-Create a sign-in risk-based Conditional Access policy with MS Graph APIs. For more information, see [Conditional Access APIs](../active-directory/conditional-access/howto-conditional-access-apis.md#graph-api).

-To create a user risk-based Conditional Access policy with Conditional Access APIs, refer to the documentation for [Conditional Access APIs](../active-directory/conditional-access/howto-conditional-access-apis.md#graph-api).

-To create a location-based Conditional Access policy with Conditional Access APIs, refer to the documentation for [Conditional Access APIs](../active-directory/conditional-access/howto-conditional-access-apis.md#graph-api). To set up Named Locations, refer to the documentations for [Named Locations](/graph/api/resources/namedlocation).

-|[Policy keys](policy-keys-overview.md)|Add and manage encryption keys for signing and validating tokens, client secrets, certificates, and passwords used in custom policies.|[B2C IEF Keyset Administrator](../active-directory/roles/permissions-reference.md#b2c-ief-keyset-administrator)|

-1. Browse to **Conditional Access** and you'll find a new policy named **CA policy created from CAE settings** with your settings configured. Administrators can choose to customize this policy or create their own to replace it.

-### IP address variation

-Your identity provider and resource providers may see different IP addresses. This mismatch may happen because of:

-

-Examples:

-To avoid infinite loops because of these scenarios, Azure AD issues a one hour CAE token and won't enforce client location change. In this case, security is improved compared to traditional one hour tokens since we're still evaluating the [other events](#critical-event-evaluation) besides client location change events.

-### Graph API

-This example shows the basic Create, Read, Update, and Delete (CRUD) options available in the Conditional Access Graph APIs. The example also includes some JSON templates you can use to create some sample policies.

-These samples are available in our [GitHub repository](https://github.com/Azure-Samples/azure-ad-conditional-access-apis). We are happy to support community contributions thorough GitHub Issues and Pull Requests.

-WWW-Authenticate=Bearer

- authorization_uri="https://login.windows.net/common/oauth2/authorize",

-Azure Active Directory (Azure AD) supports customizing the claims that are issued in the SAML token for B2B collaboration users. When a user authenticates to the application, Azure AD issues a SAML token to the app that contains information (or claims) about the user that uniquely identifies them. By default, this includes the user's user name, email address, first name, and last name.

-

-2. The application requires the NameIdentifier claim to be something other than the user principal name (UPN) that's stored in Azure AD.

-Azure Active Directory (Azure AD) provides several ways to manage access to resources, applications, and tasks. With Azure AD groups, you can grant access and permissions to a group of users instead of for each individual user. Limiting access to Azure AD resources to only those users who need access is one of the core security principals of [Zero Trust](/security/zero-trust/zero-trust-overview). This article provides an overview of how groups and access rights can be used together to make managing your Azure AD users easier while also applying security best practices.

-| **Register applications** | Setting this option to **No** prevents users from creating application registrations. You can the grant the ability back to specific individuals, by adding them to the application developer role. |

-| skip-nodes-with-local-storage | If true cluster autoscaler will never delete nodes with pods with local storage, for example, EmptyDir or HostPath | true |

-Use **Node** workbooks in Container Insights to analyze disk capacity and IO in addition to GPU usage. See [Node workbooks](../azure-monitor/containers/container-insights-reports.md#node-workbooks) for a description of these workbooks.

-[!code-json[Main](~/samples-durable-functions/samples/javascript/E2_BackupSiteContent/function.json)]

-[!code-javascript[Main](~/samples-durable-functions/samples/javascript/E2_BackupSiteContent/index.js)]

-[!code-json[Main](~/samples-durable-functions/samples/javascript/E2_GetFileList/function.json)]

-[!code-javascript[Main](~/samples-durable-functions/samples/javascript/E2_GetFileList/index.js)]

-[!code-json[Main](~/samples-durable-functions/samples/javascript/E2_CopyFileToBlob/function.json)]

-[!code-javascript[Main](~/samples-durable-functions/samples/javascript/E2_CopyFileToBlob/index.js)]

-[!code-javascript[Main](~/samples-durable-functions/samples/javascript/HttpStart/index.js)]

-[!code-json[Main](~/samples-durable-functions/samples/javascript/HttpStart/function.json)]

-[!code-javascript[Main](~/samples-durable-functions/samples/javascript/HttpSyncStart/index.js)]

-[!code-json[Main](~/samples-durable-functions/samples/javascript/E3_Monitor/function.json)]

-[!code-javascript[Main](~/samples-durable-functions/samples/javascript/E3_Monitor/index.js)]

-[!code-json[Main](~/samples-durable-functions/samples/javascript/E3_GetIsClear/function.json)]

-[!code-javascript[Main](~/samples-durable-functions/samples/javascript/E3_GetIsClear/index.js)]

-[!code-json[Main](~/samples-durable-functions/samples/javascript/E3_SendGoodWeatherAlert/function.json)]

-[!code-javascript[Main](~/samples-durable-functions/samples/javascript/E3_SendGoodWeatherAlert/index.js)]

-[!code-json[Main](~/samples-durable-functions/samples/javascript/E4_SmsPhoneVerification/function.json)]

-[!code-javascript[Main](~/samples-durable-functions/samples/javascript/E4_SmsPhoneVerification/index.js)]

-[!code-json[Main](~/samples-durable-functions/samples/javascript/E4_SendSmsChallenge/function.json)]

-[!code-javascript[Main](~/samples-durable-functions/samples/javascript/E4_SendSmsChallenge/index.js)]

-[!code-json[Main](~/samples-durable-functions/samples/javascript/E1_HelloSequence/function.json)]

-[!code-javascript[Main](~/samples-durable-functions/samples/javascript/E1_HelloSequence/index.js)]

-[!code-json[Main](~/samples-durable-functions/samples/javascript/E1_SayHello/function.json)]

-[!code-javascript[Main](~/samples-durable-functions/samples/javascript/E1_SayHello/index.js)]

-[!code-json[Main](~/samples-durable-functions/samples/javascript/HttpStart/function.json?highlight=16-20)]

-[!code-javascript[Main](~/samples-durable-functions/samples/javascript/HttpStart/index.js)]

- > Custom tables have a suffix of *_CL*; for example, *tablename_CL*. The *tablename_CL* in the DataFlows Streams must match the *tablename_CL* name in the Log Analytics workspace.

-description: This article describes what deployment & HPA (Horizontal pod autoscaler) metrics are collected with Container insights.

-# Deployment & HPA metrics with Container insights

-Starting with agent version *ciprod08072020*, Container insights-integrated agent now collects metrics for Deployments & HPAs.

-Container insights automatically starts monitoring Deployments, by collecting the following metrics at 60 sec intervals and storing them in the **InsightMetrics** table:

-|kube_deployment_status_replicas_ready |container.azm.ms/clusterId, container.azm.ms/clusterName, creationTime, deployment, deploymentStrategy, k8sNamespace, spec_replicas, status_replicas_available, status_replicas_updated (status.updatedReplicas) | Total number of ready pods targeted by this deployment (status.readyReplicas). Below are dimensions of this metric. <ul> <li> deployment - name of the deployment </li> <li> k8sNamespace - Kubernetes namespace for the deployment </li> <li> deploymentStrategy - Deployment strategy to use to replace pods with new ones (spec.strategy.type)</li><li> creationTime - deployment creation timestamp </li> <li> spec_replicas - Number of desired pods (spec.replicas) </li> <li>status_replicas_available - Total number of available pods (ready for at least minReadySeconds) targeted by this deployment (status.availableReplicas)</li><li>status_replicas_updated - Total number of non-terminated pods targeted by this deployment that have the desired template spec (status.updatedReplicas) </li></ul>|

-Container insights automatically starts monitoring HPAs, by collecting the following metrics at 60 sec intervals and storing them in the **InsightMetrics** table:

-|kube_hpa_status_current_replicas |container.azm.ms/clusterId, container.azm.ms/clusterName, creationTime, hpa, k8sNamespace, lastScaleTime, spec_max_replicas, spec_min_replicas, status_desired_replicas, targetKind, targetName | Current number of replicas of pods managed by this autoscaler (status.currentReplicas). Below are dimensions of this metric. <ul> <li> hpa - name of the HPA </li> <li> k8sNamespace - Kubernetes namespace for the HPA </li> <li> lastScaleTime - Last time the HPA scaled the number of pods (status.lastScaleTime)</li><li> creationTime - HPA creation timestamp </li> <li> spec_max_replicas - Upper limit for the number of pods that can be set by the autoscaler (spec.maxReplicas) </li> <li> spec_min_replicas - Lower limit for the number of replicas to which the autoscaler can scale down (spec.minReplicas) </li><li>status_desired_replicas - Desired number of replicas of pods managed by this autoscaler (status.desiredReplicas)</li><li>targetKind - Kind of the HPA's target(spec.scaleTargetRef.kind) </li><li>targetName - Name of the HPA's target (spec.scaleTargetRef.name) </li></ul>|

-## Deployment & HPA charts

-Container insights includes pre-configured charts for the metrics listed earlier in the table as a workbook for every cluster. You can find the deployments & HPA workbook **Deployments & HPA** directly from an AKS cluster by selecting **Workbooks** from the left-hand pane, and from the **View Workbooks** drop-down list in the Insight.

-description: This article describes how you can configure Container insights to monitor Kubernetes clusters hosted on Azure Stack or other environment.

-Container insights provides rich monitoring experience for the Azure Kubernetes Service (AKS) and [AKS Engine on Azure](https://github.com/Azure/aks-engine), which is a self-managed Kubernetes cluster hosted on Azure. This article describes how to enable monitoring of Kubernetes clusters hosted outside of Azure and achieve a similar monitoring experience.

-The following configurations are officially supported with Container insights. If you have a different version of Kubernetes and operating system versions, please send a mail to askcoin@microsoft.com.

- - Kubernetes on-premises

- - AKS Engine on Azure and Azure Stack. For more information, see [AKS Engine on Azure Stack](/azure-stack/user/azure-stack-kubernetes-aks-engine-overview)

- - [OpenShift](https://docs.openshift.com/container-platform/4.3/welcome/https://docsupdatetracker.net/index.html) version 4 and higher, on-premises or other cloud environments.

-Before you start, make sure that you have the following:

- >Enable monitoring of multiple clusters with the same cluster name to same Log Analytics workspace is not supported. Cluster names must be unique.

- |Agent Resource|Ports |

->The minimum agent version supported for monitoring hybrid Kubernetes clusters is ciprod10182019 or later.

-Enabling Container insights for the hybrid Kubernetes cluster consists of performing the following steps in order.

-1. Configure your Log Analytics workspace with Container Insights solution.

-2. Enable the Container insights HELM chart with Log Analytics workspace.

-For additional information on Monitoring solutions in Azure Monitor refer [here](../../azure-monitor/insights/solutions.md).

-### How to add the Azure Monitor Containers solution

-You can deploy the solution with the provided Azure Resource Manager template by using the Azure PowerShell cmdlet `New-AzResourceGroupDeployment` or with Azure CLI.

-If you are unfamiliar with the concept of deploying resources by using a template, see:

-This method includes two JSON templates. One template specifies the configuration to enable monitoring, and the other contains parameter values that you configure to specify the following:

-To first identify the full resource ID of your Log Analytics workspace required for the `workspaceResourceId` parameter value in the **containerSolutionParams.json** file, perform the following steps and then run the PowerShell cmdlet or Azure CLI command to add the solution.

-1. List all the subscriptions that you have access to using the following command:

- The output will resemble the following:

-2. Switch to the subscription hosting the Log Analytics workspace using the following command:

-3. The following example displays the list of workspaces in your subscriptions in the default JSON format.

- In the output, find the workspace name, and then copy the full resource ID of that Log Analytics workspace under the field **ID**.

-4. Copy and paste the following JSON syntax into your file:

-5. Save this file as containerSolution.json to a local folder.

-6. Paste the following JSON syntax into your file:

-7. Edit the values for **workspaceResourceId** using the value you copied in step 3, and for **workspaceRegion** copy the **Region** value after running the Azure CLI command [az monitor log-analytics workspace show](/cli/azure/monitor/log-analytics/workspace#az-monitor-log-analytics-workspace-list&preserve-view=true).

-8. Save this file as containerSolutionParams.json to a local folder.

-9. You are ready to deploy this template.

- The configuration change can take a few minutes to complete. When it's completed, a message is displayed that's similar to the following and includes the result:

- - To deploy with Azure CLI, run the following commands:

- The configuration change can take a few minutes to complete. When it's completed, a message is displayed that's similar to the following and includes the result:

-## Install the HELM chart

-In this section you install the containerized agent for Container insights. Before proceeding, you need to identify the workspace ID required for the `amalogsagent.secret.wsid` parameter, and primary key required for the `amalogsagent.secret.key` parameter. You can identify this information by performing the following steps, and then run the commands to install the agent using the HELM chart.

- In the output, find the workspace name under the field **name**, and then copy the workspace ID of that Log Analytics workspace under the field **customerID**.

-2. Run the following command to identify the primary key for the workspace:

- In the output, find the primary key under the field **primarySharedKey**, and then copy the value.

->[!NOTE]

->The following commands are applicable only for Helm version 2. Use of the `--name` parameter is not applicable with Helm version 3.

->[!NOTE]

->If your Kubernetes cluster communicates through a proxy server, configure the parameter `amalogsagent.proxy` with the URL of the proxy server. If the cluster does not communicate through a proxy server, then you don't need to specify this parameter. For more information, see [Configure proxy endpoint](#configure-proxy-endpoint) later in this article.

-3. Add the Azure charts repository to your local list by running the following command:

-4. Install the chart by running the following command:

-### Enable the Helm chart using the API Model

-You can specify an addon in the AKS Engine cluster specification json file, also referred to as the API Model. In this addon, provide the base64 encoded version of `WorkspaceGUID` and `WorkspaceKey` of the Log Analytics workspace where the collected monitoring data is stored. You can find the `WorkspaceGUID` and `WorkspaceKey` using steps 1 and 2 in the previous section.

-Supported API definitions for the Azure Stack Hub cluster can be found in this example - [kubernetes-container-monitoring_existing_workspace_id_and_key.json](https://github.com/Azure/aks-engine/blob/master/examples/addons/container-monitoring/kubernetes-container-monitoring_existing_workspace_id_and_key.json). Specifically, find the **addons** property in **kubernetesConfig**:

-Starting with chart version 1.0.0, the agent data collection settings are controlled from the ConfigMap. Refer to documentation about agent data collection settings [here](container-insights-agent-config.md).

-After you have successfully deployed the chart, you can review the data for your hybrid Kubernetes cluster in Container insights from the Azure portal.

->Ingestion latency is around five to ten minutes from agent to commit in the Azure Log Analytics workspace. Status of the cluster show the value **No data** or **Unknown** until all the required monitoring data is available in Azure Monitor.

-## Configure proxy endpoint

-Starting with chart version 2.7.1, chart will support specifying the proxy endpoint with the `amalogsagent.proxy` chart parameter. This allows it to communicate through your proxy server. Communication between the Container insights agent and Azure Monitor can be an HTTP or HTTPS proxy server, and both anonymous and basic authentication (username/password) are supported.

-The proxy configuration value has the following syntax: `[protocol://][user:password@]proxyhost[:port]`

->If your proxy server does not require authentication, you still need to specify a psuedo username/password. This can be any username or password.

-|Protocol | http or https |

-For example: `amalogsagent.proxy=http://user01:password@proxy01.contoso.com:8080`

-If you specify the protocol as **http**, the HTTP requests are created using SSL/TLS secure connection. Your proxy server must support SSL/TLS protocols.

-If you encounter an error while attempting to enable monitoring for your hybrid Kubernetes cluster, copy the PowerShell script [TroubleshootError_nonAzureK8s.ps1](https://aka.ms/troubleshoot-non-azure-k8s) and save it to a folder on your computer. This script is provided to help detect and fix the issues encountered. The issues it is designed to detect and attempt correction of are the following:

-With monitoring enabled to collect health and resource utilization of your hybrid Kubernetes cluster and workloads running on them, learn [how to use](container-insights-analyze.md) Container insights.

-# How to view metrics in real-time

-Container insights Live Data (preview) feature allows you to visualize metrics about node and pod state in a cluster in real-time. It emulates direct access to the `kubectl top nodes`, `kubectl get pods ΓÇôall-namespaces`, and `kubectl get nodes` commands to call, parse, and visualize the data in performance charts that are included with this Insight.

->AKS clusters enabled as [private clusters](https://azure.microsoft.com/updates/aks-private-cluster/) are not supported with this feature. This feature relies on directly accessing the Kubernetes API through a proxy server from your browser. Enabling networking security to block the Kubernetes API from this proxy will block this traffic.

-For help with setting up or troubleshooting the Live Data (preview) feature, review our [setup guide](container-insights-livedata-setup.md).

-## How it Works

-The Live Data (preview) feature directly access the Kubernetes API, and additional information about the authentication model can be found [here](https://kubernetes.io/docs/concepts/overview/kubernetes-api/).

-This feature performs a polling operation against the metrics endpoints (including `/api/v1/nodes`, `/apis/metrics.k8s.io/v1beta1/nodes`, and `/api/v1/pods`), which is every five seconds by default. This data is cached in your browser and charted in the four performance charts included in Container insights on the **Cluster** tab by selecting **Go Live (preview)**. Each subsequent poll is charted into a rolling five-minute visualization window.

-

-The polling interval is configured from the **Set interval** drop-down allowing you to set polling for new data every 1, 5, 15 and 30 seconds.

-

->We recommend setting the polling interval to one second while troubleshooting an issue for a short period of time. These requests may impact the availability and throttling of the Kubernetes API on your cluster. Afterwards, reconfigure to a longer polling interval.

->[!IMPORTANT]

->No data is stored permanently during operation of this feature. All information captured during this session is immediately deleted when you close your browser or navigate away from the feature. Data only remains present for visualization inside the five minute window; any metrics older than five minutes are also permanently deleted.

-These charts cannot be pinned to the last Azure dashboard you viewed in live mode.

-### Node CPU utilization % / Node Memory utilization %

-

-

-

-The percentile calculations will function in larger clusters to help identify outlier nodes in your cluster. For example, to understand if nodes are under-utilized for scale down purposes. Utilizing the **Min** aggregation you can see which nodes have low utilization in the cluster. To further investigate, you select the **Nodes** tab and sort the grid by CPU or memory utilization.

-This also helps you understand which nodes are being pushed to their limits and if scale-out may be required. Utilizing both the **Max** and **P95** aggregations can help you see if there are nodes in the cluster with high resource utilization. For further investigation, you would again switch to the **Nodes** tab.

-

-

-Nodes are reported either in a **Ready** or **Not Ready** state. They are counted (and a total count is created), and the results of these two aggregations are charted.

-For example, to understand if your nodes are falling into failed states. Utilizing the **Not Ready** aggregation you can quickly see the number of nodes in your cluster currently in the **Not Ready** state.

-

-

->Names of status as interpreted by `kubectl` may not exactly match in the chart.

-View [log query examples](container-insights-log-query.md) to see predefined queries and examples to create alerts, visualizations, or perform further analysis of your clusters.

-Starting with agent version *ciprod10052020*, Container insights integrated agent now supports monitoring PV (persistent volume) usage. With agent version *ciprod01112021*, the agent supports monitoring PV inventory, including information about the status, storage class, type, access modes, and other details.

-| Metric name | Metric Dimension (tags) | Metric Description |

-| `pvUsedBytes`| `podUID`, `podName`, `pvcName`, `pvcNamespace`, `capacityBytes`, `clusterId`, `clusterName`| Used space in bytes for a specific persistent volume with a claim used by a specific pod. `capacityBytes` is folded in as a dimension in the Tags field to reduce data ingestion cost and to simplify queries.|

-Learn more about configuring collected PV metrics [here](./container-insights-agent-config.md).

-|Data |Data Source| Data Type| Fields|

-## Monitor Persistent Volumes

-Container insights includes pre-configured charts for this usage metric and inventory information in workbook templates for every cluster. You can also enable a recommended alert for PV usage, and query these metrics in Log Analytics.

-### Workload Details Workbook

-You can find usage charts for specific workloads in the Persistent Volume tab of the **Workload Details** workbook directly from an AKS cluster by selecting Workbooks from the left-hand pane, from the **View Workbooks** drop-down list in the Insights pane, or from the **Reports (preview) tab** in the Insights pane.

-### Persistent Volume Details Workbook

-You can find an overview of persistent volume inventory in the **Persistent Volume Details** workbook directly from an AKS cluster by selecting Workbooks from the left-hand pane. You can also open this workbook from the **View Workbooks** drop-down list in the Insights pane or from the **Reports** tab in the Insights pane.

-### Persistent Volume Usage Recommended Alert

-You can enable a recommended alert to alert you when average PV usage for a pod is above 80%. Learn more about alerting [here](./container-insights-metric-alerts.md) and how to override the default threshold [here](./container-insights-metric-alerts.md#configure-alertable-metrics-in-configmaps).

-description: Describes reports available to analyze data collected by Container insights.

-Reports in Container insights are recommended out-of-the-box [Azure workbooks](../visualize/workbooks-overview.md). This article describes the different reports that are available and how to access them.

-## Viewing reports

-From the **Azure Monitor** menu in the Azure portal, select **Containers**. Select **Insights** in the **Monitoring** section, choose a particular cluster, and then select the **Reports** page.

-[](media/container-insights-reports/reports-page.png#lightbox)

-To create a custom workbook based on any of these workbooks, select the **View Workbooks** dropdown and then **Go to AKS Gallery** at the bottom of the dropdown. See [Azure Monitor Workbooks](../visualize/workbooks-overview.md) for more information about workbooks and using workbook templates.

-[](media/container-insights-reports/aks-gallery.png#lightbox)

-## Node workbooks

- - Disk I/O summarized across all disks by read bytes/sec, writes bytes/sec, and read and write bytes/sec trends.

-> As per the Kubernetes [upstream announcement](https://kubernetes.io/blog/2020/12/16/third-party-device-metrics-reaches-g)

-

- - Overview of CPU and Memory usage by POD.

- - POD/Container Status showing POD restart trend, container restart trend, and container status for PODs.

- - Kubernetes Events showing summary of events for the controller.

-## Billing workbooks

- - Total billable data ingested in GB by solution

- - Billable data ingested by Container logs(application logs)

- - Billable container logs data ingested per by Kubernetes namespace

- - Billable container logs data ingested segregated by Cluster name

- - Billable container log data ingested by log source entry

- - Billable diagnostic data ingested by diagnostic master node logs

- StateHasChanged();

-| Partner ecosystem | Support for their product/solution. For reference, the following are some of the supported Azure VMware Solution partner solution/product:<ul><li>BCDR - SRM, JetStream, RiverMeadow, and others</li><li>Backup - Veeam, Commvault, Rubrik, and others</li><li>VDI - Horizon/Citrix</li><li>Security solutions - BitDefender, TrendMicro, Checkpoint</li><li>Other VMware products - vRA, VRops, AVI |

-* **Job Failure Alerts**: For scenarios, such as backup failure and restore failure, Azure Backup provides built-in alerts via Azure Monitor (of Severity Sev 1). Unlike security alerts, you can choose to turn off Azure Monitor alerts for job failure scenarios. For example, you've already configured custom alert rules for job failures via Log Analytics, and don't need built-in alerts to be fired for every job failure. By default, alerts for job failures are turned off. For more information, see the [section on turning on alerts for these scenarios](#turning-on-azure-monitor-alerts-for-job-failure-scenarios).

-[Monitor Azure Backup workloads using Azure Monitor](backup-azure-monitoring-use-azuremonitor.md)

-This article discusses about how to:

-3. In the Encryption Settings pane, select **Use your own key** and continue to specify the key using one of the following ways. **Ensure that the key you want to use is an RSA 2048 key, which is in an enabled state.**

-1. When recovering disk / VM from a "Snapshot" recovery point, the restored data will be encrypted with the DES used for encrypting the source VM's disks.

-When performing a file restore, the restored data will be encrypted with the key used for encrypting the target location.

-When restoring from a backed-up SAP HANA/SQL database running in an Azure VM, the restored data will be encrypted using the encryption key used at the target storage location. It may be a customer-managed key or a platform-managed key used for encrypting the disks of the VM.

-1. Once done, proceed to add Tags (optional) and continue creating the vault.

-Note: USA mixed rates to `+1-425` is $0.013. Refer to the following link for details: https://github.com/Azure/Communication/blob/master/pricing/communication-services-pstn-rates.csv)

-1. Follow the detailed steps in the [How to add the Azure Monitor Containers solution](../azure-monitor/containers/container-insights-hybrid-setup.md#how-to-add-the-azure-monitor-containers-solution). Use the following template file `containerSolution.json`:

-|**TVM**|Threat and Vulnerability Management, a built-in module in Microsoft Defender for Endpoint that can discover vulnerabilities and misconfigurations in near real time and prioritize vulnerabilities based on the threat landscape and detections in your organization.|[Investigate weaknesses with Microsoft Defender for Endpoint's threat and vulnerability management](deploy-vulnerability-assessment-tvm.md)

-Microsoft Defender for Servers includes automatic, native integration with Microsoft Defender for Endpoint. Learn more, [Protect your endpoints with Defender for Cloud's integrated EDR solution: Microsoft Defender for Endpoint](integration-defender-for-endpoint.md). With this integration enabled, you'll have access to the vulnerability findings from **Microsoft threat and vulnerability management**. Learn more in [Investigate weaknesses with Microsoft Defender for Endpoint's threat and vulnerability management](deploy-vulnerability-assessment-tvm.md).

-| **Microsoft threat and vulnerability management** | Discover vulnerabilities and misconfigurations in real time with Microsoft Defender for Endpoint, without needing other agents or periodic scans. [Learn more](deploy-vulnerability-assessment-tvm.md). | :::image type="icon" source="./media/icons/yes-icon.png"::: | :::image type="icon" source="./media/icons/yes-icon.png"::: |

-<!--

- [Learn more](fileless-attack-detection.md).

-| Future ΓÇô TVM P2 | | :::image type="icon" source="./media/icons/yes-icon.png"::: |

-| Future ΓÇô disk scanning insights | | :::image type="icon" source="./media/icons/yes-icon.png"::: | -->

-If you don't want to use the vulnerability assessment powered by Qualys, you can use [Microsoft Defender for Endpoint's threat and vulnerability management](deploy-vulnerability-assessment-tvm.md) or [deploy a BYOL solution](deploy-vulnerability-assessment-byol-vm.md) with your own Qualys license, Rapid7 license, or another vulnerability assessment solution.

-Defender for Cloud already supports different agent-based vulnerability scans, including [Microsoft Defender for Endpoint (MDE)](deploy-vulnerability-assessment-tvm.md), [BYOL](deploy-vulnerability-assessment-byol-vm.md) and [Qualys](deploy-vulnerability-assessment-vm.md). Agentless scanning extends the visibility of Defender for Cloud to reach more devices.

- :::image type="content" source="media/enable-vulnerability-assessment-agentless/defender-plan-settings.png" alt-text="Screenshot of link for the settings of the Defender plans for Azure subscriptions." lightbox="media/enable-vulnerability-assessment-agentless/defender-plan-settings.png":::

- :::image type="content" source="media/enable-vulnerability-assessment-agentless/agentless-scanning-off.png" alt-text="Screenshot of the agentless scanning status." lightbox="media/enable-vulnerability-assessment-agentless/agentless-scanning-off.png":::

- :::image type="content" source="media/enable-vulnerability-assessment-agentless/agentless-scanning-off-aws.png" alt-text="Screenshot of the agentless scanning status for AWS accounts.":::

-**Episode description**: In this episode of Defender for Cloud in the field, Aviv Mor joins Yuri Diogenes to talk about Microsoft Defender for Servers updates, including the new integration with TVM. Aviv explains how this new integration with TVM works, the advantages of this integration, which includes software inventory and easy experience to onboard. Aviv also covers the integration with MDE for Linux and the Defender for Servers support for the new multicloud connector for AWS.

-Learn how to [Investigate weaknesses with Microsoft Defender for Endpoint's threat and vulnerability management](deploy-vulnerability-assessment-tvm.md).

-> [New AWS Connector in Microsoft Defender for Cloud](episode-one.md)

-|Clouds:|:::image type="icon" source="./media/icons/yes-icon.png"::: Commercial clouds<br>:::image type="icon" source="./media/icons/no-icon.png"::: Azure Government<br>:::image type="icon" source="./media/icons/no-icon.png"::: Azure China 21Vianet (**Partial**: Subset of alerts and vulnerability assessment for SQL servers. Behavioral threat protections aren't available.)|

-> [!TIP]

-> If a resource is scanned by multiple Microsoft Purview accounts, the information shown in Defender for Cloud relates to the most recent scan.

- Set-AzSecurityWorkspaceSetting -Name "default" -Scope "/subscriptions/d07c0080-170c-4c24-861d-9c817742786c" -WorkspaceId"/subscriptions/d07c0080-170c-4c24-861d-9c817742786c/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace"

-Learn more about [vulnerability management](deploy-vulnerability-assessment-tvm.md)

-Learn more in [Investigate weaknesses with Microsoft Defender for Endpoint's threat and vulnerability management](deploy-vulnerability-assessment-tvm.md).

-Learn more in [Investigate weaknesses with Microsoft Defender for Endpoint's threat and vulnerability management](deploy-vulnerability-assessment-tvm.md).

-| Lambda functions should have a dead-letter queue configured | This control checks whether a Lambda function is configured with a dead-letter queue. The control fails if the Lambda function is not configured with a dead-letter queue. As an alternative to an on-failure destination, you can configure your function with a dead-letter queue to save discarded events for further processing. A dead-letter queue acts the same as an on-failure destination. It is used when an event fails all processing attempts or expires without being processed. A dead-letter queue allows you to look back at errors or failed requests to your Lambda function to debug or identify unusual behavior. From a security perspective, it is important to understand why your function failed and to ensure that your function does not drop data or compromise data security as a result. For example, if your function cannot communicate to an underlying resource, that could be a symptom of a denial of service (DoS) attack elsewhere in the network. | Medium |

-## Create a device app with a direct method

- ```csharp

- using Microsoft.Azure.Devices.Client;

- using Microsoft.Azure.Devices.Shared;

- using Newtonsoft.Json;

- ```

- ```csharp

- static string DeviceConnectionString = "HostName=<yourIotHubName>.azure-devices.net;DeviceId=<yourIotDeviceName>;SharedAccessKey=<yourIotDeviceAccessKey>";

- static DeviceClient Client = null;

- ```

- ```csharp

- public static async void InitClient()

- {

- try

- {

- Console.WriteLine("Connecting to hub");

- Client = DeviceClient.CreateFromConnectionString(DeviceConnectionString,

- TransportType.Mqtt);

- Console.WriteLine("Retrieving twin");

- await Client.GetTwinAsync();

- }

- catch (Exception ex)

- {

- Console.WriteLine();

- Console.WriteLine("Error in sample: {0}", ex.Message);

- }

- }

- ```

- The **Client** object exposes all the methods you require to interact with device twins from the device. The code shown above initializes the **Client** object, and then retrieves the device twin for **myDeviceId**.

- ```csharp

- public static async void ReportConnectivity()

- {

- try

- {

- Console.WriteLine("Sending connectivity data as reported property");

- TwinCollection reportedProperties, connectivity;

- reportedProperties = new TwinCollection();

- connectivity = new TwinCollection();

- connectivity["type"] = "cellular";

- reportedProperties["connectivity"] = connectivity;

- await Client.UpdateReportedPropertiesAsync(reportedProperties);

- }

- catch (Exception ex)

- {

- Console.WriteLine();

- Console.WriteLine("Error in sample: {0}", ex.Message);

- }

- }

- ```

- ```csharp

- try

- {

- InitClient();

- ReportConnectivity();

- }

- catch (Exception ex)

- {

- Console.WriteLine();

- Console.WriteLine("Error in sample: {0}", ex.Message);

- }

- Console.WriteLine("Press Enter to exit.");

- Console.ReadLine();

- ```

- 

- 

-## Create a service app to trigger a reboot

- 

- ```csharp

- using Microsoft.Azure.Devices;

- ```

- ```csharp

- static RegistryManager registryManager;

- static string connectionString = "{iot hub connection string}";

- ```

- ```csharp

- public static async Task AddTagsAndQuery()

- {

- var twin = await registryManager.GetTwinAsync("myDeviceId");

- var patch =

- @"{

- tags: {

- location: {

- region: 'US',

- plant: 'Redmond43'

- }

- }

- }";

- await registryManager.UpdateTwinAsync(twin.DeviceId, patch, twin.ETag);

- var query = registryManager.CreateQuery(

- "SELECT * FROM devices WHERE tags.location.plant = 'Redmond43'", 100);

- var twinsInRedmond43 = await query.GetNextAsTwinAsync();

- Console.WriteLine("Devices in Redmond43: {0}",

- string.Join(", ", twinsInRedmond43.Select(t => t.DeviceId)));

- query = registryManager.CreateQuery("SELECT * FROM devices WHERE tags.location.plant = 'Redmond43' AND properties.reported.connectivity.type = 'cellular'", 100);

- var twinsInRedmond43UsingCellular = await query.GetNextAsTwinAsync();

- Console.WriteLine("Devices in Redmond43 using cellular network: {0}",

- string.Join(", ", twinsInRedmond43UsingCellular.Select(t => t.DeviceId)));

- }

- ```

- The **RegistryManager** class exposes all the methods required to interact with device twins from the service. The previous code first initializes the **registryManager** object, then retrieves the device twin for **myDeviceId**, and finally updates its tags with the desired location information.

- After updating, it executes two queries: the first selects only the device twins of devices located in the **Redmond43** plant, and the second refines the query to select only the devices that are also connected through cellular network.

- The previous code, when it creates the **query** object, specifies a maximum number of returned documents. The **query** object contains a **HasMoreResults** boolean property that you can use to invoke the **GetNextAsTwinAsync** methods multiple times to retrieve all results. A method called **GetNextAsJson** is available for results that are not device twins, for example, results of aggregation queries.

- ```csharp

- registryManager = RegistryManager.CreateFromConnectionString(connectionString);

- AddTagsAndQuery().Wait();

- Console.WriteLine("Press Enter to exit.");

- Console.ReadLine();

- ```

- 

-* Configured a new IoT hub in the Azure portal

-* Created a device identity in the IoT hub's identity registry

-* Control devices interactively, such as turning on a fan from a user-controlled app, see [Quickstart: Control a device connected to an IoT hub](./quickstart-control-device.md?pivots=programming-language-csharp).

-## Create a device app with a direct method

- ```cmd/sh

- mvn archetype:generate -DgroupId=com.mycompany.app -DartifactId=simulated-device -DarchetypeArtifactId=maven-archetype-quickstart -DinteractiveMode=false

- ```

-2. At your command prompt, navigate to the **simulated-device** folder.

-3. Using a text editor, open the **pom.xml** file in the **simulated-device** folder and add the following dependencies to the **dependencies** node. This dependency enables you to use the **iot-device-client** package in your app to communicate with your IoT hub.

- ```xml

- <dependency>

- <groupId>com.microsoft.azure.sdk.iot</groupId>

- <artifactId>iot-device-client</artifactId>

- <version>1.17.5</version>

- </dependency>

- ```

- > [!NOTE]

- > You can check for the latest version of **iot-device-client** using [Maven search](https://search.maven.org/#search%7Cga%7C1%7Ca%3A%22iot-device-client%22%20g%3A%22com.microsoft.azure.sdk.iot%22).

-4. Add the following dependency to the **dependencies** node. This dependency configures a NOP for the Apache [SLF4J](https://www.slf4j.org/) logging facade, which is used by the device client SDK to implement logging. This configuration is optional, but, if you omit it, you may see a warning in the console when you run the app. For more information about logging in the device client SDK, see [Logging](https://github.com/Azure/azure-iot-sdk-jav#logging) in the *Samples for the Azure IoT device SDK for Java* readme file.

- ```xml

- <dependency>

- <groupId>org.slf4j</groupId>

- <artifactId>slf4j-nop</artifactId>

- <version>1.7.28</version>

- </dependency>

- ```

-5. Add the following **build** node after the **dependencies** node. This configuration instructs Maven to use Java 1.8 to build the app:

- ```xml

- <build>

- <plugins>

- <plugin>

- <groupId>org.apache.maven.plugins</groupId>

- <artifactId>maven-compiler-plugin</artifactId>

- <version>3.3</version>

- <configuration>

- <source>1.8</source>

- <target>1.8</target>

- </configuration>

- </plugin>

- </plugins>

- </build>

- ```

-6. Save and close the **pom.xml** file.

-7. Using a text editor, open the **simulated-device\src\main\java\com\mycompany\app\App.java** file.

-8. Add the following **import** statements to the file:

- ```java

- import com.microsoft.azure.sdk.iot.device.*;

- import com.microsoft.azure.sdk.iot.device.DeviceTwin.*;

- import java.io.IOException;

- import java.net.URISyntaxException;

- import java.util.Scanner;

- ```

-9. Add the following class-level variables to the **App** class. Replace `{yourdeviceconnectionstring}` with the device connection string you saw when you registered a device in the IoT Hub:

- ```java

- private static String connString = "{yourdeviceconnectionstring}";

- private static IotHubClientProtocol protocol = IotHubClientProtocol.MQTT;

- private static String deviceId = "myDeviceId";

- ```

- This sample app uses the **protocol** variable when it instantiates a **DeviceClient** object.

-10. Add the following method to the **App** class to print information about twin updates:

- ```java

- protected static class DeviceTwinStatusCallBack implements IotHubEventCallback {

- @Override

- public void execute(IotHubStatusCode status, Object context) {

- System.out.println("IoT Hub responded to device twin operation with status " + status.name());

- }

- }

- ```

-11. Replace the code in the **main** method with the following code to:

- * Create a device client to communicate with IoT Hub.

- * Create a **Device** object to store the device twin properties.

- ```java

- DeviceClient client = new DeviceClient(connString, protocol);

- // Create a Device object to store the device twin properties

- Device dataCollector = new Device() {

- // Print details when a property value changes

- @Override

- public void PropertyCall(String propertyKey, Object propertyValue, Object context) {

- System.out.println(propertyKey + " changed to " + propertyValue);

- }

- };

- ```

-12. Add the following code to the **main** method to create a **connectivityType** reported property and send it to IoT Hub:

- ```java

- try {

- // Open the DeviceClient and start the device twin services.

- client.open();

- client.startDeviceTwin(new DeviceTwinStatusCallBack(), null, dataCollector, null);

- // Create a reported property and send it to your IoT hub.

- dataCollector.setReportedProp(new Property("connectivityType", "cellular"));

- client.sendReportedProperties(dataCollector.getReportedProp());

- }

- catch (Exception e) {

- System.out.println("On exception, shutting down \n" + " Cause: " + e.getCause() + " \n" + e.getMessage());

- dataCollector.clean();

- client.closeNow();

- System.out.println("Shutting down...");

- }

- ```

-13. Add the following code to the end of the **main** method. Waiting for the **Enter** key allows time for IoT Hub to report the status of the device twin operations.

- ```java

- System.out.println("Press any key to exit...");

- Scanner scanner = new Scanner(System.in);

- scanner.nextLine();

- dataCollector.clean();

- client.close();

- ```

-14. Modify the signature of the **main** method to include the exceptions as follows:

- ```java

- public static void main(String[] args) throws URISyntaxException, IOException

- ```

-15. Save and close the **simulated-device\src\main\java\com\mycompany\app\App.java** file.

-16. Build the **simulated-device** app and correct any errors. At your command prompt, navigate to the **simulated-device** folder and run the following command:

- ```cmd/sh

- mvn clean package -DskipTests

- ```

-## Create a service app to trigger a reboot

-2. In the **iot-java-twin-getstarted** folder, create a Maven project named **add-tags-query** using the following command at your command prompt:

- ```cmd/sh

- mvn archetype:generate -DgroupId=com.mycompany.app -DartifactId=add-tags-query -DarchetypeArtifactId=maven-archetype-quickstart -DinteractiveMode=false

- ```

-3. At your command prompt, navigate to the **add-tags-query** folder.

-4. Using a text editor, open the **pom.xml** file in the **add-tags-query** folder and add the following dependency to the **dependencies** node. This dependency enables you to use the **iot-service-client** package in your app to communicate with your IoT hub:

- ```xml

- <dependency>

- <groupId>com.microsoft.azure.sdk.iot</groupId>

- <artifactId>iot-service-client</artifactId>

- <version>1.17.1</version>

- <type>jar</type>

- </dependency>

- ```

- > [!NOTE]

- > You can check for the latest version of **iot-service-client** using [Maven search](https://search.maven.org/#search%7Cga%7C1%7Ca%3A%22iot-service-client%22%20g%3A%22com.microsoft.azure.sdk.iot%22).

-5. Add the following **build** node after the **dependencies** node. This configuration instructs Maven to use Java 1.8 to build the app.

- ```xml

- <build>

- <plugins>

- <plugin>

- <groupId>org.apache.maven.plugins</groupId>

- <artifactId>maven-compiler-plugin</artifactId>

- <version>3.3</version>

- <configuration>

- <source>1.8</source>

- <target>1.8</target>

- </configuration>

- </plugin>

- </plugins>

- </build>

- ```

-6. Save and close the **pom.xml** file.

-7. Using a text editor, open the **add-tags-query\src\main\java\com\mycompany\app\App.java** file.

-8. Add the following **import** statements to the file:

- ```java

- import com.microsoft.azure.sdk.iot.service.devicetwin.*;

- import com.microsoft.azure.sdk.iot.service.exceptions.IotHubException;

- import java.io.IOException;

- import java.util.HashSet;

- import java.util.Set;

- ```

-9. Add the following class-level variables to the **App** class. Replace `{youriothubconnectionstring}` with the IoT hub connection string you copied in [Get the IoT hub connection string](#get-the-iot-hub-connection-string).

- ```java

- public static final String iotHubConnectionString = "{youriothubconnectionstring}";

- public static final String deviceId = "myDeviceId";

- public static final String region = "US";

- public static final String plant = "Redmond43";

- ```

-10. Update the **main** method signature to include the following `throws` clause:

- ```java

- public static void main( String[] args ) throws IOException

- ```

-11. Replace the code in the **main** method with the following code to create the **DeviceTwin** and **DeviceTwinDevice** objects. The **DeviceTwin** object handles the communication with your IoT hub. The **DeviceTwinDevice** object represents the device twin with its properties and tags:

- ```java

- // Get the DeviceTwin and DeviceTwinDevice objects

- DeviceTwin twinClient = DeviceTwin.createFromConnectionString(iotHubConnectionString);

- DeviceTwinDevice device = new DeviceTwinDevice(deviceId);

- ```

-12. Add the following `try/catch` block to the **main** method:

- ```java

- try {

- // Code goes here

- } catch (IotHubException e) {

- System.out.println(e.getMessage());

- } catch (IOException e) {

- System.out.println(e.getMessage());

- }

- ```

-13. To update the **region** and **plant** device twin tags in your device twin, add the following code in the `try` block:

- ```java

- // Get the device twin from IoT Hub

- System.out.println("Device twin before update:");

- twinClient.getTwin(device);

- System.out.println(device);

- // Update device twin tags if they are different

- // from the existing values

- String currentTags = device.tagsToString();

- if ((!currentTags.contains("region=" + region) && !currentTags.contains("plant=" + plant))) {

- // Create the tags and attach them to the DeviceTwinDevice object

- Set<Pair> tags = new HashSet<Pair>();

- tags.add(new Pair("region", region));

- tags.add(new Pair("plant", plant));

- device.setTags(tags);

- // Update the device twin in IoT Hub

- System.out.println("Updating device twin");

- twinClient.updateTwin(device);

- }

- // Retrieve the device twin with the tag values from IoT Hub

- System.out.println("Device twin after update:");

- twinClient.getTwin(device);

- System.out.println(device);

- ```

-14. To query the device twins in IoT hub, add the following code to the `try` block after the code you added in the previous step. The code runs two queries. Each query returns a maximum of 100 devices.

- ```java

- // Query the device twins in IoT Hub

- System.out.println("Devices in Redmond:");

- // Construct the query

- SqlQuery sqlQuery = SqlQuery.createSqlQuery("*", SqlQuery.FromType.DEVICES, "tags.plant='Redmond43'", null);

- // Run the query, returning a maximum of 100 devices

- Query twinQuery = twinClient.queryTwin(sqlQuery.getQuery(), 100);

- while (twinClient.hasNextDeviceTwin(twinQuery)) {

- DeviceTwinDevice d = twinClient.getNextDeviceTwin(twinQuery);

- System.out.println(d.getDeviceId());

- }

- System.out.println("Devices in Redmond using a cellular network:");

- // Construct the query

- sqlQuery = SqlQuery.createSqlQuery("*", SqlQuery.FromType.DEVICES, "tags.plant='Redmond43' AND properties.reported.connectivityType = 'cellular'", null);

- // Run the query, returning a maximum of 100 devices

- twinQuery = twinClient.queryTwin(sqlQuery.getQuery(), 3);

- while (twinClient.hasNextDeviceTwin(twinQuery)) {

- DeviceTwinDevice d = twinClient.getNextDeviceTwin(twinQuery);

- System.out.println(d.getDeviceId());

- }

- ```

-15. Save and close the **add-tags-query\src\main\java\com\mycompany\app\App.java** file

-16. Build the **add-tags-query** app and correct any errors. At your command prompt, navigate to the **add-tags-query** folder and run the following command:

- ```cmd/sh

- mvn clean package -DskipTests

- ```

-* Configured a new IoT hub in the Azure portal

-* Created a device identity in the IoT hub's identity registry

-## Create a device app with a direct method

-## Create a service app to trigger a reboot

-* Configured a new IoT hub in the Azure portal

-* Created a device identity in the IoT hub's identity registry

-## Create a device app with a direct method

-## Create a service app to trigger a reboot

-* Configured a new IoT hub in the Azure portal

-* Created a device identity in the IoT hub's identity registry

-* Queried the device twin information, using SQL-like IoT Hub query language

-* Control devices interactively, such as turning on a fan from a user-controlled app, see [Quickstart: Control a device connected to an IoT hub](./quickstart-control-device.md?pivots=programming-language-python).

-The first approach usually applies to the team that hasnΓÇÖt used pipeline before and wants to take some advantage of pipeline like MLOps. In this situation, data scientists typically have developed some machine learning models on their local environment using their favorite tools. Machine learning engineers need to take data scientistsΓÇÖ output into production. The work involves cleaning up some unnecessary code from original notebook or python code, changes the training input from local data to parameterized values, split the training code into multiple steps as needed, perform unit test of each step, and finally wraps all steps into a pipeline.

-# Debug online endpoints locally in Visual Studio Code (preview)

-In this quickstart, you deploy a virtual machine (VM) and then check communications to an IP address and URL and from an IP address. You determine the cause of a communication failure and how you can resolve it.

-To visualize and get analysis of what's happening on your environment, first, take a look at the overview dashboard to get an idea of the security posture of your organization. You can click on each element of these tiles to drill down to the raw data from which they are created. To help you reduce noise and minimize the number of alerts you have to review and investigate, Microsoft Sentinel uses a fusion technique to correlate alerts into incidents. **Incidents** are groups of related alerts that together create an actionable incident that you can investigate and resolve.

- 

- 

-The main body of the overview page gives insight at a glance into the security status of your workspace:

- 

- 

-# Build an Azure Static Web Apps website with Blazor

- | API location | **Api** | Folder containing the Azure Functions app |

-|API | The C# Azure Functions application implements the API endpoint that provides weather information to the Blazor WebAssembly app. The **WeatherForecastFunction** returns an array of `WeatherForecast` objects. |

-The json configuration ensures that requests to any route in the app return the `https://docsupdatetracker.net/index.html` page.

-Identifying software vulnerabilities that exist in operating systems and applications is critical to keeping your environment secure. Microsoft Defender for Cloud can help you identify problem spots through [Microsoft Defender for Endpoint's threat and vulnerability management solution](../defender-for-cloud/deploy-vulnerability-assessment-tvm.md). You can also use third-party products if you're so inclined, although we recommend using Microsoft Defender for Cloud and Microsoft Defender for Endpoint.