+1. Select **Add**. If **Turn on the Microsoft Graph profile permission (required for claims to appear in token)** appears, enable it, and then select **Add** again.

+description: Learn about the sign-up and sign-in options you can use with Azure Active Directory B2C, including username and password, email, phone, or federation with social or external identity providers.

+* **Custom policies** enable you to create your own user journeys for complex identity experience scenarios that are not supported by user flows. Azure AD B2C uses custom policies to provide extensibility.

+A custom policy is defined by multiple XML files that refer to each other in a hierarchical chain. The XML elements define the claims schema, claims transformations, content definitions, claims providers, technical profiles, user journey orchestration steps, and other aspects of the identity experience.

+- **DO** store in Azure AD B2C:

+- **DON'T** store in Azure AD B2C:

+## Support for certificates on hardware security key (preview)

+Certificates can be provisioned in external devices like hardware security keys along with a PIN to protect private key access. Azure AD supports CBA with YubiKey.

+### Advantages of certificates on hardware security key

+Security keys with certificates:

+- Has the roaming nature of security key, which allows users to use the same certificate on different devices

+- Are hardware-secured with a PIN, which makes them phishing-resistant

+- Provide multifactor authentication with a PIN as second factor to access the private key of the certificate

+- Satisfy the industry requirement to have MFA on separate device

+- Help in future proofing where multiple credentials can be stored including Fast Identity Online 2 (FIDO2) keys.

+### Azure AD CBA on Android mobile

+Android needs a middleware application to be able to support smartcard or security keys with certificates. To support YubiKeys with Azure AD CBA, YubiKey Android SDK has been integrated into the Microsoft broker code which can be leveraged through the latest MSAL

+### Azure AD CBA on Android mobile with YubiKey

+Since Azure AD CBA with YubiKey on Android mobile is enabled via the latest MSAL, YubiKey Authenticator app is not a requirement for Android support.

+Steps to test YubiKey on Microsoft apps on Android:

+1. Install the latest Microsoft Authenticator app.

+1. Open Outlook and plug in your YubiKey.

+1. Select **Add account** and enter your user principal name (UPN).

+1. Click **Continue**. A dialog should immediately pop up asking for permission to access your YubiKey. Click **OK**.

+1. Select **Use Certificate or smart card**. A custom certificate picker will appear.

+1. Select the certificate associated with the userΓÇÖs account. Click **Continue**.

+1. Enter the PIN to access YubiKey and select **Unlock**.

+The user should be successfully logged in and redirected to the Outlook homepage.

+>[!NOTE]

+>For a smooth CBA flow, plug in YubiKey as soon as the application is opened and accept the consent dialog from YubiKey before selecting the link **Use Certificate or smart card**.

+### Troubleshoot certificates on hardware security key

+#### What will happen if the user has certificates both on the Android device and YubiKey?

+- If the user has certificates both on the android device and YubiKey, then if the YubiKey is plugged in before user clicks **Use Certificate or smart card**, the user will be shown the certificates in the YubiKey.

+- If the YubiKey is not plugged in before user clicks **Use Certificate or smart card**, the user will be shown all the certificates on the device. The user can **Cancel** the certificate picker, plug in the YubiKey, and restart the CBA process with YubiKey.

+#### My YubiKey is locked after incorrectly typing PIN three times. How do I fix it?

+- Users should see a dialog informing you that too many PIN attempts have been made. This dialog also pops up during subsequent attempts to select **Use Certificate or smart card**.

+- [YubiKey Manager](https://www.yubico.com/support/download/yubikey-manager/) can reset a YubiKeyΓÇÖs PIN.

+#### I have installed Microsoft authenticator but still do not see an option to do Certificate based authentication with YubiKey

+Before installing Microsoft Authenticator, uninstall Company Portal and install it after Microsoft Authenticator installation.

+#### Does Azure AD CBA support YubiKey via NFC?

+This feature currently only supports using YubiKey with USB and not NFC. We are working to add support for NFC.

+#### Once CBA fails, clicking on the CBA option again in the ΓÇÿOther ways to signinΓÇÖ link on the error page fails.

+This issue happens because of certificate caching. We are working to add a fix to clear the cache. As a workaround, clicking cancel and restarting the login flow will let the user choose a new certificate and successfully login.

+#### Azure AD CBA with YubiKey is failing. What information would help debug the issue?

+1. Open Microsoft Authenticator app, click the three dots icon in the top right corner and select **Send Feedback**.

+1. Click **Having Trouble?**.

+1. For **Select an option**, select **Add or sign into an account**.

+1. Describe any details you want to add.

+1. Click the send arrow in the top right corner. Note the code provided in the dialog that appears.

+### Known Issues

+- Sometimes, plugging in the YubiKey and providing permission via the permission dialog and clicking **Use Certificate or smart card** will still take the user to on-device CBA picker pop up (instead of the smart card CBA picker). The user will need to cancel out of the picker, unplug their key, and re-plugin their key before attempting to sign in again.

+- With the Most Recently Used (MRU) feature, once a user uses CBA for authentication, MRU auth method will be set to CBA. Since the user will be directly taken into CBA flow, there may not be enough time for the user to accept the Android USB consent dialog. As a workaround user needs to remove and re-plugin the YubiKey, accept the consent dialog from YubiKey then click the back button and try again to complete CBA authentication flow.

+- Azure AD CBA with YubiKey on latest Outlook and Teams fail at times. This could be due to a keyboard configuration change when the YubiKey is plugged in. This can be solved by:

+ - Plug in YubiKey as soon as the application is opened.

+ - Accept the consent dialog from YubiKey before selecting the link **Use Certificate or smart card**.

+### Supported platforms

+- Applications using the latest Microsoft Authentication Library (MSAL) or Microsoft Authenticator can do CBA

+- Microsoft first-party apps with latest MSAL libraries or Microsoft Authenticator can do CBA

+#### Supported operating systems

+|Operating system | Certificate on-device/Derived PIV | Smart cards |

+|:-|::|::|

+| Android | ✅ | Supported vendors only|

+#### Supported browsers

+|Operating system | Chrome certificate on-device | Chrome smart card | Safari certificate on-device | Safari smart card | Edge certificate on-device | Edge smart card |

+|:-|::|::|::|::|::|::|

+| Android | ✅ | ❌|N/A | N/A | ❌ | ❌|

+### Security key providers

+|Provider | Android |

+|:-|::|

+| YubiKey | ✅ |

+## Support for certificates on hardware security key (preview)

+Certificates can be provisioned in external devices like hardware security keys along with a PIN to protect private key access.

+Microsoft's mobile certificate-based solution coupled with the hardware security keys is a simple, convenient, FIPS (Federal Information Processing Standards) certified phishing-resistant MFA method.

+As for iOS 16/iPadOS 16.1, Apple devices provide native driver support for USB-C or Lightning connected CCID-compliant smart cards. This means Apple devices on iOS 16/iPadOS 16.1 will see a USB-C or Lightning connected CCID-compliant device as a smart card without the use of additional drivers or 3rd party apps. Azure AD CBA will work on these USB-A or USB-C, or Lightning connected CCID-compliant smart cards.

+### Advantages of certificates on hardware security key

+Security keys with certificates:

+- Can be used on any device, and don't need a certificate to be provisioned on every device the user has

+- Are hardware-secured with a PIN, which makes them phishing-resistant

+- Provide multifactor authentication with a PIN as second factor to access the private key of the certificate

+- Satisfy the industry requirement to have MFA on separate device

+- Help in future proofing where multiple credentials can be stored including Fast Identity Online 2 (FIDO2) keys

+### Azure AD CBA on iOS mobile with YubiKey

+Even though the native Smartcard/CCID driver is available on iOS/iPadOS for Lightning connected CCID-compliant smart cards, the YubiKey 5Ci Lightning connector is not seen as a connected smart card on these devices without the use of PIV (Personal Identity Verification) middleware like the Yubico Authenticator.

+### One-time registration prerequisite

+- Have a PIV-enabled YubiKey with a smartcard certificate provisioned on it

+- Download the [Yubico Authenticator for iOS app](https://apps.apple.com/app/yubico-authenticator/id1476679808) on your iPhone with v14.2 or later

+- Open the app, insert the YubiKey or tap over near field communication (NFC) and follow steps to upload the certificate to iOS keychain

+### Steps to test YubiKey on Microsoft apps on iOS mobile

+1. Install the latest Microsoft Authenticator app.

+1. Open Outlook and plug in your YubiKey.

+1. Select **Add account** and enter your user principal name (UPN).

+1. Click **Continue** and the iOS certificate picker will appear.

+1. Select the public certificate copied from YubiKey that is associated with the userΓÇÖs account.

+1. Click **YubiKey required** to open the YubiKey authenticator app.

+1. Enter the PIN to access YubiKey and select the back button at the top left corner.

+The user should be successfully logged in and redirected to the Outlook homepage.

+### Troubleshoot certificates on hardware security key

+#### What will happen if the user has certificates both on the iOS device and YubiKey?

+The iOS certificate picker will show all the certificates on both iOS device and the ones copied from YubiKey into iOS device. Depending on the certificate user picks they will be either taken to YubiKey authenticator to enter PIN or directly authenticated.

+#### My YubiKey is locked after incorrectly typing PIN 3 times. How do I fix it?

+- Users should see a dialog informing you that too many PIN attempts have been made. This dialog also pops up during subsequent attempts to select **Use Certificate or smart card**.

+- [YubiKey Manager](https://www.yubico.com/support/download/yubikey-manager/) can reset a YubiKeyΓÇÖs PIN.

+#### Once CBA fails, clicking on the CBA option again in the ΓÇÿOther ways to signinΓÇÖ link on the error page fails.

+This issue happens because of certificate caching. We are working to add a fix to clear the cache. As a workaround, clicking cancel and restarting the login flow will let the user choose a new certificate and successfully login.

+#### Azure AD CBA with YubiKey is failing. What information would help debug the issue?

+1. Open Microsoft Authenticator app, click the three dots icon in the top right corner and select **Send Feedback**.

+1. Click **Having Trouble?**.

+1. For **Select an option**, select **Add or sign into an account**.

+1. Describe any details you want to add.

+1. Click the send arrow in the top right corner. Note the code provided in the dialog that appears.

+#### How can I enforce phishing-resistant MFA using a hardware security key on browser-based applications on mobile?

+Certificate based authentication and Conditional Access authentication strength capability makes it powerful for customers to enforce authentication needs. Edge as a profile (add an account) will work with a hardware security key like YubiKey and conditional access policy with authentication strength capability can enforce phishing-resistant authentication with CBA.

+CBA support for YubiKey is available in the latest Microsoft Authentication Library (MSAL) libraries, any third-party application that integrates the latest MSAL, and all Microsoft first party applications can leverage CBA and Conditional Access authentication strength.

+### Supported operating systems

+|Operating system | Certificate on-device/Derived PIV | Smart cards |

+|:-|::|::|

+| iOS | ✅ | Supported vendors only|

+### Supported browsers

+|Operating system | Chrome certificate on-device | Chrome smart card | Safari certificate on-device | Safari smart card | Edge certificate on-device | Edge smart card |

+|:-|::|::|::|::|::|::|

+| iOS | ❌ | ❌|✅ | ✅ | ❌ | ❌|

+### Security key providers

+|Provider | iOS |

+|:-|::|

+| YubiKey | ✅ |

+>Number matching is a key security upgrade to traditional second factor notifications in Microsoft Authenticator that will begin to be enabled by default for all users starting February 27, 2023.<br>

+Number match will be enabled for all users of Microsoft Authenticator app after February 27, 2023. Relevant services will begin deploying these changes after February 27, 2023 and users will start to see number match in approval requests. As services deploy, some may see number match while others don't. To ensure consistent behavior for all your users, we highly recommend you use the Azure portal or Graph API to roll out number match for all Microsoft Authenticator users.

+Yes, currently you can disable number matching. We highly recommend that you enable number matching for all users in your tenant to protect yourself from MFA fatigue attacks. Microsoft will enable number matching for all tenants by Feb 27, 2023. After protection is enabled by default, users can't opt out of number matching in Microsoft Authenticator push notifications.

+ - Interactive logon: Do not require CTRL+ALT+DEL = Disabled (only for Windows 10 version 1710 and earlier)

+- **Restrict access to privileged resources**. For this example, lets say you want to allow access to Microsoft Azure Management from a user who is assigned a privileged role Global Admin, has satisfied multifactor authentication and accessing from a device that is [privileged or secure admin workstations](/security/compass/privileged-access-devices) and attested as compliant. For this scenario, organizations would create two Conditional Access policies:

+1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.

+1. Under **Assignments**, select **Users or workload identities**.

+1. Under **Assignments**, select **Users or workload identities**.

+The filter for devices API is available in Microsoft Graph v1.0 endpoint and can be accessed using https://graph.microsoft.com/v1.0/identity/conditionalaccess/policies/. You can configure a filter for devices when creating a new Conditional Access policy or you can update an existing policy to configure the filter for devices condition. To update an existing policy, you can do a patch call on the Microsoft Graph v1.0 endpoint mentioned above by appending the policy ID of an existing policy and executing the following request body. The example here shows configuring a filter for devices condition excluding devices that aren't marked as SAW devices. The rule syntax can consist of more than one single expression. To learn more about the syntax, see [dynamic membership rules for groups in Azure Active Directory](../enterprise-users/groups-dynamic-membership.md).

+The filter for devices condition in Conditional Access evaluates policy based on device attributes of a registered device in Azure AD and hence it's important to understand under what circumstances the policy is applied or not applied. The table below illustrates the behavior when a filter for devices condition is configured.

+Organizations not comfortable allowing Microsoft to create these policies can create them manually by copying the settings from **View policy summary** or use the linked articles to create policies themselves.

+ - [Require multi-factor authentication for guest access](howto-policy-guest-mfa.md)

+ - [Require compliant or hybrid Azure AD joined device or multifactor authentication for all users](howto-conditional-access-policy-compliant-device.md)

+ - [Block access for unknown or unsupported device platform](howto-policy-unknown-unsupported-device.md)

+ - [No persistent browser session](howto-policy-persistent-browser-session.md)

+ - [Require compliant or Hybrid Azure AD joined device for administrators](howto-conditional-access-policy-compliant-device-admin.md)

+ - [Use application enforced restrictions for unmanaged devices](howto-policy-app-enforced-restriction.md)

+ Title: Require MFA for administrators with Conditional Access - Azure Active Directory

+# Common Conditional Access policy: Require MFA for administrators

+1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.

+ Title: Require MFA for all users with Conditional Access - Azure Active Directory

+# Common Conditional Access policy: Require MFA for all users

+1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.

+ Title: Require MFA for Azure management with Conditional Access - Azure Active Directory

+# Common Conditional Access policy: Require MFA for Azure management

+1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.

+1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.

+ Title: Block legacy authentication with Conditional Access - Azure Active Directory

+# Common Conditional Access policy: Block legacy authentication

+1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.

+ Title: Require administrators use compliant or hybrid joined devices - Azure Active Directory

+description: Create a custom Conditional Access policy to require compliant or hybrid joined devices for admins

+# Common Conditional Access policy: Require compliant or hybrid Azure AD joined device for administrators

+Accounts that are assigned administrative rights are targeted by attackers. Requiring users with these highly privileged rights to perform actions from devices marked as compliant or hybrid Azure AD joined can help limit possible exposure.

+More information about device compliance policies can be found in the article, [Set rules on devices to allow access to resources in your organization using Intune](/intune/protect/device-compliance-get-started)

+Requiring a hybrid Azure AD joined device is dependent on your devices already being hybrid Azure AD joined. For more information, see the article [Configure hybrid Azure AD join](../devices/howto-hybrid-azure-ad-join.md).

+Microsoft recommends you require enable this policy for the following roles at a minimum, based on [identity score recommendations](../fundamentals/identity-secure-score.md):

+- Global administrator

+- Application administrator

+- Authentication Administrator

+- Billing administrator

+- Cloud application administrator

+- Conditional Access administrator

+- Exchange administrator

+- Helpdesk administrator

+- Password administrator

+- Privileged authentication administrator

+- Privileged Role Administrator

+- Security administrator

+- SharePoint administrator

+- User administrator

+Organizations can choose to include or exclude roles as they see fit.

+## Create a Conditional Access policy

+The following steps will help create a Conditional Access policy to require multifactor authentication, devices accessing resources be marked as compliant with your organization's Intune compliance policies, or be hybrid Azure AD joined.

+1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.

+1. Browse to **Azure Active Directory** > **Security** > **Conditional Access**.

+1. Select **New policy**.

+1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.

+1. Under **Assignments**, select **Users or workload identities**.

+ 1. Under **Include**, select **Directory roles** and choose built-in roles like:

+ - Global Administrator

+ - Application administrator

+ - Authentication Administrator

+ - Billing Administrator

+ - Cloud application Administrator

+ - Conditional Access Administrator

+ - Exchange Administrator

+ - Helpdesk Administrator

+ - Password Administrator

+ - Privileged authentication Administrator

+ - Privileged Role Administrator

+ - Security Administrator

+ - SharePoint Administrator

+ - User Administrator

+

+ > [!WARNING]

+ > Conditional Access policies support built-in roles. Conditional Access policies are not enforced for other role types including [administrative unit-scoped](../roles/admin-units-assign-roles.md) or [custom roles](../roles/custom-create.md).

+ 1. Under **Exclude**, select **Users and groups** and choose your organization's emergency access or break-glass accounts.

+1. Under **Cloud apps or actions** > **Include**, select **All cloud apps**.

+1. Under **Access controls** > **Grant**.

+ 1. Select **Require device to be marked as compliant**, and **Require hybrid Azure AD joined device**

+ 1. **For multiple controls** select **Require one of the selected controls**.

+ 1. Select **Select**.

+1. Confirm your settings and set **Enable policy** to **Report-only**.

+1. Select **Create** to create to enable your policy.

+After confirming your settings using [report-only mode](howto-conditional-access-insights-reporting.md), an administrator can move the **Enable policy** toggle from **Report-only** to **On**.

+> [!NOTE]

+> You can enroll your new devices to Intune even if you select **Require device to be marked as compliant** for **All users** and **All cloud apps** using the steps above. **Require device to be marked as compliant** control does not block Intune enrollment.

+### Known behavior

+On Windows 7, iOS, Android, macOS, and some third-party web browsers, Azure AD identifies the device using a client certificate that is provisioned when the device is registered with Azure AD. When a user first signs in through the browser the user is prompted to select the certificate. The end user must select this certificate before they can continue to use the browser.

+#### Subscription activation

+Organizations that use the [Subscription Activation](/windows/deployment/windows-10-subscription-activation) feature to enable users to ΓÇ£step-upΓÇ¥ from one version of Windows to another, may want to exclude the Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f from their device compliance policy.

+## Next steps

+[Conditional Access common policies](concept-conditional-access-policy-common.md)

+[Determine impact using Conditional Access report-only mode](howto-conditional-access-insights-reporting.md)

+[Simulate sign in behavior using the Conditional Access What If tool](troubleshoot-conditional-access-what-if.md)

+[Device compliance policies work with Azure AD](/intune/device-compliance-get-started#device-compliance-policies-work-with-azure-ad)

+ Title: Require compliant, hybrid joined devices, or MFA - Azure Active Directory

+description: Create a custom Conditional Access policy to require compliant, hybrid joined devices, or multifactor authentication

+# Common Conditional Access policy: Require a compliant device, hybrid Azure AD joined device, or multifactor authentication for all users

+The following steps will help create a Conditional Access policy to require multifactor authentication, devices accessing resources be marked as compliant with your organization's Intune compliance policies, or be hybrid Azure AD joined.

+1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.

+ 1. Select **Require multifactor authentication**, **Require device to be marked as compliant**, and **Require hybrid Azure AD joined device**

+1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.

+1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.

+ Title: Control security information registration with Conditional Access - Azure Active Directory

+# Common Conditional Access policy: Securing security info registration

+ Title: User risk-based password change - Azure Active Directory

+# Common Conditional Access policy: User risk-based password change

+1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.

+ Title: Sign-in risk-based multifactor authentication - Azure Active Directory

+# Common Conditional Access policy: Sign-in risk-based multifactor authentication

+1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.

+1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.

+1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.

+1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.

+ Title: Conditional Access - Use application enforced restrictions for unmanaged devices - Azure Active Directory

+description: Create a custom Conditional Access policy for unmanaged devices

+# Common Conditional Access policy: Use application enforced restrictions for unmanaged devices

+Block or limit access to SharePoint, OneDrive, and Exchange content from unmanaged devices.

+## Create a Conditional Access policy

+1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.

+1. Browse to **Azure Active Directory** > **Security** > **Conditional Access**.

+1. Select **New policy**.

+1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.

+1. Under **Assignments**, select **Users or workload identities**.

+ 1. Under **Include**, select **All users**

+ 1. Under **Exclude**, select **Users and groups** and choose your organization's emergency access or break-glass accounts.

+1. Under **Cloud apps or actions**, select the following options:

+ 1. Under **Include**, choose **Select apps**.

+ 1. Choose **Office 365**, then select **Select**.

+1. Under **Access controls** > **Session**, select **Use app enforced restrictions**, then select **Select**.

+1. Confirm your settings and set **Enable policy** to **Report-only**.

+1. Select **Create** to create to enable your policy.

+After confirming your settings using [report-only mode](howto-conditional-access-insights-reporting.md), an administrator can move the **Enable policy** toggle from **Report-only** to **On**.

+## Next steps

+[Conditional Access common policies](concept-conditional-access-policy-common.md)

+[Simulate sign in behavior using the Conditional Access What If tool](troubleshoot-conditional-access-what-if.md)

+# Common Conditional Access policy: Require approved client apps or app protection policy

+1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.

+1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.

+ Title: Require MFA for guest users with Conditional Access - Azure Active Directory

+description: Create a custom Conditional Access policy requiring guest users perform multifactor authentication

+# Common Conditional Access policy: Require multifactor authentication for guest access

+Require guest users perform multifactor authentication when accessing your organization's resources.

+## Create a Conditional Access policy

+1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.

+1. Browse to **Azure Active Directory** > **Security** > **Conditional Access**.

+1. Select **New policy**.

+1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.

+1. Under **Assignments**, select **Users or workload identities**.

+ 1. Under **Include**, select **All guest and external users**

+ 1. Under **Exclude**, select **Users and groups** and choose your organization's emergency access or break-glass accounts.

+1. Under **Cloud apps or actions** > **Include**, select **All cloud apps**.

+ 1. Under **Exclude**, select any applications that don't require multifactor authentication.

+1. Under **Access controls** > **Grant**, select **Grant access**, **Require multifactor authentication**, and select **Select**.

+1. Confirm your settings and set **Enable policy** to **Report-only**.

+1. Select **Create** to create to enable your policy.

+After confirming your settings using [report-only mode](howto-conditional-access-insights-reporting.md), an administrator can move the **Enable policy** toggle from **Report-only** to **On**.

+## Next steps

+[Conditional Access common policies](concept-conditional-access-policy-common.md)

+[Simulate sign in behavior using the Conditional Access What If tool](troubleshoot-conditional-access-what-if.md)

+ Title: Require reauthentication with Conditional Access - Azure Active Directory

+description: Create a custom Conditional Access policy requiring reauthentication

+# Common Conditional Access policy: Require reauthentication and disable browser persistence

+Protect user access on unmanaged devices by preventing browser sessions from remaining signed in after the browser is closed and setting a sign-in frequency to 1 hour.

+## Create a Conditional Access policy

+1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.

+1. Browse to **Azure Active Directory** > **Security** > **Conditional Access**.

+1. Select **New policy**.

+1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.

+1. Under **Assignments**, select **Users or workload identities**.

+ 1. Under **Include**, select **All users**

+ 1. Under **Exclude**, select **Users and groups** and choose your organization's emergency access or break-glass accounts.

+1. Under **Cloud apps or actions** > **Include**, select **All cloud apps**.

+1. Under **Conditions** > **Filter for devices**, set **Configure** to **Yes**.

+ 1. Under **Devices matching the rule:**, set to **Include filtered devices in policy**.

+ 1. Under **Rule syntax** select the **Edit** pencil and paste the following expressing in the box, then select **Apply**.

+ 1. device.trustType -ne "ServerAD" -or device.isCompliant -ne True

+ 1. Select **Done**.

+1. Under **Access controls** > **Session**

+ 1. Select **Sign-in frequency**, specify **Periodic reauthentication**, and set the duration to **1** and the period to **Hours**.

+ 1. Select **Persistent browser session**, and set **Persistent browser session** to **Never persistent**.

+ 1. Select, **Select**

+1. Confirm your settings and set **Enable policy** to **Report-only**.

+1. Select **Create** to create to enable your policy.

+After confirming your settings using [report-only mode](howto-conditional-access-insights-reporting.md), an administrator can move the **Enable policy** toggle from **Report-only** to **On**.

+## Next steps

+[Conditional Access common policies](concept-conditional-access-policy-common.md)

+[Simulate sign in behavior using the Conditional Access What If tool](troubleshoot-conditional-access-what-if.md)

+ Title: Block unsupported platforms with Conditional Access - Azure Active Directory

+description: Create a custom Conditional Access policy to block unsupported platforms

+# Common Conditional Access policy: Block access for unknown or unsupported device platform

+Users will be blocked from accessing company resources when the device type is unknown or unsupported.

+## Create a Conditional Access policy

+1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.

+1. Browse to **Azure Active Directory** > **Security** > **Conditional Access**.

+1. Select **New policy**.

+1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.

+1. Under **Assignments**, select **Users or workload identities**.

+ 1. Under **Include**, select **All users**

+ 1. Under **Exclude**, select **Users and groups** and choose your organization's emergency access or break-glass accounts.

+1. Under **Cloud apps or actions** > **Include**, select **All cloud apps**.

+1. Under **Conditions**, select **Device platforms**

+ 1. Set **Configure** to **Yes**.

+ 1. Under **Include**, select **Any device**

+ 1. Under **Exclude**, select **Android**, **iOS**, **Windows**, and **macOS**.

+ 1. Select, **Done**.

+1. Under **Access controls** > **Grant**, select **Block access**, then select **Select**.

+1. Confirm your settings and set **Enable policy** to **Report-only**.

+1. Select **Create** to create to enable your policy.

+After confirming your settings using [report-only mode](howto-conditional-access-insights-reporting.md), an administrator can move the **Enable policy** toggle from **Report-only** to **On**.

+## Next steps

+[Conditional Access common policies](concept-conditional-access-policy-common.md)

+[Simulate sign in behavior using the Conditional Access What If tool](troubleshoot-conditional-access-what-if.md)

+1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.

+ | Date in the future | Monthly | Starting today, users must accept the terms of use policy. When the future date occurs, consents will expire, and then users must reaccept every month. |

+1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.

+1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.

+1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.

+1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.

+1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.

+1. If you would like to see the previous consent events, you can select **All** from the **Current State** drop-down. Now you can see each user's events in details about each version and what happened.

+1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.

+1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.

+1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.

+1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.

+1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.

+To set up federation, the following attributes must be received in the SAML 2.0 response from the IdP. These attributes can be configured by linking to the online security token service XML file or by entering them manually. Step 12 in [Create a test AD FS instance](https://medium.com/in-the-weeds/create-a-test-active-directory-federation-services-3-0-instance-on-an-azure-virtual-machine-9071d978e8ed) describes how to find the AD FS endpoints or how to generate your metadata URL, for example `https://fs.iga.azure-test.net/federationmetadata/2007-06/federationmetadata.xml`.

+ - **Claim identifier**: `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent`

+> Be sure to include a slash (/) after the tenant ID, for example: `https://login.microsoftonline.com/00000000-27d4-489f-a23b-00000000084d/`.

+ > Be sure to include a slash (/) after the tenant ID, for example: `https://login.microsoftonline.com/00000000-27d4-489f-a23b-00000000084d/`.

+As an Azure Active Directory (Azure AD) [B2B collaboration](what-is-b2b.md) or [B2B direct connect](b2b-direct-connect-overview.md) user, you can leave an organization at any time if you no longer need to use apps from that organization, or maintain any association.

+1. [Convert local guest accounts to B2B](10-secure-local-guest.md) (YouΓÇÖre here)

+1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.

+1. Under **Assignments**, select **Users or workload identities**.

+1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.

+1. Under **Assignments**, select **Users or workload identities**.

+- Microsoft 365 (E3, A3, F1, F3)

+- Microsoft 365 (E5, A5)

+10. [Convert local guest accounts to B2B](10-secure-local-guest.md)

+1. Under rules, select the **Property**, **Operator**, and give it a **value**. The following picture gives an example of a rule being set up for a sales department. For a full list of user properties supported by Lifecycle Workflows, see [Supported user properties and query parameters](/graph/api/resources/identitygovernance-rulebasedsubjectset?view=graph-rest-beta#supported-user-properties-and-query-parameters?toc=/azure/active-directory/governance/toc.json&bc=/azure/active-directory/governance/breadcrumb/toc.json)

+ Then **Select directories + domains** pane opens.

+1. In the search box, enter a domain name to search for the Azure AD directory or domain. You can also add domains that are not in Azure AD. Be sure to enter the entire domain name.

+1. Confirm that the organization name(s) and authentication type(s) are correct. User sign in, prior to being able to access the MyAccess portal, depends on the authentication type for their organization. If the authentication type for a connected organization is Azure AD, all users with an account in any verified domain of that Azure AD directory will sign into their directory, and then can request access to access packages that allow that connected organization. If the authentication type is One-time passcode, this allows users with email addresses from just that domain to visit the MyAccess portal. After they authenticate with the passcode, the user can make a request.

+1. Select **Add** to add the Azure AD directory or domain. **You can add multiple Azure AD directories and domains**.

+1. After you've added the Azure AD directories or domains, select **Select**.

+ The organization(s) appears in the list.

+> [!NOTE]

+> For a full list of user properties supported by Lifecycle Workflows, see [Supported user properties and query parameters](/graph/api/resources/identitygovernance-rulebasedsubjectset?view=graph-rest-beta#supported-user-properties-and-query-parameters?toc=/azure/active-directory/governance/toc.json&bc=/azure/active-directory/governance/breadcrumb/toc.json)

+## 2.1.19.0

+### Release status:

+11/2/2022: Released for download

+### Functional changes

+ - We added a new attribute 'employeeLeaveDateTime' for syncing to Azure AD. To learn more about how to use this attribute to manage your users' life cycles, please refer to [this article](https://learn.microsoft.com/azure/active-directory/governance/how-to-lifecycle-workflow-sync-attributes)

+### Bug fixes

+ - we fixed a bug where Azure AD Connect Password writeback stopped with error code "SSPR_0029 ERROR_ACCESS_DENIED"

+ Title: 'Tutorial: App Proxy configuration for Azure AD SAML SSO for Confluence'

+description: Learn App Proxy configuration for Azure AD SAML SSO for Confluence.

+# Tutorial: App Proxy configuration for Azure AD SAML SSO for Confluence

+This article helps to configure Azure AD SAML SSO for your on-premises Confluence application using Application Proxy.

+## Prerequisites

+To configure Azure AD integration with Confluence SAML SSO by Microsoft, you need the following items:

+- An Azure AD subscription.

+- Confluence server application installed on a Windows 64-bit server (on-premises or on the cloud IaaS infrastructure).

+- Confluence server is HTTPS enabled.

+- Note the supported versions for Confluence Plugin are mentioned in below section.

+- Confluence server is reachable on internet particularly to Azure AD Login page for authentication and should able to receive the token from Azure AD.

+- Admin credentials are set up in Confluence.

+- WebSudo is disabled in Confluence.

+- Test user created in the Confluence server application.

+To get started, you need the following items:

+* Do not use your production environment, unless it is necessary.

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Confluence SAML SSO by Microsoft single sign-on (SSO) enabled subscription.

+## Supported versions of Confluence

+As of now, following versions of Confluence are supported:

+- Confluence: 5.0 to 5.10

+- Confluence: 6.0.1 to 6.15.9

+- Confluence: 7.0.1 to 7.17.0

+> [!NOTE]

+> Please note that our Confluence Plugin also works on Ubuntu Version 16.04

+## Scenario description

+In this tutorial, you configure and test Azure AD SSO for on-premises confluence setup using application proxy mode.

+1. Download and Install Azure AD App Proxy connector.

+1. Add Application Proxy in Azure AD.

+1. Add a Confluence SAML SSO app in Azure AD.

+1. Configure SSO for SAML SSO Confluence Application in Azure AD.

+1. Create an Azure AD Test user.

+1. Assigning the test user for the Confluence Azure AD App.

+1. Configure SSO for Confluence SAML SSO by Microsoft Confluence plugin in your Confluence Server.

+1. Assigning the test user for the Microsoft Confluence plugin in your Confluence Server.

+1. Test the SSO.

+## Download and Install the App Proxy Connector Service

+1. Sign in to the [Azure portal](https://portal.azure.com/) as an application administrator of the directory that uses Application Proxy.

+2. Select **App proxy** from Azure Services section.

+3. Select **Download connector service**.

+ 

+4. Accept terms & conditions to download connector. Once downloaded, install it to the system, which hosts the confluence application.

+## Add an On-premises Application in Azure AD

+To add an Application proxy, we need to create an enterprise application.

+1. Sign in as an administrator in the Azure portal.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. Choose **Add an on-premises application**.

+ 

+1. Type the name of the application and click the create button at the bottom left column.

+ 

+ 1. **Internal URL** will be your Confluence application URL.

+ 2. **External URL** will be auto-generated based on the Name you choose.

+ 3. **Pre Authentication** can be left to Azure Active Directory as default.

+ 4. Choose **Connector Group** which lists your connector agent under it as active.

+ 5. Leave the **Additional Settings** as default.

+1. Click on the **Save** from the top options to configure an application proxy.

+## Add a Confluence SAML SSO app in Azure AD

+Now that you've prepared your environment and installed a connector, you're ready to add confluence applications to Azure AD.

+1. Sign in as an administrator in the Azure portal.

+2. In the left navigation panel, select Azure Active Directory.

+3. Select Enterprise applications, and then select New applications.

+4. Select **Confluence SAML SSO by Microsoft** widget from the Azure AD Gallery.

+## Configure SSO for Confluence SAML SSO Application in Azure AD

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. Open the **Confluence SAML SSO by Microsoft** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the Basic SAML Configuration section, enter the **External Url** value for the following fields: identifier, Reply URL, SignOn URL.

+### Create an Azure AD test user

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+### Assigning the test user for the Confluence Azure AD App

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Confluence Azure AD App.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **Confluence SAML SSO by Microsoft**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user/group**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+1. Verify the App Proxy setup by checking if the configured test user is able to SSO using the external URL mentioned in the on-premises application.

+> [!NOTE]

+> Complete the setup of the JIRA SAML SSO by Microsoft application by following [this](./jiramicrosoft-tutorial.md) tutorial.

+> [!NOTE]

+> For the information on application proxy configuration for Confluence, please refer [this](confluence-app-proxy-tutorial.md) tutorial.

+ Title: 'Tutorial: Configure Keepabl for automatic user provisioning with Azure Active Directory | Microsoft Docs'

+description: Learn how to automatically provision and de-provision user accounts from Azure AD to Keepabl.

+documentationcenter: ''

+writer: Thwimmer

+ms.assetid: 80b48f18-fbdd-4c35-8aa9-b5f7a8331044

+ms.devlang: na

+# Tutorial: Configure Keepabl for automatic user provisioning

+This tutorial describes the steps you need to perform in both Keepabl and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users to [Keepabl](https://keepabl.com/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).

+## Capabilities supported

+> [!div class="checklist"]

+> * Create users in Keepabl.

+> * Remove users in Keepabl when they do not require access anymore.

+> * Keep user attributes synchronized between Azure AD and Keepabl.

+> * [Single sign-on](keepabl-tutorial.md) to Keepabl (recommended).

+## Prerequisites

+The scenario outlined in this tutorial assumes that you already have the following prerequisites:

+* [An Azure AD tenant](../develop/quickstart-create-new-tenant.md).

+* A user account in Azure AD with [permission](../roles/permissions-reference.md) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).

+* A user account in Keepabl with Admin permissions.

+## Step 1. Plan your provisioning deployment

+1. Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md).

+1. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+1. Determine what data to [map between Azure AD and Keepabl](../app-provisioning/customize-application-attributes.md).

+## Step 2. Configure Keepabl to support provisioning with Azure AD

+1. Sign in to [Keepabl Admin Portal](https://app.keepabl.com) and then navigate to **Account Settings > Your Organization**, where youΓÇÖll see the **Single Sign-On (SSO)** section.

+1. Click on the **Edit Identity Provider** button.You will be taken to the SSO Setup page, where once you select Microsoft Azure as your provider and then scroll down, you will see your **Tenant URL** and **Secret Token**. These value will be entered in the Provisioning tab of your Keepabl application in the Azure portal.

+ 

+>[!NOTE]

+>To Setup Identity Provider or SSO visit [here](https://keepabl.com/admin-guide-to-sso-keepabl).

+## Step 3. Add Keepabl from the Azure AD application gallery

+Add Keepabl from the Azure AD application gallery to start managing provisioning to Keepabl. If you have previously setup Keepabl for SSO, you can use the same application. However it is recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md).

+## Step 4. Define who will be in scope for provisioning

+The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users to the application. If you choose to scope who will be provisioned based solely on attributes of the user, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+* Start small. Test with a small set of users before rolling out to everyone. When scope for provisioning is set to assigned users, you can control this by assigning one or two users to the app. When scope is set to all users, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+* If you need additional roles, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add new roles.

+## Step 5. Configure automatic user provisioning to Keepabl

+This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users in Keepabl based on user assignments in Azure AD.

+### To configure automatic user provisioning for Keepabl in Azure AD:

+1. Sign in to the [Azure portal](https://portal.azure.com). Select **Enterprise Applications**, then select **All applications**.

+ 

+1. In the applications list, select **Keepabl**.

+ 

+1. Select the **Provisioning** tab.

+ 

+1. Set the **Provisioning Mode** to **Automatic**.

+ 

+1. Under the **Admin Credentials** section, input your Keepabl Tenant URL and corresponding Secret Token. Click **Test Connection** to ensure Azure AD can connect to Keepabl.

+ 

+1. In the **Notification Email** field, enter the email address of a person who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box.

+ 

+1. Select **Save**.

+1. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to Keepabl**.

+1. Review the user attributes that are synchronized from Azure AD to Keepabl in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Keepabl for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you will need to ensure that the Keepabl API supports filtering users based on that attribute. Select the **Save** button to commit any changes.

+ |Attribute|Type|Supported for filtering|Required by Keepabl|

+ |||||

+ |userName|String|&check;|&check;

+ |emails[type eq "work"].value|String|&check;|&check;

+ |active|Boolean|||

+ |name.givenName|String|||

+ |name.familyName|String|||

+

+1. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+1. To enable the Azure AD provisioning service for Keepabl, change the **Provisioning Status** to **On** in the **Settings** section.

+ 

+1. Define the users that you would like to provision to Keepabl by choosing the desired values in **Scope** in the **Settings** section.

+ 

+1. When you are ready to provision, click **Save**.

+ 

+This operation starts the initial synchronization cycle of all users defined in **Scope** in the **Settings** section. The initial cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running.

+## Step 6. Monitor your deployment

+Once you've configured provisioning, use the following resources to monitor your deployment:

+* Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully

+* Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it is to completion

+* If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).

+## More resources

+* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)

+* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

+## Next steps

+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)

+[region-availability]: https://azure.microsoft.com/global-infrastructure/services/?products=kubernetes-service

+This article shows you how to create a connection to an AKS node.

+> [!NOTE]

+> For version 1.1, the command is `osm uninstall mesh --delete-cluster-wide-resources`

+# Create a basic single-node pool AKS cluster

+> [!Important]

+> The feature described in this article, pod security policy (preview), will be deprecated starting with Kubernetes version 1.21, and it will be removed in version 1.25. AKS will mark the pod security policy as Deprecated with the AKS API on 04-01-2023. You can migrate pod security policy to pod security admission controller before the deprecation deadline.

+> [!NOTE]

+> If your are using `*` for the App Setting, you will need to restart your web app after adding a new certificate to your web app to ensure that new certificate becomes accessible to your app.

+* [Environment variables and app settings reference](reference-app-settings.md)

+In this quickstart, you'll create a feature flag in Azure App Configuration and use it to dynamically control the availability of a new web page in an ASP.NET Core app without restarting or redeploying it.

+The feature management support extends the dynamic configuration feature in App Configuration. The example in this quickstart builds on the ASP.NET Core app introduced in the dynamic configuration tutorial. Before you continue, finish the [quickstart](./quickstart-aspnet-core-app.md), and the [tutorial](./enable-dynamic-configuration-aspnet-core.md) to create an ASP.NET Core app with dynamic configuration first.

+Follow the documents to create an ASP.NET Core app with dynamic configuration.

+* [Quickstart: Create an ASP.NET Core app with App Configuration](./quickstart-aspnet-core-app.md)

+* [Tutorial: Use dynamic configuration in an ASP.NET Core app](./enable-dynamic-configuration-aspnet-core.md)

+## Create a feature flag

+Navigate to the Azure App Configuration store you created previously in Azure portal. Under **Operations** section, select **Feature manager** > **Create** to add a feature flag called *Beta*.

+> [!div class="mx-imgBorder"]

+> 

+Leave the rest of fields empty for now. Select **Apply** to save the new feature flag. To learn more, check out [Manage feature flags in Azure App Configuration](./manage-feature-flags.md).

+## Use a feature flag

+1. Navigate into the project's directory, and run the following command to add a reference to the [Microsoft.FeatureManagement.AspNetCore](https://www.nuget.org/packages/Microsoft.FeatureManagement.AspNetCore) NuGet package.

+1. Open *Program.cs*, and add a call to the `UseFeatureFlags` method inside the `AddAzureAppConfiguration` call.

+ #### [.NET 6.x](#tab/core6x)

+ // Load configuration from Azure App Configuration

+ builder.Configuration.AddAzureAppConfiguration(options =>

+ {

+ options.Connect(connectionString)

+ // Load all keys that start with `TestApp:` and have no label

+ .Select("TestApp:*", LabelFilter.Null)

+ // Configure to reload configuration if the registered sentinel key is modified

+ .ConfigureRefresh(refreshOptions =>

+ refreshOptions.Register("TestApp:Settings:Sentinel", refreshAll: true));

+

+ // Load all feature flags with no label

+ options.UseFeatureFlags();

+ });

+ {

+ //Retrieve the Connection String from the secrets manager

+ IConfiguration settings = config.Build();

+ string connectionString = settings.GetConnectionString("AppConfig");

+ // Load configuration from Azure App Configuration

+ {

+ options.Connect(connectionString)

+ // Load all keys that start with `TestApp:` and have no label

+ .Select("TestApp:*", LabelFilter.Null)

+ // Configure to reload configuration if the registered sentinel key is modified

+ .ConfigureRefresh(refreshOptions =>

+ refreshOptions.Register("TestApp:Settings:Sentinel", refreshAll: true));

+ // Load all feature flags with no label

+ options.UseFeatureFlags();

+ });

+ });

+ webBuilder.UseStartup<Startup>();

+ });

+

+ > [!TIP]

+ > When no parameter is passed to the `UseFeatureFlags` method, it loads *all* feature flags with *no label* in your App Configuration store. The default refresh expiration of feature flags is 30 seconds. You can customize this behavior via the `FeatureFlagOptions` parameter. For example, the following code snippet loads only feature flags that start with *TestApp:* in their *key name* and have the label *dev*. The code also changes the refresh expiration time to 5 minutes. Note that this refresh expiration time is separate from that for regular key-values.

+ >

+ > ```csharp

+ > options.UseFeatureFlags(featureFlagOptions =>

+ > {

+ > featureFlagOptions.Select("TestApp:*", "dev");

+ > featureFlagOptions.CacheExpirationInterval = TimeSpan.FromMinutes(5);

+ > });

+ > ```

+1. Add feature management to the service collection of your app by calling `AddFeatureManagement`.

+ #### [.NET 6.x](#tab/core6x)

+ Update *Program.cs* with the following code.

+ ```csharp

+ // Existing code in Program.cs

+ // ... ...

+ builder.Services.AddRazorPages();

+ // Add Azure App Configuration middleware to the container of services.

+ builder.Services.AddAzureAppConfiguration();

+ // Add feature management to the container of services.

+ builder.Services.AddFeatureManagement();

+ // Bind configuration "TestApp:Settings" section to the Settings object

+ builder.Services.Configure<Settings>(builder.Configuration.GetSection("TestApp:Settings"));

+ var app = builder.Build();

+ // The rest of existing code in program.cs

+ // ... ...

+ Open *Startup.cs*, and update the `ConfigureServices` method.

+ ```csharp

+ services.AddRazorPages();

+ // Add Azure App Configuration middleware to the container of services.

+ // Add feature management to the container of services.

+ services.AddFeatureManagement();

+ // Bind configuration "TestApp:Settings" section to the Settings object

+ services.Configure<Settings>(Configuration.GetSection("TestApp:Settings"));

+ }

+

+ Add `using Microsoft.FeatureManagement;` at the top of the file if it's not present.

+1. Add a new empty Razor page named **Beta** under the *Pages* directory. It includes two files *Beta.cshtml* and *Beta.cshtml.cs*.

+ Open *Beta.cshtml*, and update it with the following markup:

+ ```cshtml

+ @page

+ @model TestAppConfig.Pages.BetaModel

+ @{

+ ViewData["Title"] = "Beta Page";

+ <h1>This is the beta website.</h1>

+ Open *Beta.cshtml.cs*, and add `FeatureGate` attribute to the `BetaModel` class. The `FeatureGate` attribute ensures the *Beta* page is accessible only when the *Beta* feature flag is enabled. If the *Beta* feature flag isn't enabled, the page will return 404 Not Found.

+ using Microsoft.AspNetCore.Mvc.RazorPages;

+ namespace TestAppConfig.Pages

+ [FeatureGate("Beta")]

+ public class BetaModel : PageModel

+ public void OnGet()

+ {

+ }

+ }

+1. Open *Pages/_ViewImports.cshtml*, and register the feature manager Tag Helper using an `@addTagHelper` directive:

+1. Open *_Layout.cshtml* in the *Pages*\\*Shared* directory. Insert a new `<feature>` tag in between the *Home* and *Privacy* navbar items, as shown in the highlighted lines below.

+ :::code language="html" source="../../includes/azure-app-configuration-navbar.md" range="15-38" highlight="13-17":::

+ The `<feature>` tag ensures the *Beta* menu item is shown only when the *Beta* feature flag is enabled.

+1. Open a browser window, and go to the URL shown in the `dotnet run` output. Your browser should display a page similar to the image below.

+ 

+1. Sign in to the [Azure portal](https://portal.azure.com). Select **All resources**, and select the App Configuration store that you created previously.

+1. Select **Feature manager** and locate the **Beta** feature flag. Enable the flag by selecting the checkbox under **Enabled**.

+1. Refresh the browser a few times. When the cache expires after 30 seconds, the page shows with updated content.

+ 

+1. Select the *Beta* menu. It will bring you to the beta website that you enabled dynamically.

+ 

+In this quickstart, you added feature management capability to an ASP.NET Core app on top of dynamic configuration. The [Microsoft.FeatureManagement.AspNetCore](https://www.nuget.org/packages/Microsoft.FeatureManagement.AspNetCore) library offers rich integration for ASP.NET Core apps, including feature management in MVC controller actions, razor pages, views, routes, and middleware. For more information, continue to the following tutorial.

+> [!div class="nextstepaction"]

+> [Use feature flags in ASP.NET Core apps](./use-feature-flags-dotnet-core.md)

+While a feature flag allows you to activate or deactivate functionality in your app, you may want to customize a feature flag based on your app's logic. Feature filters allow you to enable a feature flag conditionally. For more information, continue to the following tutorial.

+> [!div class="nextstepaction"]

+> [Use feature filters for conditional feature flags](./howto-feature-filters-aspnet-core.md)

+Azure App Configuration offers built-in feature filters that enable you to activate a feature flag only during a specific period or to a particular targeted audience of your app. For more information, continue to the following tutorial.

+> [!div class="nextstepaction"]

+> [Enable features for targeted audiences](./howto-targetingfilter-aspnet-core.md)

+To enable feature management capability for other types of apps, continue to the following tutorials.

+> [!div class="nextstepaction"]

+> [Use feature flags in .NET apps](./quickstart-feature-flag-dotnet.md)

+> [!div class="nextstepaction"]

+> [Use feature flags in Azure Functions](./quickstart-feature-flag-azure-functions-csharp.md)

+To learn more about managing feature flags in Azure App Configuration, continue to the following tutorial.

+> [!div class="nextstepaction"]

+> [Manage feature flags in Azure App Configuration](./manage-feature-flags.md)

+# Azure Arc-enabled data services data collection and reporting

+Azure Arc-enabled data services doesn't store any customer data.

+* UK South

+* Canada Central

+* Australia East

+* Southeast Asia

+ | **ServiceBusConnection__fullyQualifiedNamespace** | <SERVICE_BUS_NAMESPACE>.servicebus.windows.net | This setting connects your function app to the Service Bus using an identity-based connection instead of secrets. |

+For I/O-bound apps, you should see substantial gains by increasing the number of threads working on each invocation. the recommendation is to start with the Python default (the number of cores) + 4 and then tweak based on the throughput values you're seeing.

+*Last updated: November 2022*

+| [Azure Automanage Guest Configuration](../../governance/machine-configuration/overview.md) | &#x2705; | &#x2705; |

+*Last updated: November 2022*

+| [Azure Active Directory (Premium P1 + P2, specifically Privileged Identity Management and Access Reviews)](../../active-directory/fundamentals/active-directory-whatis.md#what-are-the-azure-ad-licenses) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | &#x2705; |

+| [Azure Automanage Machine Configuration](../../governance/machine-configuration/overview.md) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | |

+| [Notification Hubs](../../notification-hubs/index.yml) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | &#x2705; |

+| [Power Apps](/powerapps/) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | &#x2705; |

+| [Power Automate](/power-automate/) (formerly Microsoft Flow) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | &#x2705; |

+Here's a short **introduction to Azure Monitor agent video**, which includes a quick demo of how to set up the agent from the Azure portal: [ITOps Talk: Azure Monitor Agent](https://www.youtube.com/watch?v=f8bIrFU8tCs)

+ | Windows 10, 11 desktops, workstations | [Client installer](./azure-monitor-agent-windows-client.md) | Installs the agent by using a Windows MSI installer. |

+ | Windows 10, 11 laptops | [Client installer](./azure-monitor-agent-windows-client.md) | Installs the agent by using a Windows MSI installer. The installer works on laptops, but the agent *isn't optimized yet* for battery or network consumption. |

+Azure Monitor Agent is available in all public regions and Azure Government clouds, for generally available features. It's not yet supported in air-gapped clouds. For more information, see [Product availability by region](https://azure.microsoft.com/global-infrastructure/services/?products=monitor&rar=true&regions=all).

+$settingsString = '{"proxy":{"mode":"application","address":"http://[address]:[port]","auth": true}}';

+$protectedSettingsString = '{"proxy":{"username":"[username]","password": "[password]"}}';

+Set-AzVMExtension -ExtensionName AzureMonitorWindowsAgent -ExtensionType AzureMonitorWindowsAgent -Publisher Microsoft.Azure.Monitor -ResourceGroupName <resource-group-name> -VMName <virtual-machine-name> -Location <location> -TypeHandlerVersion <type-handler-version> -SettingString $settingsString -ProtectedSettingString $protectedSettingsString

+$settingsString = '{"proxy":{"mode":"application","address":"http://[address]:[port]","auth": true}}';

+$protectedSettingsString = '{"proxy":{"username":"[username]","password": "[password]"}}';

+Set-AzVMExtension -ExtensionName AzureMonitorLinuxAgent -ExtensionType AzureMonitorLinuxAgent -Publisher Microsoft.Azure.Monitor -ResourceGroupName <resource-group-name> -VMName <virtual-machine-name> -Location <location> -TypeHandlerVersion <type-handler-version> -SettingString $settingsString -ProtectedSettingString $protectedSettingsString

+$settings = @{"proxy" = @{mode = "application"; address = "http://[address]:[port]"; auth = "true"}}

+$protectedSettings = @{"proxy" = @{username = "[username]"; password = "[password]"}}

+New-AzConnectedMachineExtension -Name AzureMonitorWindowsAgent -ExtensionType AzureMonitorWindowsAgent -Publisher Microsoft.Azure.Monitor -ResourceGroupName <resource-group-name> -MachineName <arc-server-name> -Location <arc-server-location> -Setting $settings -ProtectedSetting $protectedSettings

+$settings = @{"proxy" = @{mode = "application"; address = "http://[address]:[port]"; auth = "true"}}

+$protectedSettings = @{"proxy" = @{username = "[username]"; password = "[password]"}}

+New-AzConnectedMachineExtension -Name AzureMonitorLinuxAgent -ExtensionType AzureMonitorLinuxAgent -Publisher Microsoft.Azure.Monitor -ResourceGroupName <resource-group-name> -MachineName <arc-server-name> -Location <arc-server-location> -Setting $settings -ProtectedSetting $protectedSettings

+There are five types of alerts:

+- [Create a Prometheus rule group](../essentials/prometheus-rule-groups.md).

+The following table shows the recommended [aggregation types](../essentials/metrics-aggregation-explained.md#aggregation-types) for each of the OpenTelemetry Metric Instruments.

+Statsbeat collects essential and non-essential [custom metric](../essentials/metrics-custom-overview.md) about Application Insights SDKs and auto-instrumentation. Statsbeat serves three benefits for Azure Monitor Application Insights customers:

+> [!NOTE]

+> Funnels are limited to a maximum of six steps.

+# Understand autoscale settings

+Autoscale settings help ensure that you have the right amount of resources running to handle the fluctuating load of your application. You can configure autoscale settings to be triggered based on metrics that indicate load or performance, or triggered at a scheduled date and time.

+This article gives a detailed explanation of the autoscale settings.

+The following example shows an autoscale setting. This autoscale setting has the following attributes:

+- A single default profile.

+- Two metric rules in this profile: one for scale-out, and one for scale-in.

+ - The scale-out rule is triggered when the Virtual Machine Scale Set's average percentage CPU metric is greater than 85 percent for the past 10 minutes.

+ - The scale-in rule is triggered when the Virtual Machine Scale Set's average is less than 60 percent for the past minute.

+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",

+ "contentVersion": "1.0.0.0",

+ "resources": [

+ {

+ "type": "Microsoft.Insights/autoscaleSettings",

+ "apiVersion": "2015-04-01",

+ "name": "VMSS1-Autoscale-607",

+ "location": "eastus",

+ "properties": {

+ "name": "VMSS1-Autoscale-607",

+ "enabled": true,

+ "targetResourceUri": "/subscriptions/abc123456-987-f6e5-d43c-9a8d8e7f6541/resourceGroups/rg-vmss1/providers/Microsoft.Compute/virtualMachineScaleSets/VMSS1",

+ "name": "Auto created default scale condition",

+ "metricResourceUri": "/subscriptions/abc123456-987-f6e5-d43c-9a8d8e7f6541/resourceGroups/rg-vmss1/providers/Microsoft.Compute/virtualMachineScaleSets/VMSS1",

+ "metricResourceUri": "/subscriptions/abc123456-987-f6e5-d43c-9a8d8e7f6541/resourceGroups/rg-vmss1/providers/Microsoft.Compute/virtualMachineScaleSets/VMSS1",

+The table below describes the elements in the above autoscale setting's JSON.

+| Section | Element name |Portal name| Description |

+| | | | |

+| Setting | ID | |The autoscale setting's resource ID. Autoscale settings are an Azure Resource Manager resource. |

+| Setting | name | |The autoscale setting name. |

+| Setting | location | |The location of the autoscale setting. This location can be different from the location of the resource being scaled. |

+| properties | targetResourceUri | |The resource ID of the resource being scaled. You can only have one autoscale setting per resource. |

+| properties | profiles | Scale condition |An autoscale setting is composed of one or more profiles. Each time the autoscale engine runs, it executes one profile. |

+| profiles | name | |The name of the profile. You can choose any name that helps you identify the profile. |

+| profiles | capacity.maximum | Instance limits - Maximum |The maximum capacity allowed. It ensures that autoscale doesn't scale your resource above this number when executing the profile. |

+| profiles | capacity.minimum | Instance limits - Minimum |The minimum capacity allowed. It ensures that autoscale doesn't scale your resource below this number when executing the profile |

+| profiles | capacity.default | Instance limits - Default |If there's a problem reading the resource metric, and the current capacity is below the default, autoscale scales out to the default. This ensures the availability of the resource. If the current capacity is already higher than the default capacity, autoscale doesn't scale in. |

+| profiles | rules | Rules |Autoscale automatically scales between the maximum and minimum capacities, by using the rules in the profile. You can have multiple rules in a profile. Typically there are two rules: one to determine when to scale out, and the other to determine when to scale in. |

+| rule | metricTrigger | Scale rule |Defines the metric condition of the rule. |

+| metricTrigger | metricName | Metric name |The name of the metric. |

+| metricTrigger | metricResourceUri | |The resource ID of the resource that emits the metric. In most cases, it is the same as the resource being scaled. In some cases, it can be different. For example, you can scale a Virtual Machine Scale Set based on the number of messages in a storage queue. |

+| metricTrigger | timeGrain | Time grain (minutes) |The metric sampling duration. For example, **TimeGrain = ΓÇ£PT1MΓÇ¥** means that the metrics should be aggregated every 1 minute, by using the aggregation method specified in the statistic element. |

+| metricTrigger | statistic | Time grain statistic |The aggregation method within the timeGrain period. For example, **statistic = ΓÇ£AverageΓÇ¥** and **timeGrain = ΓÇ£PT1MΓÇ¥** means that the metrics should be aggregated every 1 minute, by taking the average. This property dictates how the metric is sampled. |

+| metricTrigger | timeWindow | Duration |The amount of time to look back for metrics. For example, **timeWindow = ΓÇ£PT10MΓÇ¥** means that every time autoscale runs, it queries metrics for the past 10 minutes. The time window allows your metrics to be normalized, and avoids reacting to transient spikes. |

+| metricTrigger | timeAggregation |Time aggregation |The aggregation method used to aggregate the sampled metrics. For example, **TimeAggregation = ΓÇ£AverageΓÇ¥** should aggregate the sampled metrics by taking the average. In the preceding case, take the ten 1-minute samples, and average them. |

+| rule | scaleAction | Action |The action to take when the metricTrigger of the rule is triggered. |

+| scaleAction | direction | Operation |"Increase" to scale out, or "Decrease" to scale in.|

+| scaleAction | value |Instance count |How much to increase or decrease the capacity of the resource. |

+| scaleAction | cooldown | Cool down (minutes)|The amount of time to wait after a scale operation before scaling again. For example, if **cooldown = ΓÇ£PT10MΓÇ¥**, autoscale doesn't attempt to scale again for another 10 minutes. The cooldown is to allow the metrics to stabilize after the addition or removal of instances. |

+## Autoscale profiles

+There are three types of autoscale profiles:

+- **Default profile:** Use the default profile if you donΓÇÖt need to scale your resource based on a particular date and time, or day of the week. The default profile runs when there are no other applicable profiles for the current date and time. You can only have one default profile.

+- **Fixed date profile:** The fixed date profile is relevant for a single date and time. Use the fixed date profile to set scaling rules for a specific event. The profile runs only once, on the eventΓÇÖs date and time. For all other times, autoscale uses the default profile.

+```json

+ ...

+```

+- **Recurrence profile:** A recurrence profile is used for a day or set of days of the week. The schema for a recurring profile doesn't include an end date. The end of date and time for a recurring profile is set by the start time of the following profile. When using the portal to configure recurring profiles, the default profile is automatically updated to start at the end time that you specify for the recurring profile. For more information on configuring multiple profiles, see [Autoscale with multiple profiles](./autoscale-multiprofile.md)

+ The partial schema example below shows a recurring profile, starting at 06:00 and ending at 19:00 on Saturdays and Sundays. The default profile has been modified to start at 19:00 on Saturdays and Sundays.

+

+``` JSON

+ {

+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",

+ "contentVersion": "1.0.0.0",

+ "resources": [

+ {

+ "type": "Microsoft.Insights/ autoscaleSettings",

+ "apiVersion": "2015-04-01",

+ "name": "VMSS1-Autoscale-607",

+ "location": "eastus",

+ "properties": {

+

+ "name": "VMSS1-Autoscale-607",

+ "enabled": true,

+ "targetResourceUri": "/subscriptions/ abc123456-987-f6e5-d43c-9a8d8e7f6541/ resourceGroups/rg-vmss1/providers/ Microsoft.Compute/ virtualMachineScaleSets/VMSS1",

+ "profiles": [

+ {

+ "name": "Weekend profile",

+ "capacity": {

+ ...

+ },

+ "rules": [

+ ...

+ ],

+ "recurrence": {

+ "frequency": "Week",

+ "schedule": {

+ "timeZone": "E. Europe Standard Time",

+ "days": [

+ "Saturday",

+ "Sunday"

+ ],

+ "hours": [

+ 6

+ ],

+ "minutes": [

+ 0

+ ]

+ }

+ }

+ },

+ {

+ "name": "{\"name\":\"Auto created default scale condition\",\"for\":\"Weekend profile\"}",

+ "capacity": {

+ ...

+ },

+ "recurrence": {

+ "frequency": "Week",

+ "schedule": {

+ "timeZone": "E. Europe Standard Time",

+ "days": [

+ "Saturday",

+ "Sunday"

+ ],

+ "hours": [

+ 19

+ ],

+ "minutes": [

+ 0

+ ]

+ }

+ },

+ "rules": [

+ ...

+ ]

+ }

+ "notifications": [],

+ "targetResourceLocation": "eastus"

+

+ ]

+```

+## Autoscale evaluation

+

+Autoscale settings can have multiple profiles. Each profile can have multiple rules. Each time the autoscale job runs, it begins by choosing the applicable profile for that time. Autoscale then evaluates the minimum and maximum values, any metric rules in the profile, and decides if a scale action is necessary. The autoscale job runs every 30 to 60 seconds, depending on the resource type.

+### Which profile will autoscale use?

+Each time the autoscale service runs, the profiles are evaluated in the following order:

+1. Fixed date profiles

+1. Recurring profiles

+1. Default profile

+The first suitable profile found will be used.

+### How does autoscale evaluate multiple rules?

+After autoscale determines which profile to run, it evaluates the scale-out rules in the profile, that is, where **direction = ΓÇ£IncreaseΓÇ¥**.

+If one or more scale-out rules are triggered, autoscale calculates the new capacity determined by the **scaleAction** specified for each of the rules. If more than one scale-out rule is triggered, autoscale scales to the highest specified capacity to ensure service availability.

+For example, assume that there are two rules: Rule 1 specifies a scale out by 3 instances, and rule 2 specifies a scale out by 5. If both rules are triggered, autoscale will scale out by 5 instances. Similarly, if one rule specifies scale out by 3 instances and another rule, scale out by 15%, the higher of the two instance counts will be used.

+If no scale-out rules are triggered, autoscale evaluates the scale-in rules, that is, rules with **direction = ΓÇ£DecreaseΓÇ¥**. Autoscale only scales in if all of the scale-in rules are triggered.

+Autoscale calculates the new capacity determined by the **scaleAction** of each of those rules. To ensure service availability, autoscale scales in by as little as possible to achieve the maximum capacity specified. For example, assume two scale-in rules, one that decreases capacity by 50 percent, and one that decreases capacity by 3 instances. If first rule results in 5 instances and the second rule results in 7, autoscale scales-in to 7 instances.

+Each time autoscale calculates the result of a scale-in action, it evaluates whether that action would trigger a scale-out action. The scenario where a scale action triggers the opposite scale action is known as flapping. Autoscale may defer a scale-in action to avoid flapping or may scale by a number less than what was specified in the rule. For more information on flapping, see [Flapping in Autoscale](./autoscale-custom-metric.md)

+Learn more about autoscale by referring to the following articles :

+* [Autoscale with multiple profiles](./autoscale-multiprofile.md)

+* [Flapping in Autoscale](./autoscale-custom-metric.md)

+Use one of the following Resource Manager templates with any of the [standard deployment options](../resource-manager-samples.md#deploy-the-sample-templates) to create an Azure Monitor workspace.

+```bicep

+@description('Specify the name of the workspace.')

+param workspaceName string

+@description('Specify the location for the workspace.')

+param location string = resourceGroup().location

+resource workspace 'microsoft.monitor/accounts@2021-06-03-preview' = {

+ name: workspaceName

+ location: location

+}

+```

+## Rules and alerts

+Azure Monitor managed service for Prometheus adds a new Prometheus alert type for creating alert rules and recording rules using PromQL queries. You can view fired and resolved Prometheus alerts in the Azure portal along with other alert types. Prometheus alerts are configured with the same [alert rules](https://aka.ms/azureprometheus-promio-alertrules) used by Prometheus. For your AKS cluster, you can use a [set of predefined Prometheus alert rules](../containers/container-insights-metric-alerts.md).

+ Title: Remote-write in Azure Monitor Managed Service for Prometheus using Azure Active Directory (preview)

+description: Describes how to configure remote-write to send data from self-managed Prometheus running in your Kubernetes cluster running on-premises or in another cloud using Azure Active Directory authentication.

+# Configure remote write for Azure Monitor managed service for Prometheus using Azure Active Directory authentication (preview)

+This article describes how to configure [remote-write](prometheus-remote-write.md) to send data from self-managed Prometheus running in your AKS cluster or Azure Arc-enabled Kubernetes cluster using Azure Active Directory authentication.

+## Cluster configurations

+This article applies to the following cluster configurations:

+- Azure Kubernetes service (AKS)

+- Azure Arc-enabled Kubernetes cluster

+- Kubernetes cluster running in another cloud or on-premises

+> [!NOTE]

+> For Azure Kubernetes service (AKS) or Azure Arc-enabled Kubernetes cluster, managed identify authentication is recommended. See [Azure Monitor managed service for Prometheus remote write - managed identity (preview)](prometheus-remote-write-managed-identity.md).

+## Prerequisites

+See prerequisites at [Azure Monitor managed service for Prometheus remote write (preview)](prometheus-remote-write.md#prerequisites).

+## Create Azure Active Directory application

+Follow the procedure at [Register an application with Azure AD and create a service principal](../../active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal) to register an application for Prometheus remote-write and create a service principal.

+## Get the client ID of the Azure Active Directory application.

+1. From the **Azure Active Directory** menu in Azure Portal, select **App registrations**.

+2. Locate your application and note the client ID.

+ :::image type="content" source="media/prometheus-remote-write-active-directory/application-client-id.png" alt-text="Screenshot showing client ID of Azure Active Directory application." lightbox="media/prometheus-remote-write-active-directory/application-client-id.png":::

+## Assign Monitoring Metrics Publisher role on the data collection rule to the application

+The application requires the *Monitoring Metrics Publisher* role on the data collection rule associated with your Azure Monitor workspace.

+1. From the menu of your Azure Monitor Workspace account, click the **Data collection rule** to open the **Overview** page for the data collection rule.

+ :::image type="content" source="media/prometheus-remote-write-managed-identity/azure-monitor-account-data-collection-rule.png" alt-text="Screenshot showing data collection rule used by Azure Monitor workspace." lightbox="media/prometheus-remote-write-managed-identity/azure-monitor-account-data-collection-rule.png":::

+2. Click on **Access control (IAM)** in the **Overview** page for the data collection rule.

+ :::image type="content" source="media/prometheus-remote-write-managed-identity/azure-monitor-account-access-control.png" alt-text="Screenshot showing Access control (IAM) menu item on the data collection rule Overview page." lightbox="media/prometheus-remote-write-managed-identity/azure-monitor-account-access-control.png":::

+3. Click **Add** and then **Add role assignment**.

+ :::image type="content" source="media/prometheus-remote-write-managed-identity/data-collection-rule-add-role-assignment.png" alt-text="Screenshot showing adding a role assignment on Access control pages." lightbox="media/prometheus-remote-write-managed-identity/data-collection-rule-add-role-assignment.png":::

+4. Select **Monitoring Metrics Publisher** role and click **Next**.

+ :::image type="content" source="media/prometheus-remote-write-managed-identity/add-role-assignment.png" alt-text="Screenshot showing list of role assignments." lightbox="media/prometheus-remote-write-managed-identity/add-role-assignment.png":::

+5. Select **User, group, or service principal** and then click **Select members**. Select the application that you created and click **Select**.

+ :::image type="content" source="media/prometheus-remote-write-active-directory/select-application.png" alt-text="Screenshot showing selection of application." lightbox="media/prometheus-remote-write-active-directory/select-application.png":::

+6. Click **Review + assign** to complete the role assignment.

+## Create an Azure key vault and generate certificate

+1. If you don't already have an Azure key vault, then create a new one using the guidance at [Create a vault](../../key-vault/general/quick-create-portal.md#create-a-vault).

+2. Create a certificate using the guidance at [Add a certificate to Key Vault](../../key-vault/certificates/quick-create-portal.md#add-a-certificate-to-key-vault).

+3. Download the newly generated certificate in CER format using the guidance at [Export certificate from Key Vault](../../key-vault/certificates/quick-create-portal.md#export-certificate-from-key-vault).

+## Add certificate to the Azure Active Directory application

+1. From the menu for your Azure Active Directory application, select **Certificates & secrets**.

+2. Click **Upload certificate** and select the certificate that you downloaded.

+ :::image type="content" source="media/prometheus-remote-write-active-directory/upload-certificate.png" alt-text="Screenshot showing upload of certificate for Azure Active Directory application." lightbox="media/prometheus-remote-write-active-directory/upload-certificate.png":::

+> [!WARNING]

+> Certificates have an expiration date, and it's the responsibility of the user to keep these certificates valid.

+## Add CSI driver and storage for cluster

+> [!NOTE]

+> Azure Key Vault CSI driver configuration is just one of the ways to get certificate mounted on the pod. The remote write container only needs a local path to a certificate in the pod for the setting `AZURE_CLIENT_CERTIFICATE_PATH` value in the [Deploy Side car and configure remote write on the Prometheus server](#deploy-side-car-and-configure-remote-write-on-the-prometheus-server) step below.

+This step is only required if you didn't enable Azure Key Vault Provider for Secrets Store CSI Driver when you created your cluster.

+1. Run the following Azure CLI command to enable Azure Key Vault Provider for Secrets Store CSI Driver for your cluster.

+ ```azurecli

+ az aks enable-addons --addons azure-keyvault-secrets-provider --name <aks-cluster-name> --resource-group <resource-group-name>

+ ```

+2. Run the following commands to give the identity access to the key vault.

+ ```azurecli

+ # show client id of the managed identity of the cluster

+ az aks show -g <resource-group> -n <cluster-name> --query addonProfiles.azureKeyvaultSecretsProvider.identity.clientId -o tsv

+ # set policy to access keys in your key vault

+ az keyvault set-policy -n <keyvault-name> --key-permissions get --spn <identity-client-id>

+ # set policy to access secrets in your key vault

+ az keyvault set-policy -n <keyvault-name> --secret-permissions get --spn <identity-client-id>

+

+ # set policy to access certs in your key vault

+ az keyvault set-policy -n <keyvault-name> --certificate-permissions get --spn <identity-client-id>

+ ```

+3. Create a *SecretProviderClass* by saving the following YAML to a file named *secretproviderclass.yml*. Replace the values for `userAssignedIdentityID`, `keyvaultName`, `tenantId` and the objects to retrieve from your key vault. See [Provide an identity to access the Azure Key Vault Provider for Secrets Store CSI Driver](../../aks/csi-secrets-store-identity-access.md) for details on values to use.

+ ```yml

+ # This is a SecretProviderClass example using user-assigned identity to access your key vault

+ apiVersion: secrets-store.csi.x-k8s.io/v1

+ kind: SecretProviderClass

+ metadata:

+ name: azure-kvname-user-msi

+ spec:

+ provider: azure

+ parameters:

+ usePodIdentity: "false"

+ useVMManagedIdentity: "true" # Set to true for using managed identity

+ userAssignedIdentityID: <client-id> # Set the clientID of the user-assigned managed identity to use

+ keyvaultName: <key-vault-name> # Set to the name of your key vault

+ cloudName: "" # [OPTIONAL for Azure] if not provided, the Azure environment defaults to AzurePublicCloud

+ objects: |

+ array:

+ - |

+ objectName: <name-of-cert>

+ objectType: secret # object types: secret, key, or cert

+ objectFormat: pfx

+ objectEncoding: base64

+ objectVersion: ""

+ tenantId: <tenant-id> # The tenant ID of the key vault

+ ```

+4. Apply the *SecretProviderClass* by running the following command on your cluster.

+ ```

+ kubectl apply -f secretproviderclass.yml

+ ```

+## Deploy Side car and configure remote write on the Prometheus server

+1. Copy the YAML below and save to a file. This YAML assumes you're using 8081 as your listening port. Modify that value if you use a different port.

+ ```yml

+ prometheus:

+ prometheusSpec:

+ cluster: <CLUSTER-NAME>

+ ## https://prometheus.io/docs/prometheus/latest/configuration/configuration/#remote_write

+ remoteWrite:

+ - url: 'http://localhost:8081/api/v1/write'

+

+ # Additional volumes on the output StatefulSet definition.

+ # Required only for AAD based auth

+ volumes:

+ - name: secrets-store-inline

+ csi:

+ driver: secrets-store.csi.k8s.io

+ readOnly: true

+ volumeAttributes:

+ secretProviderClass: azure-kvname-user-msi

+ containers:

+ - name: prom-remotewrite

+ image: <CONTAINER-IMAGE-VERSION>

+ imagePullPolicy: Always

+ # Required only for AAD based auth

+ volumeMounts:

+ - name: secrets-store-inline

+ mountPath: /mnt/secrets-store

+ readOnly: true

+ ports:

+ - name: rw-port

+ containerPort: 8081

+ livenessProbe:

+ httpGet:

+ path: /health

+ port: rw-port

+ initialDelaySeconds: 10

+ timeoutSeconds: 10

+ readinessProbe:

+ httpGet:

+ path: /ready

+ port: rw-port

+ initialDelaySeconds: 10

+ timeoutSeconds: 10

+ env:

+ - name: INGESTION_URL

+ value: '<INGESTION_URL>'

+ - name: LISTENING_PORT

+ value: '8081'

+ - name: IDENTITY_TYPE

+ value: aadApplication

+ - name: AZURE_CLIENT_ID

+ value: '<APP-REGISTRATION-CLIENT-ID>'

+ - name: AZURE_TENANT_ID

+ value: '<TENANT-ID>'

+ - name: AZURE_CLIENT_CERTIFICATE_PATH

+ value: /mnt/secrets-store/<CERT-NAME>

+ - name: CLUSTER

+ value: '<CLUSTER-NAME>'

+ ```

+2. Replace the following values in the YAML.

+ | Value | Description |

+ |:|:|

+ | `<CLUSTER-NAME>` | Name of your AKS cluster |

+ | `<CONTAINER-IMAGE-VERSION>` | `mcr.microsoft.com/azuremonitor/prometheus/promdev/prom-remotewrite:prom-remotewrite-20221102.1`<br>This is the remote write container image version. |

+ | `<INGESTION-URL>` | **Metrics ingestion endpoint** from the **Overview** page for the Azure Monitor workspace |

+ | `<APP-REGISTRATION -CLIENT-ID> ` | Client ID of your application |

+ | `<TENANT-ID> ` | Tenant ID of the Azure Active Directory application |

+ | `<CERT-NAME>` | Name of the certificate |

+ | `<CLUSTER-NAME>` | Name of the cluster Prometheus is running on |

+

+3. Open Azure Cloud Shell and upload the YAML file.

+4. Use helm to apply the YAML file to update your Prometheus configuration with the following CLI commands.

+ ```azurecli

+ # set context to your cluster

+ az aks get-credentials -g <aks-rg-name> -n <aks-cluster-name>

+

+ # use helm to update your remote write config

+ helm upgrade -f <YAML-FILENAME>.yml prometheus prometheus-community/kube-prometheus-stack -namespace <namespace where Prometheus pod resides>

+ ```

+## Verification and troubleshooting

+See [Azure Monitor managed service for Prometheus remote write (preview)](prometheus-remote-write.md#verify-remote-write-is-working-correctly).

+## Next steps

+= [Setup Grafana to use Managed Prometheus as a data source](prometheus-grafana.md).

+- [Learn more about Azure Monitor managed service for Prometheus](prometheus-metrics-overview.md).

+ Title: Remote-write in Azure Monitor Managed Service for Prometheus using managed identity (preview)

+# Configure remote write for Azure Monitor managed service for Prometheus using managed identity authentication (preview)

+This article describes how to configure [remote-write](prometheus-remote-write.md) to send data from self-managed Prometheus running in your AKS cluster or Azure Arc-enabled Kubernetes cluster using managed identity authentication. You either use an existing identity created by AKS or [create one of your own](../../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md). Both options are described here.

+> [!NOTE]

+> For a Kubernetes cluster running in another cloud or on-premises, see [Azure Monitor managed service for Prometheus remote write - Azure Active Directory (preview)](prometheus-remote-write-active-directory.md).

+## Prerequisites

+See prerequisites at [Azure Monitor managed service for Prometheus remote write (preview)](prometheus-remote-write.md#prerequisites).

+## Assign Monitoring Metrics Publisher role on the data collection rule to the managed identity

+ prometheusSpec:

+ ## https://prometheus.io/docs/prometheus/latest/configuration/configuration/#remote_write

+ - url: 'http://localhost:8081/api/v1/write'

+ - name: prom-remotewrite

+ image: <CONTAINER-IMAGE-VERSION>

+ imagePullPolicy: Always

+ ports:

+ - name: rw-port

+ containerPort: 8081

+ livenessProbe:

+ httpGet:

+ initialDelaySeconds: 10

+ timeoutSeconds: 10

+ readinessProbe:

+ httpGet:

+ initialDelaySeconds: 10

+ timeoutSeconds: 10

+ env:

+ - name: INGESTION_URL

+ value: <INGESTION_URL>

+ - name: LISTENING_PORT

+ value: '8081'

+ - name: IDENTITY_TYPE

+ value: userAssigned

+ - name: AZURE_CLIENT_ID

+ value: <MANAGED-IDENTITY-CLIENT-ID>

+ # Optional parameter

+ - name: CLUSTER

+ value: <CLUSTER-NAME>

+ | `<CONTAINER-IMAGE-VERSION>` | `mcr.microsoft.com/azuremonitor/prometheus/promdev/prom-remotewrite:prom-remotewrite-20221102.1`<br>This is the remote write container image version. |

+## Verification and troubleshooting

+See [Azure Monitor managed service for Prometheus remote write (preview)](prometheus-remote-write.md#verify-remote-write-is-working-correctly).

+ Title: Remote-write in Azure Monitor Managed Service for Prometheus (preview)

+description: Describes how to configure remote-write to send data from self-managed Prometheus running in your AKS cluster or Azure Arc-enabled Kubernetes cluster

+# Azure Monitor managed service for Prometheus remote write (preview)

+Azure Monitor managed service for Prometheus is intended to be a replacement for self managed Prometheus so you don't need to manage a Prometheus server in your Kubernetes clusters. You may also choose to use the managed service to centralize data from self-managed Prometheus clusters for long term data retention and to create a centralized view across your clusters. In this case, you can use [remote_write](https://prometheus.io/docs/operating/integrations/#remote-endpoints-and-storage) to send data from your self-managed Prometheus into our managed service.

+## Architecture

+Azure Monitor provides a reverse proxy container (Azure Monitor side car container) that provides an abstraction for ingesting Prometheus remote write metrics and helps in authenticating packets. The Azure Monitor side car container currently supports User Assigned Identity and Azure Active Directory (Azure AD) based authentication to ingest Prometheus remote write metrics to Azure Monitor workspace.

+## Prerequisites

+- You must have self-managed Prometheus running on your AKS cluster. For example, see [Using Azure Kubernetes Service with Grafana and Prometheus](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/using-azure-kubernetes-service-with-grafana-and-prometheus/ba-p/3020459).

+- You used [Kube-Prometheus Stack](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack) when you set up Prometheus on your AKS cluster.

+- Data for Azure Monitor managed service for Prometheus is stored in an [Azure Monitor workspace](../essentials/azure-monitor-workspace-overview.md). You must [create a new workspace](../essentials/azure-monitor-workspace-overview.md#create-an-azure-monitor-workspace) if you don't already have one.

+## Configure remote write

+The process for configuring remote write depends on your cluster configuration and the type of authentication that you use.

+- **Managed identity** is recommended for Azure Kubernetes service (AKS) and Azure Arc-enabled Kubernetes cluster. See [Azure Monitor managed service for Prometheus remote write - managed identity (preview)](prometheus-remote-write-managed-identity.md)

+- **Azure Active Directory** can be used for Azure Kubernetes service (AKS) and Azure Arc-enabled Kubernetes cluster and is required for Kubernetes cluster running in another cloud or on-premises. See [Azure Monitor managed service for Prometheus remote write - Azure Active Directory (preview)](prometheus-remote-write-active-directory.md)

+## Verify remote write is working correctly

+Use the following methods to verify that Prometheus data is being sent into your Azure Monitor workspace.

+### kubectl commands

+Use the following command to view your container log. Remote write data is flowing if the output has non-zero value for `avgBytesPerRequest` and `avgRequestDuration`.

+```azurecli

+kubectl logs <Prometheus-Pod-Name> <Azure-Monitor-Side-Car-Container-Name>

+# example: kubectl logs prometheus-prometheus-kube-prometheus-prometheus-0 prom-remotewrite

+```

+The output from this command should look similar to the following:

+```

+time="2022-11-02T21:32:59Z" level=info msg="Metric packets published in last 1 minute" avgBytesPerRequest=19713 avgRequestDurationInSec=0.023 failedPublishing=0 successfullyPublished=122

+```

+### PromQL queries

+Use PromQL queries in Grafana and verify that the results return expected data. See [getting Grafana setup with Managed Prometheus](prometheus-grafana.md) to configure Grafana

+## Troubleshoot remote write

+### No data is flowing

+If remote data isn't flowing, run the following command which will indicate the errors if any in the remote write container.

+```azurecli

+kubectl --namespace <Namespace> describe pod <Prometheus-Pod-Name>

+```

+### Container keeps restarting

+A container regularly restarting is likely due to misconfiguration of the container. Run the following command to view the configuration values set for the container. Verify the configuration values especially `AZURE_CLIENT_ID` and `IDENTITY_TYPE`.

+```azureccli

+kubectl get pod <Prometheus-Pod-Name> -o json | jq -c '.spec.containers[] | select( .name | contains("<Azure-Monitor-Side-Car-Container-Name>"))'

+```

+The output from this command should look similar to the following:

+```

+{"env":[{"name":"INGESTION_URL","value":"https://my-azure-monitor-workspace.eastus2-1.metrics.ingest.monitor.azure.com/dataCollectionRules/dcr-00000000000000000/streams/Microsoft-PrometheusMetrics/api/v1/write?api-version=2021-11-01-preview"},{"name":"LISTENING_PORT","value":"8081"},{"name":"IDENTITY_TYPE","value":"userAssigned"},{"name":"AZURE_CLIENT_ID","value":"00000000-0000-0000-0000-00000000000"}],"image":"mcr.microsoft.com/azuremonitor/prometheus/promdev/prom-remotewrite:prom-remotewrite-20221012.2","imagePullPolicy":"Always","name":"prom-remotewrite","ports":[{"containerPort":8081,"name":"rw-port","protocol":"TCP"}],"resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","volumeMounts":[{"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount","name":"kube-api-access-vbr9d","readOnly":true}]}

+```

+## Next steps

+- [Setup Grafana to use Managed Prometheus as a data source](prometheus-grafana.md).

+- [Learn more about Azure Monitor managed service for Prometheus](prometheus-metrics-overview.md).

+ Title: Analyze usage in a Log Analytics workspace in Azure Monitor

+# Analyze usage in a Log Analytics workspace

+Azure Monitor costs can vary significantly based on the volume of data being collected in your Log Analytics workspace. This volume is affected by the set of solutions using the workspace and the amount of data that each solution collects. This article provides guidance on analyzing your collected data to assist in controlling your data ingestion costs. It helps you determine the cause of higher-than-expected usage. It also helps you to predict your costs as you monitor more resources and configure different Azure Monitor features.

+## Causes for higher-than-expected usage

+Each Log Analytics workspace is charged as a separate service and contributes to the bill for your Azure subscription. The amount of data ingestion can be considerable, depending on the:

+ - Set of insights and services enabled and their configuration.

+ - Number and type of monitored resources.

+ - Volume of data collected from each monitored resource.

+Start your analysis with existing tools in Azure Monitor. These tools require no configuration and can often provide the information you need with minimal effort. If you need deeper analysis into your collected data than existing Azure Monitor features, use any of the following [log queries](log-query-overview.md) in [Log Analytics](log-analytics-overview.md).

+### Log Analytics Workspace Insights

+[Log Analytics Workspace Insights](log-analytics-workspace-insights-overview.md#usage-tab) provides you with a quick understanding of the data in your workspace. For example, you can determine the:

+- Data tables that are ingesting the most data volume in the main table.

+- Top resources contributing data.

+- Trend of data ingestion.

+See the **Usage** tab for a breakdown of ingestion by solution and table. This information can help you quickly identify the tables that contribute to the bulk of your data volume. The tab also shows trending of data collection over time. You can determine if data collection steadily increased over time or suddenly increased in response to a configuration change.

+Select **Additional Queries** for prebuilt queries that help you further understand your data patterns.

+### Usage and estimated costs

+The **Data ingestion per solution** chart on the [Usage and estimated costs](../usage-estimated-costs.md#usage-and-estimated-costs) page for each workspace shows the total volume of data sent and how much is being sent by each solution over the previous 31 days. This information helps you determine trends such as whether any increase is from overall data usage or usage by a particular solution.

+You can use [log queries](log-query-overview.md) in [Log Analytics](log-analytics-overview.md) if you need deeper analysis into your collected data. Each table in a Log Analytics workspace has the following standard columns that can assist you in analyzing billable data:

+- [_IsBillable](log-standard-columns.md#_isbillable) identifies records for which there's an ingestion charge. Use this column to filter out non-billable data.

+Analyze the amount of billable data collected by a particular service or solution. These queries use the [Usage](/azure/azure-monitor/reference/tables/usage) table that collects usage data for each table in the workspace.

+> [!NOTE]

+> The clause with `TimeGenerated` is only to ensure that the query experience in the Azure portal looks back beyond the default 24 hours. When you use the **Usage** data type, `StartTime` and `EndTime` represent the time buckets for which results are presented.

+If you find that a particular data type is collecting excessive data, you might want to analyze the data in that table to determine particular records that are increasing. This example filters specific event IDs in the `Event` table and then provides a count for each ID. You can modify this query by using the columns from other tables.

+You can analyze the amount of billable data collected from a virtual machine or a set of virtual machines. The **Usage** table doesn't include information about data collected from virtual machines, so these queries use the [find operator](/azure/data-explorer/kusto/query/findoperator) to search all tables that include a computer name. The **Usage** type is omitted because this query is only for analytics of data trends.

+> Use [find](/azure/data-explorer/kusto/query/findoperator?pivots=azuremonitor) queries sparingly because scans across data types are [resource intensive](./query-optimization.md#query-details-pane) to execute. If you don't need results per subscription, resource group, or resource name, use the [Usage](/azure/azure-monitor/reference/tables/usage) table as in the preceding queries.

+You can analyze the amount of billable data collected from a particular resource or set of resources. These queries use the [_ResourceId](./log-standard-columns.md#_resourceid) and [_SubscriptionId](./log-standard-columns.md#_subscriptionid) columns for data from resources hosted in Azure.

+> Use [find](/azure/data-explorer/kusto/query/findoperator?pivots=azuremonitor) queries sparingly because scans across data types are [resource intensive](./query-optimization.md#query-details-pane) to execute. If you don't need results per subscription, resource group, or resource name, use the [Usage](/azure/azure-monitor/reference/tables/usage) table as in the preceding queries.

+It might be helpful to parse `_ResourceId`:

+> For workspaces with large data volumes, doing queries such as the ones shown in this section, which query large volumes of raw data, might need to be restricted to a single day. To track trends over time, consider setting up a [Power BI report](./log-powerbi.md) and using [incremental refresh](./log-powerbi.md#collect-data-with-power-bi-dataflows) to collect data volumes per resource once a day.

+If you find that you have excessive billable data for a particular data type, you might need to perform a query to analyze data in that table. The following queries provide samples for some common data types:

+## Application Insights data

+There are two approaches to investigating the amount of data collected for Application Insights, depending on whether you have a classic or workspace-based application. Use the `_BilledSize` property that's available on each ingested event for both workspace-based and classic resources. You can also use aggregated information in the [systemEvents](/azure/azure-monitor/reference/tables/appsystemevents) table for classic resources.

+> Queries against Application Insights tables, except `SystemEvents`, will work for both a workspace-based and classic Application Insights resource. [Backward compatibility](../app/convert-classic-resource.md#understand-log-queries) allows you to continue to use [legacy table names](../app/apm-tables.md). For a workspace-based resource, open **Logs** on the **Log Analytics workspace** menu. For a classic resource, open **Logs** on the **Application Insights** menu.

+**Daily data volume by type for this Application Insights resource for the last 7 days (classic only)**

+To look at the data volume trends for [workspace-based Application Insights resources](../app/create-workspace-resource.md), use a query that includes all the Application Insights tables. The following queries use the [table names specific to workspace-based resources](../app/apm-tables.md#table-schemas).

+**Daily data volume by type for all Application Insights resources in a workspace for 7 days**

+To look at the data volume trends for only a single Application Insights resource, add the following line before `summarize` in the preceding query:

+> For workspaces with large data volumes, doing queries such as the preceding one, which query large volumes of raw data, might need to be restricted to a single day. To track trends over time, consider setting up a [Power BI report](./log-powerbi.md) and using [incremental refresh](./log-powerbi.md#collect-data-with-power-bi-dataflows) to collect data volumes per resource once a day.

+## Understand nodes sending data

+If you don't have excessive data from any particular source, you might have an excessive number of agents that are sending data.

+> Use [find](/azure/data-explorer/kusto/query/findoperator?pivots=azuremonitor) queries sparingly because scans across data types are [resource intensive](./query-optimization.md#query-details-pane) to execute. If you don't need results per subscription, resource group, or resource name, use the [Usage](/azure/azure-monitor/reference/tables/usage) table as in the preceding queries.

+The [legacy Per Node pricing tier](cost-logs.md#legacy-pricing-tiers) bills for nodes with hourly granularity. It also doesn't count nodes that are only sending a set of security data types. To get a list of computers that will be billed as nodes if the workspace is in the legacy Per Node pricing tier, look for nodes that are sending billed data types because some data types are free. In this case, use the leftmost field of the fully qualified domain name.

+The following queries return the count of computers with billed data per hour. The number of units on your bill is in units of node months, which is represented by `billableNodeMonthsPerDay` in the query. If the workspace has the Update Management solution installed, add the **Update** and **UpdateSummary** data types to the list in the `where` clause.

+> Some complexity in the actual billing algorithm when solution targeting is used isn't represented in the preceding query.

+## Security and automation node counts

+**Number of distinct automation nodes**

+If you observe high data ingestion reported by using `Usage` records, but you don't observe the same results summing `_BilledSize` directly on the data type, it's possible that you have late-arriving data. This situation occurs when data is ingested with old timestamps.

+For example, an agent might have a connectivity issue and send accumulated data when it reconnects. Or a host might have an incorrect time. Either example can result in an apparent discrepancy between the ingested data reported by the [Usage](/azure/azure-monitor/reference/tables/usage) data type and a query summing [_BilledSize](./log-standard-columns.md#_billedsize) over the raw data for a particular day specified by **TimeGenerated**, the timestamp when the event was generated.

+To diagnose late-arriving data issues, use the [_TimeReceived](./log-standard-columns.md#_timereceived) column and the [TimeGenerated](./log-standard-columns.md#timegenerated) column. The `_TimeReceived` property is the time when the record was received by the Azure Monitor ingestion point in the Azure cloud.

+The following example is in response to high ingested data volumes of [W3CIISLog](/azure/azure-monitor/reference/tables/w3ciislog) data on May 2, 2021, to identify the timestamps on this ingested data. The `where TimeGenerated > datetime(1970-01-01)` statement is included to provide the clue to the Log Analytics user interface to look over all data.

+- See [Azure Monitor Logs pricing details](cost-logs.md) for information on how charges are calculated for data in a Log Analytics workspace and different configuration options to reduce your charges.

+- See [Data collection transformations in Azure Monitor (preview)](../essentials/data-collection-transformations.md) for information on using transformations to reduce the amount of data you collected in a Log Analytics workspace by filtering unwanted records and columns.

+| Table | Details|

+|:|:|

+| Custom tables | All custom tables created with or migrated to the [data collection rule (DCR)-based logs ingestion API.](logs-ingestion-api-overview.md) |

+| [ContainerLogV2](/azure/azure-monitor/reference/tables/containerlogv2) | Used in [Container insights](../containers/container-insights-overview.md) and includes verbose text-based log records. |

+| [AppTraces](/azure/azure-monitor/reference/tables/apptraces) | Freeform Application Insights traces. |

+| [ContainerAppConsoleLogs](/azure/azure-monitor/reference/tables/containerappconsoleLogs) | Logs generated by Azure Container Apps, within a Container Apps environment. |

+| [ACSCallRecordingSummary](/azure/azure-monitor/reference/tables/acscallrecordingsummary) | Communication Services recording summary logs. |

+| [ACSRoomsIncomingOperations](/azure/azure-monitor/reference/tables/acsroomsincomingoperations) | Communication Services rooms operations incoming requests logs. |

+1. If using the Logs ingestion API, also [configure the data collection endpoint (DCE)](tutorial-logs-ingestion-api.md#create-a-data-collection-endpoint) and the agent or component that will be sending data to the API.

+description: PowerShell samples show how to configure a Log Analytics workspace in Azure Monitor to collect data from various data sources.

+The following sample script configures the workspace to collect multiple types of logs from virtual machines by using the [Log Analytics agent](../agents/log-analytics-agent.md).

+1. Create a workspace.

+1. Enable collection of IIS logs from computers with the Windows agent installed.

+1. Collect Logical Disk perf counters from Linux computers (% Used Inodes; Free Megabytes; % Used Space; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec).

+1. Collect Syslog events from Linux computers.

+1. Collect Error and Warning events from the Application Event Log from Windows computers.

+1. Collect Memory Available Mbytes performance counter from Windows computers.

+1. Collect a custom log.

+> The format for the `CustomLogRawJson` parameter that defines the configuration for a custom log can be complex. Use [Get-AzOperationalInsightsDataSource](/powershell/module/az.operationalinsights/get-azoperationalinsightsdatasource) to retrieve the configuration for an existing custom log. The `Properties` property is the configuration required for the `CustomLogRawJson` parameter.

+In the preceding example, `regexDelimiter` was defined as `\\n` for newline. The log delimiter might also be a timestamp. The following table lists the formats that are supported.

+| Format | JSON RegEx format uses two `\\` for every `\` in a standard RegEx, so if testing in a RegEx app, reduce `\\` to `\` |

+When you create a workspace that was deleted in the last 14 days and is in a [soft-delete state](../logs/delete-workspace.md#soft-delete-behavior), the operation could have a different outcome depending on your workspace configuration. For example:

+- If you provide the same workspace name, resource group, subscription, and region as in the deleted workspace, your workspace will be recovered. The recovered workspace includes data, configuration, and connected agents.

+- A workspace name must be unique per resource group. If you use a workspace name that already exists and is also in soft delete in your resource group, you'll get an error. The error will state "The workspace name 'workspace-name' is not unique" or "conflict." To override the soft delete, permanently delete your workspace, and create a new workspace with the same name, follow these steps to recover the workspace first and then perform a permanent delete:

+ * [Recover](../logs/delete-workspace.md#recover-workspace) your workspace.

+ * [Permanently delete](../logs/delete-workspace.md#permanent-workspace-delete) your workspace.

+ * Create a new workspace by using the same workspace name.

+[Review Log Analytics PowerShell cmdlets](/powershell/module/az.operationalinsights/) for more information on using PowerShell for configuration of Log Analytics.

+description: This article describes how to save a query in Log Analytics.

+[Log queries](log-query-overview.md) are requests in Azure Monitor that you can use to process and retrieve data in a Log Analytics workspace. Saving a log query allows you to:

+- Use the query in all Log Analytics contexts, including workspace and resource centric.

+- Allow other users to run the same query.

+- Create a library of common queries for your organization.

+When you save a query, it's stored in a query pack, which has benefits over the previous method of storing the query in a workspace. Saving to a query pack is the preferred method, and it provides the following benefits:

+- Queries are available when you use a resource scope in Log Analytics.

+- Queries are made available across subscriptions.

+- More data is available to describe and categorize the query.

+[](media/save-query/save-query.png#lightbox)

+When you save a query to a query pack, the following dialog box appears where you can provide values for the query properties. The query properties are used for filtering and grouping of similar queries to help you find the query you're looking for. For a detailed description of each property, see [Query properties](queries.md#query-properties).

+Most users should leave the option to **Save to the default query pack**, which will save the query in the [default query pack](query-packs.md#default-query-pack). Clear this checkbox if there are other query packs in your subscription. For information on how to create a new query pack, see [Query packs in Azure Monitor Logs](query-packs.md).

+[](media/save-query/save-query-dialog.png#lightbox)

+You might want to edit a query that you've already saved. You might want to change the query itself or modify any of its properties. After you open an existing query in Log Analytics, you can edit it by selecting **Edit query details** from the **Save** dropdown. Now you can save the edited query with the same properties or modify any properties before saving.

+If you want to save the query with a different name, select **Save as Log Analytics Query** as if you were creating a new query.

+We don't recommend saving as a legacy query because of the advantages of query packs. You can save a query to the workspace to combine it with other queries that were saved to the workspace before the release of query packs.

+To save a legacy query, select **Save as Log Analytics Query** from the **Save** dropdown in Log Analytics. Choose the **Save as Legacy query** option. The only option available will be the legacy category.

+[Get started with KQL queries](get-started-queries.md)

+ Title: 'Tutorial: Send data to Azure Monitor Logs using REST API (Resource Manager templates)'

+description: Tutorial on how to send data to a Log Analytics workspace in Azure Monitor by using the REST API Azure Resource Manager template version.

+The [Logs Ingestion API (preview)](logs-ingestion-api-overview.md) in Azure Monitor allows you to send external data to a Log Analytics workspace with a REST API. This tutorial uses Azure Resource Manager templates (ARM templates) to walk through configuration of a new table and a sample application to send log data to Azure Monitor.

+> This tutorial uses ARM templates and a REST API to configure custom logs. For a similar tutorial using the Azure portal, see [Tutorial: Send data to Azure Monitor Logs using REST API (Azure portal)](tutorial-logs-ingestion-portal.md).

+> * Create a custom table in a Log Analytics workspace.

+> * Create a data collection endpoint (DCE) to receive data over HTTP.

+> * Create a data collection rule (DCR) that transforms incoming data to match the schema of the target table.

+> * Create a sample application to send custom data to Azure Monitor.

+> This tutorial uses PowerShell from Azure Cloud Shell to make REST API calls by using the Azure Monitor **Tables** API and the Azure portal to install ARM templates. You can use any other method to make these calls.

+To complete this tutorial, you need:

+- A Log Analytics workspace where you have at least [contributor rights](manage-access.md#azure-rbac).

+- [Permissions to create DCR objects](../essentials/data-collection-rule-overview.md#permissions) in the workspace.

+Go to your workspace in the **Log Analytics workspaces** menu in the Azure portal. On the **Properties** page, copy the **Resource ID** and save it for later use.

+## Configure an application

+Start by registering an Azure Active Directory application to authenticate against the API. Any Resource Manager authentication scheme is supported, but this tutorial follows the [Client Credential Grant Flow scheme](../../active-directory/develop/v2-oauth2-client-creds-grant-flow.md).

+1. On the **Azure Active Directory** menu in the Azure portal, select **App registrations** > **New registration**.

+ :::image type="content" source="media/tutorial-logs-ingestion-portal/new-app-registration.png" lightbox="media/tutorial-logs-ingestion-portal/new-app-registration.png" alt-text="Screenshot that shows the app registration screen.":::

+1. Give the application a name and change the tenancy scope if the default isn't appropriate for your environment. A **Redirect URI** isn't required.

+ :::image type="content" source="media/tutorial-logs-ingestion-portal/new-app-name.png" lightbox="media/tutorial-logs-ingestion-portal/new-app-name.png" alt-text="Screenshot that shows app details.":::

+1. After registration, you can view the details of the application. Note the **Application (client) ID** and the **Directory (tenant) ID**. You'll need these values later in the process.

+ :::image type="content" source="media/tutorial-logs-ingestion-portal/new-app-id.png" lightbox="media/tutorial-logs-ingestion-portal/new-app-id.png" alt-text="Screenshot that shows the app ID.":::

+1. Generate an application client secret, which is similar to creating a password to use with a username. Select **Certificates & secrets** > **New client secret**. Give the secret a name to identify its purpose and select an **Expires** duration. The option **12 months** is selected here. For a production implementation, you would follow best practices for a secret rotation procedure or use a more secure authentication mode, such as a certificate.

+ :::image type="content" source="media/tutorial-logs-ingestion-portal/new-app-secret.png" lightbox="media/tutorial-logs-ingestion-portal/new-app-secret.png" alt-text="Screenshot that shows the secret for the new app.":::

+1. Select **Add** to save the secret and then note the **Value**. Ensure that you record this value because you can't recover it after you leave this page. Use the same security measures as you would for safekeeping a password because it's the functional equivalent.

+ :::image type="content" source="media/tutorial-logs-ingestion-portal/new-app-secret-value.png" lightbox="media/tutorial-logs-ingestion-portal/new-app-secret-value.png" alt-text="Screenshot that shows the secret value for the new app.":::

+## Create a new table in a Log Analytics workspace

+The custom table must be created before you can send data to it. The table for this tutorial will include three columns, as described in the following schema. The `name`, `type`, and `description` properties are mandatory for each column. The properties `isHidden` and `isDefaultDisplay` both default to `false` if not explicitly specified. Possible data types are `string`, `int`, `long`, `real`, `boolean`, `dateTime`, `guid`, and `dynamic`.

+Use the **Tables - Update** API to create the table with the following PowerShell code.

+> Custom tables must use a suffix of `_CL`.

+1. Select the **Cloud Shell** button in the Azure portal and ensure the environment is set to **PowerShell**.

+ :::image type="content" source="media/tutorial-workspace-transformations-api/open-cloud-shell.png" lightbox="media/tutorial-workspace-transformations-api/open-cloud-shell.png" alt-text="Screenshot that shows opening Cloud Shell.":::

+1. Copy the following PowerShell code and replace the **Path** parameter with the appropriate values for your workspace in the `Invoke-AzRestMethod` command. Paste it into the Cloud Shell prompt to run it.

+## Create a data collection endpoint

+A [DCE](../essentials/data-collection-endpoint-overview.md) is required to accept the data being sent to Azure Monitor. After you configure the DCE and link it to a DCR, you can send data over HTTP from your application. The DCE must be located in the same region as the Log Analytics workspace where the data will be sent.

+1. In the Azure portal's search box, enter **template** and then select **Deploy a custom template**.

+ :::image type="content" source="media/tutorial-workspace-transformations-api/deploy-custom-template.png" lightbox="media/tutorial-workspace-transformations-api/deploy-custom-template.png" alt-text="Screenshot that shows how to deploy a custom template.":::

+1. Select **Build your own template in the editor**.

+ :::image type="content" source="media/tutorial-workspace-transformations-api/build-custom-template.png" lightbox="media/tutorial-workspace-transformations-api/build-custom-template.png" alt-text="Screenshot that shows how to build a template in the editor.":::

+1. Paste the following ARM template into the editor and then select **Save**. You don't need to modify this template because you'll provide values for its parameters.

+ :::image type="content" source="media/tutorial-workspace-transformations-api/edit-template.png" lightbox="media/tutorial-workspace-transformations-api/edit-template.png" alt-text="Screenshot that shows how to edit an ARM template.":::

+1. On the **Custom deployment** screen, specify a **Subscription** and **Resource group** to store the DCR and then provide values like a **Name** for the DCE. The **Location** should be the same location as the workspace. The **Region** will already be populated and will be used for the location of the DCE.

+ :::image type="content" source="media/tutorial-workspace-transformations-api/custom-deployment-values.png" lightbox="media/tutorial-workspace-transformations-api/custom-deployment-values.png" alt-text="Screenshot to edit custom deployment values.":::

+1. Select **Review + create** and then select **Create** after you review the details.

+1. After the DCE is created, select it so that you can view its properties. Note the **Logs ingestion URI** because you'll need it in a later step.

+ :::image type="content" source="media/tutorial-logs-ingestion-api/data-collection-endpoint-overview.png" lightbox="media/tutorial-logs-ingestion-api/data-collection-endpoint-overview.png" alt-text="Screenshot that shows the DCE URI.":::

+1. Select **JSON View** to view other details for the DCE. Copy the **Resource ID** because you'll need it in a later step.

+ :::image type="content" source="media/tutorial-logs-ingestion-api/data-collection-endpoint-json.png" lightbox="media/tutorial-logs-ingestion-api/data-collection-endpoint-json.png" alt-text="Screenshot that shows the DCE resource ID.":::

+## Create a data collection rule

+The [DCR](../essentials/data-collection-rule-overview.md) defines the schema of data that's being sent to the HTTP endpoint. It also defines the transformation that will be applied to it. The DCR also defines the destination workspace and table the transformed data will be sent to.

+1. In the Azure portal's search box, enter **template** and then select **Deploy a custom template**.

+ :::image type="content" source="media/tutorial-workspace-transformations-api/deploy-custom-template.png" lightbox="media/tutorial-workspace-transformations-api/deploy-custom-template.png" alt-text="Screenshot that shows how to deploy a custom template.":::

+1. Select **Build your own template in the editor**.

+ :::image type="content" source="media/tutorial-workspace-transformations-api/build-custom-template.png" lightbox="media/tutorial-workspace-transformations-api/build-custom-template.png" alt-text="Screenshot that shows how to build a template in the editor.":::

+1. Paste the following ARM template into the editor and then select **Save**.

+ :::image type="content" source="media/tutorial-workspace-transformations-api/edit-template.png" lightbox="media/tutorial-workspace-transformations-api/edit-template.png" alt-text="Screenshot that shows how to edit an ARM template.":::

+ - `dataCollectionEndpointId`: Identifies the Resource ID of the data collection endpoint.

+1. On the **Custom deployment** screen, specify a **Subscription** and **Resource group** to store the DCR. Then provide values defined in the template. The values include a **Name** for the DCR and the **Workspace Resource ID** that you collected in a previous step. The **Location** should be the same location as the workspace. The **Region** will already be populated and will be used for the location of the DCR.

+ :::image type="content" source="media/tutorial-workspace-transformations-api/custom-deployment-values.png" lightbox="media/tutorial-workspace-transformations-api/custom-deployment-values.png" alt-text="Screenshot that shows how to edit custom deployment values.":::

+1. Select **Review + create** and then select **Create** after you review the details.

+1. When the deployment is complete, expand the **Deployment details** box and select your DCR to view its details. Select **JSON View**.

+ :::image type="content" source="media/tutorial-workspace-transformations-api/data-collection-rule-details.png" lightbox="media/tutorial-workspace-transformations-api/data-collection-rule-details.png" alt-text="Screenshot that shows DCR details.":::

+1. Copy the **Resource ID** for the DCR. You'll use it in the next step.

+ :::image type="content" source="media/tutorial-workspace-transformations-api/data-collection-rule-json-view.png" lightbox="media/tutorial-workspace-transformations-api/data-collection-rule-json-view.png" alt-text="Screenshot that shows DCR JSON view.":::

+ > All the properties of the DCR, such as the transformation, might not be displayed in the Azure portal even though the DCR was successfully created with those properties.

+## Assign permissions to a DCR

+After the DCR has been created, the application needs to be given permission to it. Permission will allow any application using the correct application ID and application key to send data to the new DCE and DCR.

+1. From the DCR in the Azure portal, select **Access Control (IAM)** > **Add role assignment**.

+ :::image type="content" source="media/tutorial-logs-ingestion-portal/add-role-assignment.png" lightbox="media/tutorial-logs-ingestion-portal/custom-log-create.png" alt-text="Screenshot that shows adding a custom role assignment to DCR.":::

+1. Select **Monitoring Metrics Publisher** and select **Next**. You could instead create a custom action with the `Microsoft.Insights/Telemetry/Write` data action.

+ :::image type="content" source="media/tutorial-logs-ingestion-portal/add-role-assignment-select-role.png" lightbox="media/tutorial-logs-ingestion-portal/add-role-assignment-select-role.png" alt-text="Screenshot that shows selecting a role for DCR role assignment.":::

+1. Select **User, group, or service principal** for **Assign access to** and choose **Select members**. Select the application that you created and choose **Select**.

+ :::image type="content" source="media/tutorial-logs-ingestion-portal/add-role-assignment-select-member.png" lightbox="media/tutorial-logs-ingestion-portal/add-role-assignment-select-member.png" alt-text="Screenshot that shows selecting members for the DCR role assignment.":::

+1. Select **Review + assign** and verify the details before you save your role assignment.

+ :::image type="content" source="media/tutorial-logs-ingestion-portal/add-role-assignment-save.png" lightbox="media/tutorial-logs-ingestion-portal/add-role-assignment-save.png" alt-text="Screenshot that shows saving the DCR role assignment.":::

+The following PowerShell code sends data to the endpoint by using HTTP REST fundamentals.

+> This tutorial uses commands that require PowerShell v7.0 or later. Make sure your local installation of PowerShell is up to date or execute this script by using Azure Cloud Shell.

+1. Run the following PowerShell command, which adds a required assembly for the script.

+1. Replace the parameters in the **Step 0** section with values from the resources that you created. You might also want to replace the sample data in the **Step 2** section with your own.

+ ### Step 0: Set parameters required for the rest of the script.

+ ### Step 1: Obtain a bearer token used later to authenticate against the DCE.

+ ### Step 3: Send the data to Log Analytics via the DCE.

+ > If you receive an `Unable to find type [System.Web.HttpUtility].` error, run the last line in section 1 of the script for a fix and execute it. Executing it uncommented as part of the script won't resolve the issue. The command must be executed separately.

+1. After you execute this script, you should see an `HTTP - 204` response. In a few minutes, the data arrives to your Log Analytics workspace.

+This section describes different error conditions you might receive and how to correct them.

+Ensure that you have the correct permissions for your application to the DCR. You might also need to wait up to 30 minutes for permissions to propagate.

+### Script returns error code 413 or warning of TimeoutExpired with the message ReadyBody_ClientConnectionAbort in the response

+The message is too large. The maximum message size is currently 1 MB per call.

+API limits have been exceeded. For information on the current limits, see [Service limits for the Logs Ingestion API](../service-limits.md#logs-ingestion-api).

+Ensure that you have the correct permissions for your application to the DCR. You might also need to wait up to 30 minutes for permissions to propagate.

+The data might take some time to be ingested, especially if this is the first time data is being sent to a particular table. It shouldn't take longer than 15 minutes.

+### IntelliSense in Log Analytics doesn't recognize the new table

+The cache that drives IntelliSense might take up to 24 hours to update.

+- [Complete a similar tutorial using the Azure portal](tutorial-logs-ingestion-portal.md)

+- [Read more about custom logs](logs-ingestion-api-overview.md)

+description: The article describes the considerations and recommendations for customers preparing to deploy a workspace in Azure Monitor.

+A single [Log Analytics workspace](log-analytics-workspace-overview.md) might be sufficient for many environments that use Azure Monitor and Microsoft Sentinel. But many organizations will create multiple workspaces to optimize costs and better meet different business requirements. This article presents a set of criteria for determining whether to use a single workspace or multiple workspaces. It also discusses the configuration and placement of those workspaces to meet your requirements while optimizing your costs.

+> This article discusses Azure Monitor and Microsoft Sentinel because many customers need to consider both in their design. Most of the decision criteria apply to both services. If you use only one of these services, you can ignore the other in your evaluation.

+Your design should always start with a single workspace to reduce the complexity of managing multiple workspaces and in querying data from them. There are no performance limitations from the amount of data in your workspace. Multiple services and data sources can send data to the same workspace. As you identify criteria to create more workspaces, your design should use the fewest number that will match your requirements.

+Designing a workspace configuration includes evaluation of multiple criteria. But some of the criteria might be in conflict. For example, you might be able to reduce egress charges by creating a separate workspace in each Azure region. Consolidating into a single workspace might allow you to reduce charges even more with a commitment tier. Evaluate each of the criteria independently. Consider your requirements and priorities to determine which design will be most effective for your environment.

+The following table presents criteria to consider when you design your workspace architecture. The sections that follow describe the criteria.

+| [Segregate operational and security data](#segregate-operational-and-security-data) | Many customers will create separate workspaces for their operational and security data for data ownership and the extra cost from Microsoft Sentinel. In some cases, you might be able to save costs by consolidating into a single workspace to qualify for a commitment tier. |

+| [Azure tenants](#azure-tenants) | If you have multiple Azure tenants, you'll usually create a workspace in each one. Several data sources can only send monitoring data to a workspace in the same Azure tenant. |

+| [Azure regions](#azure-regions) | Each workspace resides in a particular Azure region. You might have regulatory or compliance requirements to store data in specific locations. |

+| [Data ownership](#data-ownership) | You might choose to create separate workspaces to define data ownership. For example, you might create workspaces by subsidiaries or affiliated companies. |

+| [Data retention and archive](#data-retention-and-archive) | You can set different retention settings for each table in a workspace. You need a separate workspace if you require different retention settings for different resources that send data to the same tables. |

+Most customers who use both Azure Monitor and Microsoft Sentinel will create a dedicated workspace for each to segregate ownership of data between operational and security teams. This approach also helps to optimize costs. If Microsoft Sentinel is enabled in a workspace, all data in that workspace is subject to Microsoft Sentinel pricing, even if it's operational data collected by Azure Monitor.

+A workspace with Microsoft Sentinel gets three months of free data retention instead of 31 days. This scenario typically results in higher costs for operational data in a workspace without Microsoft Sentinel. See [Azure Monitor Logs pricing details](cost-logs.md#workspaces-with-microsoft-sentinel).

+The exception is if combining data in the same workspace helps you reach a [commitment tier](#commitment-tiers), which provides a discount to your ingestion charges. For example, consider an organization that has operational data and security data each ingesting about 50 GB per day. Combining the data in the same workspace would allow a commitment tier at 100 GB per day. That scenario would provide a 15% discount for Azure Monitor and a 50% discount for Microsoft Sentinel.

+If you create separate workspaces for other criteria, you'll usually create more workspace pairs. For example, if you have two Azure tenants, you might create four workspaces with an operational and security workspace in each tenant.

+- **If you use both Azure Monitor and Microsoft Sentinel:** Create a separate workspace for each. Consider combining the two if it helps you reach a commitment tier.

+- **If you use both Microsoft Sentinel and Microsoft Defender for Cloud:** Consider using the same workspace for both solutions to keep security data in one place.

+Most resources can only send monitoring data to a workspace in the same Azure tenant. Virtual machines that use [Azure Monitor Agent](../agents/azure-monitor-agent-overview.md) or the [Log Analytics agents](../agents/log-analytics-agent.md) can send data to workspaces in separate Azure tenants. You might consider this scenario as a [service provider](#multiple-tenant-strategies).

+- **If you have a single Azure tenant:** Create a single workspace for that tenant.

+- **If you have multiple Azure tenants:** Create a workspace for each tenant. For other options including strategies for service providers, see [Multiple tenant strategies](#multiple-tenant-strategies).

+### Azure regions

+Each Log Analytics workspaces resides in a [particular Azure region](https://azure.microsoft.com/global-infrastructure/geographies/). You might have regulatory or compliance purposes for keeping data in a particular region. For example, an international company might locate a workspace in each major geographical region, such as the United States and Europe.

+- **If you have requirements for keeping data in a particular geography:** Create a separate workspace for each region with such requirements.

+- **If you don't have requirements for keeping data in a particular geography:** Use a single workspace for all regions.

+Also consider potential [bandwidth charges](https://azure.microsoft.com/pricing/details/bandwidth/) that might apply when you're sending data to a workspace from a resource in another region. These charges are usually minor relative to data ingestion costs for most customers. These charges typically result from sending data to the workspace from a virtual machine. Monitoring data from other Azure resources by using [diagnostic settings](../essentials/diagnostic-settings.md) doesn't [incur egress charges](../usage-estimated-costs.md#data-transfer-charges).

+Use the [Azure pricing calculator](https://azure.microsoft.com/pricing/calculator) to estimate the cost and determine which regions you need. Consider workspaces in multiple regions if bandwidth charges are significant.

+- **If bandwidth charges are significant enough to justify the extra complexity:** Create a separate workspace for each region with virtual machines.

+- **If bandwidth charges aren't significant enough to justify the extra complexity:** Use a single workspace for all regions.

+You might have a requirement to segregate data or define boundaries based on ownership. For example, you might have different subsidiaries or affiliated companies that require delineation of their monitoring data.

+- **If you require data segregation:** Use a separate workspace for each data owner.

+- **If you don't require data segregation:** Use a single workspace for all data owners.

+You might need to split billing between different parties or perform charge back to a customer or internal business unit. You can use [Azure Cost Management + Billing](../usage-estimated-costs.md#azure-cost-management--billing) to view charges by workspace. You can also use a log query to view [billable data volume by Azure resource, resource group, or subscription](analyze-usage.md#data-volume-by-azure-resource-resource-group-or-subscription). This approach might be sufficient for your billing requirements.

+- **If you don't need to split billing or perform charge back:** Use a single workspace for all cost owners.

+- **If you need to split billing or perform charge back:** Consider whether [Azure Cost Management + Billing](../usage-estimated-costs.md#azure-cost-management--billing) or a log query provides cost reporting that's granular enough for your requirements. If not, use a separate workspace for each cost owner.

+You can configure default [data retention and archive settings](data-retention-archive.md) for a workspace or [configure different settings for each table](data-retention-archive.md#set-retention-and-archive-policy-by-table). You might require different settings for different sets of data in a particular table. If so, you need to separate that data into different workspaces, each with unique retention settings.

+- **If you can use the same retention and archive settings for all data in each table:** Use a single workspace for all resources.

+- **If you require different retention and archive settings for different resources in the same table:** Use a separate workspace for different resources.

+[Commitment tiers](../logs/cost-logs.md#commitment-tiers) provide a discount to your workspace ingestion costs when you commit to a specific amount of daily data. You might choose to consolidate data in a single workspace to reach the level of a particular tier. This same volume of data spread across multiple workspaces wouldn't be eligible for the same tier, unless you have a dedicated cluster.

+If you can commit to daily ingestion of at least 500 GB per day, you should implement a [dedicated cluster](../logs/cost-logs.md#dedicated-clusters) that provides extra functionality and performance. Dedicated clusters also allow you to combine the data from multiple workspaces in the cluster to reach the level of a commitment tier.

+- **If you'll ingest at least 500 GB per day across all resources:** Create a dedicated cluster and set the appropriate commitment tier.

+- **If you'll ingest at least 100 GB per day across resources:** Consider combining them into a single workspace to take advantage of a commitment tier.

+You should avoid sending duplicate data to multiple workspaces because of the extra charges, but you might have virtual machines connected to multiple workspaces. The most common scenario is an agent connected to separate workspaces for Azure Monitor and Microsoft Sentinel.

+ [Azure Monitor Agent](../agents/azure-monitor-agent-overview.md) and the [Log Analytics agent for Windows](../agents/log-analytics-agent.md) can connect to multiple workspaces. The [Log Analytics agent for Linux](../agents/log-analytics-agent.md) can only connect to a single workspace.

+- **If you use the Log Analytics agent for Linux:** Migrate to [Azure Monitor Agent](../agents/azure-monitor-agent-overview.md) or ensure that your Linux machines only require access to a single workspace.

+When you grant a user [access to a workspace](manage-access.md#azure-rbac), the user has access to all data in that workspace. This access is appropriate for a member of a central administration or security team who must access data for all resources. Access to the workspace is also determined by resource-context role-based access control (RBAC) and table-level RBAC.

+[Resource-context RBAC](manage-access.md#access-mode): By default, if a user has read access to an Azure resource, they inherit permissions to any of that resource's monitoring data sent to the workspace. This level of access allows users to access information about resources they manage without being granted explicit access to the workspace. If you need to block this access, you can change the [access control mode](manage-access.md#access-control-mode) to require explicit workspace permissions.

+- **If you want users to be able to access data for their resources:** Keep the default access control mode of **Use resource or workspace permissions**.

+- **If you want to explicitly assign permissions for all users:** Change the access control mode to **Require workspace permissions**.

+[Table-level RBAC](manage-access.md#set-table-level-read-access): With table-level RBAC, you can grant or deny access to specific tables in the workspace. In this way, you can implement granular permissions required for specific situations in your environment.

+For example, you might grant access to only specific tables collected by Microsoft Sentinel to an internal auditing team. Or you might deny access to security-related tables to resource owners who need operational data related to their resources.

+- **If you don't require granular access control by table:** Grant the operations and security team access to their resources and allow resource owners to use resource-context RBAC for their resources.

+- **If you require granular access control by table:** Grant or deny access to specific tables by using table-level RBAC.

+## Work with multiple workspaces

+Many designs will include multiple workspaces, so Azure Monitor and Microsoft Sentinel include features to assist you in analyzing this data across workspaces. For more information, see:

+- [Extend Microsoft Sentinel across workspaces and tenants](../../sentinel/extend-sentinel-across-workspaces-tenants.md)

+Environments with multiple Azure tenants, including Microsoft service providers (MSPs), independent software vendors (ISVs), and large enterprises, often require a strategy where a central administration team has access to administer workspaces located in other tenants. Each of the tenants might represent separate customers or different business units.

+Two basic strategies for this functionality are described in the following sections.

+In a distributed architecture, a Log Analytics workspace is created in each Azure tenant. This option is the only one you can use if you're monitoring Azure services other than virtual machines.

+There are two options to allow service provider administrators to access the workspaces in the customer tenants:

+- Use [Azure Lighthouse](../../lighthouse/overview.md) to access each customer tenant. The service provider administrators are included in an Azure Active Directory (Azure AD) user group in the service provider's tenant. This group is granted access during the onboarding process for each customer. The administrators can then access each customer's workspaces from within their own service provider tenant instead of having to sign in to each customer's tenant individually. For more information, see [Monitor customer resources at scale](../../lighthouse/how-to/monitor-at-scale.md).

+- Add individual users from the service provider as [Azure AD guest users (B2B)](../../active-directory/external-identities/what-is-b2b.md). The customer tenant administrators manage individual access for each service provider administrator. The service provider administrators must sign in to the directory for each tenant in the Azure portal to access these workspaces.

+Advantages to this strategy:

+- The customer can confirm specific levels of permissions with [Azure delegated resource management](../../lighthouse/concepts/architecture.md). Or the customer can manage access to the logs by using their own [Azure RBAC](../../role-based-access-control/overview.md).

+- Each customer can have different settings for their workspace, such as retention and data cap.

+- The charge for each workspace is included in the bill for the customer's subscription.

+Disadvantages to this strategy:

+- Centrally visualizing and analyzing data across customer tenants with tools such as Azure Monitor workbooks can result in slower experiences. This is the case especially when analyzing data across more than 50 workspaces.

+- If customers aren't onboarded for Azure delegated resource management, service provider administrators must be provisioned in the customer directory. This requirement makes it more difficult for the service provider to manage many customer tenants at once.

+Advantages to this strategy:

+- It's easy to manage many customers.

+- The service provider has full ownership over the logs and the various artifacts, such as functions and saved queries.

+- A service provider can perform analytics across all of its customers.

+Disadvantages to this strategy:

+- Logs can only be collected from virtual machines with an agent. It won't work with PaaS, SaaS, or Azure Service Fabric data sources.

+- It might be difficult to separate data between customers because their data shares a single workspace. Queries need to use the computer's fully qualified domain name or the Azure subscription ID.

+- All data from all customers will be stored in the same region with a single bill and the same retention and configuration settings.

+In a hybrid model, each tenant has its own workspace. A mechanism is used to pull data into a central location for reporting and analytics. This data could include a small number of data types or a summary of the activity, such as daily statistics.

+- **Central workspace**: The service provider creates a workspace in its tenant and uses a script that utilizes the [Query API](api/overview.md) with the [logs ingestion API](logs-ingestion-api-overview.md) to bring the data from the tenant workspaces to this central location. Another option is to use [Azure Logic Apps](../../logic-apps/logic-apps-overview.md) to copy data to the central workspace.

+- **Power BI**: The tenant workspaces export data to Power BI by using the integration between the [Log Analytics workspace and Power BI](log-powerbi.md).

+- Learn more about [designing and configuring data access in a workspace](manage-access.md).

+- Get [sample workspace architectures for Microsoft Sentinel](../../sentinel/sample-workspace-designs.md).

+ Regular billing for Standard network features on Azure NetApp Files began November 1, 2022.

+To create a `bicepconfig.json` file in Visual Studio Code, open the Command Palette (**[CTRL/CMD]**+**[SHIRT]**+**P**), and then select **Bicep: Create Bicep Configuration File**. For more information, see [Visual Studio Code](./visual-studio-code.md#create-bicep-configuration-file).

+| | [Visual Studio and Bicep extension](#visual-studio-and-bicep-extension) | automatic |

+## Visual Studio and Bicep extension

+To author Bicep file from Visual Studio, you need:

+- **Visual Studio** - If you don't already have Visual Studio, [install it](https://visualstudio.microsoft.com/).

+- **Bicep extension for Visual Studio**. Visual Studio with the Bicep extension provides language support and resource autocompletion. The extension helps you create and validate Bicep files. Install the extension from [Visual Studio Marketplace](https://marketplace.visualstudio.com/items?itemName=ms-azuretools.visualstudiobicep).

+To walk through a tutorial, see [Quickstart: Create Bicep files with Visual Studio](./quickstart-create-bicep-use-visual-studio.md).

+ You can also create Bicep files in Visual Studio with the [Bicep extension for Visual Studio](https://marketplace.visualstudio.com/items?itemName=ms-azuretools.visualstudiobicep).

+Similar authoring experience is also supported in Visual Studio. See [Quickstart: Create Bicep files with Visual Studio](./quickstart-create-bicep-use-visual-studio.md).

+Similar authoring experience is also supported in Visual Studio Code. See [Quickstart: Create Bicep files with Visual Studio Code](./quickstart-create-bicep-use-visual-studio-code.md).

+To set up your environment for Bicep development, see [Install Bicep tools](install.md). After completing those steps, you'll have [Visual Studio Code](https://code.visualstudio.com/) and the [Bicep extension](https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-bicep), or [Visual Studio](https://visualstudio.microsoft.com/) and the [Bicep extension](https://marketplace.visualstudio.com/items?itemName=ms-azuretools.visualstudiobicep).

+To create a Bicep configuration file:

+1. Open Visual Studio Code.

+1. From the **View** menu, select **Command Palette** (or press **[CTRL/CMD]**+**[SHIRT]**+**P**), and then select **Bicep: Create Bicep Configuration File**.

+1. Select the file directory where you want to place the file.

+1. Save the configuration file when you are done.

+> | resourcegroups | subscription | 1-90 | Underscores, hyphens, periods, parentheses, and letters or digits as defined by the [Char.IsLetterOrDigit](/dotnet/api/system.char.isletterordigit) function.<br><br>Valid characters are members of the following categories in [UnicodeCategory](/dotnet/api/system.globalization.unicodecategory):<br>**UppercaseLetter**,<br>**LowercaseLetter**,<br>**TitlecaseLetter**,<br>**ModifierLetter**,<br>**OtherLetter**,<br>**DecimalDigitNumber**.<br><br>Can't end with period. |

+| Afrikaans | `af-ZA` | | | | Γ£ö | |

+| Arabic (Israel) | `ar-IL` | Γ£ö | | | Γ£ö | Γ£ö |

+| Arabic (Jordan) | `ar-JO` | Γ£ö | Γ£ö | Γ£ö | Γ£ö | Γ£ö |

+| Arabic (Kuwait) | `ar-KW` | Γ£ö | Γ£ö | Γ£ö | Γ£ö | Γ£ö |

+| Arabic (Lebanon) | `ar-LB` | Γ£ö | | | Γ£ö | Γ£ö |

+| Arabic (Oman) | `ar-OM` | Γ£ö | Γ£ö | Γ£ö | Γ£ö | Γ£ö |

+| Arabic (Palestinian Authority) | `ar-PS` | Γ£ö | | | Γ£ö | Γ£ö |

+| Arabic (Qatar) | `ar-QA` | Γ£ö | Γ£ö | Γ£ö | Γ£ö | Γ£ö |

+| Arabic (Saudi Arabia) | `ar-SA` | Γ£ö | Γ£ö | Γ£ö | Γ£ö | Γ£ö |

+| Arabic (United Arab Emirates) | `ar-AE` | Γ£ö | Γ£ö| Γ£ö | Γ£ö | Γ£ö |

+| Arabic Egypt | `ar-EG` | Γ£ö | Γ£ö | Γ£ö | Γ£ö | Γ£ö |

+| Arabic Modern Standard (Bahrain) | `ar-BH` | Γ£ö | Γ£ö | Γ£ö | Γ£ö | Γ£ö |

+| Arabic Syrian Arab Republic | `ar-SY` | Γ£ö | Γ£ö | Γ£ö | Γ£ö | Γ£ö |

+| Bangla | `bn-BD` | | | | Γ£ö | |

+| Bosnian | `bs-Latn` | | | | Γ£ö | |

+| Bulgarian | `bg-BG` | | | | Γ£ö | |

+| Catalan | `ca-ES` | | | | Γ£ö | |

+| Chinese (Cantonese Traditional) | `zh-HK` | Γ£ö | Γ£ö | Γ£ö | Γ£ö | Γ£ö |

+| Chinese (Simplified) | `zh-Hans` | Γ£ö | Γ£ö | | Γ£ö | Γ£ö |

+| Chinese (Simplified) | `zh-CK` | Γ£ö | Γ£ö | | Γ£ö | Γ£ö |

+| Chinese (Traditional) | `zh-Hant` | | | | Γ£ö | |

+| Croatian | `hr-HR` | | | | Γ£ö | |

+| Czech | `cs-CZ` | Γ£ö |Γ£ö | Γ£ö | Γ£ö | Γ£ö |

+| Danish | `da-DK` | Γ£ö |Γ£ö | Γ£ö | Γ£ö | Γ£ö |

+| Dutch | `nl-NL` | Γ£ö |Γ£ö | Γ£ö | Γ£ö | Γ£ö |

+| English Australia | `en-AU` | Γ£ö |Γ£ö | Γ£ö | Γ£ö | Γ£ö |

+| English United Kingdom | `en-GB` | Γ£ö |Γ£ö | Γ£ö | Γ£ö | Γ£ö |

+| English United States | `en-US` | Γ£ö |Γ£ö | Γ£ö| Γ£ö | Γ£ö |

+| Estonian | `et-EE` | | | | Γ£ö | |

+| Fijian | `en-FJ` | | | | Γ£ö | |

+| Filipino | `fil-PH` | | | | Γ£ö | |

+| Finnish | `fi-FI` | Γ£ö |Γ£ö | Γ£ö | Γ£ö | Γ£ö |

+| French | `fr-FR` | Γ£ö |Γ£ö | Γ£ö | Γ£ö | Γ£ö |

+| French (Canada) | `fr-CA` | Γ£ö |Γ£ö | Γ£ö | Γ£ö | Γ£ö |

+| German | `de-DE` | Γ£ö |Γ£ö | Γ£ö | Γ£ö | Γ£ö |

+| Greek | `el-GR` | | | | Γ£ö | |

+| Haitian | `fr-HT` | | | | Γ£ö | |

+| Hebrew | `he-IL` | Γ£ö |Γ£ö | Γ£ö | Γ£ö | Γ£ö |

+| Hindi | `hi-IN` | Γ£ö |Γ£ö | Γ£ö | Γ£ö | Γ£ö |

+| Hungarian | `hu-HU` | | | | Γ£ö | |

+| Indonesian | `id-ID` | | | | Γ£ö | |

+| Italian | `it-IT` | Γ£ö | Γ£ö | Γ£ö | Γ£ö | Γ£ö |

+| Japanese | `ja-JP` | Γ£ö | Γ£ö | Γ£ö | Γ£ö | Γ£ö |

+| Kiswahili | `sw-KE` | | | | Γ£ö | |

+| Korean | `ko-KR` | Γ£ö | Γ£ö | Γ£ö | Γ£ö | Γ£ö |

+| Latvian | `lv-LV` | | | | Γ£ö | |

+| Lithuanian | `lt-LT` | | | | Γ£ö | |

+| Malagasy | `mg-MG` | | | | Γ£ö | |

+| Malay | `ms-MY` | | | | Γ£ö | |

+| Maltese | `mt-MT` | | | | Γ£ö | |

+| Norwegian | `nb-NO` | Γ£ö |Γ£ö | Γ£ö | Γ£ö | Γ£ö |

+| Persian | `fa-IR` | Γ£ö | | | Γ£ö | Γ£ö |

+| Polish | `pl-PL` | Γ£ö |Γ£ö | Γ£ö | Γ£ö | Γ£ö |

+| Portuguese | `pt-BR` | Γ£ö | Γ£ö | Γ£ö | Γ£ö | Γ£ö |

+| Portuguese (Portugal) | `pt-PT` | Γ£ö | Γ£ö | Γ£ö | Γ£ö | Γ£ö |

+| Romanian | `ro-RO` | | | | Γ£ö | |

+| Russian | `ru-RU` | Γ£ö | Γ£ö | Γ£ö | Γ£ö | Γ£ö |

+| Samoan | `en-WS` | | | | Γ£ö | |

+| Serbian (Cyrillic) | `sr-Cyrl-RS` | | | | Γ£ö | |

+| Serbian (Latin) | `sr-Latn-RS` | | | | Γ£ö | |

+| Slovak | `sk-SK` | | | | Γ£ö | |

+| Slovenian | `sl-SI` | | | | Γ£ö | |

+| Spanish | `es-ES` | Γ£ö | Γ£ö| Γ£ö| Γ£ö | Γ£ö |

+| Spanish (Mexico) | `es-MX` | Γ£ö | | | Γ£ö | Γ£ö |

+| Swedish | `sv-SE` | Γ£ö |Γ£ö | Γ£ö | Γ£ö | Γ£ö |

+| Tamil | `ta-IN` | | | | Γ£ö | |

+| Thai | `th-TH` | Γ£ö |Γ£ö | Γ£ö | Γ£ö | Γ£ö |

+| Tongan | `to-TO` | | | | Γ£ö | |

+| Turkish | `tr-TR` | Γ£ö | Γ£ö | Γ£ö | Γ£ö | Γ£ö |

+| Ukrainian | `uk-UA` | Γ£ö | Γ£ö | Γ£ö | Γ£ö | |

+| Urdu | `ur-PK` | | | | Γ£ö | |

+| Vietnamese | `vi-VN` | Γ£ö |Γ£ö | Γ£ö | Γ£ö | |

+**Default languages supported by Language identification (LID)**: German (de-DE) , English United States (en-US) , Spanish (es-ES) , French (fr-FR), Italian (it-IT) , Japanese (ja-JP), Portuguese (pt-BR), Russian (ru-RU), Chinese (Simplified) (zh-Hans).

+**Default languages supported by Multi-language identification (MLID)**: German (de-DE) , English United States (en-US) , Spanish (es-ES) , French (fr-FR).

+You can specify to use other supported languages (listed in the table above) as default languages, when [uploading a video](https://api-portal.videoindexer.ai/api-details#api=Operations&operation=Upload-Video) with an API and passing the `customLanguages` parameter. The `customLanguages` parameter allows up to 10 languages to be identified by LID or MLID.

+> Language identification (LID) and Multi-language identification (MLID) compares speech at the language level, such as English and German.

+> Do not include multiple locales of the same language in the custom languages list.

+| Chinese (Simplified) | `zh-CK` | Γ£ö |Γ£ö |

+### Expanded supported languages in LID and MLID through Azure Video Indexer API

+Expanded the languages supported in LID (language identification) and MLID (multi language Identification) using the Azure Video Indexer API.

+The following languages are now supported through the API: Arabic (United Arab Emirates), Arabic Modern Standard, Arabic Egypt, Arabic (Iraq), Arabic (Jordan), Arabic (Kuwait), Arabic (Oman), Arabic (Qatar), Arabic (Saudi Arabia), Arabic Syrian Arab Republic, Czech, Danish, German, English Australia, English United Kingdom, English United States, Spanish, Spanish (Mexico), Finnish, French (Canada), French, Hebrew, Hindi, Italian, Japanese, Korean, Norwegian, Dutch, Polish, Portuguese, Portuguese (Portugal), Russian, Swedish, Thai, Turkish, Ukrainian, Vietnamese, Chinese (Simplified), Chinese (Cantonese, Traditional).

+To specify the list of languages to be identified by LID or MLID when auto-detecting, call [upload a video](https://api-portal.videoindexer.ai/api-details#api=Operations&operation=Upload-Video) API and set the `customLanguages` parameter to include up to 10 languages from the supported languages above. Please note that the languages specified in the `customLanguages` are compared at a language level thus should include only one locale per language.

+When you commit to a reserved instance of [Azure VMware Solution](introduction.md), you save money. The reservation discount automatically applies to the running Azure VMware Solution hosts that match the reservation scope and attributes. In addition, a reserved instance purchase covers only the compute part of your usage and includes software licensing costs.

+- For subscription under a Cloud Solution Provider (CSP) Azure Plan, the partner must purchase the customer's reserved instances in the Azure portal.

+3. Select **Purchase Now**, then select **Azure VMware Solution**.

+ >Azure Backup for Managed Disks uses incremental snapshots which are limited to 500 snapshots per disk. To allow you to take on-demand backups aside from scheduled backups, backup policy limits the total backups to 450. Learn more about [incremental snapshots](../virtual-machines/disks-incremental-snapshots.md#restrictions) for managed disk.

+### Get the area of interest / smart crop

+Analyze the contents of an image to return the coordinates of the *area of interest* that matches a specified aspect ratio. Computer Vision returns the bounding box coordinates of the region, so the calling application can modify the original image as desired. [Generate a thumbnail](concept-generating-thumbnails.md)

+- OCR for general (non-document) images: try the [Computer Vision 4.0 preview Image Analysis REST API quickstart](./concept-ocr.md).

+- OCR for PDF, Office and HTML documents and document images: start with [Form Recognizer Read](../../applied-ai-services/form-recognizer/concept-read.md).

+* [Quickstart: Face](quickstarts-sdk/identity-client-library.md)

+<!--

+> [!NOTE]

+> Call Automation currently doesnt interoperate with Microsoft Teams. Actions like making, redirecting a call to a Teams user or adding them to a call using Call Automation isnt supported.

+| RecognizeFailed | Recognition of user input was unsuccessful <br/>*to learn more about recognize action events view our [quickstart](../../quickstarts/voice-video-calling/Recognize-Action.md)*|

+| macOS | ✔️ | ✔️ | ✔️ |

+## Template deployment failures or errors

+## Problems accessing Key Vault

+## Problems accessing storage

+## Problems with export or import of storage blobs

+## Problems with Source Trigger Imports

+## AzCopy issues

+## Artifacts transfer problems

+## Problems pulling the image in a physically isolated environment

+Get started with the Azure Cosmos DB client library for .NET to create databases, containers, and items within your account. Follow these steps to install the package and try out example code for basic tasks.

+> The [example code snippets](https://github.com/azure-samples/cosmos-db-nosql-dotnet-samples) are available on GitHub as a .NET project.

+> [!TIP]

+> Alternatively, you can [try Azure Cosmos DB free](../try-free.md) before you commit. If you create an account using the free trial, you can safely skip this section.

+Create an item in the container by calling [``Container.CreateItemAsync``](/dotnet/api/microsoft.azure.cosmos.container.createitemasync).

+In this quickstart, you learned how to create an Azure Cosmos DB for NoSQL account, create a database, and create a container using the .NET SDK. You can now dive deeper into a tutorial where you manage your Azure Cosmos DB for NoSQL resources and data using a .NET console application.

+> [Tutorial: Develop a .NET console application with Azure Cosmos DB for NoSQL](tutorial-dotnet-console-app.md)

+The [cosmos-db-sql-api-dotnet-samples](https://github.com/azure-samples/cosmos-db-nosql-dotnet-samples) GitHub repository includes multiple sample projects. These projects illustrate how to perform common operations on Azure Cosmos DB for NoSQL resources.

+| [Create a client with endpoint and key](https://github.com/azure-samples/cosmos-db-nosql-dotnet-samples/blob/v3/101-client-endpoint-key/Program.cs#L11-L14) |[``CosmosClient(string, string)``](/dotnet/api/microsoft.azure.cosmos.cosmosclient.-ctor#microsoft-azure-cosmos-cosmosclient-ctor(system-string-system-string-microsoft-azure-cosmos-cosmosclientoptions)) |

+| [Create a client with connection string](https://github.com/azure-samples/cosmos-db-nosql-dotnet-samples/blob/v3/102-client-connection-string/Program.cs#L11-L13) |[``CosmosClient(string)``](/dotnet/api/microsoft.azure.cosmos.cosmosclient.-ctor#microsoft-azure-cosmos-cosmosclient-ctor(system-string-microsoft-azure-cosmos-cosmosclientoptions)) |

+| [Create a client with ``DefaultAzureCredential``](https://github.com/azure-samples/cosmos-db-nosql-dotnet-samples/blob/v3/103-client-default-credential/Program.cs#L20-L23) |[``CosmosClient(string, TokenCredential)``](/dotnet/api/microsoft.azure.cosmos.cosmosclient.-ctor#microsoft-azure-cosmos-cosmosclient-ctor(system-string-azure-core-tokencredential-microsoft-azure-cosmos-cosmosclientoptions)) |

+| [Create a client with custom ``TokenCredential``](https://github.com/azure-samples/cosmos-db-nosql-dotnet-samples/blob/v3/104-client-secret-credential/Program.cs#L25-L28) |[``CosmosClient(string, TokenCredential)``](/dotnet/api/microsoft.azure.cosmos.cosmosclient.-ctor#microsoft-azure-cosmos-cosmosclient-ctor(system-string-azure-core-tokencredential-microsoft-azure-cosmos-cosmosclientoptions)) |

+| [Create a database](https://github.com/azure-samples/cosmos-db-nosql-dotnet-samples/blob/v3/200-create-database/Program.cs#L19-L21) |[``CosmosClient.CreateDatabaseIfNotExistsAsync``](/dotnet/api/microsoft.azure.cosmos.cosmosclient.createdatabaseifnotexistsasync) |

+| [Create a container](https://github.com/azure-samples/cosmos-db-nosql-dotnet-samples/blob/v3/225-create-container/Program.cs#L26-L30) |[``Database.CreateContainerIfNotExistsAsync``](/dotnet/api/microsoft.azure.cosmos.database.createcontainerifnotexistsasync) |

+| [Create an item](https://github.com/azure-samples/cosmos-db-nosql-dotnet-samples/blob/v3/250-create-item/Program.cs#L35-L46) |[``Container.CreateItemAsync<>``](/dotnet/api/microsoft.azure.cosmos.container.createitemasync) |

+| [Point read an item](https://github.com/azure-samples/cosmos-db-nosql-dotnet-samples/blob/v3/275-read-item/Program.cs#L51-L54) |[``Container.ReadItemAsync<>``](/dotnet/api/microsoft.azure.cosmos.container.readitemasync) |

+| [Query multiple items](https://github.com/azure-samples/cosmos-db-nosql-dotnet-samples/blob/v3/300-query-items/Program.cs#L64-L80) |[``Container.GetItemQueryIterator<>``](/dotnet/api/microsoft.azure.cosmos.container.getitemqueryiterator) |

+ Title: |

+ Tutorial: Develop a .NET console application with Azure Cosmos DB for NoSQL

+description: |

+ .NET tutorial to create a console application that adds data to Azure Cosmos DB for NoSQL.

+ms.devlang: csharp

+# Tutorial: Develop a .NET console application with Azure Cosmos DB for NoSQL

+The Azure SDK for .NET allows you to add data to an API for NoSQL container either how-to-dotnet-create-item.md#create-an-item-asynchronously or by using a [transactional batch](transactional-batch.md?tabs=dotnet). This tutorial will walk through the process of create a new .NET console application that adds multiple items to a container.

+In this tutorial, you learn how to:

+> [!div class="checklist"]

+>

+> - Create a database using API for NoSQL

+> - Create a .NET console application and add the Azure SDK for .NET

+> - Add individual items into an API for NoSQL container

+> - Retrieve items efficient from an API for NoSQL container

+> - Create a transaction with batch changes for the API for NoSQL container

+>

+## Prerequisites

+- An existing Azure Cosmos DB for NoSQL account.

+ - If you have an Azure subscription, [create a new account](how-to-create-account.md?tabs=azure-portal).

+ - If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+ - Alternatively, you can [try Azure Cosmos DB free](../try-free.md) before you commit.

+- [Visual Studio Code](https://code.visualstudio.com)

+- [.NET 6 (LTS) or later](https://dotnet.microsoft.com/download/dotnet/6.0)

+- Experience writing C# applications.

+## Create API for NoSQL resources

+First, create an empty database in the existing API for NoSQL account. You'll create a container using the Azure SDK for .NET later.

+1. Navigate to your existing API for NoSQL account in the [Azure portal](https://portal.azure.com/).

+1. In the resource menu, select **Keys**.

+ :::image type="content" source="media/tutorial-dotnet-console-app/resource-menu-keys.png" lightbox="media/tutorial-dotnet-console-app/resource-menu-keys.png" alt-text="Screenshot of an API for NoSQL account page. The Keys option is highlighted in the resource menu.":::

+1. On the **Keys** page, observe and record the value of the **URI** and **PRIMARY KEY** fields. These values will be used throughout the tutorial.

+ :::image type="content" source="media/tutorial-dotnet-console-app/page-keys.png" alt-text="Screenshot of the Keys page with the URI and Primary Key fields highlighted.":::

+1. In the resource menu, select **Data Explorer**.

+ :::image type="content" source="media/tutorial-dotnet-console-app/resource-menu-data-explorer.png" alt-text="Screenshot of the Data Explorer option highlighted in the resource menu.":::

+1. On the **Data Explorer** page, select the **New Database** option in the command bar.

+ :::image type="content" source="media/tutorial-dotnet-console-app/page-data-explorer-new-database.png" alt-text="Screenshot of the New Database option in the Data Explorer command bar.":::

+1. In the **New Database** dialog, create a new container with the following settings:

+ | | Value |

+ | | |

+ | **Database id** | `cosmicworks` |

+ | **Database throughput type** | **Manual** |

+ | **Database throughput amount** | `400` |

+ :::image type="content" source="media/tutorial-dotnet-console-app/dialog-new-database.png" alt-text="Screenshot of the New Database dialog in the Data Explorer with various values in each field.":::

+1. Select **OK** to create the database.

+## Create .NET console application

+Now, you'll create a new .NET console application and import the Azure SDK for .NET by using the `Microsoft.Azure.Cosmos` library from NuGet.

+1. Open a terminal in an empty directory.

+1. Create a new console application using the `console` built-in template

+ ```bash

+ dotnet new console --langVersion preview

+ ```

+1. Add the **3.31.1-preview** version of the `Microsoft.Azure.Cosmos` package from NuGet.

+ ```bash

+ dotnet add package Microsoft.Azure.Cosmos --version 3.31.1-preview

+ ```

+1. Also, add the **pre-release** version of the `System.CommandLine` package from NuGet.

+ ```bash

+ dotnet add package System.CommandLine --prerelease

+ ```

+1. Also, add the `Humanizer` package from NuGet.

+ ```bash

+ dotnet add package Humanizer

+ ```

+1. Build the console application project.

+ ```bash

+ dotnet build

+ ```

+1. Open Visual Studio Code using the current project folder as the workspace.

+ > [!TIP]

+ > You can run `code .` in the terminal to open Visual Studio Code and automatically open the working directory as the current workspace.

+1. Navigate to and open the **Program.cs** file. Delete all of the existing code in the file.

+1. Add this code to the file to use the **System.CommandLine** library to parse the command line for two strings passed in through the `--first` and `--last` options.

+ ```csharp

+ using System.CommandLine;

+

+ var command = new RootCommand();

+

+ var nameOption = new Option<string>("--name") { IsRequired = true };

+ var emailOption = new Option<string>("--email");

+ var stateOption = new Option<string>("--state") { IsRequired = true };

+ var countryOption = new Option<string>("--country") { IsRequired = true };

+

+ command.AddOption(nameOption);

+ command.AddOption(emailOption);

+ command.AddOption(stateOption);

+ command.AddOption(countryOption);

+

+ command.SetHandler(

+ handle: CosmosHandler.ManageCustomerAsync,

+ nameOption,

+ emailOption,

+ stateOption,

+ countryOption

+ );

+

+ await command.InvokeAsync(args);

+ ```

+ > [!NOTE]

+ > For this tutorial, it's not entirely important that you understand how the command-line parser works. The parser has four options that can be specified when the application is running. Three of the options are required since they will be used to construct the ID and partition key fields.

+1. At this point, the project won't build since you haven't defined the static `CosmosHandler.ManageCustomerAsync` method yet.

+1. **Save** the **Program.cs** file.

+## Add items to a container using the SDK

+Next, you'll use individual operations to add items into the API for NoSQL container. In this section, you'll define the `CosmosHandler.ManageCustomerAsync` method.

+1. Create a new **CosmosHandler.cs** file.

+1. In the **CosmosHandler.cs** file, add a new using directive for the `Humanizer` and `Microsoft.Azure.Cosmos` namespaces.

+ ```csharp

+ using Humanizer;

+ using Microsoft.Azure.Cosmos;

+ ```

+1. Create a new static class named `CosmosHandler`.

+ ```csharp

+ public static class CosmosHandler

+ { }

+ ```

+1. Just to validate this app will work, create a short implementation of the static `ManageCustomerAsync` method to print the command-line input.

+ ```csharp

+ public static async Task ManageCustomerAsync(string name, string email, string state, string country)

+ {

+ await Console.Out.WriteLineAsync($"Hello {name} of {state}, {country}!");

+ }

+ ```

+1. **Save** the **CosmosHandler.cs** file.

+1. Back in the terminal, run the application.

+ ```bash

+ dotnet run -- --name 'Mica Pereira' --state 'Washington' --country 'United States'

+ ```

+1. The output of the command should be a fun greeting.

+ ```output

+ Hello Mica Pereira of Washington, United States!

+ ```

+1. Return to the **CosmosHandler.cs** file.

+1. Within the static **CosmosHandler** class, add a new `private static readonly` member of type `CosmosClient` named `_client`.

+ ```csharp

+ private static readonly CosmosClient _client;

+ ```

+1. Create a new static constructor for the `CosmosHandler` class.

+ ```csharp

+ static CosmosHandler()

+ { }

+ ```

+1. Within the constructor, create a new instance of the `CosmosClient` class passing in two string parameters with the **URI** and **PRIMARY KEY** values you previously recorded in the lab. Store this new instance in the `_client` member.

+ ```csharp

+ static CosmosHandler()

+ {

+ _client = new CosmosClient(

+ accountEndpoint: "<uri>",

+ authKeyOrResourceToken: "<primary-key>"

+ );

+ }

+ ```

+1. Back within the static **CosmosHandler** class, create a new asynchronous method named `GetContainerAsync` that returns an `Container`.

+ ```csharp

+ private static async Task<Container> GetContainer()

+ { }

+ ```

+1. For the next steps, add this code within the `GetContainerAsync` method.

+ 1. Get the `cosmicworks` database and store it in a variable named `database`.

+ ```csharp

+ Database database = _client.GetDatabase("cosmicworks");

+ ```

+ 1. Create a new generic `List<>` of `string` values within a list of hierarchical partition key paths and store it in a variable named `keyPaths`.

+ ```csharp

+ List<string> keyPaths = new()

+ {

+ "/address/country",

+ "/address/state"

+ };

+ ```

+ 1. Create a new `ContainerProperties` variable with the name of the container (`customers`) and the list of partition key paths.

+ ```csharp

+ ContainerProperties properties = new(

+ id: "customers",

+ partitionKeyPaths: keyPaths

+ );

+ ```

+ 1. Use the `CreateContainerIfNotExistsAsync` method to supply the container properties and retrieve the container. This method will, per the name, asynchronously create the container if it doesn't already exist within the database. Return the result as the output of the `GetContainerAsync` method.

+ ```csharp

+ return await database.CreateContainerIfNotExistsAsync(

+ containerProperties: properties

+ );

+ ```

+1. Delete all of the code within the `ManageCustomerAsync` method.

+1. For the next steps, add this code within the `ManageCustomerAsync` method.

+ 1. Asynchronously call the `GetContainerAsync` method and store the result in a variable named `container`.

+ ```csharp

+ Container container = await GetContainerAsync();

+ ```

+ 1. Create a new variable named `id` that uses the `Kebaberize` method from **Humanizer** to transform the `name` method parameter.

+ ```csharp

+ string id = name.Kebaberize();

+ ```

+ > [!NOTE]

+ > The `Kebaberize` method will replace all spaces with hyphens and conver the text to lowercase.

+ 1. Create a new anonymous typed item using the `name`, `state`, and `country` method parameters and the `id` variable. Store the item as a variable named `customer`.

+ ```csharp

+ var customer = new {

+ id = id,

+ name = name,

+ address = new {

+ state = state,

+ country = country

+ }

+ };

+ ```

+ 1. Use the container's asynchronous `CreateItemAsync` method to create a new item in the container and assign the HTTP response metadata to a variable named `response`.

+ ```csharp

+ var response = await container.CreateItemAsync(customer);

+ ```

+ 1. Write the values of the `response` variable's `StatusCode` and `RequestCharge` properties to the console. Also write the value of the `id` variable.

+ ```csharp

+ Console.WriteLine($"[{response.StatusCode}]\t{id}\t{response.RequestCharge} RUs");

+ ```

+1. **Save** the **CosmosHandler.cs** file.

+1. Back in the terminal, run the application again.

+ ```bash

+ dotnet run -- --name 'Mica Pereira' --state 'Washington' --country 'United States'

+ ```

+1. The output of the command should include a status and request charge for the operation.

+ ```output

+ [Created] mica-pereira 7.05 RUs

+ ```

+ > [!NOTE]

+ > Your request charge may vary.

+1. Run the application one more time.

+ ```bash

+ dotnet run -- --name 'Mica Pereira' --state 'Washington' --country 'United States'

+ ```

+1. This time, the program should crash. If you scroll through the error message, you'll see the crash occurred because of a conflict in the unique identifier for the items.

+ ```output

+ Unhandled exception: Microsoft.Azure.Cosmos.CosmosException : Response status code does not indicate success: Conflict (409);Reason: (

+ Errors : [

+ "Resource with specified id or name already exists."

+ ]

+ );

+ ```

+## Retrieve an item using the SDK

+Now that you've created your first item in the container, you can use the same SDK to retrieve the item. Here, you'll query and point read the item to compare the difference in request unit (RU) consumption.

+1. Return to or open the **CosmosHandler.cs** file.

+1. Delete all lines of code from the `ManageCustomerAsync` method except for the first two lines.

+ ```csharp

+ public static async Task ManageCustomerAsync(string name, string email, string state, string country)

+ {

+ Container container = await GetContainerAsync();

+ string id = name.Kebaberize();

+ }

+ ```

+1. For the next steps, add this code within the `ManageCustomerAsync` method.

+ 1. Use the container's asynchronous `CreateItemAsync` method to create a new item in the container and assign the HTTP response metadata to a variable named `response`.

+ ```csharp

+ var response = await container.CreateItemAsync(customer);

+ ```

+ 1. Create a new string named `sql` with a SQL query to retrieve items where a filter (`@id`) matches.

+ ```csharp

+ string sql = """

+ SELECT

+ *

+ FROM customers c

+ WHERE c.id = @id

+ """;

+ ```

+ 1. Create a new `QueryDefinition` variable named `query` passing in the `sql` string as the only query parameter. Also, use the `WithParameter` fluid method to apply the value of the variable `id` to the `@id` parameter.

+ ```csharp

+ var query = new QueryDefinition(

+ query: sql

+ )

+ .WithParameter("@id", id);

+ ```

+ 1. Use the `GetItemQueryIterator<>` generic method and the `query` variable to create an iterator that gets data from Azure Cosmos DB. Store the iterator in a variable named `feed`. Wrap this entire expression in a using statement to dispose the iterator later.

+ ```csharp

+ using var feed = container.GetItemQueryIterator<dynamic>(

+ queryDefinition: query

+ );

+ ```

+ 1. Asynchronously call the `ReadNextAsync` method of the `feed` variable and store the result in a variable named `response`.

+ ```csharp

+ var response = await feed.ReadNextAsync();

+ ```

+ 1. Write the values of the `response` variable's `StatusCode` and `RequestCharge` properties to the console. Also write the value of the `id` variable.

+ ```csharp

+ Console.WriteLine($"[{response.StatusCode}]\t{id}\t{response.RequestCharge} RUs");

+ ```

+1. **Save** the **CosmosHandler.cs** file.

+1. Back in the terminal, run the application to read the single item using a SQL query.

+ ```bash

+ dotnet run -- --name 'Mica Pereira'

+ ```

+1. The output of the command should indicate that the query required multiple RUs.

+ ```output

+ [OK] mica-pereira 2.82 RUs

+ ```

+1. Back in the **CosmosHandler.cs** file, delete all lines of code from the `ManageCustomerAsync` method again except for the first two lines.

+ ```csharp

+ public static async Task ManageCustomerAsync(string name, string email, string state, string country)

+ {

+ Container container = await GetContainerAsync();

+ string id = name.Kebaberize();

+ }

+ ```

+1. For the next steps, add this code within the `ManageCustomerAsync` method.

+ 1. Create a new instance of `PartitionKeyBuilder` by adding the `state` and `country` parameters as a multi-part partition key value.

+ ```csharp

+ var partitionKey = new PartitionKeyBuilder()

+ .Add(country)

+ .Add(state)

+ .Build();

+ ```

+ 1. Use the container's `ReadItemAsync<>` method to point read the item from the container using the `id` and `partitionKey` variables. Save the result in a variable named `response`.

+ ```csharp

+ var response = await container.ReadItemAsync<dynamic>(

+ id: id,

+ partitionKey: partitionKey

+ );

+ ```

+ 1. Write the values of the `response` variable's `StatusCode` and `RequestCharge` properties to the console. Also write the value of the `id` variable.

+ ```csharp

+ Console.WriteLine($"[{response.StatusCode}]\t{id}\t{response.RequestCharge} RU");

+ ```

+1. **Save** the **CosmosHandler.cs** file again.

+1. Back in the terminal, run the application one more time to point read the single item.

+ ```bash

+ dotnet run -- --name 'Mica Pereira' --state 'Washington' --country 'United States'

+ ```

+1. The output of the command should indicate that the query required a single RU.

+ ```output

+ [OK] mica-pereira 1 RUs

+ ```

+## Create a transaction using the SDK

+Finally, you'll take the item you created, read that item, and create a different related item as part of a single transaction using the Azure SDK for .NET.

+1. Return to or open the **CosmosHandler.cs** file.

+1. Delete these lines of code from the `ManageCustomerAsync` method.

+ ```csharp

+ var response = await container.ReadItemAsync<dynamic>(

+ id: id,

+ partitionKey: partitionKey

+ );

+ Console.WriteLine($"[{response.StatusCode}]\t{id}\t{response.RequestCharge} RUs");

+ ```

+1. For the next steps, add this new code within the `ManageCustomerAsync` method.

+ 1. Create a new anonymous typed item using the `name`, `state`, and `country` method parameters and the `id` variable. Store the item as a variable named `customerCart`. This item will represent a real-time shopping cart for the customer that is currently empty.

+ ```csharp

+ var customerCart = new {

+ id = $"{Guid.NewGuid()}",

+ customerId = id,

+ items = new string[] {},

+ address = new {

+ state = state,

+ country = country

+ }

+ };

+ ```

+ 1. Create another new anonymous typed item using the `name`, `state`, and `country` method parameters and the `id` variable. Store the item as a variable named `customerCart`. This item will represent shipping and contact information for the customer.

+ ```csharp

+ var customerContactInfo = new {

+ id = $"{id}-contact",

+ customerId = id,

+ email = email,

+ location = $"{state}, {country}",

+ address = new {

+ state = state,

+ country = country

+ }

+ };

+ ```

+ 1. Create a new batch using the container's `CreateTransactionalBatch` method passing in the `partitionKey` variable. Store the batch in a variable named `batch`. Use fluent methods to perform the following actions:

+ | Method | Parameter |

+ | | |

+ | `ReadItem` | `id` string variable |

+ | `CreateItem` | `customerCart` anonymous type variable |

+ | `CreateItem` | `customerContactInfo` anonymous type variable |

+ ```csharp

+ var batch = container.CreateTransactionalBatch(partitionKey)

+ .ReadItem(id)

+ .CreateItem(customerCart)

+ .CreateItem(customerContactInfo);

+ ```

+ 1. Use the batch's `ExecuteAsync` method to start the transaction. Save the result in a variable named `response`.

+ ```csharp

+ using var response = await batch.ExecuteAsync();

+ ```

+ 1. Write the values of the `response` variable's `StatusCode` and `RequestCharge` properties to the console. Also write the value of the `id` variable.

+ ```csharp

+ Console.WriteLine($"[{response.StatusCode}]\t{response.RequestCharge} RUs");

+ ```

+1. **Save** the **CosmosHandler.cs** file again.

+1. Back in the terminal, run the application one more time to point read the single item.

+ ```bash

+ dotnet run -- --name 'Mica Pereira' --state 'Washington' --country 'United States'

+ ```

+1. The output of the command should show the request units used for the entire transaction.

+ ```output

+ [OK] 16.05 RUs

+ ```

+ > [!NOTE]

+ > Your request charge may vary.

+## Validate the final data in the Data Explorer

+To wrap up things, you'll use the Data Explorer in the Azure portal to view the data, and container you created in this tutorial.

+1. Navigate to your existing API for NoSQL account in the [Azure portal](https://portal.azure.com/).

+1. In the resource menu, select **Data Explorer**.

+ :::image type="content" source="media/tutorial-dotnet-console-app/resource-menu-data-explorer.png" alt-text="Screenshot of the Data Explorer option highlighted in the resource menu.":::

+1. On the **Data Explorer** page, expand the `cosmicworks` database, and then select the `customers` container.

+ :::image type="content" source="media/tutorial-dotnet-web-app/section-data-container.png" alt-text="Screenshot of the selected container node within the database node.":::

+1. In the command bar, select **New SQL query**.

+ :::image type="content" source="media/tutorial-dotnet-console-app/page-data-explorer-new-sql-query.png" alt-text="Screenshot of the New SQL Query option in the Data Explorer command bar.":::

+1. In the query editor, observe this SQL query string.

+ ```sql

+ SELECT * FROM c

+ ```

+1. Select **Execute Query** to run the query and observe the results.

+ :::image type="content" source="media/tutorial-dotnet-console-app/page-data-explorer-execute-query.png" alt-text="Screenshot of the Execute Query option in the Data Explorer command bar.":::

+1. The results should include a JSON array with three items created in this tutorial. Observe that all of the items have the same hierarchical partition key value, but unique ID fields. The example output included is truncated for brevity.

+ ```output

+ [

+ {

+ "id": "mica-pereira",

+ "name": "Mica Pereira",

+ "address": {

+ "state": "Washington",

+ "country": "United States"

+ },

+ ...

+ },

+ {

+ "id": "33d03318-6302-4559-b5c0-f3cc643b2f38",

+ "customerId": "mica-pereira",

+ "items": [],

+ "address": {

+ "state": "Washington",

+ "country": "United States"

+ },

+ ...

+ },

+ {

+ "id": "mica-pereira-contact",

+ "customerId": "mica-pereira",

+ "email": null,

+ "location": "Washington, United States",

+ "address": {

+ "state": "Washington",

+ "country": "United States"

+ },

+ ...

+ }

+ ]

+ ```

+## Clean up resources

+When no longer needed, delete the database used in this tutorial. To do so, navigate to the account page, select **Data Explorer**, select the `cosmicworks` database, and then select **Delete**.

+## Next steps

+Now that you've created your first .NET console application using Azure Cosmos DB, try the next tutorial where you'll update an existing web application to use Azure Cosmos DB data.

+> [!div class="nextstepaction"]

+> [Tutorial: Develop an ASP.NET web application with Azure Cosmos DB for NoSQL](tutorial-dotnet-web-app.md)

+ Title: |

+ Tutorial: Develop an ASP.NET web application with Azure Cosmos DB for NoSQL

+description: |

+ ASP.NET tutorial to create a web application that queries data from Azure Cosmos DB for NoSQL.

+ms.devlang: csharp

+# Tutorial: Develop an ASP.NET web application with Azure Cosmos DB for NoSQL

+The Azure SDK for .NET allows you to query data in an API for NoSQL container using [LINQ in C#](how-to-dotnet-query-items.md#query-items-using-linq-asynchronously) or a [SQL query string](how-to-dotnet-query-items.md#query-items-using-a-sql-query-asynchronously). This tutorial will walk through the process of updating an existing ASP.NET web application that uses placeholder data to instead query from the API.

+In this tutorial, you learn how to:

+> - Create and populate a database and container using API for NoSQL

+> - Create an ASP.NET web application from a template

+> - Query data from the API for NoSQL container using the Azure SDK for .NET

+>

+- An existing Azure Cosmos DB for NoSQL account.

+ - If you have an Azure subscription, [create a new account](how-to-create-account.md?tabs=azure-portal).

+ - If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+ - Alternatively, you can [try Azure Cosmos DB free](../try-free.md) before you commit.

+- [Visual Studio Code](https://code.visualstudio.com)

+- [.NET 6 (LTS) or later](https://dotnet.microsoft.com/download/dotnet/6.0)

+- Experience writing C# applications.

+## Create API for NoSQL resources

+First, you'll create a database and container in the existing API for NoSQL account. You'll then populate this account with data using the `cosmicworks` dotnet tool.

+1. Navigate to your existing API for NoSQL account in the [Azure portal](https://portal.azure.com/).

+1. In the resource menu, select **Keys**.

+ :::image type="content" source="media/tutorial-dotnet-web-app/resource-menu-keys.png" lightbox="media/tutorial-dotnet-web-app/resource-menu-keys.png" alt-text="Screenshot of an API for NoSQL account page. The Keys option is highlighted in the resource menu.":::

+1. On the **Keys** page, observe and record the value of the **URI**, **PRIMARY KEY**, and **PRIMARY CONNECTION STRING*** fields. These values will be used throughout the tutorial.

+ :::image type="content" source="media/tutorial-dotnet-web-app/page-keys.png" alt-text="Screenshot of the Keys page with the URI, Primary Key, and Primary Connection String fields highlighted.":::

+1. In the resource menu, select **Data Explorer**.

+ :::image type="content" source="media/tutorial-dotnet-web-app/resource-menu-data-explorer.png" alt-text="Screenshot of the Data Explorer option highlighted in the resource menu.":::

+1. On the **Data Explorer** page, select the **New Container** option in the command bar.

+ :::image type="content" source="media/tutorial-dotnet-web-app/page-data-explorer-new-container.png" alt-text="Screenshot of the New Container option in the Data Explorer command bar.":::

+1. In the **New Container** dialog, create a new container with the following settings:

+ | Setting | Value |

+ | | |

+ | **Database id** | `cosmicworks` |

+ | **Database throughput type** | **Manual** |

+ | **Database throughput amount** | `4000` |

+ | **Container id** | `products` |

+ | **Partition key** | `/categoryId` |

+ :::image type="content" source="media/tutorial-dotnet-web-app/dialog-new-container.png" alt-text="Screenshot of the New Container dialog in the Data Explorer with various values in each field.":::

+ > [!IMPORTANT]

+ > In this tutorial, we will first scale the database up to 4,000 RU/s in shared throughput to maximize performance for the data migration. Once the data migration is complete, we will scale down to 400 RU/s of provisioned throughput.

+1. Select **OK** to create the database and container.

+1. Open a terminal to run commands to populate the container with data.

+ > [!TIP]

+ > You can optionally use the Azure Cloud Shell here.

+1. Install a **pre-release**version of the `cosmicworks` dotnet tool from NuGet.

+ ```bash

+ dotnet tool install --global cosmicworks --prerelease

+ ```

+1. Use the `cosmicworks` tool to populate your API for NoSQL account with sample product data using the **URI** and **PRIMARY KEY** values you recorded earlier in this lab. Those recorded values will be used for the `endpoint` and `key` parameters respectively.

+ ```bash

+ cosmicworks \

+ --datasets product \

+ --endpoint <uri> \

+ --key <primary-key>

+ ```

+1. Observe the output from the command line tool. It should add more than 200 items to the container. The example output included is truncated for brevity.

+ ```output

+ ...

+ Revision: v4

+ Datasets:

+ product

+

+ Database: [cosmicworks] Status: Created

+ Container: [products] Status: Ready

+

+ product Items Count: 295

+ Entity: [9363838B-2D13-48E8-986D-C9625BE5AB26] Container:products Status: RanToCompletion

+ ...

+ Container: [product] Status: Populated

+ ```

+1. Return to the **Data Explorer** page for your account.

+1. In the **Data** section, expand the `cosmicworks` database node and then select **Scale**.

+ :::image type="content" source="media/tutorial-dotnet-web-app/section-data-database-scale.png" alt-text="Screenshot of the Scale option within the database node.":::

+1. Reduce the throughput from **4,000** down to **400**.

+ :::image type="content" source="media/tutorial-dotnet-web-app/section-scale-throughput.png" alt-text="Screenshot of the throughput settings for the database reduced down to 400 RU/s.":::

+1. In the command bar, select **Save**.

+ :::image type="content" source="media/tutorial-dotnet-web-app/page-data-explorer-save.png" alt-text="Screenshot of the Save option in the Data Explorer command bar.":::

+1. In the **Data** section, expand and select the **products** container node.

+ :::image type="content" source="media/tutorial-dotnet-web-app/section-data-container.png" alt-text="Screenshot of the expanded container node within the database node.":::

+1. In the command bar, select **New SQL query**.

+ :::image type="content" source="media/tutorial-dotnet-web-app/page-data-explorer-new-sql-query.png" alt-text="Screenshot of the New SQL Query option in the Data Explorer command bar.":::

+1. In the query editor, add this SQL query string.

+ ```sql

+ SELECT

+ p.sku,

+ p.price

+ FROM products p

+ WHERE p.price < 2000

+ ORDER BY p.price DESC

+ ```

+1. Select **Execute Query** to run the query and observe the results.

+ :::image type="content" source="media/tutorial-dotnet-web-app/page-data-explorer-execute-query.png" alt-text="Screenshot of the Execute Query option in the Data Explorer command bar.":::

+1. The results should be a paginated array of all items in the container with a `price` value that is less than **2,000** sorted from highest price to lowest. For brevity, a subset of the output is included here.

+ ```output

+ [

+ {

+ "sku": "BK-R79Y-48",

+ "price": 1700.99

+ },

+ ...

+ {

+ "sku": "FR-M94B-46",

+ "price": 1349.6

+ },

+ ...

+ ```

+1. Replace the content of the query editor with this query and then select **Execute Query** again to observe the results.

+ ```sql

+ SELECT

+ p.name,

+ p.categoryName,

+ p.tags

+ FROM products p

+ JOIN t IN p.tags

+ WHERE t.name = "Tag-32"

+ ```

+1. The results should be a smaller array of items filtered to only contain items that include at least one tag with a **name** value of `Tag-32`. Again, a subset of the output is included here for brevity.

+ ```output

+ ...

+ {

+ "name": "ML Mountain Frame - Black, 44",

+ "categoryName": "Components, Mountain Frames",

+ "tags": [

+ {

+ "id": "18AC309F-F81C-4234-A752-5DDD2BEAEE83",

+ "name": "Tag-32"

+ }

+ ]

+ },

+ ...

+ ```

+## Create ASP.NET web application

+Now, you'll create a new ASP.NET web application using a sample project template. You'll then explore the source code and run the sample to get acquainted with the application before adding Azure Cosmos DB connectivity using the Azure SDK for .NET.

+1. Open a terminal in an empty directory.

+1. Install the `cosmicworks.template.web` project template package from NuGet.

+ ```bash

+ dotnet new install cosmicworks.template.web

+ ```

+1. Create a new web application project using the newly installed `dotnet new cosmosdbnosql-webapp` template.

+ ```bash

+ dotnet new cosmosdbnosql-webapp

+ ```

+1. Build and run the web application project.

+ ```bash

+ dotnet run

+ ```

+1. Observe the output of the run command. The output should include a list of ports and URLs where the application is running.

+ ```output

+ ...

+ info: Microsoft.Hosting.Lifetime[14]

+ Now listening on: http://localhost:5000

+ info: Microsoft.Hosting.Lifetime[14]

+ Now listening on: https://localhost:5001

+ info: Microsoft.Hosting.Lifetime[0]

+ Application started. Press Ctrl+C to shut down.

+ info: Microsoft.Hosting.Lifetime[0]

+ Hosting environment: Production

+ ...

+ ```

+1. Open a new browser and navigate to the running web application. Observe all three pages of the running application.

+ :::image type="content" source="media/tutorial-dotnet-web-app/sample-application-placeholder-data.png" lightbox="media/tutorial-dotnet-web-app/sample-application-placeholder-data.png" alt-text="Screenshot of the sample web application running with placeholder data.":::

+1. Stop the running application by terminating the running process.

+ > [!TIP]

+ > Use the <kbd>Ctrl</kbd>+<kbd>C</kbd> command to stop a running process.Alternatively, you can close and re-open the terminal.

+1. Open Visual Studio Code using the current project folder as the workspace.

+ > [!TIP]

+ > You can run `code .` in the terminal to open Visual Studio Code and automatically open the working directory as the current workspace.

+1. Navigate to and open the **Services/ICosmosService.cs** file. Observe the ``RetrieveActiveProductsAsync`` and ``RetrieveAllProductsAsync`` default method implementations. These methods create a static list of products to use when running the project for the first time. A truncated example of one of the methods is provided here.

+ ```csharp

+ public async Task<IEnumerable<Product>> RetrieveActiveProductsAsync()

+ {

+ await Task.Delay(1);

+ return new List<Product>()

+ {

+ new Product(id: "baaa4d2d-5ebe-45fb-9a5c-d06876f408e0", categoryId: "3E4CEACD-D007-46EB-82D7-31F6141752B2", categoryName: "Components, Road Frames", sku: "FR-R72R-60", name: """ML Road Frame - Red, 60""", description: """The product called "ML Road Frame - Red, 60".""", price: 594.83000000000004m),

+ ...

+ new Product(id: "d5928182-0307-4bf9-8624-316b9720c58c", categoryId: "AA5A82D4-914C-4132-8C08-E7B75DCE3428", categoryName: "Components, Cranksets", sku: "CS-6583", name: """ML Crankset""", description: """The product called "ML Crankset".""", price: 256.49000000000001m)

+ };

+ }

+ ```

+1. Navigate to and open the **Services/CosmosService.cs** file. Observe the current implementation of the **CosmosService** class. This class implements the **ICosmosService** interface but doesn't override any methods. In this context, the class will use the default interface implementation until an override of the implementation is provided in the interface.

+ ```csharp

+ public class CosmosService : ICosmosService

+ { }

+ ```

+1. Finally, navigate to and open the **Models/Product.cs** file. Observe the record type defined in this file. This type will be used in queries throughout this tutorial.

+ ```csharp

+ public record Product(

+ string id,

+ string categoryId,

+ string categoryName,

+ string sku,

+ string name,

+ string description,

+ decimal price

+ );

+ ```

+## Query data using the .NET SDK

+Next, you'll add the Azure SDK for .NET to this sample project and use the library to query data from the API for NoSQL container.

+1. Back in the terminal, add the `Microsoft.Azure.Cosmos` package from NuGet.

+ ```bash

+ dotnet add package Microsoft.Azure.Cosmos

+ ```

+1. Build the project.

+ ```bash

+ dotnet build

+ ```

+1. Back in Visual Studio Code, navigate again to the **Services/CosmosService.cs** file.

+1. Add a new using directive for the `Microsoft.Azure.Cosmos` and `Microsoft.Azure.Cosmos.Linq` namespaces.

+ ```csharp

+ using Microsoft.Azure.Cosmos;

+ using Microsoft.Azure.Cosmos.Linq;

+ ```

+1. Within the **CosmosService** class, add a new `private readonly` member of type `CosmosClient` named `_client`.

+ ```csharp

+ private readonly CosmosClient _client;

+ ```

+1. Create a new empty constructor for the `CosmosClient` class.

+ ```csharp

+ public CosmosClient()

+ { }

+ ```

+1. Within the constructor, create a new instance of the `CosmosClient` class passing in a string parameter with the **PRIMARY CONNECTION STRING** value you previously recorded in the lab. Store this new instance in the `_client` member.

+ ```csharp

+ public CosmosClient()

+ {

+ _client = new CosmosClient(

+ connectionString: "<primary-connection-string>"

+ );

+ }

+ ```

+1. Back within the **CosmosClient** class, create a new `private` property of type `Container` named `container`. Set the **get accessor** to return the `cosmicworks` database and `products` container.

+ ```csharp

+ private Container container

+ {

+ get => _client.GetDatabase("cosmicworks").GetContainer("products");

+ }

+ ```

+1. Create a new asynchronous method named `RetrieveAllProductsAsync` that returns an `IEnumerable<Product>`.

+ ```csharp

+ public async Task<IEnumerable<Product>> RetrieveAllProductsAsync()

+ { }

+ ```

+1. For the next steps, add this code within the `RetrieveAllProductsAsync` method.

+ 1. Use the `GetItemLinqQueryable<>` generic method to get an object of type `IQueryable<>` that you can use to construct a Language-integrated query (LINQ). Store that object in a variable named `queryable`.

+ ```csharp

+ var queryable = container.GetItemLinqQueryable<Product>();

+ ```

+ 1. Construct a LINQ query using the `Where` and `OrderByDescending` extension methods. Use the `ToFeedIterator` extension method to create an iterator to get data from Azure Cosmos DB and store the iterator in a variable named `feed`. Wrap this entire expression in a using statement to dispose the iterator later.

+ ```csharp

+ using FeedIterator<Product> feed = queryable

+ .Where(p => p.price < 2000m)

+ .OrderByDescending(p => p.price)

+ .ToFeedIterator();

+ ```

+ 1. Create a new variable named `results` using the generic `List<>` type.

+ ```csharp

+ List<Product> results = new();

+ ```

+ 1. Create a **while** loop that will iterate until the `HasMoreResults` property of the `feed` variable returns false. This loop will ensure that you loop through all pages of server-side results.

+ ```csharp

+ while (feed.HasMoreResults)

+ { }

+ ```

+ 1. Within the **while** loop, asynchronously call the `ReadNextAsync` method of the `feed` variable and store the result in a variable named `response`.

+ ```csharp

+ while (feed.HasMoreResults)

+ {

+ var response = await feed.ReadNextAsync();

+ }

+ ```

+ 1. Still within the **while** loop, use a **foreach** loop to go through each item in the response and add them to the `results` list.

+ ```csharp

+ while (feed.HasMoreResults)

+ {

+ var response = await feed.ReadNextAsync();

+ foreach (Product item in response)

+ {

+ results.Add(item);

+ }

+ }

+ ```

+ 1. Return the `results` list as the output of the `RetrieveAllProductsAsync` method.

+ ```csharp

+ return results;

+ ```

+1. Create a new asynchronous method named `RetrieveActiveProductsAsync` that returns an `IEnumerable<Product>`.

+ ```csharp

+ public async Task<IEnumerable<Product>> RetrieveActiveProductsAsync()

+ { }

+ ```

+1. For the next steps, add this code within the `RetrieveActiveProductsAsync` method.

+ 1. Create a new string named `sql` with a SQL query to retrieve multiple fields where a filter (`@tagFilter`) is applied to **tags** array of each item.

+ ```csharp

+ string sql = """

+ SELECT

+ p.id,

+ p.categoryId,

+ p.categoryName,

+ p.sku,

+ p.name,

+ p.description,

+ p.price,

+ p.tags

+ FROM products p

+ JOIN t IN p.tags

+ WHERE t.name = @tagFilter

+ """;

+ ```

+ 1. Create a new `QueryDefinition` variable named `query` passing in the `sql` string as the only query parameter. Also, use the `WithParameter` fluid method to apply the value `Tag-75` to the `@tagFilter` parameter.

+ ```csharp

+ var query = new QueryDefinition(

+ query: sql

+ )

+ .WithParameter("@tagFilter", "Tag-75");

+ ```

+ 1. Use the `GetItemQueryIterator<>` generic method and the `query` variable to create an iterator that gets data from Azure Cosmos DB. Store the iterator in a variable named `feed`. Wrap this entire expression in a using statement to dispose the iterator later.

+ ```csharp

+ using FeedIterator<Product> feed = container.GetItemQueryIterator<Product>(

+ queryDefinition: query

+ );

+ ```

+ 1. Use a **while** loop to iterate through multiple pages of results and store the value in a generic `List<>` named **results**. Return the **results** as the output of the `RetrieveActiveProductsAsync` method.

+ ```csharp

+ List<Product> results = new();

+

+ while (feed.HasMoreResults)

+ {

+ FeedResponse<Product> response = await feed.ReadNextAsync();

+ foreach (Product item in response)

+ {

+ results.Add(item);

+ }

+ }

+ return results;

+ ```

+1. **Save** the **Services/CosmosClient.cs** file.

+ > [!TIP]

+ > If you are unsure that your code is correct, you can check your source code against the [sample code](https://github.com/Azure-Samples/cosmos-db-nosql-dotnet-sample-web/blob/sample/Services/CosmosService.cs) on GitHub.

+## Validate the final application

+Finally, you'll run the application with **hot reloads** enabled. Running the application will validate that your code can access data from the API for NoSQL.

+1. Back in the terminal, run the application.

+ ```bash

+ dotnet watch

+ ```

+ > [!NOTE]

+ > `dotnet watch` is enabled here so you can quickly change the code if you find a mistake.

+1. The output of the run command should include a list of ports and URLs where the application is running. Open a new browser and navigate to the running web application. Observe all three pages of the running application. Each page should now include live data from Azure Cosmos DB.

+## Clean up resources

+When no longer needed, delete the database used in this tutorial. To do so, navigate to the account page, select **Data Explorer**, select the `cosmicworks` database, and then select **Delete**.

+Now that you've created your first .NET web application using Azure Cosmos DB, you can now dive deeper into the SDK to import more data, perform complex queries, and manage your Azure Cosmos DB for NoSQL resources.

+> [!div class="nextstepaction"]

+> [Get started with Azure Cosmos DB for NoSQL and .NET](how-to-dotnet-get-started.md)

+* [API for PostgreSQL Quickstart](postgresql/quickstart-create-portal.md)

+ * [Get started with Azure Cosmos DB for PostgreSQL](postgresql/quickstart-create-portal.md)

+> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE5bkg2]

+| GPU | One or two nVidia T4 GPUs <br> For more information, see [NVIDIA T4](https://www.nvidia.com/en-us/data-center/tesla-t4/).|

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+| GPU | None |

+The Azure Stack Edge Pro 2 device has the following specifications for compute and memory:

+| GPU | 1 NVIDIA A2 GPU <br> For more information, see [NVIDIA A2 GPUs](https://www.nvidia.com/en-us/data-center/products/a2/). |

+The Azure Stack Edge Pro 2 device has the following specifications for compute and memory:

+| GPU | 2 NVIDIA A2 GPUs <br> For more information, see [NVIDIA A2 GPUs](https://www.nvidia.com/en-us/data-center/products/a2/). |

+ > If you've already [installed the Microsoft Security DevOps extension](https://marketplace.visualstudio.com/items?itemName=ms-securitydevops.microsoft-security-devops-azdevops), it will be listed in the Installed tab.

+To optimize costs, you might want to exclude specific Storage accounts associated with high traffic from Defender for Storage protections. To get an estimate of Defender for Storage costs, use the [Price Estimation Workbook](https://portal.azure.com/#blade/AppInsightsExtension/UsageNotebookBlade/ComponentId/Azure%20Security%20Center/ConfigurationId/community-Workbooks%2FAzure%20Security%20Center%2FPrice%20Estimation/Type/workbook/WorkbookTemplateName/Price%20Estimation) in the Azure portal.

+- [00:00](/shows/mdc-in-the-field/defender-cosmos-db#time=00m00s) - Intro

+- [01:37](/shows/mdc-in-the-field/defender-cosmos-db#time=01m37s) - Azure Cosmos DB main use case scenarios

+- [02:30](/shows/mdc-in-the-field/defender-cosmos-db#time=02m30s) - Recommendations and alerts in Defender for Azure Cosmos DB

+- [04:30](/shows/mdc-in-the-field/defender-cosmos-db#time=04m30s) - SQL Injection detection for Azure Cosmos DB

+- [06:15](/shows/mdc-in-the-field/defender-cosmos-db#time=06m15s) - Key extraction detection for Azure Cosmos DB

+- [11:00](/shows/mdc-in-the-field/defender-cosmos-db#time=11m00s) - Demonstration

+- [14:30](/shows/mdc-in-the-field/defender-cosmos-db#time=14m30s) - Final considerations

+Learn more about [Enable Microsoft Defender for Azure Cosmos DB](/defender-for-cloud/defender-for-databases-enable-cosmos-protections.md)

+ - [LinkedIn](https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbFk5TXZuQld2NlpBRV9BQlJqMktYSm95WWhCZ3xBQ3Jtc0tsQU13MkNPWGNFZzVuem5zc05wcnp0VGxybHprVTkwS2todWw0b0VCWUl4a2ZKYVktNGM1TVFHTXpmajVLcjRKX0cwVFNJaDlzTld4MnhyenBuUGRCVmdoYzRZTjFmYXRTVlhpZGc4MHhoa3N6ZDhFMA&q=https%3A%2F%2Fwww.linkedin.com%2Fshowcase%2Fmicrosoft-security%2F)

+ - [Twitter](https://twitter.com/msftsecurity)

+- Learn more about [Microsoft Security](https://msft.it/6002T9HQY)

+> [Defender for DevOps | Defender for Cloud in the field](episode-nineteen.md)

+ Title: Defender for DevOps | Defender for Cloud in the Field

+description: Learn about Defender for Cloud integration with Defender for DevOps.

+# Defender for DevOps | Defender for Cloud in the Field

+**Episode description**: In this episode of Defender for Cloud in the Field, Sukhandeep Singh joins Yuri Diogenes to talk about Defender for DevOps. Sukhandeep explains how Defender for DevOps uses a central console to provide security teams DevOps insights across multi-pipeline environments, such as GitHub and Azure DevOps. Sukhandeep also covers the security recommendations created by Defender for DevOps and demonstrates how to configure a GitHub connector using Defender for Cloud dashboard.

+<br>

+<br>

+<iframe src="https://aka.ms/docs/player?id=f1e5ec4f-1e65-400d-915b-4db6cf550014" width="1080" height="530" allowFullScreen="true" frameBorder="0"></iframe>

+- [01:16](/shows/mdc-in-the-field/defender-for-devops#time=01m16s) - What is Defender for DevOps?

+- [02:22](/shows/mdc-in-the-field/defender-for-devops) - Current Integrations

+- [02:47](/shows/mdc-in-the-field/defender-for-devops)- GitHub connector

+- [04:16](/shows/mdc-in-the-field/defender-for-devops) - Security recommendations

+- [05:54](/shows/mdc-in-the-field/defender-for-devops) - Protection for infrastructure as a code

+- [07:03](/shows/mdc-in-the-field/defender-for-devops) - Azure ADO connector

+- [08:22](/shows/mdc-in-the-field/defender-for-devops#time=08m22s) - Demonstration

+## Recommended resources

+ - [Learn more](/defender-for-cloud/defender-for-devops-introduction.md) about Defender for DevOps.

+ - Subscribe to [Microsoft Security on YouTube](https://www.youtube.com/playlist?list=PL3ZTgFEc7LysiX4PfHhdJPR7S8mGO14YS)

+ - Join our [Tech Community](https://aka.ms/SecurityTechCommunity)

+ - For more about [Microsoft Security](https://msft.it/6002T9HQY)

+- Follow us on social media:

+ - [LinkedIn](https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbFk5TXZuQld2NlpBRV9BQlJqMktYSm95WWhCZ3xBQ3Jtc0tsQU13MkNPWGNFZzVuem5zc05wcnp0VGxybHprVTkwS2todWw0b0VCWUl4a2ZKYVktNGM1TVFHTXpmajVLcjRKX0cwVFNJaDlzTld4MnhyenBuUGRCVmdoYzRZTjFmYXRTVlhpZGc4MHhoa3N6ZDhFMA&q=https%3A%2F%2Fwww.linkedin.com%2Fshowcase%2Fmicrosoft-security%2F)

+ - [Twitter](https://twitter.com/msftsecurity)

+- Join our [Tech Community](https://aka.ms/SecurityTechCommunity)

+- Learn more about [Microsoft Security](https://msft.it/6002T9HQY)

+## Next steps

+> [!div class="nextstepaction"]

+> [New AWS Connector in Microsoft Defender for Cloud](episode-one.md)

+API calls performed by Defender for Cloud count against the [Azure DevOps Global consumption limit](/azure/devops/integrate/concepts/rate-limits?view=azure-devops). For more information, see the [FAQ section](#faq).

+| Pricing: | For pricing, see the Defender for Cloud [pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/?v=17.23h#pricing). |

+## FAQ

+### Do API calls made by Defender for Cloud count against my consumption limit?

+Yes, API calls made by Defender for Cloud count against the [Azure DevOps Global consumption limit](/azure/devops/integrate/concepts/rate-limits?view=azure-devops). Defender for Cloud makes calls on-behalf of the user who onboards the connector.

+### Why is my organization list empty in the UI?

+If your organization list is empty in the UI after you onboarded an Azure DevOps connector, you need to ensure that the organization in Azure DevOps is connected to the Azure tenant that has the user who authenticated the connector.

+For information on how to correct this issue, check out the [DevOps trouble shooting guide](troubleshooting-guide.md#troubleshoot-azure-devops-organization-connector-issues).

+## May 2022

+Updates in May include:

+- [Multicloud settings of Servers plan are now available in connector level](#multicloud-settings-of-servers-plan-are-now-available-in-connector-level)

+- [JIT (Just-in-time) access for VMs is now available for AWS EC2 instances (Preview)](#jit-just-in-time-access-for-vms-is-now-available-for-aws-ec2-instances-preview)

+- [Add and remove the Defender profile for AKS clusters using the CLI](#add-and-remove-the-defender-profile-for-aks-clusters-using-the-cli)

+### Multicloud settings of Servers plan are now available in connector level

+There are now connector-level settings for Defender for Servers in multicloud.

+The new connector-level settings provide granularity for pricing and auto-provisioning configuration per connector, independently of the subscription.

+All auto-provisioning components available in the connector-level (Azure Arc, MDE, and vulnerability assessments) are enabled by default, and the new configuration supports both [Plan 1 and Plan 2 pricing tiers](defender-for-servers-introduction.md#defender-for-servers-plans).

+Updates in the UI include a reflection of the selected pricing tier and the required components configured.

+### Changes to vulnerability assessment

+Defender for Containers now displays vulnerabilities that have medium and low severities that aren't patchable.

+As part of this update, vulnerabilities that have medium and low severities are now shown, whether or not patches are available. This update provides maximum visibility, but still allows you to filter out undesired vulnerabilities by using the provided Disable rule.

+Learn more about [vulnerability management](deploy-vulnerability-assessment-tvm.md)

+### JIT (Just-in-time) access for VMs is now available for AWS EC2 instances (Preview)

+When you [connect AWS accounts](quickstart-onboard-aws.md), JIT will automatically evaluate the network configuration of your instance's security groups and recommend which instances need protection for their exposed management ports. This is similar to how JIT works with Azure. When you onboard unprotected EC2 instances, JIT will block public access to the management ports, and only open them with authorized requests for a limited time frame.

+Learn how [JIT protects your AWS EC2 instances](just-in-time-access-overview.md#how-jit-operates-with-network-resources-in-azure-and-aws)

+### Add and remove the Defender profile for AKS clusters using the CLI

+The Defender profile (preview) is required for Defender for Containers to provide the runtime protections and collects signals from nodes. You can now use the Azure CLI to [add and remove the Defender profile](defender-for-containers-enable.md?tabs=k8s-deploy-cli%2Ck8s-deploy-asc%2Ck8s-verify-asc%2Ck8s-remove-arc%2Ck8s-remove-cli&pivots=defender-for-container-aks#use-azure-cli-to-deploy-the-defender-extension) for an AKS cluster.

+> [!NOTE]

+> This option is included in [Azure CLI 3.7 and above](/cli/azure/update-azure-cli).

+## April 2022

+Updates in April include:

+- [New Defender for Servers plans](#new-defender-for-servers-plans)

+- [Relocation of custom recommendations](#relocation-of-custom-recommendations)

+- [PowerShell script to stream alerts to Splunk and QRadar](#powershell-script-to-stream-alerts-to-splunk-and-ibm-qradar)

+- [Deprecated the Azure Cache for Redis recommendation](#deprecated-the-azure-cache-for-redis-recommendation)

+- [New alert variant for Microsoft Defender for Storage (preview) to detect exposure of sensitive data](#new-alert-variant-for-microsoft-defender-for-storage-preview-to-detect-exposure-of-sensitive-data)

+- [Container scan alert title augmented with IP address reputation](#container-scan-alert-title-augmented-with-ip-address-reputation)

+- [See the activity logs that relate to a security alert](#see-the-activity-logs-that-relate-to-a-security-alert)

+### New Defender for Servers plans

+Microsoft Defender for Servers is now offered in two incremental plans:

+- Defender for Servers Plan 2, formerly Defender for Servers

+- Defender for Servers Plan 1, provides support for Microsoft Defender for Endpoint only

+While Defender for Servers Plan 2 continues to provide protections from threats and vulnerabilities to your cloud and on-premises workloads, Defender for Servers Plan 1 provides endpoint protection only, powered by the natively integrated Defender for Endpoint. Read more about the [Defender for Servers plans](defender-for-servers-introduction.md#defender-for-servers-plans).

+If you have been using Defender for Servers until now no action is required.

+In addition, Defender for Cloud also begins gradual support for the [Defender for Endpoint unified agent for Windows Server 2012 R2 and 2016](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/defending-windows-server-2012-r2-and-2016/ba-p/2783292). Defender for Servers Plan 1 deploys the new unified agent to Windows Server 2012 R2 and 2016 workloads.

+### Relocation of custom recommendations

+Custom recommendations are those created by users and have no effect on the secure score. The custom recommendations can now be found under the All recommendations tab.

+Use the new "recommendation type" filter, to locate custom recommendations.

+Learn more in [Create custom security initiatives and policies](custom-security-policies.md).

+### PowerShell script to stream alerts to Splunk and IBM QRadar

+We recommend that you use Event Hubs and a built-in connector to export security alerts to Splunk and IBM QRadar. Now you can use a PowerShell script to set up the Azure resources needed to export security alerts for your subscription or tenant.

+Just download and run the PowerShell script. After you provide a few details of your environment, the script configures the resources for you. The script then produces output that you use in the SIEM platform to complete the integration.

+To learn more, see [Stream alerts to Splunk and QRadar](export-to-siem.md#stream-alerts-to-qradar-and-splunk).

+### Deprecated the Azure Cache for Redis recommendation

+The recommendation `Azure Cache for Redis should reside within a virtual network` (Preview) has been deprecated. WeΓÇÖve changed our guidance for securing Azure Cache for Redis instances. We recommend the use of a private endpoint to restrict access to your Azure Cache for Redis instance, instead of a virtual network.

+### New alert variant for Microsoft Defender for Storage (preview) to detect exposure of sensitive data

+Microsoft Defender for Storage's alerts notifies you when threat actors attempt to scan and expose, successfully or not, misconfigured, publicly open storage containers to try to exfiltrate sensitive information.

+To allow for faster triaging and response time, when exfiltration of potentially sensitive data may have occurred, we've released a new variation to the existing `Publicly accessible storage containers have been exposed` alert.

+The new alert, `Publicly accessible storage containers with potentially sensitive data have been exposed`, is triggered with a `High` severity level, after there has been a successful discovery of a publicly open storage container(s) with names that statistically have been found to rarely be exposed publicly, suggesting they might hold sensitive information.

+| Alert (alert type) | Description | MITRE tactic | Severity |

+|--|--|--|--|

+|**PREVIEW - Publicly accessible storage containers with potentially sensitive data have been exposed** <br>(Storage.Blob_OpenContainersScanning.SuccessfulDiscovery.Sensitive)| Someone has scanned your Azure Storage account and exposed container(s) that allow public access. One or more of the exposed containers have names that indicate that they may contain sensitive data. <br> <br> This usually indicates reconnaissance by a threat actor that is scanning for misconfigured publicly accessible storage containers that may contain sensitive data. <br> <br> After a threat actor successfully discovers a container, they may continue by exfiltrating the data. <br> Γ£ö Azure Blob Storage <br> Γ£û Azure Files <br> Γ£û Azure Data Lake Storage Gen2 | Collection | High |

+### Container scan alert title augmented with IP address reputation

+An IP address's reputation can indicate whether the scanning activity originates from a known threat actor, or from an actor that is using the Tor network to hide their identity. Both of these indicators, suggest that there's malicious intent. The IP address's reputation is provided by [Microsoft Threat Intelligence](https://go.microsoft.com/fwlink/?linkid=2128684).

+The addition of the IP address's reputation to the alert title provides a way to quickly evaluate the intent of the actor, and thus the severity of the threat.

+The following alerts will include this information:

+- `Publicly accessible storage containers have been exposed`

+- `Publicly accessible storage containers with potentially sensitive data have been exposed`

+- `Publicly accessible storage containers have been scanned. No publicly accessible data was discovered`

+For example, the added information to the title of the `Publicly accessible storage containers have been exposed` alert will look like this:

+- `Publicly accessible storage containers have been exposed`**`by a suspicious IP address`**

+- `Publicly accessible storage containers have been exposed`**`by a Tor exit node`**

+All of the alerts for Microsoft Defender for Storage will continue to include threat intelligence information in the IP entity under the alert's Related Entities section.

+### See the activity logs that relate to a security alert

+As part of the actions you can take to [evaluate a security alert](managing-and-responding-alerts.md#respond-to-security-alerts), you can find the related platform logs in **Inspect resource context** to gain context about the affected resource.

+Microsoft Defender for Cloud identifies platform logs that are within one day of the alert.

+The platform logs can help you evaluate the security threat and identify steps that you can take to mitigate the identified risk.

+| [Template Analyze](https://github.com/Azure/template-analyzer) | ARM template, Bicep file | [MIT License](https://github.com/microsoft/binskim/blob/main/LICENSE) |

+Learn more about the [Defender Cloud Security Posture Management (CSPM) plan](concept-cloud-security-posture-management.md).

+ |Blocked accounts with read and write permissions on Azure resources should be removed| 1ff0b4c9-ed56-4de6-be9c-d7ab39645926 |

+## Limits and performance

+When working with 3D Scenes Studio, it's recommended to stay within the following limits. If you exceed these recommended limits, you may experience degraded performance or unintended application behavior.

+| Number of linked twins (including all unique primary twins and secondary twins on elements) | No limit, but consider performance implications as number of twins increases. For more detail, see [Refresh rate and performance](#refresh-rate-and-performance) below. |

+These limits are recommended because 3D Scenes Studio leverages the standard [Azure Digital Twins APIs](concepts-apis-sdks.md), and therefore is subject to the published [API rate limits](reference-service-limits.md#rate-limits). As the number of digital twins linked to the scenes increases, so does the amount of data that is pulled into your scene on a regular data refresh (see the [next part of this section](#refresh-rate-and-performance) for more detail about refresh rates). This means that you will see these additional API calls reflected in billing meters and operation throughput.

+### Refresh rate and performance

+The default refresh rate of the 3D scene viewer starts at 10 seconds for fewer than 100 twins. It increases as the number of twins increases, at a rate of about one second for every 10 twins.

+The **minimum refresh rate** can also be configured manually, to exercise some control over how often data is pulled and the resulting impact on performance. You can configure the minimum refresh rate for the viewer to be anywhere between 10 seconds and one hour. The viewer will never drop below the minimum refresh rate that you set. The viewer may, however, raise the **actual** refresh rate as the number of twins increases, in an effort to improve performance.

+For instructions on how to configure the minimum refresh rate for the viewer, see [Configure minimum refresh rate](how-to-use-3d-scenes-studio.md#configure-minimum-refresh-rate).

+## Configure minimum refresh rate

+You can manually configure the **minimum refresh rate** for the 3D scene viewer, to exercise some control over how often data is pulled and the resulting impact on performance. You can configure the minimum refresh rate to be anywhere between 10 seconds and one hour.

+In the builder for a scene, select the **Scene configuration** button.

+Use the dropdown list to select a refresh rate option.

+While looking at the scene in the viewer, you can hover over the **Refresh** button to see the refresh rate setting and the time of the last refresh. You can also select it to refresh the scene manually.

+[Azure Event Grid](overview.md) is an eventing service for the cloud. Azure Functions is one of the [supported event handlers](event-handlers.md). In this article, you use the Azure portal to create a custom topic, subscribe to the custom topic, and trigger the event to view the result. You send the events to an Azure Function.

+## Create Azure function app

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. On the left navigational menu, select **All services**.

+1. Select **Compute** in the list of **Categories**.

+1. Hover (not select) the mouse over **Function App**, and select **Create**.

+ :::image type="content" source="./media/custom-event-to-function/create-function-app-link.png" lightbox="./media/custom-event-to-function/create-function-app-link.png" alt-text="Screenshot showing the select of Create link for a Function App.":::

+1. On the **Basics** page of the **Create Function App** wizard, follow these steps:

+ 1. Select your **Azure subscription** in which you want to create the function app.

+ 1. Create a new **resource group** or select an existing resource group.

+ 1. Specify a **name** for the function app.

+ 1. Select **.NET** for **Runtime stack**.

+ 1. Select the **region** closest to you.

+ 1. Select **Next: Hosting** at the bottom of the page.

+

+ :::image type="content" source="./media/custom-event-to-function/create-function-app-page.png" alt-text="Screenshot showing the Basics tab of the Create Function App page.":::

+1. On the **Hosting** page, create a new storage account or select an existing storage account to be associated with the function app, and then select **Review + create** at the bottom of the page.

+

+ :::image type="content" source="./media/custom-event-to-function/create-function-app-hosting-page.png" alt-text="Screenshot showing the Hosting tab of the Create Function App page.":::

+1. On the **Review + create** page, review settings, and select **Create** at the bottom of the page to create the function app.

+1. Once the deployment is successful, select **Go to resource** to navigate to the home page for the function app.

+## Create a function

+1. Select **+ Create** on the toolbar to create a function.

+ :::image type="content" source="./media/custom-event-to-function/create-function-link.png" alt-text="Screenshot showing the selection of Create function link.":::

+

+ 1. Select **Azure Event Grid Trigger** in the **Select a template** section. Use the scroll bar right to the list to scroll down if needed.

+ 1. In the **Template details** section in the bottom pane, enter a name for the function. In this example, it's **HandleEventsFunc**.

+4. On the **Function** page for the **HandleEventsFunc**, select **Code + Test** on the left navigational menu.

+5. Replace the code with the following code.

+ ```csharp

+ #r "Azure.Messaging.EventGrid"

+ #r "System.Memory.Data"

+

+ using Azure.Messaging.EventGrid;

+ using System;

+

+ public static void Run(EventGridEvent eventGridEvent, ILogger log)

+ {

+ log.LogInformation(eventGridEvent.Data.ToString());

+ }

+ ```

+ :::image type="content" source="./media/custom-event-to-function/function-updated-code.png" alt-text="Screenshot showing the Code + Test view of an Azure function with the updated code.":::

+6. Select **Monitor** on the left menu, and then select **Logs**.

+ :::image type="content" source="./media/custom-event-to-function/monitor-page.png" alt-text="Screenshot showing the Monitor view the Azure function.":::

+7. Keep this window or tab of the browser open so that you can see the received event information.

+An Event Grid topic provides a user-defined endpoint that you post your events to.

+1. On a new tab of the web browser window, sign in to [Azure portal](https://portal.azure.com/).

+2. In the search bar at the topic, search for **Event Grid Topics**, and select **Event Grid Topics**.

+ :::image type="content" source="./media/custom-event-to-function/select-event-grid-topics.png" alt-text="Image showing the selection of Event Grid topics.":::

+3. On the **Event Grid Topics** page, select **+ Create** on the command bar.

+ :::image type="content" source="./media/custom-event-to-function/add-event-grid-topic-button.png" alt-text="Screenshot showing the Create button to create an Event Grid topic.":::

+ 4. Select a **location** for the Event Grid topic.

+5. After the custom topic has been created, select **Go to resource** link to see the following Event Grid topic page for the topic you created.

+ :::image type="content" source="./media/custom-event-to-function/event-grid-topic-home-page.png" lightbox="./media/custom-event-to-function/event-grid-topic-home-page.png" alt-text="Image showing the home page for your Event Grid custom topic.":::

+You subscribe to an Event Grid topic to tell Event Grid which events you want to track, and where to send the events.

+1. Set the `topicname` and `resourcegroupname` variables that will be used in the commands.

+ Replace `TOPICNAME` with the name of your Event Grid topic.

+ ```azurecli

+ topicname="TOPICNAME"

+ ```

+ Replace `RESOURCEGROUPNAME` with the name of the Azure resource group that contains the Event Grid topic.

+ ```azurecli

+ resourcegroupname="RESOURCEGROUPNAME"

+ ```

+ endpoint=$(az eventgrid topic show --name $topicname -g $resourcegroupname --query "endpoint" --output tsv)

+ key=$(az eventgrid topic key list --name $topicname -g $resourcegroupname --query "key1" --output tsv)

+ ```

+ ```powershell

+> Additional features can be added to the cluster deployment such as [**Private Cluster**](../aks/private-clusters.md) or changing the [**OS SKU**](../aks/cluster-configuration.md#mariner-os).

+ * **Override always**: Azure Front Door will always override with the cache duration, meaning that it will cache the contents for the cache duration ignoring the values from origin response directives. This behavior will only be applied if the response is cacheable.

+ Title: Use managed identities with Azure Front Door Standard/Premium (Preview)

+description: This article will show you how to set up managed identities to use with your Azure Front Door Standard or Premium profile.

+# Use managed identities with Azure Front Door Standard/Premium (Preview)

+Azure Front Door also supports using managed identities to access Key Vault certificate. A managed identity generated by Azure Active Directory (Azure AD) allows your Azure Front Door instance to easily and securely access other Azure AD-protected resources, such as Azure Key Vault. Azure manages this identity, so you don't have to create or rotate any secrets. For more information about managed identities, seeΓÇ»[What are managed identities for Azure resources?](../active-directory/managed-identities-azure-resources/overview.md).

+> [!NOTE]

+> Once you enable managed identities in Azure Front Door and grant proper permissions to access Key Vault, Azure Front Door will always use managed identities to access Key Vault for customer certificate.

+>

+> You can grant two types of identities to an Azure Front Door profile:

+> * A **system-assigned** identity is tied to your service and is deleted if your service is deleted. The service can have only **one** system-assigned identity.

+> * A **user-assigned** identity is a standalone Azure resource that can be assigned to your service. The service can have **multiple** user-assigned identities.

+>

+> Managed identities are specific to the Azure AD tenant where your Azure subscription is hosted. They don't get updated if a subscription gets moved to a different directory. If a subscription gets moved, you'll need to recreate and configure the identities.

+## Prerequisites

+Before you can set up managed identities for Front Door, you must have a Front Door Standard or Premium profile. To create an Azure Front Door profile, see [create an Azure Front Door](create-front-door-portal.md).

+## Enable managed identity

+1. Go to an existing Azure Front Door Standard or Premium profile. Select **Identity (preview)** under *Settings*.

+ :::image type="content" source="./media/managed-identity/overview.png" alt-text="Screenshot of the identity button under settings for a Front Door profile.":::

+1. Select either **System assigned** or **User assigned**.

+ * **System assigned** - a managed identity is created for the Azure Front Door profile lifecycle and is used to access a Key Vault.

+

+ * **User assigned** - a standalone managed identity resource used to authenticate to a Key Vault and has its own lifecycle.

+### System assigned

+1. Toggle the *Status* to **On** and then select **Save**.

+ :::image type="content" source="./media/managed-identity/system-assigned.png" alt-text="Screenshot of the system assigned managed identity configuration page.":::

+1. You'll be prompted with a message to confirm you would like to create a system managed identity for the Front Door profile. Select **Yes** to confirm.

+ :::image type="content" source="./media/managed-identity/system-assigned-confirm.png" alt-text="Screenshot of the system assigned managed identity confirmation message.":::

+1. Once the system assigned managed identity has been created and registered with Azure AD, you can use the **Object (principal) ID** to allow Azure Front Door access to your Key Vault.

+ :::image type="content" source="./media/managed-identity/system-assigned-created.png" alt-text="Screenshot of the system assigned managed identity registered with Azure Active Directory.":::

+### User assigned

+1. You must have a user managed identity already created. For more information, see [create a user assigned managed identity](../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md).

+1. Select the **User assigned** tab and then select **+ Add**.

+ :::image type="content" source="./media/managed-identity/user-assigned.png" alt-text="Screenshot of the user assigned managed identity configuration page.":::

+1. Search and select the user assigned manage identity. Then select **Add** to add the user managed identity to the Azure Front Door profile.

+ :::image type="content" source="./media/managed-identity/add-user-managed-identity.png" alt-text="Screenshot of the add user assigned managed identity page.":::

+1. You'll now see the name of the user assigned managed identity you've selected show in the Azure Front Door profile.

+ :::image type="content" source="./media/managed-identity/user-assigned-configured.png" alt-text="Screenshot of the add user assigned managed identity added to Front Door profile.":::

+## Configure Key Vault access policy

+1. Navigate to your Azure Key Vault.

+ :::image type="content" source="./media/managed-identity/key-vault-list.png" alt-text="Screenshot of the Key Vault resource list.":::

+1. Select **Access policies** from under *Settings* and then select **+ Create**.

+ :::image type="content" source="./media/managed-identity/access-policies.png" alt-text="Screenshot of the access policies page for a Key Vault.":::

+1. On the **Permissions** tab of the *Create an access policy* page, select **List** and **Get** under *Secret permissions*. Then select **Next** to configure the next tab.

+ :::image type="content" source="./media/managed-identity/permissions.png" alt-text="Screenshot of the permissions tab for the Key Vault access policy.":::

+1. On the *Principal* tab, paste the **object (principal) ID** if you're using a system managed identity or enter a **name** if you're using a user assigned manged identity. Then select **Next** to configure the next tab.

+ :::image type="content" source="./media/managed-identity/system-principal.png" alt-text="Screenshot of the principal tab for the Key Vault access policy.":::

+1. On the *Application* tab, the application has already been selected for you. Select **Next** to go to the *Review + create* tab.

+ :::image type="content" source="./media/managed-identity/application.png" alt-text="Screenshot of the application tab for the Key Vault access policy.":::

+1. Review the access policy settings and then select **Create** to set up the access policy.

+ :::image type="content" source="./media/managed-identity/create.png" alt-text="Screenshot of the review and create tab for the Key Vault access policy.":::

+## Verify access

+1. Go to the Azure Front Door profile you enabled managed identity and select **Secret** from under *Settings*.

+ :::image type="content" source="./media/managed-identity/secrets.png" alt-text="Screenshot of accessing secrets from under settings of a Front Door profile.":::

+1. Confirm **Managed identity** appears under the *Access role* column for the certificate used in Front Door.

+ :::image type="content" source="./media/managed-identity/confirm-set-up.png" alt-text="Screenshot of Azure Front Door using managed identity to access certificate in Key Vault.":::

+## Next steps

+* Learn how to [configure HTTPS on an Azure Front Door custom domain](standard-premium/how-to-configure-https-custom-domain.md).

+* Learn more about [End-to-end TLS encryption](end-to-end-tls.md).

+- **Modify**: adds, updates, or removes the defined set of fields in the request

+ Title: Secure Spark and Kafka ΓÇô Spark streaming integration scenario - Azure HDInsight

+description: Learn how to secure Spark and Kafka streaming integration.

+# Secure Spark and Kafka ΓÇô Spark streaming integration scenario

+In this document, you'll learn how to execute a Spark job in a secure Spark cluster that reads from a topic in secure Kafka cluster, provided the virtual networks are same/peered.

+**Pre-requisites**

+* Create a secure Kafka cluster and secure spark cluster with the same Microsoft Azure Active Directory Domain Services (Azure AD DS) domain and same vnet. If you prefer not to create both clusters in the same vnet, you can create them in two separate vnets and pair the vnets also. If you prefer not to create both clusters in the same vnet.

+* If your clusters are in different vnets, see here [Connect virtual networks with virtual network peering using the Azure portal](/azure/virtual-network/tutorial-connect-virtual-networks-portal)

+* Create key tabs for two users. For example, `alicetest` and `bobadmin`.

+## What is a keytab?

+A keytab is a file containing pairs of Kerberos principles and encrypted keys (which are derived from the Kerberos password). You can use a keytab file to authenticate to various remote systems using Kerberos without entering a password.

+For more information about this topic, see

+1. [KTUTIL](https://web.mit.edu/kerberos/krb5-1.12/doc/admin/admin_commands/ktutil.html)

+1. [Creating a Kerberos principal and keytab file](https://www.ibm.com/docs/en/pasc/1.1?topic=file-creating-kerberos-principal-keytab)

+```

+ktutil

+ktutil: addent -password -p user1@TEST.COM -k 1 -e RC4-HMAC

+Password for user1@TEST.COM:

+ktutil: wkt user1.keytab

+ktutil: q

+```

+

+3. Create a spark streaming java application that reads from Kafka topics. This document uses a DirectKafkaWorkCount example that was based off spark streaming examples from https://github.com/apache/spark/blob/branch-2.3/examples/src/main/java/org/apache/spark/examples/streaming/JavaDirectKafkaWordCount.java

+### High level walkthrough of the Scenarios

+Set up on Kafka cluster:

+1. Create topics `alicetopic2`, `bobtopic2`

+1. Produce data to topics `alicetopic2`, `bobtopic2`

+1. Set up Ranger policy to allow `alicetest` user to read from `alicetopic*`

+1. Set up Ranger policy to allow `bobadmin` user to read from `*`

+### Scenarios to be executed on Spark cluster

+1. Consume data from `alicetopic2` as `alicetest` user. The spark job would run successfully and the count of the words in the topic should be output in the YARN UI. The Ranger audit records in kafka cluster would show that access is allowed.

+1. Consume data from `bobtopic2` as `alicetest` user. The spark job would fail with `org.apache.kafka.common.errors.TopicAuthorizationException: Not authorized to access topics: [bobtopic2]`. The Ranger audit records in kafka cluster would show that the access is denied.

+1. Consume data from `alicetopic2` as `bobadmin` user. The spark job would run successfully and the count of the words in the topic should be output in the YARN UI. The Ranger audit records in kafka cluster would show that access is allowed.

+1. Consume data from `bobtopic2` as `bobadmin` user. The spark job would run successfully and the count of the words in the topic should be output in the YARN UI. The Ranger audit records in kafka cluster would show that access is allowed.

+### Steps to be performed on Kafka cluster

+In the Kafka cluster, set up Ranger policies and produce data from Kafka cluster that are explained in this section

+1. Go to Ranger UI on kafka cluster and set up two Ranger policies

+1. Add a Ranger policy for `alicetest` with consume access to topics with wildcard pattern `alicetopic*`

+

+1. Add a Ranger policy for `bobadmin` with all accesses to all topics with wildcard pattern `*`

+

+1. Execute the commands below based on your parameter values

+ ```

+ sshuser@hn0-umasec:~$ sudo apt -y install jq

+ sshuser@hn0-umasec:~$ export clusterName='YOUR_CLUSTER_NAME'

+ sshuser@hn0-umasec:~$ export TOPICNAME='YOUR_TOPIC_NAME'

+ sshuser@hn0-umasec:~$ export password='YOUR_SSH_PASSWORD'

+ sshuser@hn0-umasec:~$ export KAFKABROKERS=$(curl -sS -u admin:$password -G https://$clusterName.azurehdinsight.net/api/v1/clusters/$clusterName/services/KAFKA/components/KAFKA_BROKER | jq -r '["\(.host_components[].HostRoles.host_name):9092"] | join(",")' | cut -d',' -f1,2);

+ sshuser@hn0-umasec:~$ export KAFKAZKHOSTS=$(curl -sS -u admin:$password -G https://$clusterName.azurehdinsight.net/api/v1/clusters/$clusterName/services/ZOOKEEPER/components/ZOOKEEPER_SERVER | jq -r '["\(.host_components[].HostRoles.host_name):2181"] | join(",")' | cut -d',' -f1,2);

+ sshuser@hn0-umasec:~$ echo $KAFKABROKERS

+ wn0-umasec.securehadooprc.onmicrosoft.com:9092,

+ wn1-umasec.securehadooprc.onmicrosoft.com:9092

+ ```

+1. Create a keytab for user `bobadmin` using `ktutil` tool.

+1. Let's call this file `bobadmin.keytab`

+ ```

+ sshuser@hn0-umasec:~$ ktutil

+ ktutil: addent -password -p bobadmin@SECUREHADOOPRC.ONMICROSOFT.COM -k 1 -e RC4-HMAC

+ Password for <username>@<DOMAIN.COM>

+ ktutil: wkt bobadmin.keytab

+ ktutil: q

+ Kinit the created keytab

+ sudo kinit bobadmin@SECUREHADOOPRC.ONMICROSOFT.COM -t bobadmin.keytab

+ ```

+1. Create a `bobadmin_jaas.config`

+ ```

+ KafkaClient {

+ com.sun.security.auth.module.Krb5LoginModule required

+ useKeyTab=true

+ storeKey=true

+ keyTab="./bobadmin.keytab"

+ useTicketCache=false

+ serviceName="kafka"

+ principal="bobadmin@SECUREHADOOPRC.ONMICROSOFT.COM";

+ };

+ ```

+1. Create topics `alicetopic2` and `bobtopic2` as `bobadmin`

+ ```

+ sshuser@hn0-umasec:~$ java -jar -Djava.security.auth.login.config=bobadmin_jaas.conf kafka-producer-consumer.jar create alicetopic2 $KAFKABROKERS

+ sshuser@hn0-umasec:~$ java -jar -Djava.security.auth.login.config=bobadmin_jaas.conf kafka-producer-consumer.jar create bobtopic2 $KAFKABROKERS

+ ```

+1. Produce data to `alicetopic2` as `bobadmin`

+ ```

+ sshuser@hn0-umasec:~$ java -jar -Djava.security.auth.login.config=bobadmin_jaas.conf kafka-producer-consumer.jar producer alicetopic2 $KAFKABROKERS

+ ```

+1. Produce data to `bobtopic2` as `bobadmin`

+ ```

+ sshuser@hn0-umasec:~$ java -jar -Djava.security.auth.login.config=bobadmin_jaas.conf kafka-producer-consumer.jar producer bobadmin2 $KAFKABROKERS

+ ```

+### Set up steps to be performed on Spark cluster

+In the Spark cluster, add entries in `/etc/hosts` in spark worker nodes, for Kafka worker nodes, create keytabs, jaas_config files, and perform a spark-submit to submit a spark job to read from the kafka topic:

+

+1. ssh into spark cluster with sshuser credentials

+1. Make entries for the kafka worker nodes in `/etc/hosts` of the spark cluster.

+ > [!Note]

+ > Make the entry of these kafka worker nodes in every spark node (head node + worker node). You can get these details from kafka cluster in /etc/hosts of head node of Kafka.

+

+ ```

+ 10.3.16.118 wn0-umasec.securehadooprc.onmicrosoft.com wn0-umasec wn0-umasec.securehadooprc.onmicrosoft.com. wn0-umasec.cu1cgjaim53urggr4psrgczloa.cx.internal.cloudapp.net

+

+ 10.3.16.145 wn1-umasec.securehadooprc.onmicrosoft.com wn1-umasec wn1-umasec.securehadooprc.onmicrosoft.com. wn1-umasec.cu1cgjaim53urggr4psrgczloa.cx.internal.cloudapp.net

+

+ 10.3.16.176 wn2-umasec.securehadooprc.onmicrosoft.com wn2-umasec wn2-umasec.securehadooprc.onmicrosoft.com. wn2-umasec.cu1cgjaim53urggr4psrgczloa.cx.internal.cloudapp.net

+ ```

+1. Create a keytab for user `bobadmin` using ktutil tool. Let's call this file `bobadmin.keytab`

+

+1. Create a keytab for user `alicetest` using ktutil tool. Let's call this file `alicetest.keytab`

+

+1. Create a `bobadmin_jaas.conf` as shown in below sample

+ ```

+ KafkaClient {

+ com.sun.security.auth.module.Krb5LoginModule required

+ useKeyTab=true

+ storeKey=true

+ keyTab="./bobadmin.keytab"

+ useTicketCache=false

+ serviceName="kafka"

+ principal="bobadmin@SECUREHADOOPRC.ONMICROSOFT.COM";

+ };

+ ```

+1. Create an `alicetest_jaas.conf` as shown in below sample

+ ```

+ KafkaClient {

+ com.sun.security.auth.module.Krb5LoginModule required

+ useKeyTab=true

+ storeKey=true

+ keyTab="./alicetest.keytab"

+ useTicketCache=false

+ serviceName="kafka"

+ principal="alicetest@SECUREHADOOPRC.ONMICROSOFT.COM";

+ };

+ ```

+1. Get the spark-streaming jar ready.

+1. Build your own jar that reads from a Kafka topic by following the example and instructions [here](https://github.com/apache/spark/blob/branch-2.3/examples/src/main/scala/org/apache/spark/examples/streaming/DirectKafkaWordCount.scala) for `DirectKafkaWorkCount`

+> [!Note]

+> For convenience, this sample jar used in this example was built from https://github.com/markgrover/spark-secure-kafka-app by following these steps.

+```

+sudo apt install maven

+git clone https://github.com/markgrover/spark-secure-kafka-app.git

+cd spark-secure-kafka-app

+mvn clean package

+cd target

+```

+## Scenario 1

+From Spark cluster, read from kafka topic `alicetopic2` as user `alicetest` is allowed

+1. Run a `kdestroy` command to remove the Kerberos tickets in credential cache by issuing following command

+ ```

+ sshuser@hn0-umaspa:~$ kdestroy

+ ```

+1. Run the command `kinit` with `alicetest`

+ ```

+ sshuser@hn0-umaspa:~$ kinit alicetest@SECUREHADOOPRC.ONMICROSOFT.COM -t alicetest.keytab

+ ```

+

+1. Run a `spark-submit` command to read from kafka topic `alicetopic2` as `alicetest`

+

+ ```

+ spark-submit --num-executors 1 --master yarn --deploy-mode cluster --packages <list of packages the jar depends on> --repositories <repository for the dependency packages> --files alicetest_jaas.conf#alicetest_jaas.conf,alicetest.keytab#alicetest.keytab --driver-java-options "-Djava.security.auth.login.config=./alicetest_jaas.conf" --class <classname to execute in jar> --conf "spark.executor.extraJavaOptions=-Djava.security.auth.login.config=./alicetest_jaas.conf" <path to jar> <kafkabrokerlist> <topicname> false

+ ```

+ For example,

+

+ ```

+ sshuser@hn0-umaspa:~$ spark-submit --num-executors 1 --master yarn --deploy-mode cluster --packages org.apache.spark:spark-streaming-kafka-0-10_2.11:2.3.2.3.1.0.4-1 --repositories http://repo.hortonworks.com/content/repositories/releases/ --files alicetest_jaas.conf#alicetest_jaas.conf,alicetest.keytab#alicetest.keytab --driver-java-options "-Djava.security.auth.login.config=./alicetest_jaas.conf" --class com.cloudera.spark.examples.DirectKafkaWordCount --conf "spark.executor.extraJavaOptions=-Djava.security.auth.login.config=./alicetest_jaas.conf" /home/sshuser/spark-secure-kafka-app/target/spark-secure-kafka-app-1.0-SNAPSHOT.jar 10.3.16.118:9092 alicetopic2 false

+ ```

+ If you see the below error, which denotes the DNS (Domain Name Server) issue. Make sure to check Kafka worker nodes entry in `/etc/hosts` file in Spark cluster.

+

+ ```

+ Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))

+ at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:770)

+ at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)

+ at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)

+ at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:192)

+ ```

+1. From YARN UI, access the YARN job output you can see the `alicetest` user is able to read from `alicetopic2`. You can see the word count in the output.

+1. Below are the detailed steps on how to check the application output from YARN UI.

+ 1. Go to YARN UI and open your application. Wait for the job to go to RUNNING state. You'll see the application details as below.

+

+ 1. Click on Logs. You'll see the list of logs as shown below.

+

+ 1. Click on 'stdout'. You'll see the output with the count of words from your Kafka topic.

+

+ 1. On the Kafka clusterΓÇÖs Ranger UI, audit logs for the same will be shown.

+

+## Scenario 2

+From Spark cluster, read Kafka topic `bobtopic2` as user `alicetest` is denied

+1. Run `kdestroy` command to remove the Kerberos tickets in credential cache by issuing following command

+ ```

+ sshuser@hn0-umaspa:~$ kdestroy

+ ```

+1. Run the command `kinit` with `alicetest`

+ ```

+ sshuser@hn0-umaspa:~$ kinit alicetest@SECUREHADOOPRC.ONMICROSOFT.COM -t alicetest.keytab

+ ```

+1. Run spark-submit command to read from kafka topic `bobtopic2` as `alicetest`

+

+ ```

+ spark-submit --num-executors 1 --master yarn --deploy-mode cluster --packages <list of packages the jar depends on> --repositories <repository for the dependency packages> --files alicetest_jaas.conf#alicetest_jaas.conf,alicetest.keytab#alicetest.keytab --driver-java-options "-Djava.security.auth.login.config=./alicetest_jaas.conf" --class <classname to execute in jar> --conf "spark.executor.extraJavaOptions=-Djava.security.auth.login.config=./alicetest_jaas.conf" <path to jar> <kafkabrokerlist> <topicname> false

+ ```

+

+ For example,

+ ```

+ sshuser@hn0-umaspa:~$ spark-submit --num-executors 1 --master yarn --deploy-mode cluster --packages org.apache.spark:spark-streaming-kafka-0-10_2.11:2.3.2.3.1.0.4-1 --repositories http://repo.hortonworks.com/content/repositories/releases/ --files alicetest_jaas.conf#alicetest_jaas.conf,alicetest.keytab#alicestest.keytab --driver-java-options "-Djava.security.auth.login.config=./alicetest_jaas.conf" --class com.cloudera.spark.examples.DirectKafkaWordCount --conf "spark.executor.extraJavaOptions=-Djava.security.auth.login.config=./alicetest_jaas.conf" /home/sshuser/spark-secure-kafka-app/target/spark-secure-kafka-app-1.0-SNAPSHOT.jar 10.3.16.118:9092 bobtopic2 false

+ ```

+

+1. From yarn UI, access the yarn job output you can see that `alicetest` user is unable to read from `bobtopic2` and the job fails.

+

+1. On the Kafka clusterΓÇÖs Ranger UI, audit logs for the same will be shown.

+

+## Scenario 3

+From Spark cluster, read from kafka topic `alicetopic2` as user `bobadmin` is allowed

+1. Run `kdestroy` command to remove the Kerberos tickets in credential cache

+ ```

+ sshuser@hn0-umaspa:~$ kdestroy

+ ```

+1. Run `kinit` command with `bobadmin`

+ ```

+ sshuser@hn0-umaspa:~$ kinit bobadmin@SECUREHADOOPRC.ONMICROSOFT.COM -t bobadmin.keytab

+ ```

+

+1. Run `spark-submit` command to read from kafka topic `alicetopic2` as `bobadmin`

+ ```

+ spark-submit --num-executors 1 --master yarn --deploy-mode cluster --packages <list of packages the jar depends on> --repositories <repository for the dependency packages> --files bobadmin_jaas.conf#bobadmin_jaas.conf,bobadmin.keytab#bobadmin.keytab --driver-java-options "-Djava.security.auth.login.config=./bobadmin_jaas.conf" --class <classname to execute in jar> --conf "spark.executor.extraJavaOptions=-Djava.security.auth.login.config=./bobadmin_jaas.conf" <path to jar> <kafkabrokerlist> <topicname> false

+ ```

+

+ For example,

+ ```

+ spark-submit --num-executors 1 --master yarn --deploy-mode cluster --packages org.apache.spark:spark-streaming-kafka-0-10_2.11:2.3.2.3.1.0.4-1 --repositories http://repo.hortonworks.com/content/repositories/releases/ --files bobadmin_jaas.conf#bobadmin_jaas.conf,bobadmin.keytab#bobadmin.keytab --driver-java-options "-Djava.security.auth.login.config=./bobadmin_jaas.conf" --class com.cloudera.spark.examples.DirectKafkaWordCount --conf "spark.executor.extraJavaOptions=-Djava.security.auth.login.config=./bobadmin_jaas.conf" /home/sshuser/spark-secure-kafka-app/target/spark-secure-kafka-app-1.0-SNAPSHOT.jar wn0-umasec:9092, wn1-umasec:9092 alicetopic2 false

+ ```

+

+1. From YARN UI, access the yarn job output you can see that `bobadmin` user is able to read from `alicetopic2` and the count of words is seen in the output.

+

+1. On the Kafka clusterΓÇÖs Ranger UI, audit logs for the same will be shown.

+## Scenario 4

+From Spark cluster, read from Kafka topic `bobtopic2` as user `bobadmin` is allowed.

+1. Remove the Kerberos tickets in Credential Cache by running following command

+ ```

+ sshuser@hn0-umaspa:~$ kdestroy

+ ```

+1. Run `kinit` with `bobadmin`

+ ```

+ sshuser@hn0-umaspa:~$ kinit bobadmin@SECUREHADOOPRC.ONMICROSOFT.COM -t bobadmin.keytab

+ ```

+1. Run a `spark-submit` command to read from Kafka topic `bobtopic2` as `bobadmin`

+ ```

+ spark-submit --num-executors 1 --master yarn --deploy-mode cluster --packages <list of packages the jar depends on> --repositories <repository for the dependency packages> --files bobadmin_jaas.conf#bobadmin_jaas.conf,bobadmin.keytab#bobadmin.keytab --driver-java-options "-Djava.security.auth.login.config=./bobadmin_jaas.conf" --class <classname to execute in jar> --conf "spark.executor.extraJavaOptions=-Djava.security.auth.login.config=./bobadmin_jaas.conf" <path to jar> <kafkabrokerlist> <topicname> false

+ ```

+ For example,

+ ```

+ spark-submit --num-executors 1 --master yarn --deploy-mode cluster --packages org.apache.spark:spark-streaming-kafka-0-10_2.11:2.3.2.3.1.0.4-1 --repositories http://repo.hortonworks.com/content/repositories/releases/ --files bobadmin_jaas.conf#bobadmin_jaas.conf,bobadmin.keytab#bobadmin.keytab --driver-java-options "-Djava.security.auth.login.config=./bobadmin_jaas.conf" --class com.cloudera.spark.examples.DirectKafkaWordCount --conf "spark.executor.extraJavaOptions=-Djava.security.auth.login.config=./bobadmin_jaas.conf" /home/sshuser/spark-secure-kafka-app/target/spark-secure-kafka-app-1.0-SNAPSHOT.jar wn0-umasec:9092, wn1-umasec:9092 bobtopic2 false

+ ```

+1. From YARN UI, access the YARN job output you can see that `bobtest` user is able to read from `bobtopic2` and the count of words is seen in the output.

+1. On the Kafka clusterΓÇÖs Ranger UI, audit logs for the same will be shown.

+

+

+## Next steps

+* [Set up TLS encryption and authentication for Apache Kafka in Azure HDInsight](apache-kafka-ssl-encryption-authentication.md)

+A farm is a geographical area of interest for which you want to create a soil moisture heatmap. You can create a farm using the Farms API or in the [FarmsBeats Accelerator UI](manage-farms-in-azure-farmbeats.md#create-farms)

+1. Download this script, and extract it to your local drive. Two files are inside the zip file.

+The APIs contain Swagger technical documentation.

+For more information on REST API-based integration details, see [REST API](rest-api-in-azure-farmbeats.md).

+For more information about REST API-based integration details, see [REST API](rest-api-in-azure-farmbeats.md).

+The FarmBeats APIs contain Swagger technical documentation.

+```

+The APIs contain Swagger technical documentation.

+FarmBeats supports adding new sensor measure types and units.

+For more information about the REST API, see [REST API](rest-api-in-azure-farmbeats.md).

+**Corrective action**: This issue can occur if the satellite indices generated for the time for which the map was requested has NDVI values that is less than 0.3. For more information, visit [Technical Guide from Sentinel](https://sentinel.esa.int/web/sentinel/technical-guides/sentinel-2-msi).

+8. The search result will contain the folder which has the logs pertaining to the job. Download the logs and send it to farmbeatssupport@microsoft.com for assistance in debugging the issue.

+The FarmBeats APIs contain Swagger technical documentation.

+trigger jobs of that type to get weather data for their location or their farm of interest.

+#### [Bash](#tab/bash)

+```azurecli

+az iot dps show \

+ --name <azurerm_iothub_dps_name> \

+ --resource-group <resource_group_name>

+```

+**Key points:**

+- The names of the resource group and the DPS instance display in the `terraform apply` output. You can also run [terraform output](https://www.terraform.io/cli/commands/output) to view these output values.

+#### [Azure PowerShell](#tab/azure-powershell)

+```powershell

+Get-AzIoTDeviceProvisioningService `

+ -ResourceGroupName <resource_group_name> `

+ -Name <azurerm_iothub_dps_name>

+```

+**Key points:**

+- The names of the resource group and the DPS instance display in the `terraform apply` output. You can also run [terraform output](https://www.terraform.io/cli/commands/output) to view these output values.

+<!-- 1.3 -->

+ ```toml

+ [agent]

+ name = "edgeAgent"

+ type = "docker"

+

+ [agent.config]

+ image = "mcr.microsoft.com/azureiotedge-agent:1.3"

+

+ [agent.env]

+ # "RuntimeLogLevel" = "debug"

+ # "UpstreamProtocol" = "AmqpWs"

+ "https_proxy" = "<proxy URL>"

+ ```

+ ```toml

+ [agent.config]

+ image = "mcr.microsoft.com/azureiotedge-agent:1.3"

+

+ [agent.env]

+ # "RuntimeLogLevel" = "debug"

+ "UpstreamProtocol" = "AmqpWs"

+ "https_proxy" = "<proxy URL>"

+ ```

+<!-- 1.4 -->

+3. Add the **https_proxy** parameter to the environment variables section, and set your proxy URL as its value.

+ ```toml

+ [agent]

+ name = "edgeAgent"

+ type = "docker"

+

+ [agent.config]

+ image = "mcr.microsoft.com/azureiotedge-agent:1.4"

+

+ [agent.env]

+ # "RuntimeLogLevel" = "debug"

+ # "UpstreamProtocol" = "AmqpWs"

+ "https_proxy" = "<proxy URL>"

+ ```

+4. The IoT Edge runtime uses AMQP by default to talk to IoT Hub. Some proxy servers block AMQP ports. If that's the case, then you also need to configure edgeAgent to use AMQP over WebSocket. Uncomment the `UpstreamProtocol` parameter.

+ ```toml

+ [agent.config]

+ image = "mcr.microsoft.com/azureiotedge-agent:1.4"

+

+ [agent.env]

+ # "RuntimeLogLevel" = "debug"

+ "UpstreamProtocol" = "AmqpWs"

+ "https_proxy" = "<proxy URL>"

+ ```

+

+<!-- >= 1.3 -->

+In order for Device Update to receive change notifications from IoT Hub, Device Update integrates with the built-in Event Hubs. The IoT Hub will be configured automatically as part of the resource creation process with the required message routes, consumer groups, and access policy required to communicate with IoT devices.

+ The IoT hub also creates an event hub consumer group called **adum** that is required by the Device Update management services. This should be added automatically as part of the resource creation process.

+### Configuring access for Azure Device Update service principal in the IoT Hub

+Device Update for IoT Hub communicates with the IoT Hub for deployments and manage updates at scale. In order to enable Device Update to do this, users need to set IoT Hub Data Contributor access for Azure Device Update Service Principal in the IoT Hub permissions.

+Deployment, device and update management and diagnostic actions will not be allowed if these permissions are not set. Operations that will be blocked will include:

+* Create Deployment

+* Cancel Deployment

+* Retry Deployment

+* Get Device

+The permission can be set from IoT Hub Access Control (IAM). Refer to [Configure Access for Azure Device update service principal in linked IoT hub](configure-access-control-device-update.md#configure-access-for-azure-device-update-service-principal-in-linked-iot-hub)

+description: This article describes support for devices connecting to IoT Hub device-facing and service-facing endpoints using the AMQP Protocol. Includes information about built-in AMQP support in the Azure IoT device SDKs.

+In this article, you learned how to configure and monitor IoT devices at scale.

+To learn how to manage IoT Hub device identities in bulk, see [Import and export IoT Hub device identities in bulk](iot-hub-bulk-identity-mgmt.md)

+In this article, you learned how to configure and monitor IoT devices at scale.

+To learn how to manage IoT Hub device identities in bulk, see [Import and export IoT Hub device identities in bulk](iot-hub-bulk-identity-mgmt.md)

+Only 1 active device import or export job is allowed at a time for all IoT Hub tiers. IoT Hub also has limits for rate of jobs operations. To learn more, see [IoT Hub quotas and throttling](iot-hub-devguide-quotas-throttling.md).

+You can read more about custom endpoints in [IoT hub endpoints](iot-hub-devguide-endpoints.md).

+Learn more about the commands available in the Microsoft Azure IoT extension for Azure CLI:

+* [IoT Hub-specific commands (az iot hub)](/cli/azure/iot/hub)

+* [All commands (az iot)](/cli/azure/iot)

+* To learn more about cloud-to-device messages, see [Send cloud-to-device messages from an IoT hub](iot-hub-devguide-messages-c2d.md).

+* To learn more about IoT Hub message formats, see [Create and read IoT Hub messages](iot-hub-devguide-messages-construct.md).

+).

+If you use the routing feature of the Azure IoT Hub service to forward device messages to other services, then data requests must be performed by the tenant admin for each routing endpoint in order to complete a full request for a given device. For more details, see the reference documentation for each endpoint. For more information about supported endpoints, see [IoT Hub endpoints](iot-hub-devguide-endpoints.md).

+# Encryption of Azure Iot Hub data at rest using customer-managed keys (preview)

+IoT Hub supports encryption of data at rest using customer-managed keys (CMK), also known as Bring your own key (BYOK). Azure IoT Hub provides encryption of data at rest and in-transit as it's written in our datacenters; the data is encrypted when read and decrypted when written.

+>[!NOTE]

+>The customer-managed keys feature is currently in [public preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+description: This article describes how to control access to IoT Hub for back-end apps by using Azure AD and Azure RBAC.

+description: This article provides guidance on when to use direct methods, device twin's desired properties, or cloud-to-device messages for cloud-to-device communications.

+description: This article provides guidance on when to use device-to-cloud messages, reported properties, or file upload for cloud-to-device communications.

+description: This article provides guidance on how to develop using Azure IoT SDKs for constrained devices.

+description: This article describes how to use device twins to synchronize state and configuration data between IoT Hub and your devices

+description: This article describes how use direct methods to invoke code on your devices from a service app.

+description: This article provides information about IoT Hub device-facing and service-facing endpoints.

+# IoT Hub endpoints

+description: This article shows how to use the file upload feature of IoT Hub to manage uploading files from a device to an Azure storage blob container.

+description: This article provides a description of the IoT Hub identity registry and how to use it to manage your devices. Includes information about the import and export of device identities in bulk.

+description: This article describes scheduling jobs to run on multiple devices connected to your IoT hub. Jobs can update tags and desired properties and invoke direct methods on multiple devices.

+description: This article describes the format and expected content of IoT Hub messages.

+description: This article describes how to use message routing to send device-to-cloud messages. Includes information about sending both telemetry and non-telemetry data.

+description: This article describes how to use the built-in, Event Hub-compatible endpoint to read device-to-cloud messages.

+description: This article describes using routing queries to route device-to-cloud messages to custom endpoints.

+description: This article describes device-to-cloud and cloud-to-device messaging with IoT Hub. Includes information about message formats and supported communications protocols.

+description: This article describes how to use module twins to synchronize state and configuration data between IoT Hub and your devices

+description: This article provides information about and links to topics that you can use to build device apps and back-end apps without using an Azure IoT SDK.

+description: This article provides information about how metering and pricing works with IoT Hub including worked examples.

+description: This article describes the supported communication protocols for device-to-cloud and cloud-to-device communications and the port numbers that must be open.

+description: This article provides a description of the SQL-like IoT Hub query language used to retrieve information about device/module twins and jobs from your IoT hub.

+description: This article provides a description of the quotas that apply to IoT Hub and the expected throttling behavior.

+# IoT Hub quotas and throttling

+ Title: Concepts overview for Azure IoT Hub | Microsoft Docs

+description: The Azure IoT Hub conceptual documentation includes discussions of endpoints, security, the identity registry, device management, direct methods, device twins, file uploads, jobs, the IoT Hub query language, messaging and many other features. This article helps get you to the right articles to learn about a particular feature.

+# Azure IoT Hub concepts overview

+Azure IoT Hub provides many features, including:

+The following articles can help you get started exploring IoT Hub features in more depth:

+* [Choose a device communication protocol](iot-hub-devguide-protocols.md) describes the communication protocols that IoT Hub supports for device communication and lists the ports that should be open.

+* [IoT Hub endpoints](iot-hub-devguide-endpoints.md) describes the various endpoints that each IoT hub exposes for runtime and management operations. The article also describes how you can create additional endpoints in your IoT hub, and how to use a field gateway to enable connectivity to your IoT Hub endpoints in non-standard scenarios.

+* [IoT Hub query language for device twins, jobs, and message routing](iot-hub-devguide-query-language.md) describes that IoT Hub query language that enables you to retrieve information from your hub about your device twins and jobs.

+* [IoT Hub quotas and throttling](iot-hub-devguide-quotas-throttling.md) summarizes the quotas set in the IoT Hub service and the throttling that occurs when you exceed a quota.

+* [IoT Hub pricing](iot-hub-devguide-pricing.md) provides general information on different SKUs and pricing for IoT Hub and details on how the various IoT Hub functionalities are metered as messages by IoT Hub.

+* [Azure IoT Hub SDKs](iot-hub-devguide-sdks.md) lists the Azure IoT SDKs for developing device and service apps that interact with your IoT hub. The article includes links to online API documentation.

+* [IoT Hub MQTT support](iot-hub-mqtt-support.md) provides detailed information about how IoT Hub supports the MQTT protocol. The article describes the support for the MQTT protocol built in to the Azure IoT SDKs and provides information about using the MQTT protocol directly.

+description: In this article, learn about how to develop on Android Things using Azure IoT Hub SDKs.

+description: In this artcile, learn about how to develop for mobile devices using Azure IoT Hub SDKs.

+To learn more about cloud-to-device messages, see [Send cloud-to-device messages from an IoT hub](iot-hub-devguide-messages-c2d.md).

+* To learn more about cloud-to-device messages, see [Send cloud-to-device messages from an IoT hub](iot-hub-devguide-messages-c2d.md).

+* To learn more about IoT Hub message formats, see [Create and read IoT Hub messages](iot-hub-devguide-messages-construct.md).

+To learn more about cloud-to-device messages, see [Send cloud-to-device messages from an IoT hub](iot-hub-devguide-messages-c2d.md).

+* To learn more about cloud-to-device messages, see [Send cloud-to-device messages from an IoT hub](iot-hub-devguide-messages-c2d.md).

+* To learn more about IoT Hub message formats, see [Create and read IoT Hub messages](iot-hub-devguide-messages-construct.md).

+To learn more about cloud-to-device messages, see [Send cloud-to-device messages from an IoT hub](iot-hub-devguide-messages-c2d.md).

+* To learn more about cloud-to-device messages, see [Send cloud-to-device messages from an IoT hub](iot-hub-devguide-messages-c2d.md).

+* To learn more about IoT Hub message formats, see [Create and read IoT Hub messages](iot-hub-devguide-messages-construct.md).

+To learn more about cloud-to-device messages, see [Send cloud-to-device messages from an IoT hub](iot-hub-devguide-messages-c2d.md).

+* To learn more about cloud-to-device messages, see [Send cloud-to-device messages from an IoT hub](iot-hub-devguide-messages-c2d.md).

+* To learn more about IoT Hub message formats, see [Create and read IoT Hub messages](iot-hub-devguide-messages-construct.md).

+* To learn more about message routing in IoT Hub, see [Use IoT Hub message routing](iot-hub-devguide-messages-d2c.md).

+* To learn more about routing query syntax, see [IoT Hub message routing query syntax](iot-hub-devguide-routing-query-syntax.md).

+description: This article describes how to configure IoT Hub to egress to trusted locations only.

+description: This article describes how to retrieve information about device jobs from your Azure IoT hub using the query language.

+description: This article describes how to retrieve information about device/module twins from your IoT hub using the query language.

+* To follow along with this notebook, access the companion [example notebook](https://github.com/Azure/azureml-examples/blob/main/sdk/python/endpoints/online/managed/managed-identities/online-endpoints-managed-identity-uai.ipynb) within in the `sdk/endpoints/online/managed/managed-identities` directory.

+* To follow along with this notebook, access the companion [example notebook](https://github.com/Azure/azureml-examples/blob/main/sdk/python/endpoints/online/managed/managed-identities/online-endpoints-managed-identity-uai.ipynb) within in the `sdk/endpoints/online/managed/managed-identities` directory.

+- [Torch serve sample](https://github.com/Azure/azureml-examples/blob/main/cli/deploy-custom-container-torchserve-densenet.sh)

+Currently, you can specify only one model per deployment in the YAML. If you've more than one model, when you register the model, copy all the models as files or subdirectories into a folder that you use for registration. In your scoring script, use the environment variable `AZUREML_MODEL_DIR` to get the path to the model root folder. The underlying directory structure is retained. For an example of deploying multiple models to one deployment, see [Deploy multiple models to one deployment](https://github.com/Azure/azureml-examples/blob/main/cli/endpoints/online/custom-container/minimal/multimodel/README.md).

+The method returns [`ManagedOnlineEndpoint` entity](/python/api/azure-ai-ml/azure.ai.ml.entities.managedonlineendpoint). The `provisioning_state` is `Succeeded`.

+The method returns list (iterator) of `ManagedOnlineEndpoint` entities. You can get other information by specifying [parameters](/python/api/azure-ai-ml/azure.ai.ml.entities.managedonlineendpoint#parameters).

+1. We use these details above in the `MLClient` from `azure.ai.ml` to get a handle to the required Azure Machine Learning workspace. Check the [configuration notebook](https://github.com/Azure/azureml-examples/blob/main/sdk/python/jobs/configuration.ipynb) for more details on how to configure credentials and connect to a workspace.

+1. The following scoring code uses the [Triton Inference Server Client](https://github.com/triton-inference-server/client) to submit the image of a peacock to the endpoint. This script is available in the companion notebook to this example - [Deploy a model to online endpoints using Triton](https://github.com/Azure/azureml-examples/blob/main/sdk/python/endpoints/online/triton/single-model/online-endpoints-triton.ipynb).

+ Title: Configure a secure online endpoint with TLS/SSL

+description: Learn about how to use TLS/SSL to configure a secure Kubernetes online endpoint.

+# Configure a secure online endpoint with TLS/SSL

+You use [HTTPS](https://en.wikipedia.org/wiki/HTTPS) to restrict access to online endpoints and help secure the data that clients submit. HTTPS encrypts communications between a client and an online endpoint by using [Transport Layer Security (TLS)](https://en.wikipedia.org/wiki/Transport_Layer_Security). TLS is sometimes still called *Secure Sockets Layer* (SSL), which was the predecessor of TLS.

+> * Specifically, Kubernetes online endpoints support TLS version 1.2 for Azure Kubernetes Service (AKS) and Azure Arc-enabled Kubernetes.

+> * TLS version 1.3 for Azure Machine Learning Kubernetes inference is unsupported.

+> HTTPS also enables the client to verify the authenticity of the server that it's connecting to. This feature protects clients against [man-in-the-middle](https://en.wikipedia.org/wiki/Man-in-the-middle_attack) attacks.

+1. [Get a domain name](#get-a-domain-name).

+1. [Get a digital certificate](#get-a-tlsssl-certificate).

+1. [Configure TLS/SSL in the Azure Machine Learning extension](#configure-tlsssl-in-the-azure-machine-learning-extension).

+1. [Update your DNS with a fully qualified domain name (FQDN) to point to the online endpoint](#update-your-dns-with-an-fqdn).

+> You need to purchase your own certificate to get a domain name or TLS/SSL certificate, and then configure them in the Azure Machine Learning extension. For more detailed information, see the following sections of this article.

+If you don't already own a domain name, purchase one from a *domain name registrar*. The process and price differ among registrars. The registrar provides tools to manage the domain name. You use these tools to map an FQDN (such as `www.contoso.com`) to the IP address that hosts your online endpoint.

+For more information on how to get the IP address of your online endpoints, see the [Update your DNS with an FQDN](#update-your-dns-with-an-fqdn) section of this article.

+There are many ways to get a TLS/SSL certificate (digital certificate). The most common is to purchase one from a *certificate authority*. Regardless of where you get the certificate, you need the following files:

+- A certificate that contains the full certificate chain and is PEM encoded

+- A key that's PEM encoded

+> An SSL key in a PEM file with passphrase protection is not supported.

+For more information on how to configure IP banding with an FQDN, see the [Update your DNS with an FQDN](#update-your-dns-with-an-fqdn) section of this article.

+> If the certificate authority can't provide the certificate and key as PEM-encoded files, you can use a tool like [OpenSSL](https://www.openssl.org/) to change the format.

+> Use *self-signed* certificates only for development. Don't use them in production environments. Self-signed certificates can cause problems in your client applications. For more information, see the documentation for the network libraries that your client application uses.

+## Configure TLS/SSL in the Azure Machine Learning extension

+For a Kubernetes online endpoint that's set to use inference HTTPS for secure connections, you can enable TLS termination with deployment configuration settings when you [deploy the Azure Machine Learning extension](how-to-deploy-managed-online-endpoints.md) in a Kubernetes cluster.

+At deployment time for the Azure Machine Learning extension, the `allowInsecureConnections` configuration setting is `False` by default. To ensure successful extension deployment, you need to specify either the `sslSecret` configuration setting or a combination of `sslKeyPemFile` and `sslCertPemFile` configuration-protected settings. Otherwise, you can set `allowInsecureConnections=True` to support HTTP and disable TLS termination.

+> To support the HTTPS online endpoint, `allowInsecureConnections` must be set to `False`.

+To enable an HTTPS endpoint for real-time inference, you need to provide a PEM-encoded TLS/SSL certificate and key. There are two ways to specify the certificate and key at deployment time for the Azure Machine Learning extension:

+- Specify the `sslSecret` configuration setting.

+- Specify a combination of `sslCertPemFile` and `slKeyPemFile` configuration-protected settings.

+To configure `sslSecret`, you need to save a Kubernetes secret in your Kubernetes cluster in the `azureml` namespace to store *cert.pem* (PEM-encoded TLS/SSL certificate) and *key.pem* (PEM-encoded TLS/SSL key).

+The following code is a sample YAML definition of a TLS/SSL secret:

+For more information on configuring `sslSecret`, see [Reference for configuring a Kubernetes cluster for Azure Machine Learning](reference-kubernetes.md#sample-yaml-definition-of-kubernetes-secret-for-tlsssl).

+After you save the secret in your cluster, you can use the following Azure CLI command to specify `sslSecret` as the name of this Kubernetes secret. (This command will work only if you're using AKS.)

+You can specify the `sslCertPemFile` configuration setting to be the path to the PEM-encoded TLS/SSL certificate file, and the `sslKeyPemFile` configuration setting to be the path to the PEM-encoded TLS/SSL key file.

+The following example demonstrates how to use the Azure CLI to specify PEM files to the Azure Machine Learning extension that uses a TLS/SSL certificate that you purchased. The example assumes that you're using AKS.

+> - A PEM file with passphrase protection is not supported.

+> - Both `sslCertPemFIle` and `sslKeyPemFIle` use configuration-protected parameters. They don't configure `sslSecret` and `sslCertPemFile`/`sslKeyPemFile` at the same time.

+## Update your DNS with an FQDN

+For model deployment on a Kubernetes online endpoint with a custom certificate, you must update your DNS record to point to the IP address of the online endpoint. The Azure Machine Learning inference router service (`azureml-fe`) provides this IP address. For more information about `azureml-fe`, see [Managed Azure Machine Learning inference router](how-to-kubernetes-inference-routing-azureml-fe.md).

+To update the DNS record for your custom domain name:

+1. Get the online endpoint's IP address from the scoring URI, which is usually in the format of `http://104.214.29.152:80/api/v1/service/<service-name>/score`. In this example, the IP address is 104.214.29.152.

+ After you configure your custom domain name, it replaces the IP address in the scoring URI. For Kubernetes clusters that use `LoadBalancer` as the inference router service, `azureml-fe` is exposed externally through a cloud provider's load balancer and TLS/SSL termination. The IP address of the Kubernetes online endpoint is the external IP address of the `azureml-fe` service deployed in the cluster.

+ If you use AKS, you can get the IP address from the [Azure portal](https://portal.azure.com/#home). Go to your AKS resource page, go to **Service and ingresses**, and then find the **azureml-fe** service under the **azuerml** namespace. Then you can find the IP address in the **External IP** column.

+ :::image type="content" source="media/how-to-secure-kubernetes-online-endpoint/get-ip-address-from-aks-ui.png" alt-text="Screenshot of adding a new extension to the Azure Arc-enabled Kubernetes cluster from the Azure portal.":::

+ In addition, you can run the Kubernetes command `kubectl describe svc azureml-fe -n azureml` in your cluster to get the IP address from the `LoadBalancer Ingress` parameter in the output.

+ > For Kubernetes clusters that use either `nodePort` or `clusterIP` as the inference router service, you need to set up your own load-balancing solution and TLS/SSL termination for `azureml-fe`. You also need to get the IP address of the `azureml-fe` service in the cluster scope.

+ > Microsoft is not responsible for updating the DNS for your custom DNS name or certificate. You must update it with your domain name registrar.

+1. After the DNS record update, you can validate DNS resolution by using the `nslookup custom-domain-name` command. If the DNS record is correctly updated, the custom domain name will point to the IP address of the online endpoint.

+ There can be a delay of minutes or hours before clients can resolve the domain name, depending on the registrar and the time to live (TTL) that's configured for the domain name.

+TLS/SSL certificates expire and must be renewed. Typically, this happens every year. Use the information in the following steps to update and renew your certificate for models deployed to Kubernetes (AKS and Azure Arc-enabled Kubernetes):

+1. Use the documentation from the certificate authority to renew the certificate. This process creates new certificate files.

+1. Update your Azure Machine Learning extension and specify the new certificate files by using the `az k8s-extension update` command.

+ If you used a Kubernetes secret to configure TLS/SSL before, you need to first update the Kubernetes secret with the new *cert.pem* and *key.pem* configuration in your Kubernetes cluster. Then run the extension update command to update the certificate:

+

+ If you directly configured the PEM files in the extension deployment command before, you need to run the extension update command and specify the new PEM file's path:

+To disable TLS for a model deployed to Kubernetes:

+1. Update the Azure Machine Learning extension with `allowInsercureconnection` set to `True`.

+1. Remove the `sslCname` configuration setting, along with the `sslSecret` or `sslPem` configuration settings.

+1. Run the following Azure CLI command in your Kubernetes cluster, and then perform an update. This command assumes that you're using AKS.

+ ```azurecli

+ az k8s-extension create --name <extension-name> --extension-type Microsoft.AzureML.Kubernetes --config enableInference=True inferenceRouterServiceType=LoadBalancer allowInsercureconnection=True --cluster-type managedClusters --cluster-name <your-AKS-cluster-name> --resource-group <your-RG-name> --scope cluster

+ ```

+> [!WARNING]

+> By default, the Azure Machine Learning extension deployment expects configuration settings for HTTPS support. We recommend HTTP support only for development or testing purposes. The `allowInsecureConnections=True` configuration setting provides HTTP support.

+- [Secure a Kubernetes inferencing environment](how-to-secure-kubernetes-inferencing-environment.md)

+- [Use your workspace with a custom DNS server](how-to-custom-dns.md)

+To use and access your own data, see [how to read and write data in a job](how-to-read-write-data-v2.md) to make data available during training.

+| China North 3 | :heavy_check_mark: | :heavy_check_mark: | :x: | :x: |

+

+ :::image type="content" source="./media/network-insights-topology/topology-scope-inline.png" alt-text="Screenshot of selecting the scope of the topology." lightbox="./media/network-insights-topology/topology-scope-expanded.png":::

+ :::image type="content" source="./media/network-insights-topology/topology-start-screen-inline.png" alt-text="Screenshot of the generated resource topology." lightbox="./media/network-insights-topology/topology-start-screen-expanded.png":::

+ :::image type="content" source="./media/network-insights-topology/add-resources-inline.png" alt-text="Screenshot of the add resources and regions pane." lightbox="./media/network-insights-topology/add-resources-expanded.png":::

+ :::image type="content" source="./media/network-insights-topology/resource-details-inline.png" alt-text="Screenshot of the details of each resource." lightbox="./media/network-insights-topology/resource-details-expanded.png":::

+

+ :::image type="content" source="./media/network-insights-topology/drill-down-inline.png" alt-text="Screenshot of drilling down a resource." lightbox="./media/network-insights-topology/drill-down-expanded.png":::

+When you drill down to a VM within the topology, the summary pane contains the **Insights + Diagnostics** section from where you can find the next hop.

+ :::image type="content" source="./media/network-insights-topology/resource-summary-inline.png" alt-text="Screenshot of the summary and insights of each resource." lightbox="./media/network-insights-topology/resource-summary-expanded.png":::

+Follow these steps to find the next hop.

+ :::image type="content" source="./media/network-insights-topology/next-hop-inline.png" alt-text="Screenshot of the next hop option in the summary and insights tab." lightbox="./media/network-insights-topology/next-hop-expanded.png":::

+> Try the new [Topology (Preview)](network-insights-topology.md) experience which offers visualization of Azure resources for ease of inventory management and monitoring network at scale. Leverage it to visualize resources and their dependencies across subscriptions, regions and locations. [Click](https://ms.portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/overview) to navigate to the experience.

+Change the `spec.architectures.managementState` value from `Removed` to `Managed`.

+Change the `Spec.Sources.Disabled` value from `true` to `false` for any sources you want enabled.

+1. Register the `Microsoft.Compute` resource provider (if you haven't already):

+1. Register the `Microsoft.Network` resource provider (if you haven't already):

+ ```azurecli-interactive

+ az provider register -n Microsoft.Network --wait

+ ```

+1. Register the `Microsoft.Storage` resource provider (if you haven't already):

+> By default OpenShift uses self-signed certificates for all of the routes created on `*.apps.<random>.<location>.aroapp.io`. If you choose Custom DNS, after connecting to the cluster, you will need to follow the OpenShift documentation to [configure a custom certificate for your ingress controller](https://docs.openshift.com/container-platform/4.8/security/certificates/replacing-default-ingress-certificate.html) and [custom certificate for your API server](https://docs.openshift.com/container-platform/4.8/security/certificates/api-server.html).

+az ad app credential list --id $SP_ID --query "[].endDate" -o tsv

+var contributorRoleDefinitionId = resourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')

+var resourceGroupId = '/subscriptions/${subscription().subscriptionId}/resourceGroups/aro-${domain}-${location}'

+var masterSubnetId=resourceId('Microsoft.Network/virtualNetworks/subnets', clusterVnetName, 'master')

+var workerSubnetId=resourceId('Microsoft.Network/virtualNetworks/subnets', clusterVnetName, 'worker')

+resource clusterVnetName_Microsoft_Authorization_id_name_aadObjectId 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = {

+ name: guid(aadObjectId, clusterVnetName_resource.id, contributorRoleDefinitionId)

+ scope: clusterVnetName_resource

+ roleDefinitionId: contributorRoleDefinitionId

+ principalType: 'ServicePrincipal'

+resource clusterVnetName_Microsoft_Authorization_id_name_rpObjectId 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = {

+ name: guid(rpObjectId, clusterVnetName_resource.id, contributorRoleDefinitionId)

+ scope: clusterVnetName_resource

+ roleDefinitionId: contributorRoleDefinitionId

+ principalType: 'ServicePrincipal'

+ resourceGroupId: resourceGroupId

+ subnetId: masterSubnetId

+ subnetId: workerSubnetId

+az ad sp create-for-rbac --name "sp-$RG_NAME-${RANDOM}" > app-service-principal.json

+> Having issues? Let us know on GitHub by opening an issue in the [Azure Red Hat Openshift (ARO) repo](https://github.com/Azure/OpenShift).

+Red Hat releases minor versions of Red Hat OpenShift Container Platform (OCP) roughly every four months. These releases include new features and improvements. Patch releases are more frequent (typically weekly) and are only intended for critical bug fixes within a minor version. These patch releases may include fixes for security vulnerabilities or major bugs.

+ --address-prefixes 10.0.0.0/23

+ --address-prefixes 10.0.2.0/23

+| Azure Web Apps (Microsoft.Web/sites) / sites | privatelink.azurewebsites.net </br> scm.privatelink.azurewebsites.net | azurewebsites.net </br> scm.azurewebsites.net |

+| Azure File Sync (Microsoft.StorageSync/storageSyncServices) / afs | {region}.privatelink.afs.azure.net | {region}.afs.azure.net |

+| Azure Arc (Microsoft.HybridCompute) / hybridcompute | privatelink.his.arc.azure.com <br/> privatelink.guestconfiguration.azure.com </br> privatelink.kubernetesconfiguration.azure.com | his.arc.azure.com <br/> guestconfiguration.azure.com </br> kubernetesconfiguration.azure.com |

+| Tool Type | Tool | Scenario | Management | Catalog | Scanning | Logs |

+| | | | | | | |

+**Resource Management** | <ul><li><a href="/azure/templates/microsoft.purview/accounts" target="_blank">ARM Templates</a></li><li><a href="https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/purview_account" target="_blank">Terraform</a></li></ul> | Infrastructure as Code | Γ£ô | | | |

+**Command Line** | <ul><li><a href="/cli/azure/service-page/azure%20purview" target="_blank">Azure CLI</a></li></ul> | Interactive | Γ£ô | | | |

+**Command Line** | <ul><li><a href="/powershell/module/az.purview" target="_blank">Azure PowerShell</a></li></ul> | Interactive | Γ£ô | Γ£ô | | |

+**API** | <ul><li><a href="/rest/api/purview/" target="_blank">REST API</a></li></ul> | On-Demand | Γ£ô | Γ£ô | Γ£ô | |

+**Streaming** (Apache Atlas) | <ul><li><a href="/azure/purview/manage-kafka-dotnet" target="_blank">Event Hubs</a></li></ul> | Real-Time | | Γ£ô | | |

+**Monitoring** | <ul><li><a href="/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#destinations" target="_blank">Azure Monitor</a></li></ul> | Monitoring | | | | Γ£ô |

+**SDK** | <ul><li><a href="/dotnet/api/overview/azure/purviewresourceprovider" target="_blank">.NET</a></li><li><a href="/java/api/overview/azure/purview" target="_blank">Java</a></li><li><a href="/javascript/api/overview/azure/purview" target="_blank">JavaScript</a></li><li><a href="/python/api/overview/azure/purview" target="_blank">Python</a></li></ul> | Custom Development | Γ£ô | Γ£ô | Γ£ô | |

+## Streaming (Apache Atlas)

+## Monitoring

+* Applications or processes that need to consume diagnostic events.

+* [.NET](/dotnet/api/overview/azure/purviewresourceprovider)

+* [Java](/java/api/overview/azure/purview)

+* [JavaScript](/javascript/api/overview/azure/purview)

+* [Python](/python/api/overview/azure/purview)

+* [Microsoft Purview REST API](/rest/api/purview)

+ - [Publish and consume events for Microsoft Purview with Atlas Kafka](concept-best-practices-automation.md#streaming-apache-atlas)

+## Set up authentication

+There are two ways to set up authentication for SQL server on-premises:

+- Windows Authentication

+This tutorial includes steps to use SQL authentication. For more information about scanning on-premises SQL Server with Windows authentication, see [Set up SQL server authentication](/register-scan-on-premises-sql-server.md#set-up-sql-server-authentication)

+> [Use Microsoft Purview REST APIs](tutorial-using-rest-apis.md)

+Some Azure services enable the Host Your Own Key (HYOK) key management model. This management mode is useful in scenarios where there is a need to encrypt the data at rest and manage the keys in a proprietary repository outside of Microsoft's control. In this model, the service must use the key from an external site to decrypt the Data Encryption Key (DEK). Performance and availability guarantees are impacted, and configuration is more complex. Additionally, since the service does have access to the DEK during the encryption and decryption operations the overall security guarantees of this model are similar to when the keys are customer-managed in Azure Key Vault. As a result, this model is not appropriate for most organizations unless they have specific key management requirements. Due to these limitations, most Azure services do not support server-side encryption using customer-managed keys in customer-controlled hardware. One of two keys in [Double Key Encryption](/microsoft-365/compliance/double-key-encryption) follows this model.

+When server-side encryption using customer-managed keys in customer-controlled hardware is used, the key encryption keys are maintained on a system configured by the customer. Azure services that support this model provide a means of establishing a secure connection to a customer supplied key store.

+### The "next update" date of the Azure-internal caching service API, used by Microsoft Azure Attestation, seems to be out of date. Is it still in operation and can it be used?

+The "tcbinfo" field contains the TCB information. The THIM service by default provides an older tcbinfo -- updating to the latest tcbinfo from Intel would cause attestation failures for those customers who haven't migrated to the latest Intel SDK, and could results in outages.

+Open Enclave SDK and Microsoft Azure Attestation don't look at nextUpdate date, however, and will pass attestation.

+THIM and Intel provide different baseline levels of the trusted computing base. While Intel can be viewed as having the latest and greatest, this imposes requirements upon the consumer to ensure that all the requirements are satisfied, thus leading to a potential breakage of customers if they haven't updated to the specified requirements. THIM takes a slower approach to updating the TCB baseline to allow customers to make the necessary changes at their own pace. This approach, while does provide an older TCB baseline, ensures that customers will not break if they haven't been able to meet the requirements of the new TCB baseline. This reason is why THIM's TCB baseline is of a different version from Intel's. We're customer-focused and want to empower the customer to meet the requirements imposed by the new TCB baseline on their pace, instead of forcing them to update and causing them a disruption that would require reprioritization of their workstreams.

+### How do I request collateral in a Confidential Virtual Machine (CVM)?

+#### Request body

+#### Sample request

+#### Responses

+#### Definitions

+| <a name="anomaly"></a>**Anomaly** | Anomaly rule templates use machine learning to detect specific types of anomalous behavior. Each rule has its own unique parameters and thresholds, appropriate to the behavior being analyzed. <br><br>While the configurations of out-of-the-box rules can't be changed or fine-tuned, you can duplicate a rule and then change and fine-tune the duplicate. In such cases, run the duplicate in **Flighting** mode and the original concurrently in **Production** mode. Then compare results, and switch the duplicate to **Production** if and when its fine-tuning is to your liking. <br><br>For more information, see [Use customizable anomalies to detect threats in Microsoft Sentinel](soc-ml-anomalies.md) and [Work with anomaly detection analytics rules in Microsoft Sentinel](work-with-anomaly-rules.md). |

+> The rule templates so indicated above are currently in **PREVIEW**, as are some of the **Fusion** detection templates (see [Advanced multistage attack detection in Microsoft Sentinel](fusion.md) to see which ones). See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+Microsoft SentinelΓÇÖs [customizable anomalies feature](soc-ml-anomalies.md) provides [built-in anomaly templates](detect-threats-built-in.md#anomaly) for immediate value out-of-the-box. These anomaly templates were developed to be robust by using thousands of data sources and millions of events, but this feature also enables you to change thresholds and parameters for the anomalies easily within the user interface. Anomaly rules are enabled, or activated, by default, so they will generate anomalies out-of-the-box. You can find and query these anomalies in the **Anomalies** table in the **Logs** section.

+ 1. **Capacity reservation**: Capacity Reservation lets you purchase capacity in the recovery region, and then failover to that capacity. You can either create a new Capacity Reservation Group or use an existing one. For more information, see [how capacity reservation works](../virtual-machines/capacity-reservation-overview.md).

+ 1. **Capacity reservation**: Capacity Reservation lets you purchase capacity in the recovery region, and then failover to that capacity. You can either create a new Capacity Reservation Group or use an existing one. For more information, see [how capacity reservation works](../virtual-machines/capacity-reservation-overview.md).

+ 1. **Capacity reservation**: Capacity Reservation lets you purchase capacity in the recovery region, and then failover to that capacity. You can either create a new Capacity Reservation Group or use an existing one. For more information, see [how capacity reservation works](../virtual-machines/capacity-reservation-overview.md).