == `1` && @[0].PcrIndex == `7` && @[0].ProcessedData.VariableData"));

+ c:[type=="keyExchangeKeyFound", issuer=="AttestationPolicy"] => issue(type="keyExchangeKey", value=JsonToClaimValue(c.value));

+ ![type=="keyExchangeKeyFound", issuer=="AttestationPolicy"] => issue(type="keyExchangeKey", value=0);

+ // Look for "Key Database" from EFI Driver Configuration Data

+ c:[type == "efiConfigVariables", issuer=="AttestationPolicy"] => add(type = "keyDatabaseFound", value = JmesPath(c.value, "[?ProcessedData.UnicodeName == 'db'] | length(@) == `1` && @[0].PcrIndex == `7` && @[0].ProcessedData.VariableData"));

+ c:[type=="keyDatabaseFound", issuer=="AttestationPolicy"] => issue(type="keyDatabase", value=JsonToClaimValue(c.value));

+ ![type=="keyDatabaseFound", issuer=="AttestationPolicy"] => issue(type="keyDatabase", value=0);

+ // Look for "Forbidden Signatures" from EFI Driver Configuration Data

+ c:[type == "efiConfigVariables", issuer=="AttestationPolicy"] => add(type = "forbiddenSignaturesFound", value = JmesPath(c.value, "[?ProcessedData.UnicodeName == 'dbx'] | length(@) == `1` && @[0].PcrIndex == `7` && @[0].ProcessedData.VariableData"));

+ c:[type=="forbiddenSignaturesFound", issuer=="AttestationPolicy"] => issue(type="forbiddenSignatures", value=JsonToClaimValue(c.value));

+ ![type=="forbiddenSignaturesFound", issuer=="AttestationPolicy"] => issue(type="forbiddenSignatures", value=0);

+ // Look for "Kernel Version" in IMA Measurement events

+ c:[type=="imaMeasurementEvents", issuer=="AttestationPolicy"] => add(type="kernelVersionsFound", value=JmesPath(c.value, "[].ProcessedData.KernelVersion"));

+ c:[type=="kernelVersionsFound", issuer=="AttestationPolicy"] => issue(type="kernelVersions", value=JsonToClaimValue(c.value));

+ ![type=="kernelVersionsFound", issuer=="AttestationPolicy"] => issue(type="kernelVersions", value=0);

+ // Look for "Built-In Trusted Keys" in IMA Measurement events

+ c:[type=="imaMeasurementEvents", issuer=="AttestationPolicy"] => add(type="builtintrustedkeysFound", value=JmesPath(c.value, "[? ProcessedData.Keyring == '.builtin_trusted_keys'].ProcessedData.CertificateSubject"));

+ c:[type=="builtintrustedkeysFound", issuer=="AttestationPolicy"] => issue(type="builtintrustedkeys", value=JsonToClaimValue(c.value));

+ ![type=="builtintrustedkeysFound", issuer=="AttestationPolicy"] => issue(type="builtintrustedkeys", value=0);

+};

+```

+Note: Support for non-file based measurements are only available from linux kernel version: 5.15

+## TPM Key attestation support

+Numerous applications rely on foundational credential management of keys and certs for protections against credential theft, and one of main ways of ensuring the credential security is the reliance of key storage providers that provide additional security from malware and attacks. Windows implements various cryptographic providers that can be either software or hardware based.

+The two most important ones are:

+* Microsoft Software Key Storage Provider: Standard provider, which stores keys software based and supports CNG (Crypto-Next Generation)

+* Microsoft Platform Crypto Provider: Hardware based which stores keys on a TPM (trusted platform module) and supports CNG as well

+Whenever a Storage provider is used, itΓÇÖs usually to create a pub/priv key pair that is chained to a root of trust. At creation more properties can also be used to enable certain aspects of the key storage, exportability, etc. Key attestation in this context, is the technical ability to prove to a replying party that a private key was generated inside, and is managed inside, and in a not exportable form. Such attestation clubbed with other information can help protect from credential theft and replay type of attack.

+TPMs also provide the capability ability to attest that keys are resident in a TPM, enabling higher security assurance, backed up by non-exportability, anti-hammering, and isolation of keys. A common use case is for applications that issue digital signature certificate for subscriber keys, verifying that the subscribers private signature key is generated and managed in an approved TPM.

+One can easily attest to the fact the keys are resident in a valid TPM with appropriate Nonexportability flags using a policy as below.

+```

+version=1.2;

+authorizationrules

+{

+ => permit();

+};

+issuancerules

+{

+ // Key Attest Policy

+ // -- Validating key types

+ c:[type=="x-ms-tpm-request-key", issuer=="AttestationService"] => add(type="requestKeyType", value=JsonToClaimValue(JmesPath(c.value, "jwk.kty")));

+ c:[type=="x-ms-tpm-other-keys", issuer=="AttestationService"] => add(type="otherKeysTypes", value=JsonToClaimValue(JmesPath(c.value, "[*].jwk.kty")));

+ c:[type=="requestKeyType", issuer=="AttestationPolicy", value=="RSA"] => issue(type="requestKeyType", value="RSA");

+ c:[type=="otherKeysTypes", issuer=="AttestationPolicy", value=="RSA"] => issue(type="otherKeysTypes", value="RSA");

+ // -- Validating tpm_quote attributes

+ c:[type=="x-ms-tpm-request-key", issuer=="AttestationService"] => add(type="requestKeyQuote", value=JmesPath(c.value, "info.tpm_quote"));

+ c:[type=="requestKeyQuote", issuer=="AttestationPolicy"] => add(type="requestKeyQuoteHashAlg", value=JsonToClaimValue(JmesPath(c.value, "hash_alg")));

+ c:[type=="requestKeyQuoteHashAlg", issuer=="AttestationPolicy", value=="sha-256"] => issue(type="requestKeyQuoteHashAlg", value="sha-256");

+ // -- Validating tpm_certify attributes

+ c:[type=="x-ms-tpm-request-key", issuer=="AttestationService"] => add(type="requestKeyCertify", value=JmesPath(c.value, "info.tpm_certify"));

+ c:[type=="requestKeyCertify", issuer=="AttestationPolicy"] => add(type="requestKeyCertifyNameAlg", value=JsonToClaimValue(JmesPath(c.value, "name_alg")));

+ c:[type=="requestKeyCertifyNameAlg", issuer=="AttestationPolicy", value==11] => issue(type="requestKeyCertifyNameAlg", value=11);

+ c:[type=="requestKeyCertify", issuer=="AttestationPolicy"] => add(type="requestKeyCertifyObjAttr", value=JsonToClaimValue(JmesPath(c.value, "obj_attr")));

+ c:[type=="requestKeyCertifyObjAttr", issuer=="AttestationPolicy", value==50] => issue(type="requestKeyCertifyObjAttr", value=50);

+ c:[type=="requestKeyCertify", issuer=="AttestationPolicy"] => add(type="requestKeyCertifyAuthPolicy", value=JsonToClaimValue(JmesPath(c.value, "auth_policy")));

+ c:[type=="requestKeyCertifyAuthPolicy", issuer=="AttestationPolicy", value=="AQIDBA"] => issue(type="requestKeyCertifyAuthPolicy", value="AQIDBA");

+ c:[type=="x-ms-tpm-other-keys", issuer=="AttestationService"] => add(type="otherKeysCertify", value=JmesPath(c.value, "[*].info.tpm_certify"));

+ c:[type=="otherKeysCertify", issuer=="AttestationPolicy"] => add(type="otherKeysCertifyNameAlgs", value=JsonToClaimValue(JmesPath(c.value, "[*].name_alg")));

+ c:[type=="otherKeysCertifyNameAlgs", issuer=="AttestationPolicy", value==11] => issue(type="otherKeysCertifyNameAlgs", value=11);

+ c:[type=="otherKeysCertify", issuer=="AttestationPolicy"] => add(type="otherKeysCertifyObjAttr", value=JsonToClaimValue(JmesPath(c.value, "[*].obj_attr")));

+ c:[type=="otherKeysCertifyObjAttr", issuer=="AttestationPolicy", value==50] => issue(type="otherKeysCertifyObjAttr", value=50);

+ c:[type=="otherKeysCertify", issuer=="AttestationPolicy"] => add(type="otherKeysCertifyAuthPolicy", value=JsonToClaimValue(JmesPath(c.value, "[*].auth_policy")));

+ c:[type=="otherKeysCertifyAuthPolicy", issuer=="AttestationPolicy", value=="AQIDBA"] => issue(type="otherKeysCertifyAuthPolicy", value="AQIDBA");

+};

+```

+- [Try out TPM attestation](azure-tpm-vbs-attestation-usage.md)

+ Title: Examples of an Azure TPM Attestation policy

+description: Examples of Azure Attestation policy for TPM endpoint.

+# Examples of an attestation policy for TPM endpoint

+Attestation policy is used to process the attestation evidence and determine whether Azure Attestation will issue an attestation token. Attestation token generation can be controlled with custom policies. Below are some examples of an attestation policy.

+## Sample policy for TPM using Policy version 1.0

+```

+version=1.0;

+authorizationrules {

+ => permit();

+};

+issuancerules

+{

+[type=="aikValidated", value==true]&&

+[type=="secureBootEnabled", value==true] &&

+[type=="bootDebuggingDisabled", value==true] &&

+[type=="vbsEnabled", value==true] &&

+[type=="notWinPE", value==true] &&

+[type=="notSafeMode", value==true] => issue(type="PlatformAttested", value=true);

+};

+```

+A simple TPM attestation policy that can be used to verify minimal aspects of the boot.

+## Sample policy for TPM using Policy version 1.2

+The policy uses the TPM version to restrict attestation calls. The issuancerules looks at various properties measured during boot.

+```

+version=1.2;

+configurationrules{

+};

+authorizationrules {

+ => permit();

+};

+issuancerules{

+c:[type == "aikValidated", issuer=="AttestationService"] =>issue(type="aikValidated", value=c.value);

+// SecureBoot enabled

+c:[type == "events", issuer=="AttestationService"] => add(type = "efiConfigVariables", value = JmesPath(c.value, "Events[?EventTypeString == 'EV_EFI_VARIABLE_DRIVER_CONFIG' && ProcessedData.VariableGuid == '8BE4DF61-93CA-11D2-AA0D-00E098032B8C']"));

+c:[type == "efiConfigVariables", issuer=="AttestationPolicy"]=> issue(type = "SecureBootEnabled", value = JsonToClaimValue(JmesPath(c.value, "[?ProcessedData.UnicodeName == 'SecureBoot'] | length(@) == `1` && @[0].ProcessedData.VariableData == 'AQ'")));

+![type=="SecureBootEnabled", issuer=="AttestationPolicy"] => issue(type="SecureBootEnabled", value=false);

+// Retrieve bool properties Code integrity

+c:[type=="events", issuer=="AttestationService"] => add(type="boolProperties", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` || PcrIndex == `13` || PcrIndex == `19` || PcrIndex == `20`)].ProcessedData.EVENT_TRUSTBOUNDARY"));

+c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="codeIntegrityEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_CODEINTEGRITY")));

+c:[type=="codeIntegrityEnabledSet", issuer=="AttestationPolicy"] => issue(type="CodeIntegrityEnabled", value=ContainsOnlyValue(c.value, true));

+![type=="CodeIntegrityEnabled", issuer=="AttestationPolicy"] => issue(type="CodeIntegrityEnabled", value=false);

+// Bitlocker Boot Status, The first non zero measurement or zero.

+c:[type=="events", issuer=="AttestationService"] => add(type="srtmDrtmEventPcr", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` || PcrIndex == `19`)].ProcessedData.EVENT_TRUSTBOUNDARY"));

+c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="BitlockerStatus", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_BITLOCKER_UNLOCK | @[? Value != `0`].Value | @[0]")));

+[type=="BitlockerStatus", issuer=="AttestationPolicy"] => issue(type="BitlockerStatus", value=true);

+![type=="BitlockerStatus", issuer=="AttestationPolicy"] => issue(type="BitlockerStatus", value=false);

+// Elam Driver (windows defender) Loaded

+c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="elamDriverLoaded", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_LOADEDMODULE_AGGREGATION[] | [? EVENT_IMAGEVALIDATED == `true` && (equals_ignore_case(EVENT_FILEPATH, '\\windows\\system32\\drivers\\wdboot.sys') || equals_ignore_case(EVENT_FILEPATH, '\\windows\\system32\\drivers\\wd\\wdboot.sys'))] | @ != `null`")));

+[type=="elamDriverLoaded", issuer=="AttestationPolicy"] => issue(type="ELAMDriverLoaded", value=true);

+![type=="elamDriverLoaded", issuer=="AttestationPolicy"] => issue(type="ELAMDriverLoaded", value=false);

+};

+```

+### Attestation policy to authorize only those TPMs that match known PCR hashes.

+```

+version=1.2;

+authorizationrules

+{

+ c:[type == "pcrs", issuer=="AttestationService"] => add(type="pcr0Validated", value=JsonToClaimValue(JmesPath(c.value, "PCRs[? Index == `0`].Digests.SHA256 | @[0] =='4c833b1c361fceffd8dc0f81eec76081b71e1a0eb2193caed0b6e1c7735ec33e' ")));

+ c:[type == "pcrs", issuer=="AttestationService"] => add(type="pcr1Validated", value=JsonToClaimValue(JmesPath(c.value, "PCRs[? Index == `1`].Digests.SHA256 | @[0] =='8c25e3be6ad6f5bd33c9ae40d5d5461e88c1a7366df0c9ee5c7e5ff40d3d1d0e' ")));

+ c:[type == "pcrs", issuer=="AttestationService"] => add(type="pcr2Validated", value=JsonToClaimValue(JmesPath(c.value, "PCRs[? Index == `2`].Digests.SHA256 | @[0] =='3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969' ")));

+ c:[type == "pcrs", issuer=="AttestationService"] => add(type="pcr3Validated", value=JsonToClaimValue(JmesPath(c.value, "PCRs[? Index == `3`].Digests.SHA256 | @[0] =='3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969' ")));

+

+ [type=="pcr0Validated", value==true] &&

+ [type=="pcr1Validated", value==true] &&

+ [type=="pcr2Validated", value==true] &&

+ [type=="pcr3Validated", value==true] => permit();

+};

+issuancerules

+{

+};

+```

+### Attestation policy to validate System Guard is enabled as expected and has been validated for its state.

+```

+version = 1.2;

+authorizationrules

+{

+ => permit();

+};

+issuancerules

+{

+ // Extract the DRTM state auth event

+ // The rule attempts to find the valid DRTM state auth event by applying following conditions:

+ // 1. There is only one DRTM state auth event in the events log

+ // 2. The EVENT_DRTM_STATE_AUTH.SignatureValid field in the DRTM state auth event is set to true

+ c:[type=="events", issuer=="AttestationService"] => add(type="validDrtmStateAuthEvent", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `20` && ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_DRTM_STATE_AUTH.SignatureValid != `null`] | length(@) == `1` && @[0] | @.{EventSeq:EventSeq, SignatureValid:ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_DRTM_STATE_AUTH.SignatureValid}"));

+ // Check if Signature is valid in extracted state auth events

+ c:[type=="validDrtmStateAuthEvent", issuer=="AttestationPolicy"] => issue(type="drtmMleValid", value=JsonToClaimValue(JmesPath(c.value, "SignatureValid")));

+ ![type=="drtmMleValid", issuer=="AttestationPolicy"] => issue(type="drtmMleValid", value=false);

+ // Get the sequence number of the DRTM state auth event.

+ // The sequence number is used to ensure that the SMM event appears before the last DRTM state auth event.

+ [type=="drtmMleValid", value==true, issuer=="AttestationPolicy"] &&

+ c:[type=="validDrtmStateAuthEvent", issuer=="AttestationPolicy"] => add(type="validDrtmStateAuthEventSeq", value=JmesPath(c.value, "EventSeq"));

+ // Create query for SMM event

+ // The query is constructed to find the SMM level from the SMM level event that appears exactly once before the valid DRTM state auth event in the event log

+ [type=="drtmMleValid", value==true, issuer=="AttestationPolicy"] &&

+ c:[type=="validDrtmStateAuthEventSeq", issuer=="AttestationPolicy"] => add(type="smmQuery", value=AppendString(AppendString("Events[? EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `20` && EventSeq < `", c.value), "`].ProcessedData.EVENT_DRTM_SMM | length(@) == `1` && @[0] | @.Value"));

+ // Extract SMM value

+ [type=="drtmMleValid", value==true, issuer=="AttestationPolicy"] &&

+ c1:[type=="smmQuery", issuer=="AttestationPolicy"] &&

+ c2:[type=="events", issuer=="AttestationService"] => issue(type="smmLevel", value=JsonToClaimValue(JmesPath(c2.value, c1.value)));

+};

+```

+### Attestation policy to validate VBS enclave for its validity and identity.

+```

+version=1.2;

+authorizationrules {

+ [type=="vsmReportPresent", value==true] &&

+ [type=="enclaveAuthorId", value=="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"] &&

+ [type=="enclaveImageId", value=="AQEAAAAAAAAAAAAAAAAAAA"] &&

+ [type=="enclaveSvn", value>=0] => permit();

+};

+issuancerules

+{

+};

+```

+### Attestation policy to issue all incoming claims produced by the service.

+```

+version = 1.2;

+configurationrules

+{

+};

+authorizationrules

+{

+ => permit();

+};

+issuancerules

+{

+ c:[type=="bootEvents", issuer=="AttestationService"] => issue(type="outputBootEvents", value=c.value);

+ c:[type=="events", issuer=="AttestationService"] => issue(type="outputEvents", value=c.value);

+};

+```

+### Attestation policy to produce some critical security evaluation claims for Windows.

+```

+version=1.2;

+authorizationrules {

+ => permit();

+};

+issuancerules{

+// SecureBoot enabled

+c:[type == "events", issuer=="AttestationService"] => add(type = "efiConfigVariables", value = JmesPath(c.value, "Events[?EventTypeString == 'EV_EFI_VARIABLE_DRIVER_CONFIG' && ProcessedData.VariableGuid == '8BE4DF61-93CA-11D2-AA0D-00E098032B8C']")); c:[type == "efiConfigVariables", issuer=="AttestationPolicy"]=> issue(type = "secureBootEnabled", value = JsonToClaimValue(JmesPath(c.value, "[?ProcessedData.UnicodeName == 'SecureBoot'] | length(@) == `1` && @[0].ProcessedData.VariableData == 'AQ'"))); ![type=="secureBootEnabled", issuer=="AttestationPolicy"] => issue(type="secureBootEnabled", value=false);

+// Boot debugging

+c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="bootDebuggingEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_BOOTDEBUGGING"))); c:[type=="bootDebuggingEnabledSet", issuer=="AttestationPolicy"] => issue(type="bootDebuggingDisabled", value=ContainsOnlyValue(c.value, false)); ![type=="bootDebuggingDisabled", issuer=="AttestationPolicy"] => issue(type="bootDebuggingDisabled", value=false);

+// Virtualization Based Security enabled

+c:[type=="events", issuer=="AttestationService"] => add(type="srtmDrtmEventPcr", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` || PcrIndex == `19`)].ProcessedData.EVENT_TRUSTBOUNDARY")); c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="vbsEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_VSM_REQUIRED"))); c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="vbsEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_MANDATORY_ENFORCEMENT"))); c:[type=="vbsEnabledSet", issuer=="AttestationPolicy"] => issue(type="vbsEnabled", value=ContainsOnlyValue(c.value, true)); ![type=="vbsEnabled", issuer=="AttestationPolicy"] => issue(type="vbsEnabled", value=false); c:[type=="vbsEnabled", issuer=="AttestationPolicy"] => issue(type="vbsEnabled", value=c.value);

+// System Guard and SMM value

+c:[type=="events", issuer=="AttestationService"] => add(type="validDrtmStateAuthEvent", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && PcrIndex == '20' && ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_DRTM_STATE_AUTH.SignatureValid !=null] | length(@) == '1' && @[0] | @.{EventSeq:EventSeq, SignatureValid:ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_DRTM_STATE_AUTH.SignatureValid}"));

+// Check if Signature is valid in extracted state auth events

+c:[type=="validDrtmStateAuthEvent", issuer=="AttestationPolicy"] => issue(type="drtmMleValid", value=JsonToClaimValue(JmesPath(c.value, "SignatureValid")));

+![type=="drtmMleValid", issuer=="AttestationPolicy"] => issue(type="drtmMleValid", value=false);

+// Get the sequence number of the DRTM state auth event.

+// The sequence number is used to ensure that the SMM event appears before the last DRTM state auth event.

+[type=="drtmMleValid", value==true, issuer=="AttestationPolicy"] && c:[type=="validDrtmStateAuthEvent", issuer=="AttestationPolicy"] => add(type="validDrtmStateAuthEventSeq", value=JmesPath(c.value, "EventSeq"));

+// Create query for SMM event

+// The query is constructed to find the SMM level from the SMM level event that appears exactly once before the valid DRTM state auth event in the event log

+[type=="drtmMleValid", value==true, issuer=="AttestationPolicy"] && c:[type=="validDrtmStateAuthEventSeq", issuer=="AttestationPolicy"] => add(type="smmQuery", value=AppendString(AppendString("Events[? EventTypeString == 'EV_EVENT_TAG' && PcrIndex == 20 && EventSeq <", c.value), "].ProcessedData.EVENT_DRTM_SMM | length(@) == 1 && @[0] | @.Value"));

+// Extract SMM value

+[type=="drtmMleValid", value==true, issuer=="AttestationPolicy"] &&

+c1:[type=="smmQuery", issuer=="AttestationPolicy"] &&

+c2:[type=="events", issuer=="AttestationService"] => issue(type="smmLevel", value=JsonToClaimValue(JmesPath(c2.value, c1.value)));

+};

+```

+### Attestation policy to validate boot related firmware and early boot driver signers on linux

+```

+version = 1.2;

+configurationrules

+{

+};

+authorizationrules

+{

+ [type == "aikValidated", value==true]

+ => permit();

+};

+issuancerules {

+ // Retrieve all EFI Boot variables with event = 'EV_EFI_VARIABLE_BOOT'

+ c:[type == "events", issuer=="AttestationService"] => add(type ="efiBootVariables", value = JmesPath(c.value, "Events[?EventTypeString == 'EV_EFI_VARIABLE_BOOT']"));

+ // Retrieve all EFI Driver Config variables with event = 'EV_EFI_VARIABLE_DRIVER_CONFIG'

+ c:[type == "events", issuer=="AttestationService"] => add(type ="efiConfigVariables", value = JmesPath(c.value, "Events[?EventTypeString == 'EV_EFI_VARIABLE_DRIVER_CONFIG']"));

+ // Grab all IMA events

+ c:[type=="events", issuer=="AttestationService"] => add(type="imaMeasurementEvents", value=JmesPath(c.value, "Events[?EventTypeString == 'IMA_MEASUREMENT_EVENT']"));

+ // Look for "Boot Order" from EFI Boot Data

+ c:[type == "efiBootVariables", issuer=="AttestationPolicy"] => add(type = "bootOrderFound", value = JmesPath(c.value, "[?ProcessedData.UnicodeName == 'BootOrder'] | length(@) == `1` && @[0].PcrIndex == `1` && @[0].ProcessedData.VariableData"));

+ c:[type=="bootOrderFound", issuer=="AttestationPolicy"] => issue(type="bootOrder", value=JsonToClaimValue(c.value));

+ ![type=="bootOrderFound", issuer=="AttestationPolicy"] => issue(type="bootOrder", value=0);

+ // Look for "Secure Boot" from EFI Driver Configuration Data

+ c:[type == "efiConfigVariables", issuer=="AttestationPolicy"] => issue(type = "secureBootEnabled", value = JsonToClaimValue(JmesPath(c.value, "[?ProcessedData.UnicodeName == 'SecureBoot'] | length(@) == `1` && @[0].PcrIndex == `7` && @[0].ProcessedData.VariableData == 'AQ'")));

+ ![type=="secureBootEnabled", issuer=="AttestationPolicy"] => issue(type="secureBootEnabled", value=false);

+ // Look for "Platform Key" from EFI Boot Data

+ c:[type == "efiConfigVariables", issuer=="AttestationPolicy"] => add(type = "platformKeyFound", value = JmesPath(c.value, "[?ProcessedData.UnicodeName == 'PK'] | length(@) == `1` && @[0].PcrIndex == `7` && @[0].ProcessedData.VariableData"));

+ c:[type=="platformKeyFound", issuer=="AttestationPolicy"] => issue(type="platformKey", value=JsonToClaimValue(c.value));

+ ![type=="platformKeyFound", issuer=="AttestationPolicy"] => issue(type="platformKey", value=0);

+

+ // Look for "Key Exchange Key" from EFI Driver Configuration Data

+ c:[type == "efiConfigVariables", issuer=="AttestationPolicy"] => add(type = "keyExchangeKeyFound", value = JmesPath(c.value, "[?ProcessedData.UnicodeName == 'KEK'] | length(@) == `1` && @[0].PcrIndex == `7` && @[0].ProcessedData.VariableData"));

+ c:[type=="keyExchangeKeyFound", issuer=="AttestationPolicy"] => issue(type="keyExchangeKey", value=JsonToClaimValue(c.value));

+ ![type=="keyExchangeKeyFound", issuer=="AttestationPolicy"] => issue(type="keyExchangeKey", value=0);

+ // Look for "Key Database" from EFI Driver Configuration Data

+ c:[type == "efiConfigVariables", issuer=="AttestationPolicy"] => add(type = "keyDatabaseFound", value = JmesPath(c.value, "[?ProcessedData.UnicodeName == 'db'] | length(@) == `1` && @[0].PcrIndex == `7` && @[0].ProcessedData.VariableData"));

+ c:[type=="keyDatabaseFound", issuer=="AttestationPolicy"] => issue(type="keyDatabase", value=JsonToClaimValue(c.value));

+ ![type=="keyDatabaseFound", issuer=="AttestationPolicy"] => issue(type="keyDatabase", value=0);

+ // Look for "Forbidden Signatures" from EFI Driver Configuration Data

+ c:[type == "efiConfigVariables", issuer=="AttestationPolicy"] => add(type = "forbiddenSignaturesFound", value = JmesPath(c.value, "[?ProcessedData.UnicodeName == 'dbx'] | length(@) == `1` && @[0].PcrIndex == `7` && @[0].ProcessedData.VariableData"));

+ c:[type=="forbiddenSignaturesFound", issuer=="AttestationPolicy"] => issue(type="forbiddenSignatures", value=JsonToClaimValue(c.value));

+ ![type=="forbiddenSignaturesFound", issuer=="AttestationPolicy"] => issue(type="forbiddenSignatures", value=0);

+ // Look for "Kernel Version" in IMA Measurement events

+ c:[type=="imaMeasurementEvents", issuer=="AttestationPolicy"] => add(type="kernelVersionsFound", value=JmesPath(c.value, "[].ProcessedData.KernelVersion"));

+ c:[type=="kernelVersionsFound", issuer=="AttestationPolicy"] => issue(type="kernelVersions", value=JsonToClaimValue(c.value));

+ ![type=="kernelVersionsFound", issuer=="AttestationPolicy"] => issue(type="kernelVersions", value=0);

+ // Look for "Built-In Trusted Keys" in IMA Measurement events

+ c:[type=="imaMeasurementEvents", issuer=="AttestationPolicy"] => add(type="builtintrustedkeysFound", value=JmesPath(c.value, "[? ProcessedData.Keyring == '.builtin_trusted_keys'].ProcessedData.CertificateSubject"));

+ c:[type=="builtintrustedkeysFound", issuer=="AttestationPolicy"] => issue(type="builtintrustedkeys", value=JsonToClaimValue(c.value));

+ ![type=="builtintrustedkeysFound", issuer=="AttestationPolicy"] => issue(type="builtintrustedkeys", value=0);

+};

+```

+### Attestation policy to issue the list of drivers loaded during boot.

+```

+version = 1.2;

+configurationrules

+{

+};

+authorizationrules

+{

+ => permit();

+};

+issuancerules {

+c:[type=="events", issuer=="AttestationService"] => issue(type="alldriverloads", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' ].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_LOADEDMODULE_AGGREGATION[].EVENT_FILEPATH"));

+c:[type=="events", issuer=="AttestationService"] => issue(type="DriverLoadPolicy", value=JmesPath(c.value, "events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == '13')].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_DRIVER_LOAD_POLICY.String"));

+};

+```

+### Attestation policy for Key attestation, validating keys and properties of the key.

+```

+version=1.2;

+authorizationrules

+{

+ // Key Attest Policy

+ // -- Validating key types

+ c:[type=="x-ms-tpm-request-key", issuer=="AttestationService"] => add(type="requestKeyType", value=JsonToClaimValue(JmesPath(c.value, "jwk.kty")));

+ c:[type=="requestKeyType", issuer=="AttestationPolicy", value=="RSA"] => issue(type="requestKeyType", value="RSA");

+ // -- Validating tpm_certify attributes

+ c:[type=="x-ms-tpm-request-key", issuer=="AttestationService"] => add(type="requestKeyCertify", value=JmesPath(c.value, "info.tpm_certify"));

+ c:[type=="requestKeyCertify", issuer=="AttestationPolicy"] => add(type="requestKeyCertifyObjAttr", value=JsonToClaimValue(JmesPath(c.value, "obj_attr")));

+ c:[type=="requestKeyCertifyObjAttr", issuer=="AttestationPolicy", value==50] => issue(type="requestKeyCertifyObjAttrVerified", value=true);

+

+ c:[type=="requestKeyCertifyObjAttrVerified", issuer=="AttestationPolicy" , value==true] => permit();

+};

+issuancerules

+{

+

+};

+```

+ Title: Virtualization-based security (VBS) protocol for Azure Attestation

+The protocol has 2 messages exchanges:

+* Init Message

+* Request Message

+Message to establish context for the request message.

+## Request Message

+Payload containing the data that is to be attested by the attestation service.

+Note: Support for IMA measurement logs and Keys has been added to Request message, and can be found in the Request Message V2 section

+## Request message v1

+##### JWS protected header

+##### JWS payload

+## Request message v2

+```

+{

+ "request": "<JWS>"

+}

+```

+**request** (JWS): Request consists of a JSON Web Signature (JWS) structure. The JWS Protected Header and JWS Payload are shown below. As in any JWS structure, the final value consists of:

+BASE64URL(UTF8(JWS Protected Header)) || '.' ||

+BASE64URL(JWS Payload) || '.' ||

+BASE64URL(JWS Signature)

+##### JWS protected header

+```

+{

+ "alg": "PS256",

+ "typ": "attReqV2"

+ // no "kid" parameter as the key specified by request_key MUST sign this JWS to prove possession.

+}

+```

+#### JWS payload

+JWS payload can be of type basic or vsm. Basic is used when attestation evidence does not include VSM data.

+Basic example:

+```

+{

+ "att_type": "basic",

+ "att_data": {

+ "rp_id": "<URL>",

+ "rp_data": "<BASE64URL(RPCUSTOMDATA)>",

+ "challenge": "<BASE64URL(CHALLENGE)>",

+ "tpm_att_data": {

+ "current_attestation": {

+ "logs": [

+ {

+ "type": "TCG",

+ "log": "<BASE64URL(CURRENT_LOG1)>"

+ },

+ {

+ "type": "TCG",

+ "log": "<BASE64URL(CURRENT_LOG2)>"

+ },

+ {

+ "type": "TCG",

+ "log": "<BASE64URL(CURRENT_LOG3)>"

+ }

+ ],

+ "aik_cert": "<BASE64URL(AIKCERTIFICATE)>",

+ // aik_pub is represented as a JSON Web Key (JWK) object (RFC 7517).

+ "aik_pub": {

+ "kty": "RSA",

+ "n": "<Base64urlUInt(MODULUS)>",

+ "e": "<Base64urlUInt(EXPONENT)>"

+ },

+ "pcrs": [

+ {

+ "algorithm": 4, // TPM_ALG_SHA1

+ "values": [

+ {

+ "index": 0,

+ "digest": "<BASE64URL(DIGEST)>"

+ },

+ {

+ "index": 5,

+ "digest": "<BASE64URL(DIGEST)>"

+ }

+ ]

+ },

+ {

+ "algorithm": 11, // TPM_ALG_SHA256

+ "values": [

+ {

+ "index": 2,

+ "digest": "<BASE64URL(DIGEST)>"

+ },

+ {

+ "index": 1,

+ "digest": "<BASE64URL(DIGEST)>"

+ }

+ ]

+ }

+ ],

+ "quote": "<BASE64URL(TPMS_ATTEST)>",

+ "signature": "<BASE64URL(TPMT_SIGNATURE)>"

+ },

+ "boot_attestation": {

+ "logs": [

+ {

+ "type": "TCG",

+ "log": "<BASE64URL(BOOT_LOG1)>"

+ },

+ {

+ "type": "TCG",

+ "log": "<BASE64URL(BOOT_LOG2)>"

+ }

+ ],

+ "aik_cert": "<BASE64URL(AIKCERTIFICATE)>",

+ // aik_pub is represented as a JSON Web Key (JWK) object (RFC 7517).

+ "aik_pub": {

+ "kty": "RSA",

+ "n": "<Base64urlUInt(MODULUS)>",

+ "e": "<Base64urlUInt(EXPONENT)>"

+ },

+ "pcrs": [

+ {

+ "algorithm": 4, // TPM_ALG_SHA1

+ "values": [

+ {

+ "index": 0,

+ "digest": "<BASE64URL(DIGEST)>"

+ },

+ {

+ "index": 5,

+ "digest": "<BASE64URL(DIGEST)>"

+ }

+ ]

+ },

+ {

+ "algorithm": 11, // TPM_ALG_SHA256

+ "values": [

+ {

+ "index": 2,

+ "digest": "<BASE64URL(DIGEST)>"

+ },

+ {

+ "index": 1,

+ "digest": "<BASE64URL(DIGEST)>"

+ }

+ ]

+ }

+ ],

+ "quote": "<BASE64URL(TPMS_ATTEST)>",

+ "signature": "<BASE64URL(TPMT_SIGNATURE)>"

+ }

+ },

+ "request_key": {

+ "jwk": {

+ "kty": "RSA",

+ "n": "<Base64urlUInt(MODULUS)>",

+ "e": "<Base64urlUInt(EXPONENT)>"

+ },

+ "info": {

+ "tpm_quote": {

+ "hash_alg": "sha-256"

+ }

+ }

+ },

+ "other_keys": [

+ {

+ "jwk": {

+ "kty": "RSA",

+ "n": "<Base64urlUInt(MODULUS)>",

+ "e": "<Base64urlUInt(EXPONENT)>"

+ },

+ "info": {

+ "tpm_certify": {

+ "public": "<BASE64URL(TPMT_PUBLIC)>",

+ "certification": "<BASE64URL(TPMS_ATTEST)>",

+ "signature": "<BASE64URL(TPMT_SIGNATURE)>"

+ }

+ }

+ },

+ {

+ "jwk": {

+ "kty": "RSA",

+ "n": "<Base64urlUInt(MODULUS)>",

+ "e": "<Base64urlUInt(EXPONENT)>"

+ }

+ }

+ ],

+ "custom_claims": [

+ {

+ "name": "<name>",

+ "value": "<value>",

+ "value_type": "<value_type>"

+ },

+ {

+ "name": "<name>",

+ "value": "<value>",

+ "value_type": "<value_type>"

+ }

+ ],

+ "service_context": "<BASE64URL(SERVICECONTEXT)>"

+ }

+}

+```

+TPM + VBS enclave example:

+```

+{

+ "att_type": "vbs",

+ "att_data": {

+ "report_signed": {

+ "rp_id": "<URL>",

+ "rp_data": "<BASE64URL(RPCUSTOMDATA)>",

+ "challenge": "<BASE64URL(CHALLENGE)>",

+ "tpm_att_data": {

+ "current_attestation": {

+ "logs": [

+ {

+ "type": "TCG",

+ "log": "<BASE64URL(CURRENT_LOG1)>"

+ },

+ {

+ "type": "TCG",

+ "log": "<BASE64URL(CURRENT_LOG2)>"

+ },

+ {

+ "type": "TCG",

+ "log": "<BASE64URL(CURRENT_LOG3)>"

+ }

+ ],

+ "aik_cert": "<BASE64URL(AIKCERTIFICATE)>",

+ // aik_pub is represented as a JSON Web Key (JWK) object (RFC 7517).

+ "aik_pub": {

+ "kty": "RSA",

+ "n": "<Base64urlUInt(MODULUS)>",

+ "e": "<Base64urlUInt(EXPONENT)>"

+ },

+ "pcrs": [

+ {

+ "algorithm": 4, // TPM_ALG_SHA1

+ "values": [

+ {

+ "index": 0,

+ "digest": "<BASE64URL(DIGEST)>"

+ },

+ {

+ "index": 5,

+ "digest": "<BASE64URL(DIGEST)>"

+ }

+ ]

+ },

+ {

+ "algorithm": 11, // TPM_ALG_SHA256

+ "values": [

+ {

+ "index": 2,

+ "digest": "<BASE64URL(DIGEST)>"

+ },

+ {

+ "index": 1,

+ "digest": "<BASE64URL(DIGEST)>"

+ }

+ ]

+ }

+ ],

+ "quote": "<BASE64URL(TPMS_ATTEST)>",

+ "signature": "<BASE64URL(TPMT_SIGNATURE)>"

+ },

+ "boot_attestation": {

+ "logs": [

+ {

+ "type": "TCG",

+ "log": "<BASE64URL(BOOT_LOG1)>"

+ },

+ {

+ "type": "TCG",

+ "log": "<BASE64URL(BOOT_LOG2)>"

+ }

+ ],

+ "aik_cert": "<BASE64URL(AIKCERTIFICATE)>",

+ // aik_pub is represented as a JSON Web Key (JWK) object (RFC 7517).

+ "aik_pub": {

+ "kty": "RSA",

+ "n": "<Base64urlUInt(MODULUS)>",

+ "e": "<Base64urlUInt(EXPONENT)>"

+ },

+ "pcrs": [

+ {

+ "algorithm": 4, // TPM_ALG_SHA1

+ "values": [

+ {

+ "index": 0,

+ "digest": "<BASE64URL(DIGEST)>"

+ },

+ {

+ "index": 5,

+ "digest": "<BASE64URL(DIGEST)>"

+ }

+ ]

+ },

+ {

+ "algorithm": 11, // TPM_ALG_SHA256

+ "values": [

+ {

+ "index": 2,

+ "digest": "<BASE64URL(DIGEST)>"

+ },

+ {

+ "index": 1,

+ "digest": "<BASE64URL(DIGEST)>"

+ }

+ ]

+ }

+ ],

+ "quote": "<BASE64URL(TPMS_ATTEST)>",

+ "signature": "<BASE64URL(TPMT_SIGNATURE)>"

+ }

+ },

+ "request_key": {

+ "jwk": {

+ "kty": "RSA",

+ "n": "<Base64urlUInt(MODULUS)>",

+ "e": "<Base64urlUInt(EXPONENT)>"

+ },

+ "info": {

+ "tpm_quote": {

+ "hash_alg": "sha-256"

+ }

+ }

+ },

+ "other_keys": [

+ {

+ "jwk": {

+ "kty": "RSA",

+ "n": "<Base64urlUInt(MODULUS)>",

+ "e": "<Base64urlUInt(EXPONENT)>"

+ },

+ "info": {

+ "tpm_certify": {

+ "public": "<BASE64URL(TPMT_PUBLIC)>",

+ "certification": "<BASE64URL(TPMS_ATTEST)>",

+ "signature": "<BASE64URL(TPMT_SIGNATURE)>"

+ }

+ }

+ },

+ {

+ "jwk": {

+ "kty": "RSA",

+ "n": "<Base64urlUInt(MODULUS)>",

+ "e": "<Base64urlUInt(EXPONENT)>"

+ }

+ }

+ ],

+ "custom_claims": [

+ {

+ "name": "<name>",

+ "value": "<value>",

+ "value_type": "<value_type>"

+ },

+ {

+ "name": "<name>",

+ "value": "<value>",

+ "value_type": "<value_type>"

+ }

+ ],

+ "service_context": "<BASE64URL(SERVICECONTEXT)>"

+ },

+ "vsm_report": {

+ "enclave": {

+ "report": "<BASE64URL(REPORT)>"

+ }

+ }

+ }

+}

+```

+**rp_id** (StringOrURI): Relying party identifier. Used by the service in the computation of the machine ID claim.

+**rp_data** (BASE64URL(OCTETS)): Opaque data passed by the relying party. This is normally used by the relying party as a nonce to guarantee freshness of the report.

+**challenge** (BASE64URL(OCTETS)): Random value issued by the service.

+- ***current_attestation*** (Object): Contains logs and TPM quote for the current state of the system (either boot or resume). The nonce received from the service must be passed to the TPM2_Quote command in the 'qualifyingData' parameter.

+- ***boot_attestation*** (Object): This is optional and contains logs and the TPM quote saved before the system hibernated and resumed. boot_attestation info must be associated with the same cold boot cycle (i.e. the system was only hibernated and resumed between them).

+- ***logs*** (Array(Object)): Array of logs. Each element of the array contains a log and the array must be in the order used for measurements.

+- ***aik_cert*** (BASE64URL(OCTETS)): The X.509 certificate representing the AIK.

+- ***aik_pub*** (JWK): The public part of the AIK represented as a JSON Web Key (JWK) object (RFC 7517).

+- ***pcrs*** (Array(Object)): Contains the set quoted. Each element of the array represents a PCR bank and the array must be in the order used to create the quote. A PCR bank is defined by its algorithm and its values (only the values quoted should be in the list).

+**vsm_report** (VSM Report Object): The VSM attestation report. See the VSM REPORT OBJECT section.

+**request_key** (Key object): Key used to sign the request. If a TPM is present (request contains TPM quote), request_key must either be bound to the TPM via quote or be resident in the TPM (see KEY OBJECT).

+**other_keys** (Array(Key object)): Array of keys to be sent to the service. Maximum of 2 keys.

+**custom_claims** (Array(Object)): Array of custom enclave claims sent to the service that can be evaluated by the policy.

+- ***name*** (String): Name of the claim. This name will be appended to a url determined by the Attestation Service (to avoid conflicts) and the concatenated string becomes the type of the claim that can be used in the policy.

+- ***value*** (String): Value of the claim.

+- ***value_type*** (String): Data type of the claimΓÇÖs value.

+**service_context** (BASE64URL(OCTETS)): Opaque, encrypted context created by the service which includes, among others, the challenge and an expiration time for that challenge.

+## Key object

+**jwk** (Object): The public part of the key represented as a JSON Web Key (JWK) object (RFC 7517).

+**info** (Object): Extra information about the key.

+No extra information:(Info object can be empty or missing from request)

+ΓÇó Key bound to the TPM via quote:

+- ***tpm_quote*** (Object): Data for the TPM quote binding method.

+- ***hash_alg*** (String): The algorithm used to create the hash passed to the TPM2_Quote command in the 'qualifyingData' parameter. The hash is computed by HASH[UTF8(jwk) || 0x00 || <OCTETS(service challenge)>]. Note: UTF8(jwk) must be the exact string that will be sent on the wire as the service will compute the hash using the exact string received in the request without modifications.

+>> Note: This binding method cannot be used for keys in the other_keys array.

+ΓÇó Key certified to be resident in the TPM:

+- ***tpm_certify*** (Object): Data for the TPM certification binding method.

+ΓÇ£publicΓÇ¥ (BASE64URL(OCTETS)): TPMT_PUBLIC structure representing the public area of the key in the TPM.

+- ***certification*** (BASE64URL(OCTETS)): TPMS_ATTEST returned by the TPM2_Certify command. The challenge received from the service must be passed to the TPM2_Certify command in the 'qualifyingData' parameter. The AIK provided in the request must be used to certify the key.

+- ***signature*** (BASE64URL(OCTETS)): TPMT_SIGNATURE returned by the TPM2_Certify command. The challenge received from the service must be passed to the TPM2_Certify command in the 'qualifyingData' parameter. The AIK provided in the request must be used to certify the key.

+>> Note: When this binding method is used for the request_key, the 'qualifyingData' parameter value passed to the TPM2_Quote command is simply the challenge received from the service.

+Examples:

+Key not bound to the TPM:

+```

+{

+ "jwk": {

+ "kty": "RSA",

+ "n": "<Base64urlUInt(MODULUS)>",

+ "e": "<Base64urlUInt(EXPONENT)>"

+ }

+}

+```

+Key bound to the TPM via quote (either resident in a VBS enclave or not):

+```

+{

+ "jwk": {

+ "kty": "RSA",

+ "n": "<Base64urlUInt(MODULUS)>",

+ "e": "<Base64urlUInt(EXPONENT)>"

+ },

+ "info": {

+ "tpm_quote":

+ "hash_alg": "sha-256"

+ }

+ }

+}

+```

+Key certified to be resident in the TPM:

+```

+{

+ "jwk": {

+ "kty": "RSA",

+ "n": "<Base64urlUInt(MODULUS)>",

+ "e": "<Base64urlUInt(EXPONENT)>"

+ },

+ "info": {

+ "tpm_certify": {

+ "public": "<BASE64URL(TPMT_PUBLIC)>",

+ "certification": "<BASE64URL(TPMS_ATTEST)>",

+ "signature": "<BASE64URL(TPMT_SIGNATURE)>"

+ }

+ }

+}

+```

+## Policy key object

+The policy key object is the version of the key object used as input claims in the policy. It is processed by the service in order to make it more readable and easier to evaluate by policy rules.

+ΓÇó Key not bound to the TPM:

+Same as the respective key object.

+Example:

+```

+{

+ "jwk": {

+ "kty": "RSA",

+ "n": "<Base64urlUInt(MODULUS)>",

+ "e": "<Base64urlUInt(EXPONENT)>"

+ }

+}

+```

+ΓÇó Key bound to the TPM via quote (either resident in a VBS enclave or not):

+Same as the respective key object.

+Example:

+```

+{

+ "jwk": {

+ "kty": "RSA",

+ "n": "<Base64urlUInt(MODULUS)>",

+ "e": "<Base64urlUInt(EXPONENT)>"

+ },

+ "info": {

+ "tpm_quote":

+ "hash_alg": "sha-256"

+ }

+ }

+}

+```

+ΓÇó Key certified to be resident in the TPM:

+***jwk*** (Object): Same as the respective key object.

+***info.tpm_certify*** (Object):

+- ***name_alg*** (Integer): UINT16 value representing a hash algorithm defined by the TPM_ALG_ID constants.

+- ***obj_attr*** (Integer): UINT32 value representing the attributes of the key object defined by TPMA_OBJECT

+- ***auth_policy*** (BASE64URL(OCTETS)): Optional policy for using this key object.

+Example:

+```

+{

+ "jwk": {

+ "kty": "RSA",

+ "n": "<Base64urlUInt(MODULUS)>",

+ "e": "<Base64urlUInt(EXPONENT)>"

+ },

+ "info": {

+ "tpm_certify": {

+ "name_alg": 11, // 0xB (TPM_ALG_SHA256)

+ "obj_attr": 50, // 0x32 (fixedTPM | fixedParent | sensitiveDataOrigin)

+ "auth_policy": "<BASE64URL(AUTH_POLICY)>"

+ }

+ }

+}

+```

+## VBS report object

+### Enclave attestation:

+***enclave*** (Object): Data for VSM enclave attestation.

+- ***report*** (BASE64URL(OCTETS)): The VSM enclave attestation report as returned by function EnclaveGetAttestationReport. The EnclaveData parameter must be the SHA-512 hash of the value of report_signed (including the opening and closing braces). The hash function input is UTF8(report_signed).

+Examples:

+Enclave attestation:

+```

+{

+ "enclave": {

+ "report": "<BASE64URL(REPORT)>"

+ }

+}

+```

+## Report message

+Direction

+Attestation Service -> Client

+Payload

+```

+{

+ "report": "<JWT>"

+}

+```

+***report*** (JWT): The attestation report in JSON Web Token (JWT) format (RFC 7519).

+Automation accounts currently support the following regions:

+### Public preview of PowerShell 7.2 and Python 3.10

+Azure Automation now supports runbooks in latest Runtime versions - PowerShell 7.2 and Python 3.10 in public preview. This enables creation and execution of runbooks for orchestration of management tasks. These new runtimes are currently supported only for Cloud jobs in five regions - West Central US, East US, South Africa North, North Europe, Australia, and Southeast. [Learn more](automation-runbook-types.md).

+Build your own disaster recovery strategy to handle a region-wide or zone-wide failure [Learn more](https://learn.microsoft.com/azure/automation/automation-disaster-recovery).

+az customlocation delete -n <customLocationName> -g <resourceGroupName>

+Required parameters:

+| Parameter name | Description |

+|-||

+| `--name, --n` | Name of the custom location |

+| `--resource-group, --g` | Resource group of the custom location |

+ - Ability to log in as a local user or an [Azure user (Linux only)](../../active-directory/devices/howto-vm-sign-in-azure-ad-linux.md)

+### Install local command line tool

+This functionality is currently packaged in an Azure CLI extension and an Azure PowerShell module.

+#### [Install Azure CLI extension](#tab/azure-cli)

+```az extension add --name ssh```

+> The Azure CLI extension version must be greater than 1.1.0.

+#### [Install Azure PowerShell module](#tab/azure-powershell)

+```Install-Module -Name AzPreview -Scope CurrentUser -Repository PSGallery -Force```

+### Enable functionality on your Arc-enabled server

+In order to use the SSH connect feature, you must enable connections on the hybrid agent.

+> [!NOTE]

+> The following actions must be completed in an elevated terminal session.

+View your current incoming connections:

+```azcmagent config list```

+If you have existing ports, you'll need to include them in the following command.

+To add access to SSH connections, run the following:

+```azcmagent config set incomingconnections.ports 22<,other open ports,...>```

+If you're using a non-default port for your SSH connection, replace port 22 with your desired port in the previous command.

+> The following steps will not need to be run for most users.

+### Register the HybridConnectivity resource provider

+> [!NOTE]

+> This is a one-time operation that needs to be performed on each subscription.

+Check if the HybridConnectivity resource provider (RP) has been registered:

+```az provider show -n Microsoft.HybridConnectivity```

+If the RP hasn't been registered, run the following:

+```az provider register -n Microsoft.HybridConnectivity```

+This operation can take 2-5 minutes to complete. Before moving on, check that the RP has been registered.

+To view examples, view the Az CLI documentation page for [az ssh](/cli/azure/ssh) or the Azure PowerShell documentation page for [Az.Ssh](/powershell/module/az.ssh).

+## WEBSITE\_SLOT\_NAME

+Read-only. Name of the current deployment slot. The name of the production slot is `Production`.

+|Key|Sample value|

+|||

+|WEBSITE_SLOT_NAME|`Production`|

+ Title: How to create a dataset using a GeoJson package

+description: Learn how to create a dataset using a GeoJson package embedding the module's JavaScript libraries.

+# Create a dataset using a GeoJson package (Preview)

+Azure Maps Creator enables users to import their indoor map data in GeoJSON format with [Facility Ontology 2.0][Facility Ontology], which can then be used to create a [dataset][dataset-concept].

+> [!NOTE]

+> This article explains how to create a dataset from a GeoJSON package. For information on additional steps required to complete an indoor map, see [Next steps](#next-steps).

+## Prerequisites

+- Basic understanding of [Creator for indoor maps](creator-indoor-maps.md).

+- Basic understanding of [Facility Ontology 2.0][Facility Ontology].

+- [Azure Maps account][Azure Maps account].

+- [Azure Maps Creator resource][Creator resource].

+- [Subscription key][Subscription key].

+- Zip package containing all required GeoJSON files. If you don't have GeoJSON

+ files, you can download the [Contoso building sample][Contoso building sample].

+>[!IMPORTANT]

+>

+> - This article uses the `us.atlas.microsoft.com` geographical URL. If your Creator service wasn't created in the United States, you must use a different geographical URL. For more information, see [Access to Creator Services](how-to-manage-creator.md#access-to-creator-services).

+> - In the URL examples in this article you will need to replace `{Azure-Maps-Primary-Subscription-key}` with your primary subscription key.

+## Create dataset using the GeoJSON package

+For more information on the GeoJSON package, see the [Geojson zip package requirements](#geojson-zip-package-requirements) section.

+### Upload the GeoJSON package

+Use the [Data Upload API](/rest/api/maps/data-v2/upload) to upload the Drawing package to Azure Maps Creator account.

+The Data Upload API is a long running transaction that implements the pattern defined in [Creator Long-Running Operation API V2](creator-long-running-operation-v2.md).

+To upload the GeoJSON package:

+1. Execute the following HTTP POST request that uses the [Data Upload API](/rest/api/maps/data-v2/upload):

+ ```http

+ https://us.atlas.microsoft.com/mapData?api-version=2.0&dataFormat=zip&subscription-key={Your-Azure-Maps-Primary-Subscription-key}

+ ```

+ 1. Set `Content-Type` in the **Header** to `application/zip`.

+1. Copy the value of the `Operation-Location` key in the response header. The `Operation-Location` key is also known as the `status URL` and is required to check the status of the upload, which is explained in the next section.

+### Check the GeoJSON package upload status

+To check the status of the GeoJSON package and retrieve its unique identifier (`udid`):

+1. Execute the following HTTP GET request that uses the status URL you copied as the last step in the previous section of this article. The request should look like the following URL:

+```http

+https://us.atlas.microsoft.com/mapData/operations/{operationId}?api-version=2.0&subscription-key={Your-Azure-Maps-Primary-Subscription-key}

+```

+1. Copy the value of the `Resource-Location` key in the response header, which is the `resource location URL`. The `resource location URL` contains the unique identifier (`udid`) of the GeoJSON package resource.

+### Create a dataset

+<!--

+A dataset is a collection of map features, such as buildings, levels, and rooms. To create a dataset from your GeoJSON, use the new [Dataset Create API][Dataset Create 2022-09-01-preview]. The Dataset Create API takes the `udid` you got in the previous section and returns the `datasetId` of the new dataset.

+-->

+A dataset is a collection of map features, such as buildings, levels, and rooms. To create a dataset from your GeoJSON, use the new create dataset API. The create dataset API takes the `udid` you got in the previous section and returns the `datasetId` of the new dataset.

+> [!IMPORTANT]

+> This is different from the [previous version][Dataset Create] in that it doesn't require a `conversionId` from a converted Drawing package.

+To create a dataset:

+1. Enter the following URL to the dataset service. The request should look like the following URL (replace {udid} with the `udid` obtained in [Check the GeoJSON package upload status](#check-the-geojson-package-upload-status) section):

+<!--1. Enter the following URL to the [Dataset service][Dataset Create 2022-09-01-preview]. The request should look like the following URL (replace {udid} with the `udid` obtained in [Check the GeoJSON package upload status](#check-the-geojson-package-upload-status) section):-->

+ ```http

+ https://us.atlas.microsoft.com/datasets?api-version=2022-09-01-preview&udid={udid}&subscription-key={Your-Azure-Maps-Primary-Subscription-key}

+ ```

+1. Copy the value of the `Operation-Location` key in the response header. The `Operation-Location` key is also known as the `status URL` and is required to check the status of the dataset creation process and to get the `datasetId`, which is required to create a tileset.

+### Check the dataset creation status

+To check the status of the dataset creation process and retrieve the `datasetId`:

+1. Enter the status URL you copied in [Create a dataset](#create-a-dataset). The request should look like the following URL:

+ ```http

+ https://us.atlas.microsoft.com/datasets/operations/{operationId}?api-version=2022-09-01-preview&subscription-key={Your-Azure-Maps-Primary-Subscription-key}

+ ```

+1. In the Header of the HTTP response, copy the value of the unique identifier contained in the `Resource-Location` key.

+ > `https://us.atlas.microsoft.com/datasets/**c9c15957-646c-13f2-611a-1ea7adc75174**?api-version=2022-09-01-preview`

+See [Next steps](#next-steps) for links to articles to help you complete your indoor map.

+## Add data to an existing dataset

+<!--

+Data can be added to an existing dataset by providing the `datasetId` parameter to the [dataset create API][Dataset Create 2022-09-01-preview] along with the unique identifier of the data you wish to add. The unique identifier can be either a `udid` or `conversionId`. This creates a new dataset consisting of the data (facilities) from both the existing dataset and the new data being imported. Once the new dataset has been created successfully, the old dataset can be deleted.

+-->

+Data can be added to an existing dataset by providing the `datasetId` parameter to the create dataset API along with the unique identifier of the data you wish to add. The unique identifier can be either a `udid` or `conversionId`. This creates a new dataset consisting of the data (facilities) from both the existing dataset and the new data being imported. Once the new dataset has been created successfully, the old dataset can be deleted.

+One thing to consider when adding to an existing dataset is how the feature IDs are created. If a dataset is created from a converted drawing package, the feature IDs are generated automatically. When a dataset is created from a GeoJSON package, feature IDs must be provided in the GeoJSON file. When appending to an existing dataset, the original dataset drives the way feature IDs are created. If the original dataset was created using a `udid`, it uses the IDs from the GeoJSON, and will continue to do so with all GeoJSON packages appended to that dataset in the future. If the dataset was created using a `conversionId`, IDs will be internally generated, and will continue to be internally generated with all GeoJSON packages appended to that dataset in the future.

+### Add to dataset created from a GeoJSON source

+If your original dataset was created from a GoeJSON source and you wish to add another facility created from a drawing package, you can append it to your existing dataset by referencing its `conversionId`, as demonstrated by this HTTP POST request:

+```http

+https://us.atlas.microsoft.com/datasets?api-version=2022-09-01-preview&conversionId={conversionId}&outputOntology=facility-2.0&datasetId={datasetId}

+```

+| Identifier | Description |

+|--|-|

+| conversionId | The ID returned when converting your drawing package. For more information, see [Convert a Drawing package][conversion]. |

+| datasetId | The dataset ID returned when creating the original dataset from a GeoJSON package). |

+<!--For more information, see [][].-->

+## Geojson zip package requirements

+The GeoJSON zip package consists of one or more [RFC 7946][RFC 7946] compliant GeoJSON files, one for each feature class, all in the root directory (subdirectories aren't supported), compressed with standard Zip compression and named using the `.ZIP` extension.

+Each feature class file must match its definition in the [Facility ontology 2.0][Facility ontology] and each feature must have a globally unique identifier.

+Feature IDs can only contain alpha-numeric (a-z, A-Z, 0-9), hyphen (-), dot (.) and underscore (_) characters.

+> [!TIP]

+> If you want to be certain you have a globally unique identifier (GUID), consider creating it by running a GUID generating tool such as the Guidgen.exe command line program (Available with [Visual Studio][Visual Studio]). Guidgen.exe never produces the same number twice, no matter how many times it is run or how many different machines it runs on.

+### Facility ontology 2.0 validations in the Dataset

+[Facility ontology][Facility ontology] defines how Azure Maps Creator internally stores facility data, divided into feature classes, in a Creator dataset. When importing a GeoJSON package, anytime a feature is added or modified, a series of validations run. This includes referential integrity checks as well as geometry and attribute validations. These validations are described in more detail below.

+- The maximum number of features that can be imported into a dataset at a time is 150,000.

+- The facility area can be between 4 and 4,000 Sq Km.

+- The top level element is [facility][facility], which defines each building in the file *facility.geojson*.

+- Each facility has one or more levels, which are defined in the file *levels.goejson*.

+ - Each level must be inside the facility.

+- Each [level][level] contain [units][unit], [structures][structure], [verticalPenetrations][verticalPenetration] and [openings][opening]. All of the items defined in the level must be fully contained within the Level geometry.

+ - `unit` can consist of an array of items such as hallways, offices and courtyards, which are defined by [area][areaElement], [line][lineElement] or [point][pointElement] elements. Units are defined in the file *unit.goejson*.

+ - All `unit` elements must be fully contained within their level and intersect with their children.

+ - `structure` defines physical, non-overlapping areas that can't be navigated through, such as a wall. Structures are defined in the file *structure.goejson*.

+ - `verticalPenetration` represents a method of navigating vertically between levels, such as stairs and elevators and are defined in the file *verticalPenetration.geojson*.

+ - verticalPenetrations can't intersect with other verticalPenetrations on the same level.

+ - `openings` define traversable boundaries between two units, or a `unit` and `verticalPenetration` and are defined in the file *opening.geojson*.

+ - Openings can't intersect with other openings on the same level.

+ - Every `opening` must be associated with at least one `verticalPenetration` or `unit`.

+## Next steps

+> [!div class="nextstepaction"]

+> [Create a tileset](tutorial-creator-indoor-maps.md#create-a-tileset)

+> [!div class="nextstepaction"]

+> [Query datasets with WFS API](tutorial-creator-wfs.md)

+> [!div class="nextstepaction"]

+> [Create a feature stateset](tutorial-creator-feature-stateset.md)

+[Contoso building sample]: https://github.com/Azure-Samples/am-creator-indoor-data-examples

+[unit]: creator-facility-ontology.md?pivots=facility-ontology-v2#unit

+[structure]: creator-facility-ontology.md?pivots=facility-ontology-v2#structure

+[level]: creator-facility-ontology.md?pivots=facility-ontology-v2#level

+[facility]: creator-facility-ontology.md?pivots=facility-ontology-v2#facility

+[verticalPenetration]: creator-facility-ontology.md?pivots=facility-ontology-v2#verticalpenetration

+[opening]: creator-facility-ontology.md?pivots=facility-ontology-v2#opening

+[areaElement]: creator-facility-ontology.md?pivots=facility-ontology-v2#areaelement

+[lineElement]: creator-facility-ontology.md?pivots=facility-ontology-v2#lineelement

+[pointElement]: creator-facility-ontology.md?pivots=facility-ontology-v2#pointelement

+[conversion]: tutorial-creator-indoor-maps.md#convert-a-drawing-package

+[Azure Maps account]: quick-demo-map-app.md#create-an-azure-maps-account

+[Creator resource]: how-to-manage-creator.md

+[Subscription key]: quick-demo-map-app.md#get-the-primary-key-for-your-account

+[Facility Ontology]: creator-facility-ontology.md?pivots=facility-ontology-v2

+[RFC 7946]: https://www.rfc-editor.org/rfc/rfc7946.html

+[dataset-concept]: creator-indoor-maps.md#datasets

+<!--[Dataset Create 2022-09-01-preview]: /rest/api/maps/v20220901preview/dataset/create-->

+[Visual Studio]: https://visualstudio.microsoft.com/downloads/

+> [!TIP]

+> You can also create a dataset from a GeoJSON package. For more information, see [Create a dataset using a GeoJson package (Preview)](how-to-dataset-geojson.md).

+- Azure Diagnostics Extension can be used only with Azure virtual machines. The Log Analytics agent can be used with virtual machines in Azure, other clouds, and on-premises.

+- Azure Diagnostics extension sends data to Azure Storage, [Azure Monitor Metrics](../essentials/data-platform-metrics.md) (Windows only) and Azure Event Hubs. The Log Analytics agent collects data to [Azure Monitor Logs](../logs/data-platform-logs.md).

+- The Log Analytics agent is required for retired [solutions](../insights/solutions.md), [VM insights](../vm/vminsights-overview.md), and other services such as [Microsoft Defender for Cloud](../../security-center/index.yml).

+* Use different [solutions](../insights/solutions.md) to monitor a particular service or application.

+For apps written by using [ASP.NET Core](asp-net-core.md#adding-telemetry-processors) or [WorkerService](worker-service.md#add-telemetry-processors), adding a new telemetry processor is done by using the `AddApplicationInsightsTelemetryProcessor` extension method on `IServiceCollection`, as shown. This method is called in the `ConfigureServices` method of your `Startup.cs` class.

+For apps written using [ASP.NET Core](asp-net-core.md#adding-telemetryinitializers) or [WorkerService](worker-service.md#add-telemetry-initializers), adding a new telemetry initializer is done by adding it to the Dependency Injection container, as shown. Accomplish this step in the `Startup.ConfigureServices` method.

+ Title: Monitor Azure App Service performance in .NET Core | Microsoft Docs

+description: Application performance monitoring for Azure App Service using ASP.NET Core. Chart load and response time, dependency information, and set alerts on performance.

+# Application monitoring for Azure App Service and ASP.NET Core

+Enabling monitoring on your ASP.NET Core-based web applications running on [Azure App Service](../../app-service/index.yml) is now easier than ever. Previously, you needed to manually instrument your app. Now, the latest extension/agent is built into the App Service image by default. This article walks you through enabling Azure Monitor Application Insights monitoring. It also provides preliminary guidance for automating the process for large-scale deployments.

+> Only .NET Core [Long Term Support](https://dotnet.microsoft.com/platform/support/policy/dotnet-core) is supported for auto-instrumentation on Windows.

+[Trim self-contained deployments](/dotnet/core/deploying/trimming/trim-self-contained) is *not supported*. Use [manual instrumentation](./asp-net-core.md) via code instead.

+> [!NOTE]

+> Auto-instrumentation used to be known as "codeless attach" before October 2021.

+See the following [Enable monitoring](#enable-monitoring) section to begin setting up Application Insights with your App Service resource.

+[Trim self-contained deployments](/dotnet/core/deploying/trimming/trim-self-contained) is *not supported*. Use [manual instrumentation](./asp-net-core.md) via code instead.

+> [!NOTE]

+> Linux auto-instrumentation App Service portal enablement is in public preview. These preview versions are provided without a service level agreement. Certain features might not be supported or might have constrained capabilities.

+See the following [Enable monitoring](#enable-monitoring) section to begin setting up Application Insights with your App Service resource.

+### Enable monitoring

+1. Select **Application Insights** in the left pane for your app service. Then select **Enable**.

+ :::image type="content"source="./media/azure-web-apps/enable.png" alt-text=" Screenshot that shows the Application Insights tab with Enable selected.":::

+1. Create a new resource or select an existing Application Insights resource for this application.

+ > When you select **OK** to create a new resource, you're prompted to **Apply monitoring settings**. Selecting **Continue** links your new Application Insights resource to your app service. Your app service then restarts.

+ :::image type="content"source="./media/azure-web-apps/change-resource.png" alt-text="Screenshot that shows the Change your resource dropdown.":::

+1. After you specify which resource to use, you can choose how you want Application Insights to collect data per platform for your application. ASP.NET Core collection options are **Recommended** or **Disabled**.

+ :::image type="content"source="./media/azure-web-apps-net-core/instrument-net-core.png" alt-text=" Screenshot that shows instrumenting your application section.":::

+Client-side monitoring is enabled by default for ASP.NET Core apps with **Recommended** collection, regardless of whether the app setting `APPINSIGHTS_JAVASCRIPT_ENABLED` is present.

+If you want to disable client-side monitoring:

+1. Select **Settings** > **Configuration**.

+1. Under **Application settings**, create a **New application setting** with the following information:

+ - **Name**: `APPINSIGHTS_JAVASCRIPT_ENABLED`

+ - **Value**: `false`

+1. **Save** the settings. Restart your app.

+To enable telemetry collection with Application Insights, only the application settings must be set.

+|XDT_MicrosoftApplicationInsights_PreemptSdk | For ASP.NET Core apps only. Enables Interop (interoperation) with the Application Insights SDK. Loads the extension side by side with the SDK and uses it to send telemetry. (Disables the Application Insights SDK.) |`1`|

+## Upgrade monitoring extension/agent - .NET

+To upgrade the monitoring extension/agent, follow the steps in the next sections.

+Starting with version 2.8.9, the preinstalled site extension is used. If you're using an earlier version, you can update via one of two ways:

+* [Upgrade by enabling via the portal](#enable-auto-instrumentation-monitoring): Even if you have the Application Insights extension for App Service installed, the UI shows only the **Enable** button. Behind the scenes, the old private site extension will be removed.

+ 1. Set the application settings to enable the preinstalled site extension `ApplicationInsightsAgent`. For more information, see [Enable through PowerShell](#enable-through-powershell).

+ 1. Manually remove the private site extension named **Application Insights extension for Azure App Service**.

+If the upgrade is done from a version prior to 2.5.1, check that the `ApplicationInsights` DLLs are removed from the application bin folder. For more information, see [Troubleshooting steps](#troubleshooting).

+> When you create a web app with the `ASP.NET Core` runtimes in App Service, it deploys a single static HTML page as a starter website. We *do not* recommend that you troubleshoot an issue with the default template. Deploy an application before you troubleshoot an issue.

+What follows is our step-by-step troubleshooting guide for extension/agent-based monitoring for ASP.NET Core-based applications running on App Service.

+1. Check that the `ApplicationInsightsAgent_EXTENSION_VERSION` app setting is set to a value of `~2`.

+1. Browse to `https://yoursitename.scm.azurewebsites.net/ApplicationInsights`.

+ :::image type="content"source="./media/azure-web-apps/app-insights-sdk-status.png" alt-text="Screenshot that shows the link above the results page."border ="false":::

+ - Confirm that **Application Insights Extension Status** is `Pre-Installed Site Extension, version 2.8.x.xxxx, is running.`

+ If it isn't running, follow the instructions in the section [Enable Application Insights monitoring](#enable-auto-instrumentation-monitoring).

+ - Confirm that the status source exists and looks like `Status source D:\home\LogFiles\ApplicationInsights\status\status_RD0003FF0317B6_4248_1.json`.

+ If a similar value isn't present, it means the application isn't currently running or isn't supported. To ensure that the application is running, try manually visiting the application URL/application endpoints, which will allow the runtime information to become available.

+ - Confirm that **IKeyExists** is `True`. If it's `False`, add `APPINSIGHTS_INSTRUMENTATIONKEY` and `APPLICATIONINSIGHTS_CONNECTION_STRING` with your ikey GUID to your application settings.

+ - If your application refers to any Application Insights packages, enabling the App Service integration might not take effect and the data might not appear in Application Insights. An example would be if you've previously instrumented, or attempted to instrument, your app with the [ASP.NET Core SDK](./asp-net-core.md). To fix the issue, in the portal, turn on **Interop with Application Insights SDK**. You'll start seeing the data in Application Insights.

+

+ > This functionality is in preview.

+ :::image type="content"source="./media/azure-web-apps-net-core/interop.png" alt-text=" Screenshot that shows the interop setting enabled.":::

+ The data will now be sent by using a codeless approach, even if the Application Insights SDK was originally used or attempted to be used.

+ > If the application used the Application Insights SDK to send any telemetry, the telemetry will be disabled. In other words, custom telemetry (for example, any `Track*()` methods) and custom settings (such as sampling) will be disabled.

+1. Check that the `ApplicationInsightsAgent_EXTENSION_VERSION` app setting is set to a value of `~2`.

+1. Browse to `https://your site name.scm.azurewebsites.net/ApplicationInsights`.

+ * The status source exists and looks like `Status source /var/log/applicationinsights/status_abcde1234567_89_0.json`.

+ * The value `Auto-Instrumentation enabled successfully` is displayed. If a similar value isn't present, it means the application isn't running or isn't supported. To ensure that the application is running, try manually visiting the application URL/application endpoints, which will allow the runtime information to become available.

+ * **IKeyExists** is `True`. If it's `False`, add `APPINSIGHTS_INSTRUMENTATIONKEY` and `APPLICATIONINSIGHTS_CONNECTION_STRING` with your ikey GUID to your application settings.

+ :::image type="content" source="media/azure-web-apps-net-core/auto-instrumentation-status.png" alt-text="Screenshot that shows the auto-instrumentation status webpage." lightbox="media/azure-web-apps-net-core/auto-instrumentation-status.png":::

+When you create a web app with the ASP.NET Core runtimes in App Service, it deploys a single static HTML page as a starter website. The static webpage also loads an ASP.NET-managed web part in IIS. This behavior allows for testing codeless server-side monitoring but doesn't support automatic client-side monitoring.

+If you want to test out codeless server and client-side monitoring for ASP.NET Core in an App Service web app, we recommend that you follow the official guides for [creating an ASP.NET Core web app](../../app-service/quickstart-dotnetcore.md). Then use the instructions in the current article to enable monitoring.

+PHP and WordPress sites aren't supported. There's currently no officially supported SDK/agent for server-side monitoring of these workloads. To manually instrument client-side transactions on a PHP or WordPress site by adding the client-side JavaScript to your webpages, use the [JavaScript SDK](./javascript.md).

+The following table provides an explanation of what these values mean, their underlying causes, and recommended fixes.

+|Problem value |Explanation |Fix |

+| `AppAlreadyInstrumented:true` | This value indicates that the extension detected that some aspect of the SDK is already present in the application and will back off. It can be because of a reference to `Microsoft.ApplicationInsights.AspNetCore` or `Microsoft.ApplicationInsights`. | Remove the references. Some of these references are added by default from certain Visual Studio templates. Older versions of Visual Studio reference `Microsoft.ApplicationInsights`. |

+|`AppAlreadyInstrumented:true` | This value can also be caused by the presence of `Microsoft.ApplicationsInsights` DLL in the app folder from a previous deployment. | Clean the app folder to ensure that these DLLs are removed. Check both your local app's bin directory and the *wwwroot* directory on the App Service. (To check the wwwroot directory of your App Service web app, select **Advanced Tools (Kudu**) > **Debug console** > **CMD** > **home\site\wwwroot**). |

+|`IKeyExists:false`|This value indicates that the instrumentation key isn't present in the app setting `APPINSIGHTS_INSTRUMENTATIONKEY`. Possible causes include accidentally removing the values or forgetting to set the values in automation script. | Make sure the setting is present in the App Service application settings. |

+For the latest updates and bug fixes, see the [Release notes](web-app-extension-release-notes.md).

+* [Run the Profiler on your live app](./profiler.md).

+* Use [Application Insights for JavaScript apps and webpages](javascript.md) to get client telemetry from the browsers that visit a webpage.

+ Title: Application Insights telemetry data model | Microsoft Docs

+description: This article presents an overview of the Application Insights telemetry data model.

+[Application Insights](./app-insights-overview.md) sends telemetry from your web application to the Azure portal so that you can analyze the performance and usage of your application. The telemetry model is standardized, so it's possible to create platform and language-independent monitoring.

+Data collected by Application Insights models this typical application execution pattern.

+

+The following types of telemetry are used to monitor the execution of your app. Three types are automatically collected by the Application Insights SDK from the web application framework:

+* [Request](data-model-request-telemetry.md): Generated to log a request received by your app. For example, the Application Insights web SDK automatically generates a Request telemetry item for each HTTP request that your web app receives.

+ An *operation* is made up of the threads of execution that process a request. You can also [write code](./api-custom-events-metrics.md#trackrequest) to monitor other types of operation, such as a "wake up" in a web job or function that periodically processes data. Each operation has an ID. The ID can be used to [group](./correlation.md) all telemetry generated while your app is processing the request. Each operation either succeeds or fails and has a duration of time.

+* [Exception](data-model-exception-telemetry.md): Typically represents an exception that causes an operation to fail.

+* [Dependency](data-model-dependency-telemetry.md): Represents a call from your app to an external service or storage, such as a REST API or SQL. In ASP.NET, dependency calls to SQL are defined by `System.Data`. Calls to HTTP endpoints are defined by `System.Net`.

+Application Insights provides three data types for custom telemetry:

+* [Trace](data-model-trace-telemetry.md): Used either directly or through an adapter to implement diagnostics logging by using an instrumentation framework that's familiar to you, such as `Log4Net` or `System.Diagnostics`.

+* [Event](data-model-event-telemetry.md): Typically used to capture user interaction with your service to analyze usage patterns.

+* [Metric](data-model-metric-telemetry.md): Used to report periodic scalar measurements.

+Every telemetry item can define the [context information](data-model-context.md) like application version or user session ID. Context is a set of strongly typed fields that unblocks certain scenarios. When application version is properly initialized, Application Insights can detect new patterns in application behavior correlated with redeployment.

+You can use session ID to calculate an outage or an issue impact on users. Calculating the distinct count of session ID values for a specific failed dependency, error trace, or critical exception gives you a good understanding of an impact.

+The Application Insights telemetry model defines a way to [correlate](./correlation.md) telemetry to the operation of which it's a part. For example, a request can make a SQL Database call and record diagnostics information. You can set the correlation context for those telemetry items that tie it back to the request telemetry.

+The Application Insights data model is a basic yet powerful way to model your application telemetry. We strive to keep the model simple and slim to support essential scenarios and allow the schema to be extended for advanced use.

+To report data model or schema problems and suggestions, use our [GitHub repository](https://github.com/microsoft/ApplicationInsights-dotnet/issues/new/choose).

+- [Write custom telemetry](./api-custom-events-metrics.md).

+- Use [sampling](./sampling.md) to minimize the amount of telemetry based on data model.

+The following example shows how to add/remove counters. This customization would be done in the `ConfigureServices` method of your application after Application Insights telemetry collection is enabled using either `AddApplicationInsightsTelemetry()` or `AddApplicationInsightsWorkerService()`. Following is an example code from an ASP.NET Core application. For other type of applications, refer to [this](worker-service.md#configure-or-remove-default-telemetry-modules) document.

+description: Export diagnostic and usage data to storage in Azure and download it from there.

+Do you want to keep your telemetry for longer than the standard retention period? Or do you want to process it in some specialized way? Continuous export is ideal for this purpose. The events you see in the Application Insights portal can be exported to storage in Azure in JSON format. From there, you can download your data and write whatever code you need to process it.

+> * When you [migrate to a workspace-based Application Insights resource](convert-classic-resource.md), you must use [diagnostic settings](#diagnostic-settings-based-export) for exporting telemetry. All [workspace-based Application Insights resources](./create-workspace-resource.md) must use [diagnostic settings](./create-workspace-resource.md#export-telemetry).

+> * Diagnostic settings export might increase costs. For more information, see [Diagnostic settings-based export](export-telemetry.md#diagnostic-settings-based-export).

+* The **Export** button at the top of a metrics or search tab lets you transfer tables and charts to an Excel spreadsheet.

+* [Log Analytics](../logs/log-query-overview.md) provides a powerful query language for telemetry. It can also export results.

+* If you're looking to [explore your data in Power BI](../logs/log-powerbi.md), you can do that without using continuous export if you've [migrated to a workspace-based resource](convert-classic-resource.md).

+* The [Data Access REST API](https://dev.applicationinsights.io/) lets you access your telemetry programmatically.

+* You can also access setup for [continuous export via PowerShell](/powershell/module/az.applicationinsights/new-azapplicationinsightscontinuousexport).

+After continuous export copies your data to storage, where it can stay as long as you like, it's still available in Application Insights for the usual [retention period](./data-retention-privacy.md).

+## Supported regions

+Continuous export is supported in the following regions:

+> Continuous export will continue to work for applications in East US and West Europe if the export was configured before February 23, 2021. New continuous export rules can't be configured on any application in East US or West Europe, no matter when the application was created.

+## Continuous export advanced storage configuration

+Continuous export *doesn't support* the following Azure Storage features or configurations:

+* Use of [Azure Virtual Network/Azure Storage firewalls](../../storage/common/storage-network-security.md) with Azure Blob Storage.

+## <a name="setup"></a> Create a continuous export

+> An application can't export more than 3 TB of data per day. If more than 3 TB per day is exported, the export will be disabled. To export without a limit, use [diagnostic settings-based export](#diagnostic-settings-based-export).

+1. In the Application Insights resource for your app under **Configure** on the left, open **Continuous export** and select **Add**.

+1. Choose the telemetry data types you want to export.

+1. Create or select an [Azure Storage account](../../storage/common/storage-introduction.md) where you want to store the data. For more information on storage pricing options, see the [Pricing page](https://azure.microsoft.com/pricing/details/storage/).

+ Select **Add** > **Export destination** > **Storage account**. Then either create a new store or choose an existing store.

+ > By default, the storage location will be set to the same geographical region as your Application Insights resource. If you store in a different region, you might incur transfer charges.

+1. Create or select a container in the storage.

+> After you've created your export, newly ingested data will begin to flow to Azure Blob Storage. Continuous export only transmits new telemetry that's created or ingested after continuous export was enabled. Any data that existed prior to enabling continuous export won't be exported. There's no supported way to retroactively export previously created data by using continuous export.

+After the first export is finished, you'll find the following structure in your Blob Storage container. (This structure varies depending on the data you're collecting.)

+| [Event](export-data-model.md#events) | Custom events generated by [TrackEvent()](./api-custom-events-metrics.md#trackevent).

+### Edit continuous export

+Select **Continuous export** and select the storage account to edit.

+### Stop continuous export

+To stop the export, select **Disable**. When you select **Enable** again, the export restarts with new data. You won't get the data that arrived in the portal while export was disabled.

+To add or change exports, you need Owner, Contributor, or Application Insights Contributor access rights. [Learn about roles][roles].

+> If your application sends a lot of data, the sampling feature might operate and send only a fraction of the generated telemetry. [Learn more about sampling.](./sampling.md)

+You can inspect the storage directly in the portal. Select **Home** on the leftmost menu. At the top where it says **Azure services**, select **Storage accounts**. Select the storage account name, and on the **Overview** page select **Services** > **Blobs**. Finally, select the container name.

+To inspect Azure Storage in Visual Studio, select **View** > **Cloud Explorer**. If you don't have that menu command, you need to install the Azure SDK. Open the **New Project** dialog, expand **Visual C#/Cloud**, and select **Get Microsoft Azure SDK for .NET**.

+When you open your blob store, you'll see a container with a set of blob files. You'll see the URI of each file derived from your Application Insights resource name, its instrumentation key, and telemetry type, date, and time. The resource name is all lowercase, and the instrumentation key omits dashes.

+

+The date and time are UTC and are when the telemetry was deposited in the store, not the time it was generated. For this reason, if you write code to download the data, it can move linearly through the data.

+Where:

+* `blobCreationTimeUtc` is the time when the blob was created in the internal staging storage.

+* `blobDeliveryTimeUtc` is the time when the blob is copied to the export destination storage.

+The data is formatted so that:

+* Each blob is a text file that contains multiple `\n`-separated rows. It contains the telemetry processed over a time period of roughly half a minute.

+* Each row represents a telemetry data point, such as a request or page view.

+* Each row is an unformatted JSON document. If you want to view the rows, open the blob in Visual Studio and select **Edit** > **Advanced** > **Format File**.

+ 

+For a detailed data model reference for the property types and values, see [Application Insights export data model](export-data-model.md).

+## Process the data

+On a small scale, you can write some code to pull apart your data and read it into a spreadsheet. For example:

+For a larger code sample, see [Using a worker role][exportasa].

+You're responsible for managing your storage capacity and deleting old data, if necessary.

+## Regenerate your storage key

+Select the **Continuous Export** tab and edit your export. Edit the**Export Destination** value, but leave the same storage selected. Select **OK** to confirm.

+Continuous export will restart.

+For export samples, see:

+On larger scales, consider [HDInsight](https://azure.microsoft.com/services/hdinsight/) Hadoop clusters in the cloud. HDInsight provides various technologies for managing and analyzing big data. You can use it to process data that's been exported from Application Insights.

+This section provides answers to common questions.

+### Can I get a one-time download of a chart?

+You can do that. At the top of the tab, select **Export Data**.

+### I set up an export, but why is there no data in my store?

+Did Application Insights receive any telemetry from your app since you set up the export? You'll only receive new data.

+### I tried to set up an export, but why was I denied access?

+If the account is owned by your organization, you have to be a member of the Owners or Contributors groups.

+### Can I export straight to my own on-premises store?

+No. Our export engine currently only works with Azure Storage at this time.

+### Is there any limit to the amount of data you put in my store?

+No. We'll keep pushing data in until you delete the export. We'll stop if we hit the outer limits for Blob Storage, but that limit is huge. It's up to you to control how much storage you use.

+### How many blobs should I see in the storage?

+ * For every data type you selected to export, a new blob is created every minute, if data is available.

+ * For applications with high traffic, extra partition units are allocated. In this case, each unit creates a blob every minute.

+### I regenerated the key to my storage, or changed the name of the container, but why doesn't the export work?

+Edit the export and select the **Export destination** tab. Leave the same storage selected as before, and select **OK** to confirm. Export will restart. If the change was within the past few days, you won't lose data.

+### Can I pause the export?

+Yes. Select **Disable**.

+* [Export to SQL by using Stream Analytics][exportasa]

+* [Detailed data model reference for property types and values](export-data-model.md)

+## Diagnostic settings-based export

+Diagnostic settings export is preferred because it provides extra features:

+ > * Azure Storage accounts with virtual networks, firewalls, and private links.

+ > * Export to Azure Event Hubs.

+ > Extra costs might be incurred because of an increase in calls to the destination, such as a storage account.

+1. [Migrate application to workspace based](convert-classic-resource.md).

+1. [Enable diagnostic settings export](create-workspace-resource.md#export-telemetry). Select **Diagnostic settings** > **Add diagnostic setting** from within your Application Insights resource.

+> If you want to store diagnostic logs in a Log Analytics workspace, there are two points to consider to avoid seeing duplicate data in Application Insights:

+>

+> * The Application Insights user can't have access to both workspaces. Set the Log Analytics [access control mode](../logs/log-analytics-workspace-overview.md#permissions) to **Requires workspace permissions**. Through [Azure role-based access control](./resources-roles-access-control.md), ensure the user only has access to the Log Analytics workspace the Application Insights resource is based on.

+>

+> These steps are necessary because Application Insights accesses telemetry across Application Insight resources, including Log Analytics workspaces, to provide complete end-to-end transaction operations and accurate application maps. Because diagnostic logs use the same table names, duplicate telemetry can be displayed if the user has access to multiple resources that contain the same data.

+[roles]: ./resources-roles-access-control.md

+ Title: Application Insights IP address collection | Microsoft Docs

+By default, IP addresses are temporarily collected but not stored in Application Insights. This process follows some basic steps.

+When telemetry is sent to Azure, Application Insights uses the IP address to do a geolocation lookup. Application Insights uses the results of this lookup to populate the fields `client_City`, `client_StateOrProvince`, and `client_CountryOrRegion`. The address is then discarded, and `0.0.0.0` is written to the `client_IP` field.

+To remove geolocation data, see the following articles:

+* **Browser telemetry**: Application Insights collects the sender's IP address. The ingestion endpoint calculates the IP address.

+* **Server telemetry**: The Application Insights telemetry module temporarily collects the client IP address. The IP address isn't collected locally when the `X-Forwarded-For` header is set. When the incoming IP address list has more than one item, the last IP address is used to populate geolocation fields.

+This behavior is by design to help avoid unnecessary collection of personal data and IP address location information. Whenever possible, we recommend avoiding the collection of personal data.

+> Although the default is to not collect IP addresses, you can override this behavior. We recommend verifying that the collection doesn't break any compliance requirements or local regulations.

+> To learn more about handling personal data in Application Insights, see [Guidance for personal data](../logs/personal-data-mgmt.md).

+When IP addresses aren't collected, city and other geolocation attributes populated by our pipeline by using the IP address also aren't collected. You can mask IP collection at the source. There are two ways to do it. You can:

+* Remove the client IP initializer. For more information, see [Configuration with Applications Insights Configuration](configuration-with-applicationinsights-config.md).

+* Provide your own custom initializer. For more information, see an [API filtering example](api-filtering-sampling.md).

+To enable IP collection and storage, the `DisableIpMasking` property of the Application Insights component must be set to `true`. You can set this property through Azure Resource Manager templates (ARM templates) or by calling the REST API.

+### ARM template

+If you need to modify the behavior for only a single Application Insights resource, use the Azure portal.

+1. Go to your Application Insights resource, and then select **Automation** > **Export template**.

+1. Select **Deploy**.

+ 

+1. Select **Edit template**.

+ 

+ > If you experience the error shown in the preceding screenshot, you can resolve it. It states: "The resource group is in a location that is not supported by one or more resources in the template. Please choose a different resource group." Temporarily select a different resource group from the dropdown list and then re-select your original resource group.

+1. In the JSON template, locate `properties` inside `resources`. Add a comma to the last JSON field, and then add the following new line: `"DisableIpMasking": true`. Then select **Save**.

+1. Select **Review + create** > **Create**.

+1. After the deployment is complete, new telemetry data will be recorded.

+ A list of properties is returned as a result. One of the properties should read `DisableIpMasking: true`. If you run the PowerShell commands before you deploy the new property with Azure Resource Manager, the property won't exist.

+The following [REST API](/rest/api/azure/) payload makes the same modifications:

+If you need a more flexible alternative than `DisableIpMasking`, you can use a [telemetry initializer](./api-filtering-sampling.md#addmodify-properties-itelemetryinitializer) to copy all or part of the IP address to a custom field.

+Unlike the server-side SDKs, the client-side JavaScript SDK doesn't calculate an IP address. By default, IP address calculation for client-side telemetry occurs at the ingestion endpoint in Azure.

+If you want to calculate the IP address directly on the client side, you need to add your own custom logic and use the result to set the `ai.location.ip` tag. When `ai.location.ip` is set, the ingestion endpoint doesn't perform IP address calculation, and the provided IP address is used for the geolocation lookup. In this scenario, the IP address is still zeroed out by default.

+To keep the entire IP address calculated from your custom logic, you could use a telemetry initializer that would copy the IP address data that you provided in `ai.location.ip` to a separate custom field. But again, unlike the server-side SDKs, the client-side SDK won't calculate the address for you if it can't rely on third-party libraries or your own custom logic.

+If client-side data traverses a proxy before forwarding to the ingestion endpoint, IP address calculation might show the IP address of the proxy and not the client.

+Newly collected IP addresses will appear in the `customDimensions_client-ip` column. The default `client-ip` column will still have all four octets zeroed out.

+* Learn more about how [IP address collection](https://apmtips.com/posts/2016-07-05-client-ip-address/) works in Application Insights. This article is an older external blog post written by one of our engineers. It predates the current default behavior where the IP address is recorded as `0.0.0.0`. The article goes into greater depth on the mechanics of the built-in telemetry initializer.

+More information on configuring WorkerService applications can be found in our guidance on [configuring telemetry modules in WorkerServices](./worker-service.md#configure-or-remove-default-telemetry-modules).

+ASP.NET Core applications may be configured in code or through the `appsettings.json` file. For more information, see [Configuration in ASP.NET Core](https://learn.microsoft.com/aspnet/core/fundamentals/configuration).

+[Application Insights SDK for Worker Service](https://www.nuget.org/packages/Microsoft.ApplicationInsights.WorkerService) is a new SDK, which is best suited for non-HTTP workloads like messaging, background tasks, and console applications. These types of applications don't have the notion of an incoming HTTP request like a traditional ASP.NET/ASP.NET Core web application. For this reason, using Application Insights packages for [ASP.NET](asp-net.md) or [ASP.NET Core](asp-net-core.md) applications isn't supported.

+The new SDK doesn't do any telemetry collection by itself. Instead, it brings in other well-known Application Insights auto collectors like [DependencyCollector](https://www.nuget.org/packages/Microsoft.ApplicationInsights.DependencyCollector/), [PerfCounterCollector](https://www.nuget.org/packages/Microsoft.ApplicationInsights.PerfCounterCollector/), and [ApplicationInsightsLoggingProvider](https://www.nuget.org/packages/Microsoft.Extensions.Logging.ApplicationInsights). This SDK exposes extension methods on `IServiceCollection` to enable and configure telemetry collection.

+The [Application Insights SDK for Worker Service](https://www.nuget.org/packages/Microsoft.ApplicationInsights.WorkerService) is best suited for non-HTTP applications no matter where or how they run. If your application is running and has network connectivity to Azure, telemetry can be collected. Application Insights monitoring is supported everywhere .NET Core is supported. This package can be used in the newly introduced [.NET Core Worker Service](https://devblogs.microsoft.com/aspnet/dotnet-core-workers-in-azure-container-instances), [background tasks in ASP.NET Core](/aspnet/core/fundamentals/host/hosted-services), and console apps like .NET Core and .NET Framework.

+You must have a valid Application Insights connection string. This string is required to send any telemetry to Application Insights. If you need to create a new Application Insights resource to get a connection string, see [Create an Application Insights resource](./create-new-resource.md).

+## Use Application Insights SDK for Worker Service

+ The following snippet shows the changes that must be added to your project's `.csproj` file:

+

+ ```xml

+ <ItemGroup>

+ <PackageReference Include="Microsoft.ApplicationInsights.WorkerService" Version="2.13.1" />

+ </ItemGroup>

+ ```

+1. Configure the connection string in the `APPLICATIONINSIGHTS_CONNECTION_STRING` environment variable or in configuration (`appsettings.json`).

+ :::image type="content" source="media/migrate-from-instrumentation-keys-to-connection-strings/migrate-from-instrumentation-keys-to-connection-strings.png" alt-text="Screenshot displaying Application Insights overview and connection string." lightbox="media/migrate-from-instrumentation-keys-to-connection-strings/migrate-from-instrumentation-keys-to-connection-strings.png":::

+1. Retrieve an `ILogger` instance or `TelemetryClient` instance from the Dependency Injection (DI) container by calling `serviceProvider.GetRequiredService<TelemetryClient>();` or by using Constructor Injection. This step will trigger setting up of `TelemetryConfiguration` and auto-collection modules.

+## .NET Core LTS Worker Service application

+The full example is shared at the [NuGet website](https://github.com/microsoft/ApplicationInsights-dotnet/tree/develop/examples/WorkerService).

+1. Download and install .NET Core [Long Term Support (LTS)](https://dotnet.microsoft.com/platform/support/policy/dotnet-core).

+1. Create a new Worker Service project either by using a Visual Studio new project template or the command line `dotnet new worker`.

+1. Install the [Microsoft.ApplicationInsights.WorkerService](https://www.nuget.org/packages/Microsoft.ApplicationInsights.WorkerService) package to the application.

+1. Add `services.AddApplicationInsightsTelemetryWorkerService();` to the `CreateHostBuilder()` method in your `Program.cs` class, as in this example:

+ ```csharp

+ public static IHostBuilder CreateHostBuilder(string[] args) =>

+ Host.CreateDefaultBuilder(args)

+ .ConfigureServices((hostContext, services) =>

+ {

+ services.AddHostedService<Worker>();

+ services.AddApplicationInsightsTelemetryWorkerService();

+ });

+ ```

+1. Modify your `Worker.cs` as per the following example:

+ ```csharp

+ using Microsoft.ApplicationInsights;

+ using Microsoft.ApplicationInsights.DataContracts;

+

+ public class Worker : BackgroundService

+ private readonly ILogger<Worker> _logger;

+ private TelemetryClient _telemetryClient;

+ private static HttpClient _httpClient = new HttpClient();

+

+ public Worker(ILogger<Worker> logger, TelemetryClient tc)

+ _logger = logger;

+ _telemetryClient = tc;

+ }

+

+ protected override async Task ExecuteAsync(CancellationToken stoppingToken)

+ {

+ while (!stoppingToken.IsCancellationRequested)

+ _logger.LogInformation("Worker running at: {time}", DateTimeOffset.Now);

+

+ using (_telemetryClient.StartOperation<RequestTelemetry>("operation"))

+ {

+ _logger.LogWarning("A sample warning message. By default, logs with severity Warning or higher is captured by Application Insights");

+ _logger.LogInformation("Calling bing.com");

+ var res = await _httpClient.GetAsync("https://bing.com");

+ _logger.LogInformation("Calling bing completed with status:" + res.StatusCode);

+ _telemetryClient.TrackEvent("Bing call event completed");

+ }

+

+ await Task.Delay(1000, stoppingToken);

+ ```

+1. Set up the connection string.

+ :::image type="content" source="media/migrate-from-instrumentation-keys-to-connection-strings/migrate-from-instrumentation-keys-to-connection-strings.png" alt-text="Screenshot that shows Application Insights overview and connection string." lightbox="media/migrate-from-instrumentation-keys-to-connection-strings/migrate-from-instrumentation-keys-to-connection-strings.png":::

+ > [!NOTE]

+ > We recommend that you specify the connection string in configuration. The following code sample shows how to specify a connection string in `appsettings.json`. Make sure `appsettings.json` is copied to the application root folder during publishing.

+ ```json

+ "ApplicationInsights":

+ {

+ "ConnectionString" : "InstrumentationKey=00000000-0000-0000-0000-000000000000;"

+ },

+ "Logging":

+ "LogLevel":

+ {

+ "Default": "Warning"

+ }

+ ```

+Typically, `APPLICATIONINSIGHTS_CONNECTION_STRING` specifies the connection string for applications deployed to web apps as web jobs.

+[This document](/aspnet/core/fundamentals/host/hosted-services?tabs=visual-studio) describes how to create background tasks in an ASP.NET Core application.

+The full example is shared at this [GitHub page](https://github.com/microsoft/ApplicationInsights-dotnet/tree/develop/examples/BackgroundTasksWithHostedService).

+1. Add `services.AddApplicationInsightsTelemetryWorkerService();` to the `ConfigureServices()` method, as in this example:

+ ```csharp

+ public static async Task Main(string[] args)

+ var host = new HostBuilder()

+ .ConfigureAppConfiguration((hostContext, config) =>

+ {

+ config.AddJsonFile("appsettings.json", optional: true);

+ })

+ .ConfigureServices((hostContext, services) =>

+ {

+ services.AddLogging();

+ services.AddHostedService<TimedHostedService>();

+

+ // connection string is read automatically from appsettings.json

+ services.AddApplicationInsightsTelemetryWorkerService();

+ })

+ .UseConsoleLifetime()

+ .Build();

+

+ using (host)

+ {

+ // Start the host

+ await host.StartAsync();

+

+ // Wait for the host to shutdown

+ await host.WaitForShutdownAsync();

+ }

+ ```

+ The following code is for `TimedHostedService`, where the background task logic resides:

+ ```csharp

+ using Microsoft.ApplicationInsights;

+ using Microsoft.ApplicationInsights.DataContracts;

+

+ public class TimedHostedService : IHostedService, IDisposable

+ private readonly ILogger _logger;

+ private Timer _timer;

+ private TelemetryClient _telemetryClient;

+ private static HttpClient httpClient = new HttpClient();

+

+ public TimedHostedService(ILogger<TimedHostedService> logger, TelemetryClient tc)

+ {

+ _logger = logger;

+ this._telemetryClient = tc;

+ }

+

+ public Task StartAsync(CancellationToken cancellationToken)

+ {

+ _logger.LogInformation("Timed Background Service is starting.");

+

+ _timer = new Timer(DoWork, null, TimeSpan.Zero,

+ TimeSpan.FromSeconds(1));

+

+ return Task.CompletedTask;

+ }

+

+ private void DoWork(object state)

+ _logger.LogInformation("Worker running at: {time}", DateTimeOffset.Now);

+

+ using (_telemetryClient.StartOperation<RequestTelemetry>("operation"))

+ {

+ _logger.LogWarning("A sample warning message. By default, logs with severity Warning or higher is captured by Application Insights");

+ _logger.LogInformation("Calling bing.com");

+ var res = httpClient.GetAsync("https://bing.com").GetAwaiter().GetResult();

+ _logger.LogInformation("Calling bing completed with status:" + res.StatusCode);

+ _telemetryClient.TrackEvent("Bing call event completed");

+ }

+ ```

+1. Set up the connection string.

+ Use the same `appsettings.json` from the preceding .NET Core [LTS](https://dotnet.microsoft.com/platform/support/policy/dotnet-core) Worker Service example.

+## .NET Core/.NET Framework console application

+As mentioned in the beginning of this article, the new package can be used to enable Application Insights telemetry from even a regular console application. This package targets [`NetStandard2.0`](/dotnet/standard/net-standard), so it can be used for console apps in .NET Core [LTS](https://dotnet.microsoft.com/platform/support/policy/dotnet-core) or higher, and .NET Framework [LTS](https://dotnet.microsoft.com/platform/support/policy/dotnet-core) or higher.

+The full example is shared at this [GitHub page](https://github.com/microsoft/ApplicationInsights-dotnet/tree/develop/examples/ConsoleApp).

+1. Modify *Program.cs* as shown in the following example:

+ ```csharp

+ using Microsoft.ApplicationInsights;

+ using Microsoft.ApplicationInsights.DataContracts;

+ using Microsoft.Extensions.DependencyInjection;

+ using Microsoft.Extensions.Logging;

+ using System;

+ using System.Net.Http;

+ using System.Threading.Tasks;

+

+ namespace WorkerSDKOnConsole

+ class Program

+ static async Task Main(string[] args)

+ // Create the DI container.

+ IServiceCollection services = new ServiceCollection();

+

+ // Being a regular console app, there is no appsettings.json or configuration providers enabled by default.

+ // Hence instrumentation key/ connection string and any changes to default logging level must be specified here.

+ services.AddLogging(loggingBuilder => loggingBuilder.AddFilter<Microsoft.Extensions.Logging.ApplicationInsights.ApplicationInsightsLoggerProvider>("Category", LogLevel.Information));

+ services.AddApplicationInsightsTelemetryWorkerService("instrumentation key here");

+

+ // To pass a connection string

+ // - aiserviceoptions must be created

+ // - set connectionstring on it

+ // - pass it to AddApplicationInsightsTelemetryWorkerService()

+

+ // Build ServiceProvider.

+ IServiceProvider serviceProvider = services.BuildServiceProvider();

+

+ // Obtain logger instance from DI.

+ ILogger<Program> logger = serviceProvider.GetRequiredService<ILogger<Program>>();

+

+ // Obtain TelemetryClient instance from DI, for additional manual tracking or to flush.

+ var telemetryClient = serviceProvider.GetRequiredService<TelemetryClient>();

+

+ var httpClient = new HttpClient();

+

+ while (true) // This app runs indefinitely. Replace with actual application termination logic.

+ logger.LogInformation("Worker running at: {time}", DateTimeOffset.Now);

+

+ // Replace with a name which makes sense for this operation.

+ using (telemetryClient.StartOperation<RequestTelemetry>("operation"))

+ {

+ logger.LogWarning("A sample warning message. By default, logs with severity Warning or higher is captured by Application Insights");

+ logger.LogInformation("Calling bing.com");

+ var res = await httpClient.GetAsync("https://bing.com");

+ logger.LogInformation("Calling bing completed with status:" + res.StatusCode);

+ telemetryClient.TrackEvent("Bing call event completed");

+ }

+

+ await Task.Delay(1000);

+

+ // Explicitly call Flush() followed by sleep is required in console apps.

+ // This is to ensure that even if application terminates, telemetry is sent to the back-end.

+ telemetryClient.Flush();

+ Task.Delay(5000).Wait();

+ ```

+This console application also uses the same default `TelemetryConfiguration`. It can be customized in the same way as the examples in earlier sections.

+Run your application. The workers from all the preceding examples make an HTTP call every second to bing.com and also emit few logs by using `ILogger`. These lines are wrapped inside the `StartOperation` call of `TelemetryClient`, which is used to create an operation. In this example, `RequestTelemetry` is named "operation."

+Application Insights collects these ILogger logs, with a severity of Warning or above by default, and dependencies. They're correlated to `RequestTelemetry` with a parent-child relationship. Correlation also works across process/network boundaries. For example, if the call was made to another monitored component, it's correlated to this parent as well.

+This custom operation of `RequestTelemetry` can be thought of as the equivalent of an incoming web request in a typical web application. It isn't necessary to use an operation, but it fits best with the [Application Insights correlation data model](./correlation.md). `RequestTelemetry` acts as the parent operation and every telemetry generated inside the worker iteration is treated as logically belonging to the same operation.

+This approach also ensures all the telemetry generated, both automatic and manual, will have the same `operation_id`. Because sampling is based on `operation_id`, the sampling algorithm either keeps or drops all the telemetry from a single iteration.

+The following sections list the full telemetry automatically collected by Application Insights.

+[Live Metrics](./live-stream.md) can be used to quickly verify if Application Insights monitoring is configured correctly. Although it might take a few minutes before telemetry appears in the portal and analytics, Live Metrics shows CPU usage of the running process in near real time. It can also show other telemetry like Requests, Dependencies, and Traces.

+Logs emitted via `ILogger` with the severity Warning or greater are automatically captured. Follow [ILogger docs](ilogger.md#logging-level) to customize which log levels are captured by Application Insights.

+Dependency collection is enabled by default. The article [Dependency tracking in Application Insights](asp-net-dependencies.md#automatically-tracked-dependencies) explains the dependencies that are automatically collected and also contains steps to do manual tracking.

+`EventCounterCollectionModule` is enabled by default, and it will collect a default set of counters from .NET Core [LTS](https://dotnet.microsoft.com/platform/support/policy/dotnet-core) apps. The [EventCounter](eventcounters.md) tutorial lists the default set of counters collected. It also has instructions on how to customize the list.

+### Manually track other telemetry

+Although the SDK automatically collects telemetry as explained, in most cases, you'll need to send other telemetry to Application Insights. The recommended way to track other telemetry is by obtaining an instance of `TelemetryClient` from Dependency Injection and then calling one of the supported `TrackXXX()` [API](api-custom-events-metrics.md) methods on it. Another typical use case is [custom tracking of operations](custom-operations-tracking.md). This approach is demonstrated in the preceding worker examples.

+The default `TelemetryConfiguration` used by the Worker Service SDK is similar to the automatic configuration used in an ASP.NET or ASP.NET Core application, minus the telemetry initializers used to enrich telemetry from `HttpContext`.

+You can customize the Application Insights SDK for Worker Service to change the default configuration. Users of the Application Insights ASP.NET Core SDK might be familiar with changing configuration by using ASP.NET Core built-in [dependency injection](/aspnet/core/fundamentals/dependency-injection). The Worker Service SDK is also based on similar principles. Make almost all configuration changes in the `ConfigureServices()` section by calling appropriate methods on `IServiceCollection`, as detailed in the next section.

+> When you use this SDK, changing configuration by modifying `TelemetryConfiguration.Active` isn't supported and changes won't be reflected.

+### Use ApplicationInsightsServiceOptions

+The following table lists commonly used settings in `ApplicationInsightsServiceOptions`.

+|EnableQuickPulseMetricStream | Enable/Disable the Live Metrics feature. | True

+|EnableAdaptiveSampling | Enable/Disable Adaptive Sampling. | True

+|EnableHeartbeat | Enable/Disable the Heartbeats feature, which periodically (15-min default) sends a custom metric named "HeartBeatState" with information about the runtime like .NET version and Azure environment, if applicable. | True

+|AddAutoCollectedMetricExtractor | Enable/Disable the AutoCollectedMetrics extractor, which is a telemetry processor that sends pre-aggregated metrics about Requests/Dependencies before sampling takes place. | True

+|EnableDiagnosticsTelemetryModule | Enable/Disable `DiagnosticsTelemetryModule`. Disabling this setting will cause the following settings to be ignored: `EnableHeartbeat`, `EnableAzureInstanceMetadataTelemetryModule`, and `EnableAppServicesHeartbeatTelemetryModule`. | True

+For the most up-to-date list, see the [configurable settings in `ApplicationInsightsServiceOptions`](https://github.com/microsoft/ApplicationInsights-dotnet/blob/develop/NETCORE/src/Shared/Extensions/ApplicationInsightsServiceOptions.cs).

+The Application Insights SDK for Worker Service supports both fixed-rate and adaptive sampling. Adaptive sampling is enabled by default. Sampling can be disabled by using the `EnableAdaptiveSampling` option in [ApplicationInsightsServiceOptions](#use-applicationinsightsserviceoptions).

+To configure other sampling settings, you can use the following example:

+ // The following adds adaptive sampling with 15 items per sec.

+For more information, see the [Sampling](#sampling) document.

+### Add telemetry initializers

+Add any new telemetry initializer to the `DependencyInjection` container and the SDK automatically adds them to `TelemetryConfiguration`.

+### Remove telemetry initializers

+ // Remove a specific built-in telemetry initializer.

+ // Remove all initializers.

+### Add telemetry processors

+You can add custom telemetry processors to `TelemetryConfiguration` by using the extension method `AddApplicationInsightsTelemetryProcessor` on `IServiceCollection`. You use telemetry processors in [advanced filtering scenarios](./api-filtering-sampling.md#itelemetryprocessor-and-itelemetryinitializer) to allow for more direct control over what's included or excluded from the telemetry you send to Application Insights. Use the following example:

+### Configure or remove default telemetry modules

+The following auto-collection modules are enabled by default. These modules are responsible for automatically collecting telemetry. You can disable or configure them to alter their default behavior.

+* `AppServicesHeartbeatTelemetryModule` (There's currently an issue involving this telemetry module. For a temporary workaround, see [GitHub Issue 1689](https://github.com/microsoft/ApplicationInsights-dotnet/issues/1689

+To configure any default telemetry module, use the extension method `ConfigureTelemetryModule<T>` on `IServiceCollection`, as shown in the following example:

+### Configure the telemetry channel

+The default channel is `ServerTelemetryChannel`. You can override it as the following example shows:

+If you want to disable telemetry conditionally and dynamically, you can resolve the `TelemetryConfiguration` instance with an ASP.NET Core dependency injection container anywhere in your code and set the `DisableTelemetry` flag on it.

+This section provides answers to common questions.

+| .NET Core app scenario | Package |

+Yes. The configuration will be shared with the rest of the web application.

+Get an instance of `TelemetryClient` by using constructor injection and call the required `TrackXXX()` method on it. We don't recommend creating new `TelemetryClient` instances. A singleton instance of `TelemetryClient` is already registered in the `DependencyInjection` container, which shares `TelemetryConfiguration` with the rest of the telemetry. Creating a new `TelemetryClient` instance is recommended only if it needs a configuration that's separate from the rest of the telemetry.

+Visual Studio IDE onboarding is currently supported only for ASP.NET/ASP.NET Core applications. This document will be updated when Visual Studio ships support for onboarding Worker Service applications.

+No. [Azure Monitor Application Insights Agent](./status-monitor-v2-overview.md) currently supports .NET [LTS](https://dotnet.microsoft.com/platform/support/policy/dotnet-core) only.

+ ```csharp

+ using Microsoft.ApplicationInsights.Channel;

+ using Microsoft.ApplicationInsights.WindowsServer.TelemetryChannel;

+ public void ConfigureServices(IServiceCollection services)

+ {

+ // The following will configure the channel to use the given folder to temporarily

+ // store telemetry items during network or Application Insights server issues.

+ // User should ensure that the given folder already exists

+ // and that the application has read/write permissions.

+ services.AddSingleton(typeof(ITelemetryChannel),

+ new ServerTelemetryChannel () {StorageFolder = "/tmp/myfolder"});

+ services.AddApplicationInsightsTelemetryWorkerService();

+ }

+ ```

+[.NET Core console application](https://github.com/microsoft/ApplicationInsights-dotnet/tree/develop/examples/ConsoleApp):

+Use this sample if you're using a console application written in either .NET Core (2.0 or higher) or .NET Framework (4.7.2 or higher).

+[ASP.NET Core background tasks with HostedServices](https://github.com/microsoft/ApplicationInsights-dotnet/tree/develop/examples/BackgroundTasksWithHostedService):

+Use this sample if you're in ASP.NET Core and creating background tasks in accordance with [official guidance](/aspnet/core/fundamentals/host/hosted-services).

+[.NET Core Worker Service](https://github.com/microsoft/ApplicationInsights-dotnet/tree/develop/examples/WorkerService):

+Use this sample if you have a .NET Core [LTS](https://dotnet.microsoft.com/platform/support/policy/dotnet-core) Worker Service application in accordance with [official guidance](/aspnet/core/fundamentals/host/hosted-services?tabs=visual-studio#worker-service-template).

+[Read and contribute to the code](https://github.com/microsoft/ApplicationInsights-dotnet).

+For the latest updates and bug fixes, [see the Release Notes](./release-notes.md).

+* [Enrich or filter auto-collected telemetry](./api-filtering-sampling.md).

+Your cluster must be configured to send metrics to [Azure Monitor managed service for Prometheus](../essentials/prometheus-metrics-overview.md). For more information, see [Collect Prometheus metrics with Container insights](container-insights-prometheus-metrics-addon.md).

+If you're going to configure the cluster to [collect Prometheus metrics](container-insights-prometheus.md) with [Azure Monitor managed service for Prometheus](../essentials/prometheus-metrics-overview.md), you must have an Azure Monitor workspace where Prometheus metrics are stored. You can let the onboarding experience create an Azure Monitor workspace in the default resource group of the AKS cluster subscription or use an existing Azure Monitor workspace.

+This article describes how to send Prometheus metrics to a Log Analytics workspace with the Container insights monitoring addon. You can also send metrics to Azure Monitor managed service for Prometheus with the metrics addon which that supports standard Prometheus features such as PromQL and Prometheus alert rules. See [Collect Prometheus metrics with Container insights](container-insights-prometheus.md).

+Container insights can also scrape Prometheus metrics from your cluster and send the data to either Azure Monitor Logs or to Azure Monitor managed service for Prometheus. This requires exposing the Prometheus metrics endpoint through your exporters or pods and then configuring one of the addons for the Azure Monitor agent used by Container insights as shown the following diagram.

+[Azure Monitor managed service for Prometheus](../essentials/prometheus-metrics-overview.md) is a fully managed Prometheus-compatible service that supports industry standard features such as PromQL, Grafana dashboards, and Prometheus alerts. This requires configuring the *metrics addon* for the Azure Monitor agent, which sends data to Prometheus.

+> [!TIP]

+> You don't need to enable Container insights to configure your AKS cluster to send data to managed Prometheus. See [Collect Prometheus metrics from AKS cluster (preview)](../essentials/prometheus-metrics-enable.md) for details on how to configure your cluster without enabling Container insights.

+Use the following procedure to add Promtheus collection to your cluster that's already using Container insights.

+1. Open the **Kubernetes services** menu in the Azure portal and select your AKS cluster.

+2. Click **Insights**.

+3. Click **Monitor settings**.

+ :::image type="content" source="media/container-insights-prometheus-metrics-addon/aks-cluster-monitor-settings.png" lightbox="media/container-insights-prometheus-metrics-addon/aks-cluster-monitor-settings.png" alt-text="Screenshot of button for monitor settings for an AKS cluster.":::

+4. Click the checkbox for **Enable Prometheus metrics** and select your Azure Monitor workspace.

+5. To send the collected metrics to Grafana, select a Grafana workspace. See [Create an Azure Managed Grafana instance](../../managed-grafan) for details on creating a Grafana workspace.

+ :::image type="content" source="media/container-insights-prometheus-metrics-addon/aks-cluster-monitor-settings-details.png" lightbox="media/container-insights-prometheus-metrics-addon/aks-cluster-monitor-settings-details.png" alt-text="Screenshot of monitor settings for an AKS cluster.":::

+6. Click **Configure** to complete the configuration.

+See [Collect Prometheus metrics from AKS cluster (preview)](../essentials/prometheus-metrics-enable.md) for details on [verifying your deployment](../essentials/prometheus-metrics-enable.md#verify-deployment) and [limitations](../essentials/prometheus-metrics-enable.md#limitations)

+## Send metrics to Azure Monitor Logs

+You may want to collect additional data in addition to the predefined set of data collected by Container insights. This data isn't used by Container insights views but is available for log queries and alerts like the other data it collects. This requires configuring the *monitoring addon* for the Azure Monitor agent, which is the one currently used by Container insights to send data to a Log Analytics workspace.

+### Prometheus scraping settings

+Active scraping of metrics from Prometheus is performed from one of two perspectives:

+- **Cluster-wide**: Defined in the ConfigMap section *[Prometheus data_collection_settings.cluster]*.

+- **Node-wide**: Defined in the ConfigMap section *[Prometheus_data_collection_settings.node]*.

+| Endpoint | Scope | Example |

+|-|-||

+| Pod annotation | Cluster-wide | `prometheus.io/scrape: "true"` <br>`prometheus.io/path: "/mymetrics"` <br>`prometheus.io/port: "8000"` <br>`prometheus.io/scheme: "http"` |

+| Kubernetes service | Cluster-wide | `http://my-service-dns.my-namespace:9100/metrics` <br>`https://metrics-server.kube-system.svc.cluster.local/metrics`ΓÇï |

+| URL/endpoint | Per-node and/or cluster-wide | `http://myurl:9101/metrics` |

+When a URL is specified, Container insights only scrapes the endpoint. When Kubernetes service is specified, the service name is resolved with the cluster DNS server to get the IP address. Then the resolved service is scraped.

+|Scope | Key | Data type | Value | Description |

+||--|--|-|-|

+| Cluster-wide | | | | Specify any one of the following three methods to scrape endpoints for metrics. |

+| | `urls` | String | Comma-separated array | HTTP endpoint (either IP address or valid URL path specified). For example: `urls=[$NODE_IP/metrics]`. ($NODE_IP is a specific Container insights parameter and can be used instead of a node IP address. Must be all uppercase.) |

+| | `kubernetes_services` | String | Comma-separated array | An array of Kubernetes services to scrape metrics from kube-state-metrics. Fully qualified domain names must be used here. For example,`kubernetes_services = ["https://metrics-server.kube-system.svc.cluster.local/metrics",http://my-service-dns.my-namespace.svc.cluster.local:9100/metrics]`|

+| | `monitor_kubernetes_pods` | Boolean | true or false | When set to `true` in the cluster-wide settings, the Container insights agent will scrape Kubernetes pods across the entire cluster for the following Prometheus annotations:<br> `prometheus.io/scrape:`<br> `prometheus.io/scheme:`<br> `prometheus.io/path:`<br> `prometheus.io/port:` |

+| | `prometheus.io/scrape` | Boolean | true or false | Enables scraping of the pod, and `monitor_kubernetes_pods` must be set to `true`. |

+| | `prometheus.io/scheme` | String | http or https | Defaults to scraping over HTTP. If necessary, set to `https`. |

+| | `prometheus.io/path` | String | Comma-separated array | The HTTP resource path from which to fetch metrics. If the metrics path isn't `/metrics`, define it with this annotation. |

+| | `prometheus.io/port` | String | 9102 | Specify a port to scrape from. If the port isn't set, it will default to 9102. |

+| | `monitor_kubernetes_pods_namespaces` | String | Comma-separated array | An allowlist of namespaces to scrape metrics from Kubernetes pods.<br> For example, `monitor_kubernetes_pods_namespaces = ["default1", "default2", "default3"]` |

+| Node-wide | `urls` | String | Comma-separated array | HTTP endpoint (either IP address or valid URL path specified). For example: `urls=[$NODE_IP/metrics]`. ($NODE_IP is a specific Container insights parameter and can be used instead of a node IP address. Must be all uppercase.) |

+| Node-wide or cluster-wide | `interval` | String | 60s | The collection interval default is one minute (60 seconds). You can modify the collection for either the *[prometheus_data_collection_settings.node]* and/or *[prometheus_data_collection_settings.cluster]* to time units such as s, m, and h. |

+| Node-wide or cluster-wide | `fieldpass`<br> `fielddrop`| String | Comma-separated array | You can specify certain metrics to be collected or not from the endpoint by setting the allow (`fieldpass`) and disallow (`fielddrop`) listing. You must set the allowlist first. |

+### Configure ConfigMaps

+Perform the following steps to configure your ConfigMap configuration file for your cluster. ConfigMaps is a global list and there can be only one ConfigMap applied to the agent. You can't have another ConfigMaps overruling the collections.

+1. [Download](https://aka.ms/container-azm-ms-agentconfig) the template ConfigMap YAML file and save it as c*ontainer-azm-ms-agentconfig.yaml*. If you've already deployed a ConfigMap to your cluster and you want to update it with a newer configuration, you can edit the ConfigMap file you've previously used.

+1. Edit the ConfigMap YAML file with your customizations to scrape Prometheus metrics.

+ #### [Cluster-wide](#tab/cluster-wide)

+ To collect Kubernetes services cluster-wide, configure the ConfigMap file by using the following example:

+ ```

+ prometheus-data-collection-settings: |- ΓÇï

+ # Custom Prometheus metrics data collection settings

+ [prometheus_data_collection_settings.cluster] ΓÇï

+ interval = "1m" ## Valid time units are s, m, h.

+ fieldpass = ["metric_to_pass1", "metric_to_pass12"] ## specify metrics to pass through ΓÇï

+ fielddrop = ["metric_to_drop"] ## specify metrics to drop from collecting

+ kubernetes_services = ["http://my-service-dns.my-namespace:9102/metrics"]

+ ```

+ #### [Specific URL](#tab/url)

+ To configure scraping of Prometheus metrics from a specific URL across the cluster, configure the ConfigMap file by using the following example:

+ ```

+ prometheus-data-collection-settings: |- ΓÇï

+ # Custom Prometheus metrics data collection settings

+ [prometheus_data_collection_settings.cluster] ΓÇï

+ interval = "1m" ## Valid time units are s, m, h.

+ fieldpass = ["metric_to_pass1", "metric_to_pass12"] ## specify metrics to pass through ΓÇï

+ fielddrop = ["metric_to_drop"] ## specify metrics to drop from collecting

+ urls = ["http://myurl:9101/metrics"] ## An array of urls to scrape metrics from

+ ```

+ #### [DaemonSet](#tab/deamonset)

+ To configure scraping of Prometheus metrics from an agent's DaemonSet for every individual node in the cluster, configure the following example in the ConfigMap:

+ ```

+ prometheus-data-collection-settings: |- ΓÇï

+ # Custom Prometheus metrics data collection settings ΓÇï

+ [prometheus_data_collection_settings.node] ΓÇï

+ interval = "1m" ## Valid time units are s, m, h.

+ urls = ["http://$NODE_IP:9103/metrics"] ΓÇï

+ fieldpass = ["metric_to_pass1", "metric_to_pass2"] ΓÇï

+ fielddrop = ["metric_to_drop"] ΓÇï

+ ```

+ `$NODE_IP` is a specific Container insights parameter and can be used instead of a node IP address. It must be all uppercase.

+ #### [Pod annotation](#tab/pod)

+ To configure scraping of Prometheus metrics by specifying a pod annotation:

+ 1. In the ConfigMap, specify the following configuration:

+ ```

+ prometheus-data-collection-settings: |- ΓÇï

+ # Custom Prometheus metrics data collection settings

+ [prometheus_data_collection_settings.cluster] ΓÇï

+ interval = "1m" ## Valid time units are s, m, h

+ monitor_kubernetes_pods = true

+ ```

+ 1. Specify the following configuration for pod annotations:

+ ```

+ - prometheus.io/scrape:"true" #Enable scraping for this pod ΓÇï

+ - prometheus.io/scheme:"http" #If the metrics endpoint is secured then you will need to set this to `https`, if not default ΓÇÿhttpΓÇÖΓÇï

+ - prometheus.io/path:"/mymetrics" #If the metrics path is not /metrics, define it with this annotation. ΓÇï

+ - prometheus.io/port:"8000" #If port is not 9102 use this annotationΓÇï

+ ```

+

+ If you want to restrict monitoring to specific namespaces for pods that have annotations, for example, only include pods dedicated for production workloads, set the `monitor_kubernetes_pod` to `true` in ConfigMap. Then add the namespace filter `monitor_kubernetes_pods_namespaces` to specify the namespaces to scrape from. An example is `monitor_kubernetes_pods_namespaces = ["default1", "default2", "default3"]`.

+2. Run the following kubectl command: `kubectl apply -f <configmap_yaml_file.yaml>`.

+

+ Example: `kubectl apply -f container-azm-ms-agentconfig.yaml`.

+The configuration change can take a few minutes to finish before taking effect. You must restart all Azure Monitor Agent pods manually. When the restarts are finished, a message appears that's similar to the following and includes the result `configmap "container-azm-ms-agentconfig" created`.

+### Verify configuration

+To verify the configuration was successfully applied to a cluster, use the following command to review the logs from an agent pod: `kubectl logs ama-logs-fdf58 -n=kube-system`.

+If there are configuration errors from the Azure Monitor Agent pods, the output will show errors similar to the following example:

+```

+***************Start Config Processing********************

+config::unsupported/missing config schema version - 'v21' , using defaults

+```

+Errors related to applying configuration changes are also available for review. The following options are available to perform additional troubleshooting of configuration changes and scraping of Prometheus metrics:

+- From an agent pod logs using the same `kubectl logs` command.

+- From Live Data (preview). Live Data (preview) logs show errors similar to the following example:

+ ```

+ 2019-07-08T18:55:00Z E! [inputs.prometheus]: Error in plugin: error making HTTP request to http://invalidurl:1010/metrics: Get http://invalidurl:1010/metrics: dial tcp: lookup invalidurl on 10.0.0.10:53: no such host

+ ```

+- From the **KubeMonAgentEvents** table in your Log Analytics workspace. Data is sent every hour with *Warning* severity for scrape errors and *Error* severity for configuration errors. If there are no errors, the entry in the table will have data with severity *Info*, which reports no errors. The **Tags** property contains more information about the pod and container ID on which the error occurred and also the first occurrence, last occurrence, and count in the last hour.

+- For Azure Red Hat OpenShift v3.x and v4.x, check the Azure Monitor Agent logs by searching the **ContainerLog** table to verify if log collection of openshift-azure-logging is enabled.

+Errors prevent Azure Monitor Agent from parsing the file, causing it to restart and use the default configuration. After you correct the errors in ConfigMap on clusters other than Azure Red Hat OpenShift v3.x, save the YAML file and apply the updated ConfigMaps by running the command `kubectl apply -f <configmap_yaml_file.yaml`.

+For Azure Red Hat OpenShift v3.x, edit and save the updated ConfigMaps by running the command `oc edit configmaps container-azm-ms-agentconfig -n openshift-azure-logging`.

+### Query Prometheus metrics data

+To view Prometheus metrics scraped by Azure Monitor and any configuration/scraping errors reported by the agent, review [Query Prometheus metrics data](container-insights-log-query.md#prometheus-metrics).

+### View Prometheus metrics in Grafana

+Container insights supports viewing metrics stored in your Log Analytics workspace in Grafana dashboards. We've provided a template that you can download from Grafana's [dashboard repository](https://grafana.com/grafana/dashboards?dataSource=grafana-azure-monitor-datasource&category=docker). Use the template to get started and reference it to help you learn how to query other data from your monitored clusters to visualize in custom Grafana dashboards.

+- [See the default configuration for Prometheus metrics](../essentials/prometheus-metrics-scrape-default.md).

+- [Customize Prometheus metric scraping for the cluster](../essentials/prometheus-metrics-scrape-configuration.md).

+Azure Monitor is based on a [common monitoring data platform](data-platform.md) that includes

+- [Metrics](essentials/data-platform-metrics.md)

+- [Logs](logs/data-platform-logs.md)

+- Traces

+- Changes. This platform allows data from multiple resources to be analyzed together using a common set of tools in Azure Monitor. Monitoring data may also be sent to other locations to support certain scenarios, and some resources may write to other locations before they can be collected into Logs or Metrics.

+> Access to data in the Log Analytics Workspaces is governed as outline [here](logs/manage-access.md).

+| Activity log | The Activity log is collected into its own data store that you can view from the Azure Monitor menu or use to create Activity log alerts. |[Query the Activity log with the Azure portal](essentials/activity-log.md#view-the-activity-log) |

+Enabling the Azure diagnostics extension for Azure Virtual machines allows you to collect logs and metrics from the guest operating system of Azure compute resources including Azure Cloud Service (classic) Web and Worker Roles, Virtual Machines, Virtual Machine Scale Sets, and Service Fabric.

+Detailed application monitoring in Azure Monitor is done with [Application Insights](/azure/application-insights/), which collects data from applications running on various platforms. The application can be running in Azure, another cloud, or on-premises.

+Other services in Azure write data to the Azure Monitor data platform. This allows you to analyze data collected by these services with data collected by Azure Monitor and apply the same analysis and visualization tools.

+| [Microsoft Defender for Cloud](../security-center/index.yml) | Azure Monitor Logs | Microsoft Defender for Cloud stores the security data it collects in a Log Analytics workspace, which allows it to be analyzed with other log data collected by Azure Monitor. | [Data collection in Microsoft Defender for Cloud](../security-center/security-center-enable-data-collection.md) |

+| [Microsoft Sentinel](../sentinel/index.yml) | Azure Monitor Logs | Microsoft Sentinel stores the data it collects from different data sources in a Log Analytics workspace, which allows it to be analyzed with other log data collected by Azure Monitor. | [Connect data sources](../sentinel/quickstart-onboard.md) |

+# Monitor Azure resources with Azure Monitor

+In this article, you learn about:

+> This article describes Azure Monitor concepts and walks you through different menu items. To jump right into using Azure Monitor features, start with [Analyze metrics for an Azure resource](../essentials/tutorial-metrics.md).

+To learn how to use Metrics Explorer, see [Analyze metrics for an Azure resource](../essentials/tutorial-metrics.md).

+To learn how to create alert rules and view alerts, see [Create a metric alert for an Azure resource](../alerts/tutorial-metric-alert.md) or [Create a log query alert for an Azure resource](../alerts/tutorial-log-alert.md).

+To learn how to use Metrics Explorer, see [Analyze metrics for an Azure resource](../essentials/tutorial-metrics.md).

+To learn how to create a diagnostic setting, see [Collect and analyze resource logs from an Azure resource](../essentials/tutorial-resource-logs.md).

+For a list of insights that are available and links to their documentation, see [Insights](../insights/insights-overview.md) and [core solutions](../insights/solutions.md).

+- [Collect Prometheus metrics for your AKS cluster](../essentials/prometheus-metrics-enable.md).

+- [Customize scraping of Prometheus metrics](prometheus-metrics-scrape-configuration.md).

+ Title: Enable Azure Monitor managed service for Prometheus (preview)

+description: Enable Azure Monitor managed service for Prometheus (preview) and configure data collection from your Azure Kubernetes Service (AKS) cluster.

+# Collect Prometheus metrics from AKS cluster (preview)

+This article describes how to configure your Azure Kubernetes Service (AKS) cluster to send data to Azure Monitor managed service for Prometheus. When you configure your AKS cluster to send data to Azure Monitor managed service for Prometheus, a containerized version of the [Azure Monitor agent](../agents/agents-overview.md) is installed with a metrics extension. You just need to specify the Azure Monitor workspace that the data should be sent to.

+> [!NOTE]

+> The process described here doesn't enable [Container insights](../containers/container-insights-overview.md) on the cluster even though the Azure Monitor agent installed in this process is the same one used by Container insights. See [Enable Container insights](../containers/container-insights-onboard.md) for different methods to enable Container insights on your cluster. See [Collect Prometheus metrics with Container insights](../containers/container-insights-prometheus.md) for details on adding Prometheus collection to a cluster that already has Container insights enabled.

+## Prerequisites

+- You must either have an [Azure Monitor workspace](azure-monitor-workspace-overview.md) or [create a new one](azure-monitor-workspace-overview.md#create-an-azure-monitor-workspace).

+- The cluster must use [managed identity authentication](../containers/container-insights-enable-aks.md#migrate-to-managed-identity-authentication).

+- The following resource providers must be registered in the subscription of the AKS cluster and the Azure Monitor Workspace.

+ - Microsoft.ContainerService

+ - Microsoft.Insights

+ - Microsoft.AlertsManagement

+## Enable Prometheus metric collection

+Use any of the following methods to install the Azure Monitor agent on your AKS cluster and send Prometheus metrics to your Azure Monitor workspace.

+### [Azure portal](#tab/azure-portal)

+1. Open the **Azure Monitor workspaces** menu in the Azure portal and select your cluster.

+2. Select **Managed Prometheus** to display a list of AKS clusters.

+3. Click **Configure** next to the cluster you want to enable.

+ :::image type="content" source="media/prometheus-metrics-enable/azure-monitor-workspace-configure-prometheus.png" lightbox="media/prometheus-metrics-enable/azure-monitor-workspace-configure-prometheus.png" alt-text="Screenshot of Azure Monitor workspace with Prometheus configuration.":::

+### [CLI](#tab/cli)

+#### Prerequisites

+- Register the `AKS-PrometheusAddonPreview` feature flag in the Azure Kubernetes clusters subscription with the following command in Azure CLI: `az feature register --namespace Microsoft.ContainerService --name AKS-PrometheusAddonPreview`.

+- The aks-preview extension needs to be installed using the command `az extension add --name aks-preview`. For more information on how to install a CLI extension, see [Use and manage extensions with the Azure CLI](/azure/azure-cli-extensions-overview).

+- Azure CLI version 2.41.0 or higher is required for this feature.

+#### Install metrics addon

+Use `az aks update` with the `-enable-azuremonitormetrics` option to install the metrics addon. Following are multiple options depending on the Azure Monitor workspace and Grafana workspace you want to use.

+**Create a new default Azure Monitor workspace.**<br>

+If no Azure Monitor Workspace is specified, then a default Azure Monitor Workspace will be created in the `DefaultRG-<cluster_region>` following the format `DefaultAzureMonitorWorkspace-<mapped_region>`.

+This Azure Monitor Workspace will be in the region specific in [Region mappings](#region-mappings).

+```azurecli

+az aks update --enable-azuremonitormetrics -n <cluster-name> -g <cluster-resource-group>

+```

+**Use an existing Azure Monitor workspace.**<br>

+If the Azure Monitor workspace is linked to one or more Grafana workspaces, then the data will be available in Grafana.

+```azurecli

+az aks update --enable-azuremonitormetrics -n <cluster-name> -g <cluster-resource-group> --azure-monitor-workspace-resource-id <workspace-name-resource-id>

+```

+**Use an existing Azure Monitor workspace and link with an existing Grafana workspace.**<br>

+This creates a link between the Azure Monitor workspace and the Grafana workspace.

+```azurecli

+az aks update --enable-azuremonitormetrics -n <cluster-name> -g <cluster-resource-group> --azure-monitor-workspace-resource-id <azure-monitor-workspace-name-resource-id> --grafana-resource-id <grafana-workspace-name-resource-id>

+```

+The output for each command will look similar to the following:

+```json

+"azureMonitorProfile": {

+ "metrics": {

+ "enabled": true,

+ "kubeStateMetrics": {

+ "metrican'tationsAllowList": "",

+ "metricLabelsAllowlist": ""

+ }

+ }

+}

+```

+#### Optional parameters

+Following are optional parameters that you can use with the previous commands.

+- `--ksm-metric-annotations-allow-list` is a comma-separated list of Kubernetes annotations keys that will be used in the resource's labels metric. By default the metric contains only name and namespace labels. To include additional annotations provide a list of resource names in their plural form and Kubernetes annotation keys, you would like to allow for them. A single `*` can be provided per resource instead to allow any annotations, but that has severe performance implications.

+- `--ksm-metric-labels-allow-list` is a comma-separated list of additional Kubernetes label keys that will be used in the resource's labels metric. By default the metric contains only name and namespace labels. To include additional labels provide a list of resource names in their plural form and Kubernetes label keys you would like to allow for them. A single `*` can be provided per resource instead to allow any labels, but that has severe performance implications.

+**Use annotations and labels.**

+```azurecli

+az aks update --enable-azuremonitormetrics -n <cluster-name> -g <cluster-resource-group> --ksm-metric-labels-allow-list "namespaces=[k8s-label-1,k8s-label-n]" --ksm-metric-annotations-allow-list "pods=[k8s-annotation-1,k8s-annotation-n]"

+```

+The output will be similar to the following:

+```json

+ "azureMonitorProfile": {

+ "metrics": {

+ "enabled": true,

+ "kubeStateMetrics": {

+ "metrican'tationsAllowList": "pods=[k8s-annotation-1,k8s-annotation-n]",

+ "metricLabelsAllowlist": "namespaces=[k8s-label-1,k8s-label-n]"

+ }

+ }

+ }

+```

+## [Resource Manager](#tab/resource-manager)

+### Prerequisites

+- Register the `AKS-PrometheusAddonPreview` feature flag in the Azure Kubernetes clusters subscription with the following command in Azure CLI: `az feature register --namespace Microsoft.ContainerService --name AKS-PrometheusAddonPreview`.

+- The Azure Monitor workspace and Azure Managed Grafana workspace must already be created.

+- The template needs to be deployed in the same resource group as the Azure Managed Grafana workspace.

+### Retrieve required values for Grafana resource

+From the **Overview** page for the Azure Managed Grafana instance in the Azure portal, select **JSON view**.

+ Copy the value of the `principalId` field for the `SystemAssigned` identity.

+```json

+"identity": {

+ "principalId": "00000000-0000-0000-0000-000000000000",

+ "tenantId": "00000000-0000-0000-0000-000000000000",

+ "type": "SystemAssigned"

+ },

+```

+If you're using an existing Azure Managed Grafana instance that already has been linked to an Azure Monitor workspace then you need the list of Grafana integrations. Copy the value of the `azureMonitorWorkspaceIntegrations` field. If it doesn't exist, then the instance hasn't been linked with any Azure Monitor workspace.

+```json

+"properties": {

+ "grafanaIntegrations": {

+ "azureMonitorWorkspaceIntegrations": [

+ {

+ "azureMonitorWorkspaceResourceId": "full_resource_id_1"

+ },

+ {

+ "azureMonitorWorkspaceResourceId": "full_resource_id_2"

+ }

+ ]

+ }

+}

+```

+### Assign role to system identity

+The Azure Managed Grafana resource requires the `Monitoring Data Reader` role to read data from the Azure Monitor Workspace.

+1. From the **Access control (IAM)** page for the Azure Managed Grafana instance in the Azure portal, select **Add** and then **Add role assignment**.

+2. Select `Monitoring Data Reader`.

+3. Select **Managed identity** and then **Select members**.

+4. Select the **system-assigned managed identity** with the `principalId` from the Grafana resource.

+5. Click **Select** and then **Review+assign**.

+### Download and edit template and parameter file

+1. Download the template at [https://aka.ms/azureprometheus-enable-arm-template](https://aka.ms/azureprometheus-enable-arm-template) and save it as **existingClusterOnboarding.json**.

+2. Download the parameter file at [https://aka.ms/azureprometheus-enable-arm-template-parameterss](https://aka.ms/azureprometheus-enable-arm-template-parameters) and save it as **existingClusterParam.json**.

+3. Edit the values in the parameter file.

+ | Parameter | Value |

+ |:|:|

+ | `azureMonitorWorkspaceResourceId` | Resource ID for the Azure Monitor workspace. Retrieve from the **JSON view** on the **Overview** page for the Azure Monitor workspace. |

+ | `azureMonitorWorkspaceLocation` | Location of the Azure Monitor workspace. Retrieve from the **JSON view** on the **Overview** page for the Azure Monitor workspace. |

+ | `clusterResourceId` | Resource ID for the AKS cluster. Retrieve from the **JSON view** on the **Overview** page for the cluster. |

+ | `clusterLocation` | Location of the AKS cluster. Retrieve from the **JSON view** on the **Overview** page for the cluster. |

+ | `metricLabelsAllowlist` | Comma-separated list of Kubernetes labels keys that will be used in the resource's labels metric. |

+ | `metricAnnotationsAllowList` | Comma-separated list of additional Kubernetes label keys that will be used in the resource's labels metric. |

+ | `grafanaResourceId` | Resource ID for the managed Grafana instance. Retrieve from the **JSON view** on the **Overview** page for the Grafana instance. |

+ | `grafanaLocation` | Location for the managed Grafana instance. Retrieve from the **JSON view** on the **Overview** page for the Grafana instance. |

+ | `grafanaSku` | SKU for the managed Grafana instance. Retrieve from the **JSON view** on the **Overview** page for the Grafana instance. Use the **sku.name**. |

+4. Open the template file and update the `grafanaIntegrations` property at the end of the file with the values that you retrieved from the Grafana instance. This will be similar to the following:

+ ```json

+ {

+ "type": "Microsoft.Dashboard/grafana",

+ "apiVersion": "2022-08-01",

+ "name": "[split(parameters('grafanaResourceId'),'/')[8]]",

+ "sku": {

+ "name": "[parameters('grafanaSku')]"

+ },

+ "location": "[parameters('grafanaLocation')]",

+ "properties": {

+ "grafanaIntegrations": {

+ "azureMonitorWorkspaceIntegrations": [

+ {

+ "azureMonitorWorkspaceResourceId": "full_resource_id_1"

+ },

+ {

+ "azureMonitorWorkspaceResourceId": "full_resource_id_2"

+ },

+ {

+ "azureMonitorWorkspaceResourceId": "[parameters('azureMonitorWorkspaceResourceId')]"

+ }

+ ]

+ }

+ }

+ ````

+In this json, `full_resource_id_1` and `full_resource_id_2` were already in the Azure Managed Grafana resource JSON, and they're added here to the ARM template. If you have no existing Grafana integrations, then don't include these entries for `full_resource_id_1` and `full_resource_id_2`.

+The final `azureMonitorWorkspaceResourceId` entry is already in the template and is used to link to the Azure Monitor Workspace resource ID provided in the parameters file.

+### Deploy template

+Deploy the template with the parameter file using any valid method for deploying Resource Manager templates. See [Deploy the sample templates](../resource-manager-samples.md#deploy-the-sample-templates) for examples of different methods.

+## Verify Deployment

+Run the following command to which verify that the daemon set was deployed properly:

+```

+kubectl get ds ama-metrics-node --namespace=kube-system

+```

+The output should resemble the following:

+```

+User@aksuser:~$ kubectl get ds ama-metrics-node --namespace=kube-system

+NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE

+ama-metrics-node 1 1 1 1 1 <none> 10h

+```

+Run the following command to which verify that the replica set was deployed properly:

+```

+kubectl get rs --namespace=kube-system

+```

+The output should resemble the following:

+```

+User@aksuser:~$kubectl get rs --namespace=kube-system

+NAME DESIRED CURRENT READY AGE

+ama-metrics-5c974985b8 1 1 1 11h

+ama-metrics-ksm-5fcf8dffcd 1 1 1 11h

+```

+## Limitations

+- Ensure that you update the `kube-state metrics` Annotations and Labels list with proper formatting. There's a limitation in the Resource Manager template deployments that require exact values in the `kube-state` metrics pods. If the kuberenetes pod has any issues with malformed parameters and isn't running, then the feature won't work as expected.

+- A data collection rule and data collection endpoint is created with the name `MSPROM-\<cluster-name\>-\<cluster-region\>`. These names can't currently be modified.

+- You must get the existing Azure Monitor workspace integrations for a Grafana workspace and update the Resource Manager template with it, otherwise it will overwrite and remove the existing integrations from the grafana workspace.

+- CPU and Memory requests and limits can't be changed for Container insights metrics addon. If changed, they'll be reconciled and replaced by original values in a few seconds.

+- Metrics addon doesn't work on AKS clusters configured with HTTP proxy.

+## Uninstall metrics addon

+Currently, Azure CLI is the only option to remove the metrics addon and stop sending Prometheus metrics to Azure Monitor managed service for Prometheus.

+If you don't already have it, install the aks-preview extension with the following command.

+The `aks-preview` extension needs to be installed using the following command. For more information on how to install a CLI extension, see [Use and manage extensions with the Azure CLI](/cli/azure/azure-cli-extensions-overview).

+```azurecli

+az extension add --name aks-preview

+```

+Use the following command to remove the agent from the cluster nodes and delete the recording rules created for the data being collected from the cluster. This doesn't remove the DCE, DCR, or the data already collected and stored in your Azure Monitor workspace.

+```azurecli

+az aks update --disable-azuremonitormetrics -n <cluster-name> -g <cluster-resource-group>

+```

+## Region mappings

+When you allow a default Azure Monitor workspace to be created when you install the metrics addon, it's created in the region listed in the following table.

+| AKS Cluster region | Azure Monitor workspace region |

+|--||

+|australiacentral |eastus|

+|australiacentral2 |eastus|

+|australiaeast |eastus|

+|australiasoutheast |eastus|

+|brazilsouth |eastus|

+|canadacentral |eastus|

+|canadaeast |eastus|

+|centralus |centralus|

+|centralindia |centralindia|

+|eastasia |westeurope|

+|eastus |eastus|

+|eastus2 |eastus2|

+|francecentral |westeurope|

+|francesouth |westeurope|

+|japaneast |eastus|

+|japanwest |eastus|

+|koreacentral |westeurope|

+|koreasouth |westeurope|

+|northcentralus |eastus|

+|northeurope |westeurope|

+|southafricanorth |westeurope|

+|southafricawest |westeurope|

+|southcentralus |eastus|

+|southeastasia |westeurope|

+|southindia |centralindia|

+|uksouth |westeurope|

+|ukwest |westeurope|

+|westcentralus |eastus|

+|westeurope |westeurope|

+|westindia |centralindia|

+|westus |westus|

+|westus2 |westus2|

+|westus3 |westus|

+|norwayeast |westeurope|

+|norwaywest |westeurope|

+|switzerlandnorth |westeurope|

+|switzerlandwest |westeurope|

+|uaenorth |westeurope|

+|germanywestcentral |westeurope|

+|germanynorth |westeurope|

+|uaecentral |westeurope|

+|eastus2euap |eastus2euap|

+|centraluseuap |westeurope|

+|brazilsoutheast |eastus|

+|jioindiacentral |centralindia|

+|swedencentral |westeurope|

+|swedensouth |westeurope|

+|qatarcentral |westeurope|

+## Next steps

+- [See the default configuration for Prometheus metrics](prometheus-metrics-scrape-default.md).

+- [Customize Prometheus metric scraping for the cluster](prometheus-metrics-scrape-configuration.md).

+You can create multiple Data Collection Rules that point to the same Data Collection Endpoint for metrics to be sent to additional Azure Monitor Workspaces from the same Kubernetes cluster. Currently, this is only available through onboarding through Resource Manager templates. You can follow the [regular onboarding process](prometheus-metrics-enable.md) and then edit the same Resource Manager templates to add additional DCRs for your additional Azure Monitor Workspaces. You'll need to edit the template to add an additional parameters for every additional Azure Monitor workspace, add another DCR for every additional Azure Monitor workspace, and add an additional Azure Monitor workspace integration for Grafana.

+- [Collect Prometheus metrics from AKS cluster](prometheus-metrics-enable.md).

+- Azure Kubernetes service (AKS)

+- Any Kubernetes cluster running self-managed Prometheus using [remote-write](https://aka.ms/azureprometheus-promio-prw).

+## Enable

+The only requirement to enable Azure Monitor managed service for Prometheus is to create an [Azure Monitor workspace](azure-monitor-workspace-overview.md), which is where Prometheus metrics are stored. Once this workspace is created, you can onboard services that collect Prometheus metrics.

+- To collect Prometheus metrics from your AKS cluster without using Container insights, see [Collect Prometheus metrics from AKS cluster (preview)](prometheus-metrics-enable.md).

+- To add collection of Prometheus metrics to your cluster using Container insights, see [Collect Prometheus metrics with Container insights](../containers/container-insights-prometheus.md#send-data-to-azure-monitor-managed-service-for-prometheus).

+- To configure remote-write to collect data from your self-managed Prometheus server, see [Azure Monitor managed service for Prometheus remote write - managed identity (preview)](prometheus-remote-write-managed-identity.md).

+- [Enable Azure Monitor managed service for Prometheus](prometheus-metrics-enable.md).

+This article provides instructions on customizing metrics scraping for a Kubernetes cluster with the [metrics addon](prometheus-metrics-enable.md) in Azure Monitor.

+This article lists the default targets, dashboards, and recording rules when you [configure Prometheus metrics to be scraped from an AKS cluster](prometheus-metrics-enable.md) for any AKS cluster.

+ Title: Analyze metrics for an Azure resource

+# Analyze metrics for an Azure resource

+Following is a video that shows a more extensive scenario than the procedure outlined in this tutorial. If you are new to metrics, we suggest you read through this article first and then view the video to see more specifics.

+To complete the steps in this tutorial, you need the following:

+ Title: Collect resource logs from an Azure resource

+description: Learn how to configure diagnostic settings to send resource logs from an Azure resource io a Log Analytics workspace where they can be analyzed with a log query.

+# Collect and analyze resource logs from an Azure resource

+To complete the steps in this tutorial, you need the following:

+ Title: Azure Monitor Insights Overview

+description: Lists available Azure Monitor "Insights" and other Azure product integrations

+# Azure Monitor Insights overview

+Some services have a curated monitoring experience. That is, Microsoft provides customized functionality meant to act as a starting point for monitoring those services. These experiences are collectively known as *curated visualizations* with the larger more complex of them being called *Insights*.

+The experiences collect and analyze a subset of available telemetry for a given service(s). Depending on the service, the experiences might also provide out-of-the-box alerting. They present the telemetry in a visual layout. The visualizations vary in size and scale.

+Some visualizations are considered part of Azure Monitor and follow the support and service level agreements for Azure. They're supported in all Azure regions where Azure Monitor is available. Other curated visualizations provide less functionality, might not scale, and might have different agreements. Some might be based solely on Azure Monitor Workbooks, while others might have an extensive custom experience.

+## Insights and curated visualizations

+The following table lists the available curated visualizations and information about them. **Most** of the list below can be found in the [Insights hub in the Azure portal](https://ms.portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/more). The table uses the same grouping as portal.

+>[!NOTE]

+> Another type of older visualization called *monitoring solutions* is no longer in active development. The replacement technology is the Azure Monitor Insights, as mentioned here. We suggest you use the Insights and not deploy new instances of solutions. For more information on the solutions, see [Monitoring solutions in Azure Monitor](solutions.md).

+|Name with docs link| State | [Azure portal link](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/more)| Description |

+|:--|:--|:--|:--|

+|Compute||||

+ | [Azure VM Insights](/azure/azure-monitor/insights/vminsights-overview) | GA | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/virtualMachines) | Monitors your Azure VMs and Virtual Machine Scale Sets at scale. It analyzes the performance and health of your Windows and Linux VMs and monitors their processes and dependencies on other resources and external processes. |

+| [Azure Container Insights](/azure/azure-monitor/insights/container-insights-overview) | GA | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/containerInsights) | Monitors the performance of container workloads that are deployed to managed Kubernetes clusters hosted on Azure Kubernetes Service. It gives you performance visibility by collecting metrics from controllers, nodes, and containers that are available in Kubernetes through the Metrics API. Container logs are also collected. After you enable monitoring from Kubernetes clusters, these metrics and logs are automatically collected for you through a containerized version of the Log Analytics agent for Linux. |

+|Networking||||

+ | [Azure Network Insights](../../network-watcher/network-insights-overview.md) | GA | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/networkInsights) | Provides a comprehensive view of health and metrics for all your network resources. The advanced search capability helps you identify resource dependencies, enabling scenarios like identifying resources that are hosting your website, by searching for your website name. |

+|Storage||||

+ | [Azure Storage Insights](/azure/azure-monitor/insights/storage-insights-overview) | GA | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/storageInsights) | Provides comprehensive monitoring of your Azure Storage accounts by delivering a unified view of your Azure Storage services performance, capacity, and availability. |

+| [Azure Backup](../../backup/backup-azure-monitoring-use-azuremonitor.md) | GA | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_DataProtection/BackupCenterMenuBlade/backupReportsConfigure/menuId/backupReportsConfigure) | Provides built-in monitoring and alerting capabilities in a Recovery Services vault. |

+|Databases||||

+| [Azure Cosmos DB Insights](../../cosmos-db/cosmosdb-insights-overview.md) | GA | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/cosmosDBInsights) | Provides a view of the overall performance, failures, capacity, and operational health of all your Azure Cosmos DB resources in a unified interactive experience. |

+| [Azure Monitor for Azure Cache for Redis (preview)](../../azure-cache-for-redis/redis-cache-insights-overview.md) | GA | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/redisCacheInsights) | Provides a unified, interactive view of overall performance, failures, capacity, and operational health. |

+| [Azure Data Explorer Insights](/azure/data-explorer/data-explorer-insights) | GA | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/adxClusterInsights) | Azure Data Explorer Insights provides comprehensive monitoring of your clusters by delivering a unified view of your cluster performance, operations, usage, and failures. |

+ | [Azure Monitor Log Analytics Workspace](../logs/log-analytics-workspace-insights-overview.md) | Preview | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/lawsInsights) | Log Analytics Workspace Insights (preview) provides comprehensive monitoring of your workspaces through a unified view of your workspace usage, performance, health, agent, queries, and change log. This article will help you understand how to onboard and use Log Analytics Workspace Insights (preview). |

+|Security||||

+ | [Azure Key Vault Insights (preview)](../../key-vault/key-vault-insights-overview.md) | GA | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/keyvaultsInsights) | Provides comprehensive monitoring of your key vaults by delivering a unified view of your Key Vault requests, performance, failures, and latency. |

+|Monitor||||

+ | [Azure Monitor Application Insights](../app/app-insights-overview.md) | GA | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/applicationsInsights) | Extensible application performance management service that monitors the availability, performance, and usage of your web applications whether they're hosted in the cloud or on-premises. It uses the powerful data analysis platform in Azure Monitor to provide you with deep insights into your application's operations. It enables you to diagnose errors without waiting for a user to report them. Application Insights includes connection points to various development tools and integrates with Visual Studio to support your DevOps processes. |

+| [Azure activity Log Insights](../essentials/activity-log-insights.md) | GA | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_DataProtection/BackupCenterMenuBlade/backupReportsConfigure/menuId/backupReportsConfigure) | Provides built-in monitoring and alerting capabilities in a Recovery Services vault. |

+ | [Azure Monitor for Resource Groups](resource-group-insights.md) | GA | No | Triage and diagnose any problems your individual resources encounter, while offering context for the health and performance of the resource group as a whole. |

+|Integration||||

+ | [Azure Service Bus Insights](../../service-bus-messaging/service-bus-insights.md) | Preview | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/serviceBusInsights) | Azure Service Bus Insights provide a view of the overall performance, failures, capacity, and operational health of all your Service Bus resources in a unified interactive experience. |

+ [Azure IoT Edge](../../iot-edge/how-to-explore-curated-visualizations.md) | GA | No | Visualize and explore metrics collected from the IoT Edge device right in the Azure portal by using Azure Monitor Workbooks-based public templates. The curated workbooks use built-in metrics from the IoT Edge runtime. These views don't need any metrics instrumentation from the workload modules. |

+|Workloads||||

+| [Azure SQL Insights (preview)](/azure/azure-sql/database/sql-insights-overview) | Preview | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/sqlWorkloadInsights) | A comprehensive interface for monitoring any product in the Azure SQL family. SQL Insights uses dynamic management views to expose the data you need to monitor health, diagnose problems, and tune performance. Note: If you're just setting up SQL monitoring, use SQL Insights instead of the SQL Analytics solution. |

+| [Azure Monitor for SAP solutions](../../virtual-machines/workloads/sap/monitor-sap-on-azure.md) | Preview | No | An Azure-native monitoring product for anyone running their SAP landscapes on Azure. It works with both SAP on Azure Virtual Machines and SAP on Azure Large Instances. Collects telemetry data from Azure infrastructure and databases in one central location and visually correlates the data for faster troubleshooting. You can monitor different components of an SAP landscape, such as Azure virtual machines (VMs), high-availability clusters, SAP HANA database, and SAP NetWeaver, by adding the corresponding provider for that component. |

+|Other||||

+ | [Azure Virtual Desktop Insights](../../virtual-desktop/azure-monitor.md) | GA | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_WVD/WvdManagerMenuBlade/insights/menuId/insights) | Azure Virtual Desktop Insights is a dashboard built on Azure Monitor Workbooks that helps IT professionals understand their Azure Virtual Desktop environments. |

+ | [Azure Stack HCI Insights](/azure-stack/hci/manage/azure-stack-hci-insights) | Preview | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/azureStackHCIInsights) | Based on Azure Monitor Workbooks. Provides health, performance, and usage insights about registered Azure Stack HCI version 21H2 clusters that are connected to Azure and enrolled in monitoring. It stores its data in a Log Analytics workspace, which allows it to deliver powerful aggregation and filtering and analyze data trends over time. |

+|Not in Azure portal Insight hub||||

+| [Azure Monitor Workbooks for Azure Active Directory](../../active-directory/reports-monitoring/howto-use-azure-monitor-workbooks.md) | General availability (GA) | [Yes](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Workbooks) | Azure Active Directory provides workbooks to understand the effect of your Conditional Access policies, troubleshoot sign-in failures, and identify legacy authentications. |

+| [Azure HDInsight](../../hdinsight/log-analytics-migration.md#insights) | Preview | No | An Azure Monitor workbook that collects important performance metrics from your HDInsight cluster and provides the visualizations and dashboards for most common scenarios. Gives a complete view of a single HDInsight cluster including resource utilization and application status.|

+|Analytics||||

+## Next steps

+- Reference some of the insights listed above to review their functionality

+- Understand [what Azure Monitor can monitor](../monitor-reference.md)

+> Many monitoring solutions are no longer in active development. We suggest you check each solution to see if it has a replacement. We suggest you not deploy new instances of solutions that have other options, even if those solutions are still available. Many have been replaced by a [newer curated visualization or insight](insights-overview.md).

+| **Get insights** | Logs support [insights](../insights/insights-overview.md) that provide a customized monitoring experience for particular applications and services. |

+Azure Monitor data is collected and stored based on resource provider namespaces. Each resource in Azure has a unique ID. The resource provider namespace is part of all unique IDs. For example, a key vault resource ID would be similar to `/subscriptions/d03b04c7-d1d4-eeee-aaaa-87b6fcb38b38/resourceGroups/KeyVaults/providers/Microsoft.KeyVault/vaults/mysafekeys ` . *Microsoft.KeyVault* is the resource provider namespace. *Microsoft.KeyVault/vaults/* is the resource provider.

+For a list of Azure resource provider namespaces, see [Resource providers for Azure services](/azure/azure-resource-manager/management/azure-services-resource-providers).

+For a list of resource providers that support Azure Monitor

+- **Metrics** - See [Supported metrics in Azure Monitor](essentials/metrics-supported.md).

+- **Metric alerts** - See [Supported resources for metric alerts in Azure Monitor](/alerts/alerts-metric-near-real-time.md).

+- **Prometheus metrics** - See [TBD](essentials/FILL ME IN.md).

+- **Resource logs** - See [Supported categories for Azure Monitor resource logs](/essentials/resource-logs-categories.md).

+- **Activity log** - All entries in the activity log are available for query, alerting and routing to Azure Monitor Logs store regardless of resource provider.

+## Services that require agents

+Azure Monitor can't see inside a service running its own application, operating system or container. That type of service requires one or more agents to be installed. The agent then runs as well to collect metrics, logs, traces and changes and forward them to Azure Monitor. The following services require agents for this reason.

+- [Azure Cloud Services](../cloud-services-extended-support/index.yml)

+- [Azure Virtual Machines](../virtual-machines/index.yml)

+- [Azure Virtual Machine Scale Sets](../virtual-machine-scale-sets/index.yml)

+- [Azure Service Fabric](../service-fabric/index.yml)

+In addition, applications also require either the Application Insights SDK or auto-instrumentation (via an agent) to collect information and write it to the Azure Monitor data platform.

+## Services with Insights

+Some services have curated monitoring experiences call "insights". Insights are meant to be a starting point for monitoring a service or set of services. Some insights may also automatically pull additional data that's not captured or stored in Azure Monitor. For more information on monitoring insights, see [Insights Overview](insights/insights-overview.md).

+The services and [older monitoring solutions](insights/solutions.md) in the following table store their data in Azure Monitor Logs so that it can be analyzed with other log data collected by Azure Monitor.

+| **The following solutions also integrate with parts of Azure Monitor. Note that solutions, which are based on Azure Monitor Logs and Log Analytics, are no longer under active development. Use [Insights](insights/insights-overview.md) instead.** | |

+- The stores for the **[data platform](data-platform.md)** are at the center of the diagram. Azure Monitor stores these fundamental types of data: metrics, logs, traces, and changes.

+- The **[sources of monitoring data](data-sources.md)** that populate these data stores are on the left.

+- The different functions that Azure Monitor performs with this collected data are on the right. This includes such actions as analysis, alerting.

+- At the bottom is a layer of integration pieces. These are actually integrated throughout other parts of the diagram, but that is too complex to show visually.

+Natively, Azure Monitor stores data as metrics, logs, or changes. Traces are stored in the Logs store. Each storage platform is optimized for particular monitoring scenarios, and each supports different features in Azure Monitor. It's important for you to understand the differences between features such as data analysis, visualizations, or alerting, so that you can implement your required scenario in the most efficient and cost effective manner.

+| Metrics | Metrics are numerical values that describe some aspect of a system at a particular point in time. Metrics are collected at regular intervals and are identified with a timestamp, a name, a value, and one or more defining labels. Metrics can be aggregated using various algorithms, compared to other metrics, and analyzed for trends over time.<br><br>Metrics in Azure Monitor are stored in a time-series database, which is optimized for analyzing time-stamped data. For more information, see [Azure Monitor Metrics](essentials/data-platform-metrics.md). |

+| Logs | [Logs](logs/data-platform-logs.md) are events that occurred within the system. They can contain different kinds of data and may be structured or free-form text with a timestamp. They may be created sporadically as events in the environment generate log entries, and a system under heavy load will typically generate more log volume.<br><br>Azure Monitor stores logs in the Azure Monitor Logs store. The store allows you to segregate logs into separate "Log Analytics workspaces". There you can analyze them using the Log Analytics tool. Log Analytics workspaces are based on [Azure Data Explorer](/azure/data-explorer/), which provides a powerful analysis engine and the [Kusto rich query language](/azure/kusto/query/). For more information, see [Azure Monitor Logs](logs/data-platform-logs.md). |

+## What data can Azure Monitor collect?

+- **Container** - Data about containers and applications running inside containers, such as Azure Kubernetes.

+- **Azure resource** - Data about the operation of an Azure resource. For a list of the resources that have metrics and/or logs, see [What can you monitor with Azure Monitor?](monitor-reference.md).

+For more information, see [List of insights and curated visualizations using Azure Monitor](insights/insights-overview.md). Some of the larger insights are described here.

+Multiple APIs are available to read and write metrics and logs to and from Azure Monitor in addition to accessing generated alerts. You can also configure and retrieve alerts. With APIs, you have unlimited possibilities to build custom solutions that integrate with Azure Monitor.

+* [Best practices](/azure/architecture/best-practices/monitoring) for monitoring cloud applications and services.

+[New pricing has been introduced for these services](https://azure.microsoft.com/blog/introducing-a-new-way-to-purchase-azure-monitoring-services/), and the OMS bundling is no longer available for new customers. None of the services that were part of OMS have changed, except for the consolidation into Azure Monitor described above. The OMS portal was retired and is no longer available.

+ Title: Alert when Azure virtual is down

+# Create alert when Azure virtual machine is unavailable

+In this article, you learn how to:

+To complete the steps in this article you need the following:

+ Title: Enable monitoring for Azure virtual machine

+# Enable monitoring for Azure virtual machine

+To monitor the health and performance of an Azure virtual machine, you need to install an agent to collect data from its guest operating system. VM insights monitors the guest operating system and workloads running on Azure virtual machines. When you enable monitoring for an Azure virtual machine, it installs the necessary agents and starts collecting performance, process, and dependency information from the guest operating system.

+> * Inspect graphs analyzing performance data collected from the virtual machine.

+To complete this tutorial, you need the following:

+Select **Insights** from your virtual machine's menu in the Azure portal. If VM insights hasn't been enabled, you should see a screen similar to the following allowing you to enable monitoring. Click **Enable**.

+ Title: Collect guest logs and metrics from Azure virtual machine

+# Collect guest logs and metrics from Azure virtual machine

+* [Protecting HANA databases configured with HSR on Azure NetApp Files with AzAcSnap](https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/protecting-hana-databases-configured-with-hsr-on-azure-netapp/ba-p/3654620)

+ * Ensure that DNS servers have network connectivity to the Azure NetApp Files delegated subnet hosting the Azure NetApp Files volumes.

+> Any resource, including a VPN Gateway, that is associated with a public IP Standard SKU address can't be moved across subscriptions. For virtual machines, you can [disassociate the public IP address](../../../virtual-network/ip-services/remove-public-ip-address-vm.md) before moving across subscriptions.

+> | publicipaddresses | Yes | Yes - see [Networking move guidance](./move-limitations/networking-move-limitations.md) | Yes<br/><br/> Use [Azure Resource Mover](../../resource-mover/tutorial-move-region-virtual-machines.md) to move public IP address configurations (IP addresses are not retained). |

+> | virtualnetworkgateways | Yes | Yes - see [Networking move guidance](./move-limitations/networking-move-limitations.md) | No |

+ Title: Indexing configuration guide

+description: This article explains the configuration options of indexing process with Azure Video Indexer.

+# The indexing configuration guide

+It's important to understand the configuration options to index efficiently while ensuring you meet your indexing objectives. When indexing videos, users can use the default settings or adjust many of the settings. Azure Video Indexer allows you to choose between a range of language, indexing, custom models, and streaming settings that have implications on the insights generated, cost, and performance.

+This article explains each of the options and the impact of each option to enable informed decisions when indexing. The article discusses the [Azure Video Indexer website](https://www.videoindexer.ai/) experience but the same options apply when submitting jobs through the API (see the [API guide](video-indexer-use-apis.md)). When indexing large volumes, follow the [at-scale guide](considerations-when-use-at-scale.md).

+The initial upload screen presents options to define the video name, source language, and privacy settings.

+All the other setting options appear if you select Advanced options.

+## Default settings

+By default, Azure Video Indexer is configured to a **Video source language** of English, **Privacy** of private, **Standard** audio and video setting, and **Streaming quality** of single bitrate.

+> [!TIP]

+> This topic describes each indexing option in detail.

+Below are a few examples of when using the default setting might not be a good fit:

+- If you need insights observed people or matched person that is only available through Advanced Video.

+- If you're only using Azure Video Indexer for transcription and translation, indexing of both audio and video isnΓÇÖt required, **Basic** for audio should suffice.

+- If you're consuming Azure Video Indexer insights but have no need to generate a new media file, streaming isn't necessary and **No streaming** should be selected to avoid the encoding job and its associated cost.

+- If a video is primarily in a language that isn't English.

+### Video source language

+If you're aware of the language spoken in the video, select the language from the video source language list. If you're unsure of the language of the video, choose **Auto-detect single language**. When uploading and indexing your video, Azure Video Indexer will use language identification (LID) to detect the videos language and generate transcription and insights with the detected language.

+If the video may contain multiple languages and you aren't sure which ones, select **Auto-detect multi-language**. In this case, multi-language (MLID) detection will be applied when uploading and indexing your video.

+While auto-detect is a great option when the language in your videos varies, there are two points to consider when using LID or MLID:

+- LID/MLID don't support all the languages supported by Azure Video Indexer.

+- The transcription is of a higher quality when you pre-select the videoΓÇÖs appropriate language.

+Learn more about [language support and supported languages](language-support.md).

+### Privacy

+This option allows you to determine if the insights should only be accessible to users in your Azure Video Indexer account or to anyone with a link.

+### Indexing options

+When indexing a video with the default settings, beware each of the audio and video indexing options may be priced differently. See [Azure Video Indexer pricing](https://azure.microsoft.com/pricing/details/video-indexer/) for details.

+Below are the indexing type options with details of their insights provided. To modify the indexing type, select **Advanced settings**.

+|Audio only|Video only |Audio & Video |

+||||

+|Basic |||

+|Standard| Standard |Standard |

+|Advanced |Advanced|Advanced |

+## Advanced settings

+### Audio only

+- **Basic**: Indexes and extract insights by using audio only (ignoring video) and provides the following insights: transcription, translation, formatting of output captions and subtitles, named entities (brands, locations, people), and topics.

+- **Standard**: Indexes and extract insights by using audio only (ignoring video) and provides the following insights: transcription, translation, formatting of output captions and subtitles, emotions, keywords, named entities (brands, locations, people), sentiments, speakers, and topics.

+- **Advanced**: Indexes and extract insights by using audio only (ignoring video) and provides the following insights: transcription, translation, formatting of output captions and subtitles, audio effects (preview), emotions, keywords, named entities (brands, locations, people), sentiments, speakers, and articles.

+### Video only

+- **Standard**: Indexes and extract insights by using video only (ignoring audio) and provides the following insights: labels (OCR), named entities (OCR - brands, locations, people), OCR, people, scenes (keyframes and shots), and topics (OCR).

+- **Advanced**: Indexes and extract insights by using video only (ignoring audio) and provides the following insights: labels (OCR), matched person (preview), named entities (OCR - brands, locations, people), OCR, observed people (preview), people, scenes (keyframes and shots), and topics (OCR).

+### Audio and Video

+- **Standard**: Indexes and extract insights by using audio and video and provides the following insights: transcription, translation, formatting of output captions and subtitles, audio effects (preview), emotions, keywords, named entities (brands, locations, people), OCR, people, sentiments, speakers, and topics.

+- **Advanced**: Indexes and extract insights by using audio and video and provides the following insights: transcription, translation, formatting of output captions and subtitles, audio effects (preview), emotions, keywords, matched person (preview), named entities (brands, locations, people), OCR, observed people (preview), people, sentiments, speakers, and topics.

+### Streaming quality options

+When indexing a video, you can decide if encoding of the file should occur which will enable streaming. The sequence is as follows:

+Upload > Encode (optional) > Index & Analysis > Publish for streaming (optional)

+Encoding and streaming operations are performed by and billed by Azure Media Services. There are two additional operations associated with the creation of a streaming video:

+- The creation of a Streaming Endpoint.

+- Egress traffic ΓÇô the volume depends on the number of video playbacks, video playback length, and the video quality (bitrate).

+

+There are several aspects that influence the total costs of the encoding job. The first is if the encoding is with single or adaptive streaming. This will create either a single output or multiple encoding quality outputs. Each output is billed separately and depends on the source quality of the video you uploaded to Azure Video Indexer.

+For Media Services encoding pricing details, see [pricing](https://azure.microsoft.com/pricing/details/media-services/#pricing).

+When indexing a video, default streaming settings are applied. Below are the streaming type options that can be modified if you, select **Advanced** settings and go to **Streaming quality**.

+|Single bitrate|Adaptive bitrate| No streaming |

+||||

+- **Single bitrate**: With Single Bitrate, the standard Media Services encoder cost will apply for the output. If the video height is greater than or equal to 720p HD, Azure Video Indexer encodes it with a resolution of 1280 x 720. Otherwise, it's encoded as 640 x 468. The default setting is content-aware encoding.

+- **Adaptive bitrate**: With Adaptive Bitrate, if you upload a video in 720p HD single bitrate to Azure Video Indexer and select Adaptive Bitrate, the encoder will use the [AdaptiveStreaming](/rest/api/media/transforms/create-or-update?tabs=HTTP#encodernamedpreset) preset. An output of 720p HD (no output exceeding 720p HD is created) and several lower quality outputs are created (for playback on smaller screens/low bandwidth environments). Each output will use the Media Encoder Standard base price and apply a multiplier for each output. The multiplier is 2x for HD, 1x for non-HD, and 0.25 for audio and billing is per minute of the input video.

+ **Example**: If you index a video in the US East region that is 40 minutes in length and is 720p HP and have selected the streaming option of Adaptive Bitrate, 3 outputs will be created - 1 HD (multiplied by 2), 1 SD (multiplied by 1) and 1 audio track (multiplied by 0.25). This will total to (2+1+0.25) * 40 = 130 billable output minutes.

+ Output minutes (standard encoder): 130 x $0.015/minute = $1.95.

+- **No streaming**: Insights are generated but no streaming operation is performed and the video isn't available on the Azure Video Indexer website. When No streaming is selected, you aren't billed for encoding.

+### Customizing content models - People/Animated characters and Brand categories

+Azure Video Indexer allows you to customize some of its models to be adapted to your specific use case. These models include animated characters, brands, language, and person. If you have customized models, this section enables you to configure if one of the created models should be used for the indexing.

+## Next steps

+Learn more about [language support and supported languages](language-support.md).

+| **Language** | **Code** | **Transcription** | **LID** | **MLID** | **Translation** | **Customization** (language model) |

+|::|:--:|:--:|:--:|:--:|:-:|::|

+| Chinese (Simplified) | `zh-Hans` | Γ£ö | Γ£ö\*<br/>[Change default languages supported by LID and MLID](#change-default-languages-supported-by-lid-and-mlid)| | Γ£ö | Γ£ö |

+| English United States | `en-US` | Γ£ö | Γ£ö\*<br/>[Change default languages supported by LID and MLID](#change-default-languages-supported-by-lid-and-mlid) | Γ£ö\* <br/>[Change default languages supported by LID and MLID](#change-default-languages-supported-by-lid-and-mlid)| Γ£ö | Γ£ö |

+| French | `fr-FR` | Γ£ö | Γ£ö\* <br/>[Change default languages supported by LID and MLID](#change-default-languages-supported-by-lid-and-mlid)| Γ£ö\* <br/>[Change default languages supported by LID and MLID](#change-default-languages-supported-by-lid-and-mlid)| Γ£ö | Γ£ö |

+| German | `de-DE` | Γ£ö | Γ£ö \* <br/>[Change default languages supported by LID and MLID](#change-default-languages-supported-by-lid-and-mlid)| Γ£ö \* <br/>[Change default languages supported by LID and MLID](#change-default-languages-supported-by-lid-and-mlid)| Γ£ö | Γ£ö |

+| Italian | `it-IT` | Γ£ö | Γ£ö\* <br/>[Change default languages supported by LID and MLID](#change-default-languages-supported-by-lid-and-mlid) | Γ£ö | Γ£ö | Γ£ö |

+| Japanese | `ja-JP` | Γ£ö | Γ£ö\* <br/>[Change default languages supported by LID and MLID](#change-default-languages-supported-by-lid-and-mlid) | Γ£ö | Γ£ö | Γ£ö |

+| Portuguese | `pt-BR` | Γ£ö | Γ£ö\* <br/>[Change default languages supported by LID and MLID](#change-default-languages-supported-by-lid-and-mlid) | Γ£ö | Γ£ö | Γ£ö |

+| Russian | `ru-RU` | Γ£ö | Γ£ö\* <br/>[Change default languages supported by LID and MLID](#change-default-languages-supported-by-lid-and-mlid) | Γ£ö | Γ£ö | Γ£ö |

+| Slovenian as default languages, w | `sl-SI` | | | | Γ£ö |

+| Spanish | `es-ES` | Γ£ö | Γ£ö\* <br/>[Change default languages supported by LID and MLID](#change-default-languages-supported-by-lid-and-mlid)| Γ£ö\* <br/>[Change default languages supported by LID and MLID](#change-default-languages-supported-by-lid-and-mlid)| Γ£ö | Γ£ö |

+### Change default languages supported by LID and MLID

+Languages marked with * (in the table above) are used as default when auto-detecting languages by LID or/and MLID. You can specify to use other supported languages (listed in the table above) as default languages, when [uploading a video](https://api-portal.videoindexer.ai/api-details#api=Operations&operation=Upload-Video) with an API and passing the `customLanguages` parameter. The `customLanguages` parameter allows up to 10 languages to be identified by LID or MLID.

+> To change the default languages that you want for LID or MLID to use when auto-detecting, call [upload a video](https://api-portal.videoindexer.ai/api-details#api=Operations&operation=Upload-Video) and set the `customLanguages` parameter.

+An annotation is any type of additional information that is added to an already existing text, be it a transcription of an audio file or an original text file.

+[JetStream DR](https://www.jetstreamsoft.com/product-portfolio/jetstream-dr/) is a cloud-native disaster recovery solution designed to minimize downtime of virtual machines (VMs) if there is a disaster. Instances of JetStream DR are deployed at both the protected and recovery sites.

+| **JetStream Management Server Virtual Appliance (MSA)** | MSA enables both Day 0 and Day 2 configuration, such as primary sites, protection domains, and recovering VMs. The MSA is deployed from an OVA on a vSphere node by the cloud admin. The MSA collects and maintains statistics relevant to VM protection and implements a vCenter plugin that allows you to manage JetStream DR natively with the vSphere Client. The MSA doesn't handle replication data of protected VMs. |

+| **JetStream DR Virtual Appliance (DRVA)** | Linux-based Virtual Machine appliance receives protected VMs replication data from the source ESXi host. It maintains the replication log and manages the transfer of the VMs and their data to the object store such as Azure Blob Storage. Depending on the number of protected VMs and the amount of VM data to replicate, the private cloud admin can create one or more DRVA instances. |

+| **JetStream ESXi host components (IO Filter packages)** | JetStream software installed on each ESXi host configured for JetStream DR. The host driver intercepts the vSphere VMs IO and sends the replication data to the DRVA. The IO filters also monitor relevant events, such as vMotion, Storage vMotion, snapshots, etc. |

+| **JetStream Protected Domain** | Logical group of VMs that will be protected together using the same policies and runbook. The data for all VMs in a protection domain is stored in the same Azure Blob container instance. A single DRVA instance handles replication to remote DR storage for all VMs in a Protected Domain. |

+| **Azure Blob Storage containers** | The protected VMs replicated data is stored in Azure Blobs. JetStream software creates one Azure Blob container instance for each JetStream Protected Domain. |

+ - Create Protected Domains (groups of related VMs) and assign DRVAs and the Azure Blob Storage/ANF.

+Disks with Write Accelerator enabled | Azure VM with WA disk backup is available in all Azure public regions starting from May 18, 2022. If WA disk backup is not required as part of VM backup, you can choose to remove with [**Selective disk** feature](selective-disk-backup-restore.md). <br><br>**Important** <br> Virtual machines with WA disks need internet connectivity for a successful backup (even though those disks are excluded from the backup).

+## Fetch mapping details

+To fetch the geo-code mapping list, run the following command:

+```azurecli-interactive

+ az cli list-locations

+```

+- **Pool allocation mode:** When creating a Batch account, you can choose between two pool allocation modes: **Batch service** or **user subscription**. For most cases, you should use the default Batch service mode, in which pools are allocated behind the scenes in Batch-managed subscriptions. In the alternative user subscription mode, Batch VMs and other resources are created directly in your subscription when a pool is created. User subscription accounts are primarily used to enable a small but important subset of scenarios. For more information, see [configuration for user subscription mode](batch-account-create-portal.md#additional-configuration-for-user-subscription-mode).

+- **'virtualMachineConfiguration' or 'cloudServiceConfiguration':** While you can currently create pools using either configuration, new pools should be configured using 'virtualMachineConfiguration' and not 'cloudServiceConfiguration'. All current and new Batch features will be supported by Virtual Machine Configuration pools. Cloud Services Configuration pools don't support all features and no new capabilities are planned. You won't be able to create new 'cloudServiceConfiguration' pools or add new nodes to existing pools [after February 29, 2024](https://azure.microsoft.com/updates/azure-batch-cloudserviceconfiguration-pools-will-be-retired-on-29-february-2024/). For more information, see [Migrate Batch pool configuration from Cloud Services to Virtual Machine](batch-pool-cloud-service-to-virtual-machine-configuration.md).

+- **Job and task run time considerations:** If you have jobs comprised primarily of short-running tasks, and the expected total task counts are small, so that the overall expected run time of the job isn't long, don't allocate a new pool for each job. The allocation time of the nodes will diminish the run time of the job.

+- **Multiple compute nodes:** Individual nodes aren't guaranteed to always be available. While uncommon, hardware failures, operating system updates, and a host of other issues can cause individual nodes to be offline. If your Batch workload requires deterministic, guaranteed progress, you should allocate pools with multiple nodes.

+- **Images with impending end-of-life (EOL) dates:** We strongly recommended avoiding images with impending Batch support end of life (EOL) dates. These dates can be discovered via the [`ListSupportedImages` API](/rest/api/batchservice/account/listsupportedimages), [PowerShell](/powershell/module/az.batch/get-azbatchsupportedimage), or [Azure CLI](/cli/azure/batch/pool/supported-images). It's your responsibility to periodically refresh your view of the EOL dates pertinent to your pools and migrate your workloads before the EOL date occurs. If you're using a custom image with a specified node agent, ensure that you follow Batch support end-of-life dates for the image for which your custom image is derived or aligned with.

+- **Unique resource names:** Batch resources (jobs, pools, etc.) often come and go over time. For example, you may create a pool on Monday, delete it on Tuesday, and then create another similar pool on Thursday. Each new resource you create should be given a unique name that you haven't used before. You can create uniqueness by using a GUID (either as the entire resource name, or as a part of it) or by embedding the date and time that the resource was created in the resource name. Batch supports [DisplayName](/dotnet/api/microsoft.azure.batch.jobspecification.displayname), which can give a resource a more readable name even if the actual resource ID is something that isn't human-friendly. Using unique names makes it easier for you to differentiate which particular resource did something in logs and metrics. It also removes ambiguity if you ever have to file a support case for a resource.

+- **Continuity during pool maintenance and failure:** It's best to have your jobs use pools dynamically. If your jobs use the same pool for everything, there's a chance that jobs won't run if something goes wrong with the pool. This principle is especially important for time-sensitive workloads. For example, select or create a pool dynamically when you schedule each job, or have a way to override the pool name so that you can bypass an unhealthy pool.

+- **Business continuity during pool maintenance and failure:** There are many reasons why a pool may not grow to the size you desire, such as internal errors or capacity constraints. Make sure you can retarget jobs at a different pool (possibly with a different VM size using [UpdateJob](/dotnet/api/microsoft.azure.batch.protocol.joboperationsextensions.update)) if necessary. Avoid relying on a static pool ID with the expectation that it will never be deleted and never change.

+For the purposes of isolation, if your scenario requires isolating jobs or tasks from each other, do so by having them in separate pools. A pool is the security isolation boundary in Batch, and by default, two pools aren't visible or able to communicate with each other. Avoid using separate Batch accounts as a means of security isolation unless the larger environment from which the Batch account operates in requires isolation.

+Batch node agents aren't automatically upgraded for pools that have non-zero compute nodes. To ensure your Batch pools receive the latest security fixes and updates to the Batch node agent, you need to either resize the pool to zero compute nodes or recreate the pool. It's recommended to monitor the [Batch Node Agent release notes](https://github.com/Azure/Batch/blob/master/changelogs/nodeagent/CHANGELOG.md) to understand changes to new Batch node agent versions. Checking regularly for updates when they were released enables you to plan upgrades to the latest agent version.

+Before you recreate or resize your pool, you should download any node agent logs for debugging purposes if you're experiencing issues with your Batch pool or compute nodes. This is further discussed in the [Nodes](#nodes) section.

+- **Pool efficiency and billing:** Batch itself incurs no extra charges. However, you do incur charges for Azure resources utilized, such as compute, storage, networking and any other resources that may be required for your Batch workload. You're billed for every compute node in the pool, regardless of the state it's in. For more information, see [Cost analysis and budgets for Azure Batch](budget.md).

+Pool allocation failures can happen at any point during first allocation or subsequent resizes. These failures can be due to temporary capacity exhaustion in a region or failures in other Azure services that Batch relies on. Your core quota isn't a guarantee but rather a limit.

+It's possible for Batch pools to experience downtime events in Azure. Understanding that problems can arise and you should develop your workflow to be resilient to re-executions. If nodes fail, Batch automatically attempts to recover these compute nodes on your behalf. This recovery may trigger rescheduling any running task on the node that is restored or on a different, available node. To learn more about interrupted tasks, see [Designing for retries](#design-for-retries-and-re-execution).

+When you create an Azure Batch pool using the Virtual Machine Configuration, you specify a VM image that provides the operating system for each compute node in the pool. You can create the pool with a supported Azure Marketplace image, or you can [create a custom image with an Azure Compute Gallery image](batch-sig-images.md). While you can also use a [managed image](batch-custom-images.md) to create a custom image pool, we recommend creating custom images using the Azure Compute Gallery whenever possible. Using the Azure Compute Gallery helps you provision pools faster, scale larger quantities of VMs, and improves reliability when provisioning VMs.

+Using a job to run a single task is inefficient. For example, it's more efficient to use a single job containing 1000 tasks rather than creating 100 jobs that contain 10 tasks each. If you used 1000 jobs, each with a single task that would be the least efficient, slowest, and most expensive approach to take.

+Avoid designing a Batch solution that requires thousands of simultaneously active jobs. There's no quota for tasks, so executing many tasks under as few jobs as possible efficiently uses your [job and job schedule quotas](batch-quota-limit.md#resource-quotas).

+A job doesn't automatically move to completed state unless explicitly terminated. This action can be automatically triggered through the [onAllTasksComplete](/dotnet/api/microsoft.azure.batch.common.onalltaskscomplete) property or [maxWallClockTime](/rest/api/batchservice/job/add#jobconstraints).

+There's a default [active job and job schedule quota](batch-quota-limit.md#resource-quotas). Jobs and job schedules in completed state don't count towards this quota.

+Compute nodes are by their nature ephemeral. Batch features such as [autopool](nodes-and-pools.md#autopools) and [autoscale](nodes-and-pools.md#automatic-scaling-policy) can make it easy for nodes to disappear. When nodes leave a pool (due to a resize or a pool delete), all the files on those nodes are also deleted. Because of this behavior, a task should move its output off of the node it's running on, and to a durable store before it completes. Similarly, if a task fails, it should move logs required to diagnose the failure to a durable store.

+Batch has integrated support Azure Storage to upload data via [OutputFiles](batch-task-output-files.md), and with various shared file systems, or you can perform the upload yourself in your tasks.

+Delete tasks when they're no longer needed, or set a [retentionTime](/dotnet/api/microsoft.azure.batch.taskconstraints.retentiontime) task constraint. If a `retentionTime` is set, Batch automatically cleans up the disk space used by the task when the `retentionTime` expires.

+Deleting tasks accomplishes two things:

+- Ensures that you don't have a build-up of tasks in the job. This action will help avoid difficulty in finding the task you're interested in as you'll have to filter through the Completed tasks.

+- Cleans up the corresponding task data on the node (provided `retentionTime` hasn't already been hit). This action helps ensure that your nodes don't fill up with task data and run out of disk space.

+Batch supports oversubscribing tasks on nodes (running more tasks than a node has cores). It's up to you to ensure that your tasks are right-sized for the nodes in your pool. For example, you may have a degraded experience if you attempt to schedule eight tasks that each consume 25% CPU usage onto one node (in a pool with `taskSlotsPerNode = 8`).