-| nonce | Yes | A value included in the request (generated by the application) that is included in the resulting ID token as a claim. The application can then verify this value to mitigate token replay attacks. The value is typically a randomized unique string that can be used to identify the origin of the request. |

-Learn how to enable the Azure Web Application Firewall (WAF) service for an Azure Active Directory B2C (Azure AD B2C) tenant, with a custom domain. WAF protects web applications from common exploits and vulnerabilities.

->[!NOTE]

->This feature is in public preview.

-See, [What is Azure Web Application Firewall?](../web-application-firewall/overview.md)

- * See, [Tutorial: Create an Azure Active Directory B2C tenant](tutorial-create-tenant.md)

-* **Azure Front Door (AFD)** ΓÇô enables custom domains for the Azure AD B2C tenant

- * See, [Azure Front Door and CDN documentation](../frontdoor/index.yml)

- * [Azure Web Application Firewall](https://azure.microsoft.com/services/web-application-firewall/#overview)

-To use custom domains in Azure AD B2C, use the custom domain features in AFD. See, [Enable custom domains for Azure AD B2C](./custom-domain.md?pivots=b2c-user-flow).

- > [!IMPORTANT]

- > After you configure the custom domain, see [Test your custom domain](./custom-domain.md?pivots=b2c-custom-policy#test-your-custom-domain).

-To enable WAF, configure a WAF policy and associate it with the AFD for protection.

-Create a WAF policy with Azure-managed default rule set (DRS). See, [Web Application Firewall DRS rule groups and rules](../web-application-firewall/afds/waf-front-door-drs.md).

-2. Select **Create a resource**.

-3. Search for Azure WAF.

-4. Select **Azure Web Application Firewall (WAF)**.

-5. Select **Create**.

-6. Go to the **Create a WAF policy** page.

-7. Select the **Basics** tab.

-8. For **Policy for**, select **Global WAF (Front Door)**.

-9. For **Front Door SKU**, select between **Basic**, **Standard**, or **Premium** SKU.

-10. For **Subscription**, select your Front Door subscription name.

-11. For **Resource group**, select your Front Door resource group name.

-12. For **Policy name**, enter a unique name for your WAF policy.

-13. For **Policy state**, select **Enabled**.

-14. For **Policy mode**, select **Detection**.

-15. Select **Review + create**.

-16. Go to the **Association** tab of the Create a WAF policy page.

-17. Select **+ Associate a Front Door profile**.

-18. For **Front Door**, select your Front Door name associated with Azure AD B2C custom domain.

-19. For **Domains**, select the Azure AD B2C custom domains to associate the WAF policy to.

-20. Select **Add**.

-21. Select **Review + create**.

-22. Select **Create**.

-When you create WAF policy, the policy is in Detection mode. We recommend you don't disable Detection mode. In this mode, WAF doesn't block requests. Instead, requests that match the WAF rules are logged in the WAF logs.

-Learn more: [Azure Web Application Firewall monitoring and logging](../web-application-firewall/afds/waf-front-door-monitor.md)

-

- 

- 

-Learn more: [Define exclusion rules based on Web Application Firewall logs](../web-application-firewall/afds/waf-front-door-exclusion.md#define-exclusion-based-on-web-application-firewall-logs)

-To see WAF operating, select **Switch to prevention mode**, which changes the mode from Detection to Prevention. Requests that match the rules in the DRS are blocked and logged in the WAF logs.

- 

-To revert to Detection mode, select **Switch to detection mode**.

- 

-* [Azure Web Application Firewall monitoring and logging](../web-application-firewall/afds/waf-front-door-monitor.md)

-* [Web Application Firewall (WAF) with Front Door exclusion lists](../web-application-firewall/afds/waf-front-door-exclusion.md)

-> Use care when configuring a wildcard operation. This configuration may make an API more vulnerable to certain [API security threats](mitigate-owasp-api-threats.md#improper-assets-management).

-1. Select **APIs**.

-1. Select **Demo Conference API** from your API list.

-1. Select the **GetSpeakers** operation.

- * **Inbound** - Shows the original request API Management received from the caller and the policies applied to the request. For example, if you added policies in [Tutorial: Transform and protect your API](transform-api.md), they'll appear here.

-You can enable tracing for an API when making requests to API Management using `curl`, a REST client such as Visual Studio Code with the REST Client extension, or a client app.

-Enable tracing by the following steps using calls to the API Management REST API.

-> The following steps require API Management REST API version 2023-05-01-preview or later. You must be assigned the Contributor or higher role on the API Management instance to call the REST API.

-1. Obtain trace credentials by calling the [List debug credentials](/rest/api/apimanagement/gateway/list-debug-credentials) API. Pass the gateway ID in the URI, or use "managed" for the instance's managed gateway in the cloud. For example, to obtain trace credentials for the managed gateway, use a call similar to the following:

- In the request body, pass the full resource ID of the API that you want to trace, and specify `purposes` as `tracing`. By default the token credential returned in the response expires after 1 hour, but you can specify a different value in the payload.

- "apiId": "<API resource ID>",

- "token": "aid=api-name&p=tracing&ex=......."

-1. To enable tracing for a request to the API Management gateway, send the token value in an `Apim-Debug-Authorization` header. For example, to trace a call to the demo conference API, use a call similar to the following:

- curl -v GET https://apim-hello-world.azure-api.net/conference/speakers HTTP/1.1 -H "Ocp-Apim-Subscription-Key: <subscription-key>" -H "Apim-Debug-Authorization: aid=api-name&p=tracing&ex=......."

-1. Depending on the token, the response contains different headers:

- * If the token is valid, the response includes an `Apim-Trace-Id` header whose value is the trace ID.

- * If the token was obtained for wrong API, the response includes an `Apim-Debug-Authorization-WrongAPI` header with an error message.

-1. To retrieve the trace, pass the trace ID obtained in the previous step to the [List trace](/rest/api/apimanagement/gateway/list-trace) API for the gateway. For example, to retrieve the trace for the managed gateway, use a call similar to the following:

- "traceId": "<trace ID>"

-> * Trace an example call

-The OWASP [API Security Project](https://owasp.org/www-project-api-security/) focuses on strategies and solutions to understand and mitigate the unique *vulnerabilities and security risks of APIs*. In this article, we'll discuss recommendations to use Azure API Management to mitigate the top 10 API threats identified by OWASP.

-> [!NOTE]

-> In addition to following the recommendations in this article, you can enable [Defender for APIs](/azure/defender-for-cloud/defender-for-apis-introduction), a capability of [Microsoft Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction), for API security insights, recommendations, and threat detection. [Learn more about using Defender for APIs with API Management](protect-with-defender-for-apis.md)

-More information about this threat: [API1:2019 Broken Object Level Authorization](https://github.com/OWASP/API-Security/blob/master/editions/2023/en/0xa1-broken-object-level-authorization.md)

-

- * Use a custom policy to implement object-level authorization, if it's not implemented in the backend.

- * Implement a custom policy to map identifiers from request to backend and from backend to client, so that internal identifiers aren't exposed.

- In these cases, the custom policy could be a [policy expression](api-management-policy-expressions.md) with a look-up (for example, a dictionary) or integration with another service through the [send request](send-request-policy.md) policy.

-* For GraphQL scenarios, enforce object-level authorization through the [validate GraphQL request](validate-graphql-request-policy.md) policy, using the `authorize` element.

-## Broken user authentication

-Authentication mechanisms are often implemented incorrectly or missing, allowing attackers to exploit implementation flaws to access data.

-More information about this threat: [API2:2019 Broken User Authentication](https://github.com/OWASP/API-Security/blob/master/editions/2019/en/0xa2-broken-user-authentication.md)

-### Recommendations

-Use API Management for user authentication and authorization:

-* **Authentication** - API Management supports the following [authentication methods](api-management-policies.md#authentication-and-authorization):

- * [Basic authentication](authentication-basic-policy.md) policy - Username and password credentials.

- * [Subscription key](api-management-subscriptions.md) - A subscription key provides a similar level of security as basic authentication and may not be sufficient alone. If the subscription key is compromised, an attacker may get unlimited access to the system.

- * [Client certificate](authentication-certificate-policy.md) policy - Using client certificates is more secure than basic credentials or subscription key, but it doesn't allow the flexibility provided by token-based authorization protocols such as OAuth 2.0.

-* **Authorization** - API Management supports a [validate JWT](validate-jwt-policy.md) policy to check the validity of an incoming OAuth 2.0 JWT access token based on information obtained from the OAuth identity provider's metadata endpoint. Configure the policy to check relevant token claims, audience, and expiration time. Learn more about protecting an API using [OAuth 2.0 authorization and Microsoft Entra ID](api-management-howto-protect-backend-with-aad.md).

-More recommendations:

-* Use policies in API Management to increase security. For example, [call rate limiting](rate-limit-policy.md) slows down bad actors using brute force attacks to compromise credentials.

-* APIs should use TLS/SSL (transport security) to protect the credentials or tokens. Credentials and tokens should be sent in request headers and not as query parameters.

-* In the API Management [developer portal](api-management-howto-developer-portal.md), configure [Microsoft Entra ID](api-management-howto-aad.md) or [Azure Active Directory B2C](api-management-howto-aad-b2c.md) as the identity provider to increase the account security. The developer portal uses CAPTCHA to mitigate brute force attacks.

-### Related information

-* [Authentication vs. authorization](../active-directory/develop/authentication-vs-authorization.md)

-## Excessive data exposure

-Good API interface design is deceptively challenging. Often, particularly with legacy APIs that have evolved over time, the request and response interfaces contain more data fields than the consuming applications require.

-A bad actor could attempt to access the API directly (perhaps by replaying a valid request), or sniff the traffic between server and API. Analysis of the API actions and the data available could yield sensitive data to the attacker, which isn't surfaced to, or used by, the frontend application.

-More information about this threat: [API3:2019 Excessive Data Exposure](https://github.com/OWASP/API-Security/blob/master/editions/2019/en/0xa3-excessive-data-exposure.md)

-### Recommendations

-* The best approach to mitigating this vulnerability is to ensure that the external interfaces defined at the backend API are designed carefully and, ideally, independently of the data persistence. They should contain only the fields required by consumers of the API. APIs should be reviewed frequently, and legacy fields deprecated, then removed.

- In API Management, use:

- * [Revisions](api-management-revisions.md) to gracefully control nonbreaking changes, for example, the addition of a field to an interface. You may use revisions along with a versioning implementation at the backend.

- * [Versions](api-management-versions.md) for breaking changes, for example, the removal of a field from an interface.

-* If it's not possible to alter the backend interface design and excessive data is a concern, use API Management [transformation policies](api-management-policies.md#transformation) to rewrite response payloads and mask or filter data. For example, [remove unneeded JSON properties](./policies/filter-response-content.md) from a response body.

-* [Response content validation](validate-content-policy.md) in API Management can be used with an XML or JSON schema to block responses with undocumented properties or improper values. The policy also supports blocking responses exceeding a specified size.

-* Use the [validate status code](validate-status-code-policy.md) policy to block responses with errors undefined in the API schema.

-* Use the [validate headers](validate-headers-policy.md) policy to block responses with headers that aren't defined in the schema or don't comply to their definition in the schema. Remove unwanted headers with the [set header](set-header-policy.md) policy.

-* For GraphQL scenarios, use the [validate GraphQL request](validate-graphql-request-policy.md) policy to validate GraphQL requests, authorize access to specific query paths, and limit response size.

-## Lack of resources and rate limiting

-Lack of rate limiting may lead to data exfiltration or successful DDoS attacks on backend services, causing an outage for all consumers.

-More information about this threat: [API4:2019 Lack of resources and rate limiting](https://github.com/OWASP/API-Security/blob/master/editions/2019/en/0xa4-lack-of-resources-and-rate-limiting.md)

-### Recommendations

-* Use [rate limit](rate-limit-policy.md) (short-term) and [quota limit](quota-policy.md) (long-term) policies to control the allowed number of API calls or bandwidth per consumer.

-* Define strict request object definitions and their properties in the OpenAPI definition. For example, define the max value for paging integers, maxLength and regular expression (regex) for strings. Enforce those schemas with the [validate content](validate-content-policy.md) and [validate parameters](validate-parameters-policy.md) policies in API Management.

-* Enforce maximum size of the request with the [validate content](validate-content-policy.md) policy.

-* Optimize performance with [built-in caching](api-management-howto-cache.md), thus reducing the consumption of CPU, memory, and networking resources for certain operations.

-* Enforce authentication for API calls (see [Broken user authentication](#broken-user-authentication)). Revoke access for abusive users. For example, deactivate the subscription key, block the IP address with the [restrict caller IPs](ip-filter-policy.md) policy, or reject requests for a certain user claim from a [JWT token](validate-jwt-policy.md).

-* Apply a [CORS](cors-policy.md) policy to control the websites that are allowed to load the resources served through the API. To avoid overly permissive configurations, donΓÇÖt use wildcard values (`*`) in the CORS policy.

-* Minimize the time it takes a backend service to respond. The longer the backend service takes to respond, the longer the connection is occupied in API Management, therefore reducing the number of requests that can be served in a given timeframe.

- * Define `timeout` in the [forward request](forward-request-policy.md) policy.

- * Use the [validate GraphQL request](validate-graphql-request-policy.md) policy for GraphQL APIs and configure `max-depth` and `max-size` parameters.

- * Limit the number of parallel backend connections with the [limit concurrency](limit-concurrency-policy.md) policy.

-* While API Management can protect backend services from DDoS attacks, it may be vulnerable to those attacks itself. Deploy a bot protection service in front of API Management (for example, [Azure Application Gateway](api-management-howto-integrate-internal-vnet-appgateway.md), [Azure Front Door](front-door-api-management.md), or [Azure DDoS Protection](protect-with-ddos-protection.md)) to better protect against DDoS attacks. When using a WAF with Azure Application Gateway or Azure Front Door, consider using [Microsoft_BotManagerRuleSet_1.0](../web-application-firewall/afds/afds-overview.md#bot-protection-rule-set).

-Complex access control policies with different hierarchies, groups, and roles, and an unclear separation between administrative and regular functions lead to authorization flaws. By exploiting these issues, attackers gain access to other usersΓÇÖ resources or administrative functions.

-More information about this threat: [API5:2019 Broken function level authorization](https://github.com/OWASP/API-Security/blob/master/editions/2019/en/0xa5-broken-function-level-authorization.md)

-### Recommendations

-

-* By default, protect all API endpoints in API Management with [subscription keys](api-management-subscriptions.md).

-* Define a [validate JWT](validate-jwt-policy.md) policy and enforce required token claims. If certain operations require stricter claims enforcement, define extra `validate-jwt` policies for those operations only.

-* Use an Azure virtual network or Private Link to hide API endpoints from the internet. Learn more about [virtual network options](virtual-network-concepts.md) with API Management.

-* Don't define [wildcard API operations](add-api-manually.md#add-and-test-a-wildcard-operation) (that is, "catch-all" APIs with `*` as the path). Ensure that API Management only serves requests for explicitly defined endpoints, and requests to undefined endpoints are rejected.

-* Don't publish APIs with [open products](api-management-howto-add-products.md#access-to-product-apis) that don't require a subscription.

-## Mass assignment

-If an API offers more fields than the client requires for a given action, an attacker may inject excessive properties to perform unauthorized operations on data. Attackers may discover undocumented properties by inspecting the format of requests and responses or other APIs, or guessing them. This vulnerability is especially applicable if you donΓÇÖt use strongly typed programming languages.

-More information about this threat: [API6:2019 Mass assignment](https://github.com/OWASP/API-Security/blob/master/editions/2019/en/0xa6-mass-assignment.md)

-### Recommendations

-* External API interfaces should be decoupled from the internal data implementation. Avoid binding API contracts directly to data contracts in backend services. Review the API design frequently, and deprecate and remove legacy properties using [versioning](api-management-versions.md) in API Management.

-* Precisely define XML and JSON contracts in the API schema and use [validate content](validate-content-policy.md) and [validate parameters](validate-parameters-policy.md) policies to block requests and responses with undocumented properties. Blocking requests with undocumented properties mitigates attacks, while blocking responses with undocumented properties makes it harder to reverse-engineer potential attack vectors.

-* If the backend interface can't be changed, use [transformation policies](api-management-policies.md#transformation) to rewrite request and response payloads and decouple the API contracts from backend contracts. For example, mask or filter data or [remove unneeded JSON properties](./policies/filter-response-content.md).

-## Security misconfiguration

-* Missing security hardening

-* Unnecessary enabled features

-* Network connections unnecessarily open to the internet

-* Use of weak protocols or ciphers

-* Other settings or endpoints that may allow unauthorized access to the system

-More information about this threat: [API7:2019 Security misconfiguration](https://github.com/OWASP/API-Security/blob/master/editions/2019/en/0xa7-security-misconfiguration.md)

-### Recommendations

-* Correctly configure [gateway TLS](api-management-howto-manage-protocols-ciphers.MD). Don't use vulnerable protocols (for example, TLS 1.0, 1.1) or ciphers.

-* Configure APIs to accept encrypted traffic only, for example through HTTPS or WSS protocols.

-* Consider deploying API Management behind a [private endpoint](private-endpoint.md) or attached to a [virtual network deployed in internal mode](api-management-using-with-internal-vnet.md). In internal networks, access can be controlled from within the private network (via firewall or network security groups) and from the internet (via a reverse proxy).

-* Use Azure API Management policies:

- * Always inherit parent policies through the `<base>` tag.

- * When using OAuth 2.0, configure and test the [validate JWT](validate-jwt-policy.md) policy to check the existence and validity of the JWT token before it reaches the backend. Automatically check the token expiration time, token signature, and issuer. Enforce claims, audiences, token expiration, and token signature through policy settings.

- * Configure the [CORS](cors-policy.md) policy and don't use wildcard `*` for any configuration option. Instead, explicitly list allowed values.

- * Set [validation policies](api-management-policies.md#content-validation) to `prevent` in production environments to validate JSON and XML schemas, headers, query parameters, and status codes, and to enforce the maximum size for request or response.

- * If API Management is outside a network boundary, client IP validation is still possible using the [restrict caller IPs](ip-filter-policy.md) policy. Ensure that it uses an allowlist, not a blocklist.

- * If client certificates are used between caller and API Management, use the [validate client certificate](validate-client-certificate-policy.md) policy. Ensure that the `validate-revocation`, `validate-trust`, `validate-not-before`, and `validate-not-after` attributes are all set to `true`.

- * Client certificates (mutual TLS) can also be applied between API Management and the backend. The backend should:

- * Have authorization credentials configured

- * Validate the certificate chain where applicable

- * Validate the certificate name where applicable

-* For GraphQL scenarios, use the [validate GraphQL request](validate-graphql-request-policy.md) policy. Ensure that the `authorization` element and `max-size` and `max-depth` attributes are set.

-* Don't store secrets in policy files or in source control. Always use API Management [named values](api-management-howto-properties.md) or fetch the secrets at runtime using custom policy expressions.

- * Named values should be [integrated with Key Vault](api-management-howto-properties.md#key-vault-secrets) or encrypted within API Management by marking them "secret". Never store secrets in plain-text named values.

-* Publish APIs through [products](api-management-howto-add-products.md), which require subscriptions. Don't use [open products](api-management-howto-add-products.md#access-to-product-apis) that don't require a subscription.

-* Use Key Vault integration to manage all certificates ΓÇô this centralizes certificate management and can help to ease operations management tasks such as certificate renewal or revocation.

-* When using the [self-hosted-gateway](self-hosted-gateway-overview.md), ensure that there's a process in place to update the image to the latest version periodically.

-* Represent backend services as [backend entities](backends.md). Configure authorization credentials, certificate chain validation, and certificate name validation where applicable.

-* When using the [developer portal](api-management-howto-developer-portal.md):

- * If you choose to [self-host](developer-portal-self-host.md) the developer portal, ensure there's a process in place to periodically update the self-hosted portal to the latest version. Updates for the default managed version are automatic.

- * Use [Microsoft Entra ID](api-management-howto-aad.md) or [Azure Active Directory B2C](api-management-howto-aad-b2c.md) for user sign-up and sign-in. Disable the default username and password authentication, which is less secure.

- * Assign [user groups](api-management-howto-create-groups.md#-associate-a-group-with-a-product) to products, to control the visibility of APIs in the portal.

-* Use [Azure Policy](security-controls-policy.md) to enforce API Management resource-level configuration and role-based access control (RBAC) permissions to control resource access. Grant minimum required privileges to every user.

-* Use a [DevOps process](devops-api-development-templates.md) and infrastructure-as-code approach outside of a development environment to ensure consistency of API Management content and configuration changes and to minimize human errors.

-* Don't use any deprecated features.

-## Injection

-Any endpoint accepting user data is potentially vulnerable to an injection exploit. Examples include, but aren't limited to:

-* [Command injection](https://owasp.org/www-community/attacks/Command_Injection), where a bad actor attempts to alter the API request to execute commands on the operating system hosting the API

-* [SQL injection](https://owasp.org/www-community/attacks/SQL_Injection), where a bad actor attempts to alter the API request to execute commands and queries against the database an API depends on

-More information about this threat: [API8:2019 Injection](https://github.com/OWASP/API-Security/blob/master/editions/2019/en/0xa8-injection.md)

-* [Modern Web Application Firewall (WAF) policies](https://github.com/SpiderLabs/ModSecurity) cover many common injection vulnerabilities. While API Management doesnΓÇÖt have a built-in WAF component, deploying a WAF upstream (in front) of the API Management instance is strongly recommended. For example, use [Azure Application Gateway](/azure/architecture/reference-architectures/apis/protect-apis) or [Azure Front Door](front-door-api-management.md).

- > [!IMPORTANT]

- > Ensure that a bad actor can't bypass the gateway hosting the WAF and connect directly to the API Management gateway or backend API itself. Possible mitigations include: [network ACLs](../virtual-network/network-security-groups-overview.md), using API Management policy to [restrict inbound traffic by client IP](ip-filter-policy.md), removing public access where not required, and [client certificate authentication](api-management-howto-mutual-certificates-for-clients.md) (also known as mutual TLS or mTLS).

-* Use schema and parameter [validation](api-management-policies.md#content-validation) policies, where applicable, to further constrain and validate the request before it reaches the backend API service.

- The schema supplied with the API definition should have a regex pattern constraint applied to vulnerable fields. Each regex should be tested to ensure that it constrains the field sufficiently to mitigate common injection attempts.

-### Related information

-* [Deployment stamps pattern with Azure Front Door and API Management](/azure/architecture/patterns/deployment-stamp)

-* [Deploy Azure API Management with Azure Application Gateway](api-management-howto-integrate-internal-vnet-appgateway.md)

-## Improper assets management

-* Lack of proper API documentation or ownership information

-* Excessive numbers of older API versions, which may be missing security fixes

-More information about this threat: [API9:2019 Improper assets management](https://github.com/OWASP/API-Security/blob/master/editions/2019/en/0xa9-improper-assets-management.md)

-* Use a well-defined [OpenAPI specification](https://swagger.io/specification/) as the source for importing REST APIs. The specification allows encapsulation of the API definition, including self-documenting metadata.

- * Use API interfaces with precise paths, data schemas, headers, query parameters, and status codes. Avoid [wildcard operations](add-api-manually.md#add-and-test-a-wildcard-operation). Provide descriptions for each API and operation and include contact and license information.

- * Avoid endpoints that donΓÇÖt directly contribute to the business objective. They unnecessarily increase the attack surface area and make it harder to evolve the API.

-* Use [revisions](api-management-revisions.md) and [versions](api-management-versions.md) in API Management to govern and control the API endpoints. Have a strong backend versioning strategy and commit to a maximum number of supported API versions (for example, 2 or 3 prior versions). Plan to quickly deprecate and ultimately remove older, often less secure, API versions.

-* Use an API Management instance per environment (such as development, test, and production). Ensure that each API Management instance connects to its dependencies in the same environment. For example, in the test environment, the test API Management resource should connect to a test Azure Key Vault resource and the test versions of backend services. Use [DevOps automation and infrastructure-as-code practices](devops-api-development-templates.md) to help maintain consistency and accuracy between environments and reduce human errors.

-* Use tags to organize APIs and products and group them for publishing.

-* Publish APIs for consumption through the built-in [developer portal](api-management-howto-developer-portal.md). Make sure the API documentation is up-to-date.

-* Discover undocumented or unmanaged APIs and expose them through API Management for better control.

-## Insufficient logging and monitoring

-Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems to tamper with, and extract or destroy data. Most breach studies demonstrate that the time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.

-More information about this threat: [API10:2019 Insufficient logging and monitoring](https://github.com/OWASP/API-Security/blob/master/editions/2019/en/0xaa-insufficient-logging-monitoring.md)

-* Understand [observability options](observability.md) in Azure API Management and [best practices](/azure/architecture/best-practices/monitoring) for monitoring in Azure.

-* Monitor API traffic with [Azure Monitor](api-management-howto-use-azure-monitor.md).

-* Log to [Application Insights](api-management-howto-app-insights.md) for debugging purposes. Correlate [transactions in Application Insights](/azure/azure-monitor/app/search-and-transaction-diagnostics?tabs=transaction-diagnostics) between API Management and the backend API to [trace them end-to-end](/azure/azure-monitor/app/correlation).

-* If needed, forward custom events to [Event Hubs](api-management-howto-log-event-hubs.md).

-* Set alerts in Azure Monitor and Application Insights - for example, for the [capacity metric](api-management-howto-autoscale.md) or for excessive requests or bandwidth transfer.

-* Use the [emit-metric](emit-metric-policy.md) policy for custom metrics.

-* Use the Azure Activity log for tracking activity in the service.

-* Use custom events in [Azure Application Insights](/azure/azure-monitor/app/api-custom-events-metrics) and [Azure Monitor](/azure/azure-monitor/app/custom-data-correlation) as needed.

-* Configure [OpenTelemetry](how-to-deploy-self-hosted-gateway-kubernetes-opentelemetry.md#introduction-to-opentelemetry) for [self-hosted gateways](self-hosted-gateway-overview.md) on Kubernetes.

-## Next steps

-* [Security controls by Azure policy](security-controls-policy.md)

-* [Exploring the Super Secret Kudu Debug Console](https://azure.microsoft.com/documentation/videos/super-secret-kudu-debug-console-for-azure-web-sites/)

-### How do I deploy a WAR file through Maven plugin and OpenID Connect

-### How do I deploy a WAR file through Az CLI and OpenID Connect

-If you use prefer the Azure CLI to deploy to App Service, you can use the GitHub Action for CLI.

- - name: Azure CLI script

- uses: azure/cli@v2

- with:

- inlineScript: |

- az webapp deploy --src-path '${{ github.workspace }}/target/yourpackage.war' --name ${{ env.AZURE_WEBAPP_NAME }} --resource-group ${{ env.RESOURCE_GROUP }} --async true --type war

-More information on the az webapp deploy command, how to use and the parameter details can be found in the [az webapp deploy documentation](/cli/azure/webapp?view=azure-cli-latest#az-webapp-deploy).

-### How do I deploy to a Container

-### How do I update the Tomcat configuration after deployment

-> In rare cases the upgrade availability might be impacted by a security hotfix superseding the planned upgrade, or a regression found in the planned upgrade before it has been applied to your instance. In these rare cases, the available upgrade will be removed and will transition to automatic upgrade.

- See [Disable cache for auth workflow](../static-web-apps/front-door-manual.md#disable-cache-for-auth-workflow) to learn more on how to configure rules in Azure Front Door to disable caching for authentication and authorization-related pages.

-> * Create a secure-by-default App Service, SQL Database, and Redis cache architecture

-> * Create a secure-by-default architecture for Azure App Service and Azure Cosmos DB with MongoDB API.

-1. The Application Gateway requires at least one active Listener and Rule combination. You thus cannot delete the certificate of a HTTPS listener, if no other active listener exists. This is also true if there are only HTTPS listeners on your gateway, and all of them are referencing the same certificate. Such operations are prevented because deletion of a certificate leads to deletion of all dependent sub resources.

-Configuration Management in Azure Automation is supported by two capabilities:

-* Change Tracking and Inventory

-* Azure Automation State Configuration

-### Change Tracking and Inventory

-[Change Tracking and Inventory](change-tracking/overview.md) combines functions to allow you to track Linux and Windows virtual machine and server infrastructure changes. The service supports change tracking across services, daemons, software, registry, and files in your environment to help you diagnose unwanted changes and raise alerts. Inventory support allows you to query in-guest resources for visibility into installed applications and other configuration items. Change Tracking & Inventory is now supported with the Azure Monitoring Agent version. [Learn more](change-tracking/overview-monitoring-agent.md).

-## Update Management

-Azure Automation includes the [Update Management](./update-management/overview.md) feature for Windows and Linux systems across hybrid environments. Update Management gives you visibility into update compliance across Azure and other clouds, and on-premises. The feature allows you to create scheduled deployments that orchestrate the installation of updates within a defined maintenance window. If an update shouldn't be installed on a machine, you can use Update Management functionality to exclude it from a deployment.

-* **Periodic maintenance** - to execute tasks that need to be performed at set timed intervals like purging stale or old data, or reindex a SQL database.

-> | databaseaccounts | **Yes** | No | No |

- "tenantId": "00000000-0000-0000-0000-000000000000"

- "tenantId": "00000000-0000-0000-0000-000000000000"

-$id = "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/templateSpecsRG/providers/Microsoft.Resources/templateSpecs/storageSpec/versions/1.0a"

-id = "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/templateSpecsRG/providers/Microsoft.Resources/templateSpecs/storageSpec/versions/1.0a"

-| AV36P SKU new private cloud deploys with vSphere 7, not vSphere 8. | September 2024 | The AV36P SKU is waiting for a Hotfix to be deployed, which will resolve this issue. | N/A |

-description: Add calling and chat functionality using the Azure Communication Services UI Library.

-#Customer intent: As a developer, I want to add calling and chat functionality to my App.

-# Integrate Calling and Chat UI Libraries

-## Set up the feature

-To build and run your app on the device.

-The list of [use cases](../../concepts/ui-library/ui-library-use-cases.md?branch=main&pivots=platform-mobile) has detailed information about more features.

-## Next steps

-description: In this quickstart, you learn how to place Microsoft Teams interop group calls with Azure Communication Calling SDK.

-# Quickstart: Place interop group calls between Azure Communication Services and Microsoft Teams

-In this quickstart, you're going to learn how to start a group call from Azure Communication Services user to Teams users. You're going to achieve it with the following steps:

-Replace code in https://docsupdatetracker.net/index.html with following snippet.

-Place a group call to the Teams users by specifying their IDs.

-The text boxes are used to enter the Teams user IDs planning to call and add in a group:

- <h1>Teams interop group call quickstart</h1>

- <input id="teams-ids-input" type="text" placeholder="Teams IDs split by comma"

- <button id="place-group-call-button" type="button" disabled="false">

- Place group call

-const { CallClient, Features } = require('@azure/communication-calling');

-const teamsIdsInput = document.getElementById('teams-ids-input');

-const placeInteropGroupCallButton = document.getElementById('place-group-call-button');

- const callClient = new CallClient();

- const tokenCredential = new AzureCommunicationTokenCredential("<USER ACCESS TOKEN>");

- callAgent = await callClient.createCallAgent(tokenCredential, { displayName: 'ACS user' });

- placeInteropGroupCallButton.disabled = false;

-hangUpButton.addEventListener("click", async () => {

- await call.hangUp();

- hangUpButton.disabled = true;

- placeInteropGroupCallButton.disabled = false;

- callStateElement.innerText = '-';

-});

-placeInteropGroupCallButton.addEventListener("click", () => {

- if (!teamsIdsInput.value) {

- return;

- const participants = teamsIdsInput.value.split(',').map(id => {

- const participantId = id.replace(' ', '');

- return {

- microsoftTeamsUserId: `${participantId}`

- };

- })

- call = callAgent.startCall(participants);

- call.on('stateChanged', () => {

- callStateElement.innerText = call.state;

- })

- hangUpButton.disabled = false;

- placeInteropGroupCallButton.disabled = true;

-## Get the Teams user IDs

-Insert the Teams IDs into the text box split by comma and press *Place Group Call* to start the group call from within your Communication Services application.

-| CPU Usage | Replica, Revision | CPU consumed by the container app, in nano cores (1,000,000,000 nanocores = 1 core) | `UsageNanoCores` | nanocores |

-| Memory Working Set Bytes | Replica, Revision | Container app working set memory used in bytes | `WorkingSetBytes` | bytes |

-| Network In Bytes | Replica, Revision | Network received bytes | `RxBytes` | bytes |

-| Network Out Bytes | Replica, Revision | Network transmitted bytes | `TxBytes` | bytes |

-| Replica count | Revision | Number of active replicas | `Replicas` | n/a |

-| Replica Restart Count | Replica, Revision | Restarts count of container app replicas | `RestartCount` | n/a |

-| Requests | Replica, Revision, Status Code, Status Code Category | Requests processed | `Requests` | n/a |

-| Reserved Cores | Revision | Number of reserved cores for container app revisions | `CoresQuotaUsed` | n/a |

-| Resiliency Connection Timeouts | Revision | Total connection timeouts | `ResiliencyConnectTimeouts` | n/a |

-| Resiliency Ejected Hosts | Revision | Number of currently ejected hosts | `ResiliencyEjectedHosts` | n/a |

-| Resiliency Ejections Aborted | Revision | Number of ejections aborted due to the max ejection % | `ResiliencyEjectionsAborted` | n/a |

-| Resiliency Request Retries | Revision | Total request retries | `ResiliencyRequestRetries` | n/a |

-| Resiliency Request Timeouts | Revision | Total requests that timed out waiting for a response | `ResiliencyRequestTimeouts` | n/a |

-| Resiliency Requests Pending Connection Pool | Replica | Total requests pending a connection pool connection | `ResiliencyRequestsPendingConnectionPool` | n/a |

-| Total Reserved Cores | None | Total cores reserved for the container app | `TotalCoresQuotaUsed` | n/a |

-The metrics namespace is `microsoft.app/containerapps`.

-| EA | MCA-E | ΓÇó Transferring all enrollment products is completed as part of the MCA transition process from an EA. For more information, see [Complete Enterprise Agreement tasks in your billing account for a Microsoft Customer Agreement](mca-enterprise-operations.md).<br><br> ΓÇó If you want to transfer specific products but not all of the products in an enrollment, see [Transfer Azure subscription billing ownership for a Microsoft Customer Agreement](mca-request-billing-ownership.md). <br><br>ΓÇó Self-service reservation transfers with no currency change are supported. When there's a currency change during or after an enrollment transfer, reservations paid for monthly are canceled for the source enrollment. Cancellation happens at the time of the next monthly payment for an individual reservation. The cancellation is intentional and only affects monthly reservation purchases. For more information, see [Transfer Azure Enterprise enrollment accounts and subscriptions](../manage/ea-transfers.md#prerequisites-1).<br><br> ΓÇó You can't transfer a savings plan purchased under an Enterprise Agreement enrollment that was bought in a non-USD currency. You can [change the savings plan scope](../savings-plan/manage-savings-plan.md#change-the-savings-plan-scope) so that it applies to other subscriptions. |

-### Retirement timeline

-The on-premises management console retirement includes the following details:

-1. Select the DNS zone with the suffix of `azurequickstart.org` to verify that the zone is created properly with an `A` record referencing the value of `1.2.3.4` and `1.2.3.5`.

-The host name `www.2lwynbseszpam.azurequickstart.org` resolves to `1.2.3.4` and `1.2.3.5`, just as you configured it. This result verifies that name resolution is working correctly.

-

-The listed services and frameworks can generally acquire event streams and reference data directly from a diverse set of sources through adapters. Kafka Streams can only acquire data from Apache Kafka and your analytics projects are therefore locked into Apache Kafka. To use data from other sources, you're required to first import data into Apache Kafka with the Kafka Connect framework.

-

-If you must use the Kafka Streams framework on Azure, [Apache Kafka on HDInsight](../hdinsight/kafk) provides you with that option. Apache Kafka on HDInsight provides full control over all configuration aspects of Apache Kafka, while being fully integrated with various aspects of the Azure platform, from fault/update domain placement to network isolation to monitoring integration.

-one of the operating systems in the previous table.

- | **Azure Key Vault** | Select an Azure key vault select **Create new**.<br><br>Ensure that your key vault has **Vault access policy** as its permission model. To check this setting, select **Manage selected vault** > **Settings** > **Access configuration**. |

-* Enables secrets and user-assignment managed identity, which are important capabilities for developing a production-ready scenario. Secrets are used whenever Azure IoT Operations components connect to a resource outside of the cluster; for example, an OPC UA server or a dataflow endpoint.

- * Secret Sync Controller

-After you sign in, the web UI displays a list of sites. Each site is a collection of Azure IoT Operations instances where you can configure and manage your assets. A site typically represents a physical location where you have physical assets deployed. Sites make it easier for you to locate and manage assets. Your [IT administrator is responsible for grouping instances in to sites](/azure/azure-arc/site-manager/overview). Any Azure IoT Operations instances that aren't assigned to a site appear in the **Unassigned instances** node. Select the site that you want to use:

-az iot ops asset endpoint create --name opc-ua-connector-0 --target-address opc.tcp://opcplc-000000:50000 -g {your resource group name} --cluster {your cluster name}

- az iot ops asset endpoint create --name opc-ua-connector-0 --target-address opc.tcp://opcplc-000000:50000 -g {your resource group name} --cluster {your cluster name} --username-ref "aio-opc-ua-broker-user-authentication/username" --password-ref "aio-opc-ua-broker-user-authentication/password"

-Use the following command to add a "thermostat" asset by using the Azure CLI. The command adds two tags to the asset by using the `--data` parameter:

-az iot ops asset create --name thermostat -g {your resource group name} --cluster {your cluster name} --endpoint opc-ua-connector-0 --description 'A simulated thermostat asset' --data data_source='ns=3;s=FastUInt10', name=temperature --data data_source='ns=3;s=FastUInt100', name='Tag 10'

-When you create an asset by using the Azure CLI, you can define multiple events by using the `--event` parameter multiple times. The syntax for the `--event` parameter is similar to the `--data` parameter:

-az iot ops asset data-point list --asset thermostat -g {your resource group}

-az iot ops asset data-point add --asset thermostat -g {your resource group} --data-source 'ns=3;s=FastUInt1002' --name 'humidity'

-To delete a tag, use the `az iot ops asset data-point remove` command.

->If data has not arrived in your eventstream, you may want to check your event hub activity to verify that it's receiving messages. This will help you isolate which section of the flow to debug.

-You can also delete your Microsoft Fabric workspace and/or all the resources within it associated with this tutorial, including the eventstream, Eventhouse, and Real-Time Dashboard.

-The sample tags you added in the previous quickstart generate messages from your asset that look like the following example:

- "temperature": {

- "SourceTimestamp": "2024-08-02T13:52:15.1969959Z",

- "Value": 2696

- },

- "Tag 10": {

- "SourceTimestamp": "2024-08-02T13:52:15.1970198Z",

- "Value": 2696

- }

- - Make sure local authentication is enabled on your event hub. You can set this from its Overview page in the Azure portal.

->If data has not arrived in your eventstream, you may want to check your event hub activity to verify that it's receiving messages. This will help you isolate which section of the flow to debug.

- | Spike | boolean |

- * **Value column**: *AssetId*

- - **Label**: *Units*

- **Run** the query to verify that a maximum temperature can be found.

-1. View the finished tile on your dashboard (you may want to resize the tile so the full text is visible).

-You can also delete your Microsoft Fabric workspace and/or all the resources within it associated with this quickstart, including the eventstream, Eventhouse, and Real-Time Dashboard.

-1. In the Azure portal, navigate to your IoT Operations instance.

-Since the [default broker listener](howto-configure-brokerlistener.md#default-brokerlistener) is set to *ClusterIp* service type, you can't connect to the broker from outside the cluster directly. To prevent unintentional disruption to communication between internal AIO components, we recommend keeping the default listener unmodified and dedicated for AIO internal communication. While it's possible to create a separate Kubernetes *LoadBalancer* service to expose the cluster IP service, it's better to create a separate listener with different settings, like more common MQTT port 1883 and 8883, to avoid confusion and potential security risks.

-For example, to create a new BrokerListener with *NodePort* service type and port 1883, create a file named `broker-nodeport.yaml` with configuration like the following, replacing placeholders with your own values, including your own authentication and TLS settings.

-> Removing `authenticationRef` and `tls` settings from the configuration [will turn off authentication and TLS for testing purposes only.](#only-turn-off-tls-and-authentication-for-testing)

-<!-- TODO: Bicep and portal -->

- name: broker-nodeport

- serviceName: broker-nodeport

- authenticationRef: # Add BrokerAuthentication reference

- tls:

- # Add TLS settings

-Next, get the node's external IP address:

-Another way to expose the broker to the internet is to use the *LoadBalancer* service type. This method is more complex and might require additional configuration, like setting up port forwarding. For example, to create a new BrokerListener with *LoadBalancer* service type and port 1883, create a file named `broker-loadbalancer.yaml` with configuration like the following, replacing placeholders with your own values, including your own authentication and TLS settings.

-> Removing `authenticationRef` and `tls` settings from the configuration [will turn off authentication and TLS for testing purposes only.](#only-turn-off-tls-and-authentication-for-testing)

- name: broker-loadbalancer

- serviceName: broker-loadbalancer

- authenticationRef: # Add BrokerAuthentication reference

- tls:

- # Add TLS settings

-Then, use `kubectl` to deploy the configuration:

-Next, get the external IP address for the broker's service:

-kubectl get service broker-loadbalancer --namespace azure-iot-operations

-NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE

-broker-loadbalancer LoadBalancer 10.43.213.246 172.19.0.2 1883:30382/TCP 83s

- broker-loadbalancer LoadBalancer 10.43.107.11 192.168.0.4 1883:30366/TCP 14h

-If you understand the risks and need to use an insecure port in a well-controlled environment, you can turn off TLS and authentication for testing purposes by removing the `tls` and `authenticationRef` settings from the listener configuration.

- name: <NAME>

- serviceName: <NAME>

-**Agentless dependency analysis** | Domain or nondomain (local) account with administrative permissions | Sudo user account with permissions to execute ls and netstat commands. When providing a sudo user account, ensure that you have enabled **NOPASSWD** for the account to run the required commands without prompting for a password every time the sudo command is invoked. <br /><br /> Alternatively, you can create a user account that has the CAP_DAC_READ_SEARCH and CAP_SYS_PTRACE permissions on /bin/netstat and /bin/ls files, set using the following commands:<br /><code>sudo setcap CAP_DAC_READ_SEARCH,CAP_SYS_PTRACE=ep /bin/ls<br /> sudo setcap CAP_DAC_READ_SEARCH,CAP_SYS_PTRACE=ep /bin/netstat</code>

- sed -i 's/systemd.unified_cgroup_hierarchy=1 cgroup_no_v1=all/systemd.unified_cgroup_hierarchy=0/' /boot/grub2/grub.cfg

-`--config global.networkfunctionextension.backgroundJobThreshold=`

-> |-||

-> | Azure Application Gateway | Azure API Management |

-> | Azure Backup | Azure App Configuration |

-> | Azure Cosmos DB for NoSQL | Azure App Service |

-> | Azure Event Hubs | Microsoft Entra Domain Services |

-> | Azure ExpressRoute | Azure Bastion |

-> | Azure Key Vault | Azure Batch |

-> | Azure Load Balancer | Azure Cache for Redis |

-> | Azure Public IP | Azure AI Search |

-> | Azure Service Bus | Azure Container Registry |

-> | Azure Service Fabric | Azure Container Instances |

-> | Azure Site Recovery | Azure Data Explorer |

-> | Azure SQL | Azure Data Factory |

-> | Azure Storage: Disk Storage | Azure Database for MySQL |

-> | Azure Storage Accounts | Azure Database for PostgreSQL |

-> | Azure Storage: Blob Storage | Azure DDoS Protection |

-> | Azure Storage Data Lake Storage | Azure Event Grid |

-> | Azure Virtual Machines | Azure Firewall |

-> | Azure Virtual Machine Scale Sets | Azure Firewall Manager |

-> | Virtual Machines: Av2-series | Azure Functions |

-> | Virtual Machines: Bs-series | Azure HDInsight |

-> | Virtual Machines: Dv2 and DSv2-series | Azure IoT Hub |

-> | Virtual Machines: Dv3 and DSv3-series | Azure Kubernetes Service (AKS) |

-> | Virtual Machines: ESv3 abd ESv3-series | Azure Logic Apps |

-> | Azure Virtual Network | Azure Media Services |

-> | Azure VPN Gateway | Azure Monitor: Application Insights |

-> | | Azure Monitor: Log Analytics |

-> | | Azure Network Watcher |

-> | | Azure Private Link |

-> | | Azure Storage: Files Storage |

-> | | Azure Virtual WAN |

-> | | Premium Blob Storage |

-> | | Virtual Machines: Ddsv4-series |

-> | | Virtual Machines: Ddv4-series |

-> | | Virtual Machines: Dsv4-series |

-> | | Virtual Machines: Dv4-series |

-> | | Virtual Machines: Edsv4-series |

-> | | Virtual Machines: Edv4-series |

-> | | Virtual Machines: Esv4-series |

-> | | Virtual Machines: Ev4-series |

-> | | Virtual Machines: Fsv2-series |

-> | | Virtual Machines: M-series |

-> | Azure API for FHIR |

-> | Azure AI services |

-> | Azure Databricks |

-> | Microsoft Purview |

-> | Azure Spring Apps |

-> | Virtual Machines: DAv4 and DASv4-series |

-> | Virtual Machines: Eav4 and Easv4-series |

-> | Virtual Machines: NCv3-series |

-Yes, to ensure that virtual network routes are successfully advertised over the target NVA connections, and to configure High Availability, we recommend peering each NVA instance with both instances of Route Server.

-[sles-for-sap-bp]:https://documentation.suse.com/en-us/?tab=sbp

-1. Connect the [Azure Activity](./data-connectors/azure-activity.md) data source to start streaming audit events into a new table in the **Logs** screen called AzureActivity.

-1. Then, query the data using KQL, like you would any other table.

-> - The **LAQueryLogs** table only includes queries that have been run in the Logs blade of Microsoft Sentinel. It does not include the queries run by scheduled analytics rules, using the **Investigation Graph** or in the Microsoft Sentinel **Hunting** page.

- - **Workspace Auditing**. Includes information about which users in the environment are performing actions, which actions they have performed, and more.

- - **Analytics Efficiency**. Provides insight into which analytic rules are being used, which MITRE tactics are most covered, and incidents generated from the rules.

- - **Security Operations Efficiency**. Presents metrics on SOC team performance, incidents opened, incidents closed, and more. This workbook can be used to show team performance and highlight any areas that might be lacking that require attention.

- - **Data collection health monitoring**. Helps watch for stalled or stopped ingestions.

- For more information, see [Commonly used Microsoft Sentinel workbooks](top-workbooks.md).

-On the **Tables** page for the table you updated, review the field values for **Interactive retention** and **Total retention**.

-[Microsoft Defender for Cloud](/azure/defender-for-cloud/)'s integrated cloud workload protections allow you to detect and quickly respond to threats across hybrid and multicloud workloads.

-This connector allows you to ingest [security alerts from Defender for Cloud](/azure/defender-for-cloud/alerts-reference) into Microsoft Sentinel, so you can view, analyze, and respond to Defender alerts, and the incidents they generate, in a broader organizational threat context.

-As [Microsoft Defender for Cloud Defender plans](/azure/defender-for-cloud/defender-for-cloud-introduction#protect-cloud-workloads) are enabled per subscription, this data connector is also enabled or disabled separately for each subscription.

-The new **Tenant-based Microsoft Defender for Cloud connector**, in PREVIEW, allows you to collect Defender for Cloud alerts over your entire tenant, without having to enable each subscription separately. It also leverages [Defender for Cloud's integration with Microsoft Defender XDR](ingest-defender-for-cloud-incidents.md) (formerly Microsoft 365 Defender) to ensure that all of your Defender for Cloud alerts are fully included in any incidents you receive through [Microsoft Defender XDR incident integration](microsoft-365-defender-sentinel-integration.md).

-1. In Microsoft Sentinel, select **Data connectors** from the navigation menu.

-1. From the data connectors gallery, select **Microsoft Defender for Cloud**, and select **Open connector page** in the details pane.

- > [!NOTE]

- > - The check boxes and **Connect** toggles will be active only on the subscriptions for which you have the required permissions.

- > - The **Connect** button will be active only if at least one subscription's check box has been marked.

- > [!NOTE]

- > - The check boxes and drop-down lists will be active only on the subscriptions for which you have the [required permissions](#prerequisites).

- > - The **Enable bi-directional sync** button will be active only if at least one subscription's check box has been marked.

-1. In the **Microsoft Defender plans** column of the list, you can see if Microsoft Defender plans are enabled on your subscription (a prerequisite for enabling the connector). The value for each subscription in this column will either be blank (meaning no Defender plans are enabled), "All enabled," or "Some enabled." Those that say "Some enabled" will also have an **Enable all** link you can select, that will take you to your Microsoft Defender for Cloud configuration dashboard for that subscription, where you can choose Defender plans to enable. The **Enable Microsoft Defender for all subscriptions** link button on the bar above the list will take you to your Microsoft Defender for Cloud Getting Started page, where you can choose on which subscriptions to enable Microsoft Defender for Cloud altogether.

- :::image type="content" source="./media/connect-defender-for-cloud/azure-defender-config.png" alt-text="Screenshot of Microsoft Defender for Cloud connector configuration":::

- >

-

-Ingest-time transformation also allows you to normalize logs when ingested into built-in or customer ASIM normalized tables. Using ingest-time normalization improves normalized queries performance.

-For more information on ingest-time normalization using transformations, refer to [Ingest-time normalization](normalization-ingest-time.md).

-Microsoft Sentinel's support for ingestion-time transformation depends on the type of data connector you're using. For more in-depth information on custom logs, ingestion-time transformation, and data collection rules, see the articles linked in the [Next steps](#next-steps) section at the end of this article.

-## Next steps

-[Get started configuring ingestion-time data transformation in Microsoft Sentinel](configure-data-transformation.md).

-Learn more about Microsoft Sentinel data connector types. For more information, see:

-> [!IMPORTANT]

-> The MITRE page in Microsoft Sentinel is currently in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

->

-In Microsoft Sentinel, in the **Threat management** menu on the left, select **MITRE**. By default, both currently active scheduled query and near real-time (NRT) rules are indicated in the coverage matrix.

- - Select **View technique details** for more information about the selected technique in the MITRE ATT&CK framework knowledge base.

- - Select links to any of the active items to jump to the relevant area in Microsoft Sentinel.

-## Simulate possible coverage with available detections

-In the MITRE coverage matrix, *simulated* coverage refers to detections that are available, but not currently configured, in your Microsoft Sentinel workspace. View your simulated coverage to understand your organization's possible security status, were you to configure all detections available to you.

-In Microsoft Sentinel, in the **General** menu on the left, select **MITRE**.

-Select items in the **Simulate** menu to simulate your organization's possible security status.

- - Select **View technique details** for more information about the selected technique in the MITRE ATT&CK framework knowledge base.

- - Select links to any of the simulation items to jump to the relevant area in Microsoft Sentinel.

- For example, select **Hunting queries** to jump to the **Hunting** page. There, you'll see a filtered list of the hunting queries that are associated with the selected technique, and available for you to configure in your workspace.

-## Next steps

-This article provides an overview of the Advanced Security Information Model (ASIM), its use cases and major components. Refer to the [next steps](#next-steps) section for more details.

- :::image type="content" source="media/normalization/asim-architecture.png" alt-text="Non-normalized to normalized data conversion flow and usage in Microsoft Sentinel":::

-### Normalized schemas

-

-

-Content which uses ASIM includes solutions, analytics rules, workbooks, hunting queries, and more. Content for each normalized schema works on any normalized data without the need to create source-specific content.

-## <a name="next-steps"></a>Next steps

-> [!TIP]

-> For optimal results, in the *systemconfig.json* file on your data connector agent machine, under the `[ABAP Table Selector](reference-systemconfig-json.md#abap-table-selector)` section, enable both the `PAHI_FULL` and the `PAHI_INCREMENTAL` parameters. For more information, see [Systemconfig.json file reference](reference-systemconfig-json.md#abap-table-selector).

-If the PAHI table is updated regularly, the `SAP_COLLECTOR_FOR_PERFMONITOR` job is scheduled and runs hourly. If the `SAP_COLLECTOR_FOR_PERFMONITOR` job doesn't exist, make sure to configure it as needed. For more information, see the SAP documentation: [Database Collector in Background Processing](https://help.sap.com/doc/saphelp_nw75/7.5.5/en-US/c4/3a735b505211d189550000e829fbbd/frameset.htm) and [Configuring the Data Collector](https://help.sap.com/docs/SAP_NETWEAVER_AS_ABAP_752/3364beced9d145a5ad185c89a1e04658/c43a818c505211d189550000e829fbbd.html)

-The default **systemconfig** file is configured to cover built-in analytics, the SAP user authorization master data tables, with users and privilege information, and the ability to track changes and activities on the SAP landscape. The default configuration provides more logging information to allow for post-breach investigations and extended hunting abilities.

-However you might want to customize your configuration over time, especially as business processes tend to be seasonal.

-```python

-##############################################################

-# Enter True OR False for each log to send those logs to Microsoft Sentinel

-[Logs Activation Status]

-ABAPAuditLog = True

-ABAPJobLog = True

-ABAPSpoolLog = True

-ABAPSpoolOutputLog = True

-ABAPChangeDocsLog = True

-ABAPAppLog = True

-ABAPWorkflowLog = True

-ABAPCRLog = True

-ABAPTableDataLog = False

-# ABAP SAP Control Logs - Retrieved by using SAP Conntrol interface and OS Login

-ABAPFilesLogs = False

-SysLog = False

-ICM = False

-WP = False

-GW = False

-# Java SAP Control Logs - Retrieved by using SAP Conntrol interface and OS Login

-JAVAFilesLogs = False

-##############################################################

-```python

-##############################################################

-[Logs Activation Status]

-# ABAP RFC Logs - Retrieved by using RFC interface

-ABAPAuditLog = True

-ABAPJobLog = False

-ABAPSpoolLog = False

-ABAPSpoolOutputLog = False

-ABAPChangeDocsLog = True

-ABAPAppLog = False

-ABAPWorkflowLog = False

-ABAPCRLog = True

-ABAPTableDataLog = False

-# ABAP SAP Control Logs - Retrieved by using SAP Conntrol interface and OS Login

-ABAPFilesLogs = False

-SysLog = False

-ICM = False

-WP = False

-GW = False

-# Java SAP Control Logs - Retrieved by using SAP Conntrol interface and OS Login

-JAVAFilesLogs = False

-[ABAP Table Selector]

-AGR_TCODES_FULL = True

-USR01_FULL = True

-USR02_FULL = True

-USR02_INCREMENTAL = True

-AGR_1251_FULL = True

-AGR_USERS_FULL = True

-AGR_USERS_INCREMENTAL = True

-AGR_PROF_FULL = True

-UST04_FULL = True

-USR21_FULL = True

-ADR6_FULL = True

-ADCP_FULL = True

-USR05_FULL = True

-USGRP_USER_FULL = True

-USER_ADDR_FULL = True

-DEVACCESS_FULL = True

-AGR_DEFINE_FULL = True

-AGR_DEFINE_INCREMENTAL = True

-PAHI_FULL = False

-AGR_AGRS_FULL = True

-USRSTAMP_FULL = True

-USRSTAMP_INCREMENTAL = True

-AGR_FLAGS_FULL = True

-AGR_FLAGS_INCREMENTAL = True

-SNCSYSACL_FULL = False

-USRACL_FULL = False

-```python

-[Logs Activation Status]

-# ABAP RFC Logs - Retrieved by using RFC interface

-ABAPAuditLog = True

-ABAPJobLog = False

-ABAPSpoolLog = False

-ABAPSpoolOutputLog = False

-ABAPChangeDocsLog = False

-ABAPAppLog = False

-ABAPWorkflowLog = False

-ABAPCRLog = False

-ABAPTableDataLog = False

-# ABAP SAP Control Logs - Retrieved by using SAP Conntrol interface and OS Login

-ABAPFilesLogs = False

-SysLog = False

-ICM = False

-WP = False

-GW = False

-# Java SAP Control Logs - Retrieved by using SAP Conntrol interface and OS Login

-JAVAFilesLogs = False

-[ABAP Table Selector]

-AGR_TCODES_FULL = False

-USR01_FULL = False

-USR02_FULL = False

-USR02_INCREMENTAL = False

-AGR_1251_FULL = False

-AGR_USERS_FULL = False

-AGR_USERS_INCREMENTAL = False

-AGR_PROF_FULL = False

-UST04_FULL = False

-USR21_FULL = False

-ADR6_FULL = False

-ADCP_FULL = False

-USR05_FULL = False

-USGRP_USER_FULL = False

-USER_ADDR_FULL = False

-DEVACCESS_FULL = False

-AGR_DEFINE_FULL = False

-AGR_DEFINE_INCREMENTAL = False

-PAHI_FULL = False

-AGR_AGRS_FULL = False

-USRSTAMP_FULL = False

-USRSTAMP_INCREMENTAL = False

-AGR_FLAGS_FULL = False

-AGR_FLAGS_INCREMENTAL = False

-SNCSYSACL_FULL = False

-USRACL_FULL = False

-```python

-##############################################################

-[Connector Configuration]

-extractuseremail = True

-apiretry = True

-auditlogforcexal = False

-auditlogforcelegacyfiles = False

-timechunk = 60

-##############################################################

-```python

-[ABAP Table Selector]

-USR01_FULL = True

-USR02_FULL = True

-USR02_INCREMENTAL = True

-UST04_FULL = True

-AGR_USERS_FULL = True

-AGR_USERS_INCREMENTAL = True

-USR21_FULL = True

-AGR_1251_FULL = True

-ADR6_FULL = True

-AGR_TCODES_FULL = True

-DEVACCESS_FULL = True

-AGR_DEFINE_FULL = True

-AGR_DEFINE_INCREMENTAL = True

-AGR_PROF_FULL = True

-PAHI_FULL = True

-This article shows you how to connect to Azure Blob Storage by using the Azure Blob Storage client library for .NET. Once connected, your code can operate on containers, blobs, and features of the Blob Storage service.

-This article shows you how to connect to Azure Blob Storage by using the Azure Blob Storage client module for Go. Once connected, your code can operate on containers, blobs, and features of the Blob Storage service.

-This article shows you how to connect to Azure Blob Storage by using the Azure Blob Storage client library for Java. Once connected, your code can operate on containers, blobs, and features of the Blob Storage service.

-This article shows you how to connect to Azure Blob Storage by using the Azure Blob Storage client library for JavaScript. Once connected, your code can operate on containers, blobs, and features of the Blob Storage service.

-This article shows you how to connect to Azure Blob Storage by using the Azure Blob Storage client library for Python. Once connected, your code can operate on containers, blobs, and features of the Blob Storage service.

-| Azure Monitor | `Microsoft.Insights` | Write monitoring data to a secured storage account, including resource logs, Microsoft Entra sign-in and audit logs, and Microsoft Intune logs. [Learn more](/azure/azure-monitor/roles-permissions-security). |

-The article describes the built-in Synapse RBAC (role-based access control) roles, the permissions they grant, and the scopes at which they can be used.

-> Users with any Synapse RBAC role at any scope automatically have the Synapse User role at workspace scope.

-|Synapse Administrator|workspaces/read</br>workspaces/roleAssignments/write</br>workspaces/roleAssignments/delete</br>workspaces/managedPrivateEndpoint/write</br>workspaces/managedPrivateEndpoint/delete</br>workspaces/bigDataPool/useCompute/action</br>workspaces/bigDataPool/viewLogs/action</br>workspaces/scopePool/useCompute/action</br>workspaces/scopePool/viewLogs/action</br>workspaces/integrationRuntime/useCompute/action</br>workspaces/integrationRuntime/viewLogs/action</br>workspaces/artifacts/read</br>workspaces/notebooks/write</br>workspaces/sparkJobDefinitions/write</br>workspaces/scopeJobDefinitions/write</br>workspaces/sqlScripts/write</br>workspaces/dataFlows/write</br>workspaces/dataMappers/write</br>workspaces/pipelines/write</br>workspaces/triggers/write</br>workspaces/datasets/write</br>workspaces/linkedServices/write</br>workspaces/credentials/write</br>workspaces/notebooks/delete</br>workspaces/sparkJobDefinitions/delete</br>workspaces/scopeJobDefinitions/delete</br>workspaces/sqlScripts/delete</br>workspaces/dataFlows/delete</br>workspaces/dataMappers/delete</br>workspaces/pipelines/delete</br>workspaces/triggers/delete</br>workspaces/datasets/delete</br>workspaces/linkedServices/delete</br>workspaces/credentials/delete</br>workspaces/cancelPipelineRun/action</br>workspaces/notebooksViewOutputs/action</br>workspaces/pipelinesViewOutputs/action</br>workspaces/linkedServicesUseSecret/action</br>workspaces/credentialsUseSecret/action</br>workspaces/libraries/delete</br>workspaces/libraries/write</br>workspaces/kQLScripts/write</br>workspaces/kQLScripts/delete</br>workspaces/sparkConfigurations/write</br>workspaces/sparkConfigurations/delete</br>workspaces/synapseLinkConnections/read</br>workspaces/synapseLinkConnections/write</br>workspaces/synapseLinkConnections/delete</br>workspaces/synapseLinkConnections/useCompute/action|

-|Synapse Apache Spark Administrator|workspaces/read</br>workspaces/bigDataPools/useCompute/action</br>workspaces/bigDataPools/viewLogs/action</br>workspaces/notebooks/viewOutputs/action</br>workspaces/artifacts/read</br>workspaces/notebooks/write, delete</br>workspaces/sparkJobDefinitions/write, delete</br>workspaces/libraries/write, delete</br>workspaces/linkedServices/write, delete</br>workspaces/credentials/write, delete|

-|Synapse Contributor|workspaces/read</br>workspaces/bigDataPool/useCompute/action</br>workspaces/bigDataPool/viewLogs/action</br>workspaces/scopePool/useCompute/action</br>workspaces/scopePool/viewLogs/action</br>workspaces/integrationRuntime/useCompute/action</br>workspaces/integrationRuntime/viewLogs/action</br>workspaces/artifacts/read</br>workspaces/notebooks/write</br>workspaces/sparkJobDefinitions/write</br>workspaces/sqlScripts/write</br>workspaces/dataFlows/write</br>workspaces/dataMappers/write</br>workspaces/pipelines/write</br>workspaces/triggers/write</br>workspaces/datasets/write</br>workspaces/linkedServices/write</br>workspaces/credentials/write</br>workspaces/notebooks/delete</br>workspaces/sparkJobDefinitions/delete</br>workspaces/sqlScripts/delete</br>workspaces/dataFlows/delete</br>workspaces/dataMappers/delete</br>workspaces/pipelines/delete</br>workspaces/triggers/delete</br>workspaces/datasets/delete</br>workspaces/linkedServices/delete</br>workspaces/credentials/delete</br>workspaces/cancelPipelineRun/action</br>workspaces/notebooksViewOutputs/action</br>workspaces/pipelinesViewOutputs/action</br>workspaces/libraries/delete</br>workspaces/libraries/write</br>workspaces/kQLScripts/write</br>workspaces/kQLScripts/delete</br>workspaces/sparkConfigurations/write</br>workspaces/sparkConfigurations/delete</br>workspaces/synapseLinkConnections/read</br>workspaces/synapseLinkConnections/write</br>workspaces/synapseLinkConnections/delete</br>workspaces/synapseLinkConnections/useComputeAction|

-|Synapse Artifact Publisher|workspaces/read</br>workspaces/artifacts/read</br>workspaces/notebooks/write</br>workspaces/sparkJobDefinitions/write</br>workspaces/scopeJobDefinitions/write</br>workspaces/sqlScripts/write</br>workspaces/dataFlows/write</br>workspaces/dataMappers/write</br>workspaces/pipelines/write</br>workspaces/triggers/write</br>workspaces/datasets/write</br>workspaces/linkedServices/write</br>workspaces/credentials/write</br>workspaces/notebooks/delete</br>workspaces/sparkJobDefinitions/delete</br>workspaces/scopeJobDefinitions/delete</br>workspaces/sqlScripts/delete</br>workspaces/dataFlows/delete</br>workspaces/dataMappers/delete</br>workspaces/pipelines/delete</br>workspaces/triggers/delete</br>workspaces/datasets/delete</br>workspaces/linkedServices/delete</br>workspaces/credentials/delete</br>workspaces/notebooksViewOutputs/action</br>workspaces/pipelinesViewOutputs/action</br>workspaces/libraries/delete</br>workspaces/libraries/write</br>workspaces/kQLScripts/write</br>workspaces/kQLScripts/delete</br>workspaces/sparkConfigurations/write</br>workspaces/sparkConfigurationsDeleteAction|

-|Synapse Compute Operator |workspaces/read</br>workspaces/bigDataPools/useCompute/action</br>workspaces/bigDataPools/viewLogs/action</br>workspaces/integrationRuntimes/useCompute/action</br>workspaces/integrationRuntimes/viewLogs/action</br>workspaces/linkConnections/read</br>workspaces/linkConnections/useCompute/action|

-description: Learn how to configure redirection settings for Windows App and the Remote Desktop app for iOS/iPadOS and Android client devices using Microsoft Intune.

- - iOS and iPadOS: 10.5.2 or later.

- - iOS and iPadOS: 10.5.8 or later.

-For iOS and iPadOS devices that are enrolled only, you need to create an [app configuration policy for managed devices](/mem/intune/apps/app-configuration-policies-overview#managed-devices) for the Remote Desktop app.

-You need to create an [app configuration policy for managed apps](/mem/intune/apps/app-configuration-policies-overview#managed-devices) for Windows App and the Remote Desktop app, which enable you to provide configuration settings.

-You need to create an [app protection policy](/mem/intune/apps/app-protection-policy) for Windows App and the Remote Desktop app, which enable you to control how data is accessed and shared by apps on mobile devices.

-To create and apply an app protection policy, follow the steps in [How to create and assign app protection policies](/mem/intune/apps/app-protection-policies) and use the following settings. You need to create an app protection policy for each platform you want to target.

- - For iOS and iPadOS you can configure the following settings:

- - For Android you can configure the following settings:

- For version details, see [What's new in Windows App](/windows-app/whats-new), [What's new in the Remote Desktop client for iOS and iPadOS](whats-new-client-ios-ipados.md), and [What's new in the Remote Desktop client for Android and Chrome OS](whats-new-client-android-chrome-os.md).

-When creating an App Configuration Policy or an App Protection Policy, Remote Desktop is still shown instead of Windows App. This will be updated soon.

-> - The following items are not supported:

->

-> - Support for Windows 7 ended on January 10, 2023.

-> - Support for Windows Server 2012 R2 ended on October 10, 2023.

-* The following BareMetal Infrastructures are supported:

-Newly created or deleted subnets have their route table updated with eventual consistency. The processing time may vary based on the volume of subnet creation and deletion.

-## Limitations of UDR management

-The following are the limitations of UDR management with Azure Virtual Network

-> When you create and deploy a routing configuration, you need to be aware of the impact of existing routing rules. For more information, see [limitations for UDR management](./concept-user-defined-route.md#limitations-of-udr-management).

-### <a name="update-router"></a>Why am I seeing a message and button called "Update router to latest software version" in portal?

-> [!NOTE]

-> As of July 1 2024, hubs on the old version will be retired in phases and stop functioning as expected.

->

-Azure-wide Cloud Services-based infrastructure is deprecating. As a result, the Virtual WAN team has been working on upgrading virtual routers from their current Cloud Services infrastructure to Virtual Machine Scale Sets based deployments. **All newly created Virtual Hubs will automatically be deployed on the latest Virtual Machine Scale Sets based infrastructure.** If you navigate to your Virtual WAN hub resource and see this message and button, then you can upgrade your router to the latest version by clicking on the button. If you would like to take advantage of new Virtual WAN features, such as [BGP peering with the hub](create-bgp-peering-hub-portal.md), you'll have to update your virtual hub router via Azure portal. If the button isn't visible, open a support case.

-YouΓÇÖll only be able to update your virtual hub router if all the resources (gateways/route tables/VNet connections) in your hub are in a succeeded state. Make sure all your spoke virtual networks are in active/enabled subscriptions and that your spoke virtual networks aren't deleted. Additionally, as this operation requires deployment of new virtual machine scale sets based virtual hub routers, youΓÇÖll face an expected downtime of 1-2 minutes for VNet-to-VNet traffic through the same hub and 5-7 minutes for all other traffic flows through the hub. Please plan a maintenance window of at least 30 minutes, as downtime can last up to 30 minutes in the worst-case scenario. Within a single Virtual WAN resource, hubs should be updated one at a time instead of updating multiple at the same time. When the Router Version says ΓÇ£LatestΓÇ¥, then the hub is done updating. There will be no routing behavior changes after this update.

-There are several things to note with the virtual hub router upgrade:

-* If you have already configured BGP peering between your Virtual WAN hub and an NVA in a spoke VNet, then you'll have to [delete and then recreate the BGP peer](create-bgp-peering-hub-portal.md). Since the virtual hub router's IP addresses change after the upgrade, you'll also have to reconfigure your NVA to peer with the virtual hub router's new IP addresses. These IP addresses are represented as the "virtualRouterIps" field in the Virtual Hub's Resource JSON.

-* If you have a network virtual appliance (NVA) in the virtual hub, you'll have to work with your NVA partner to obtain instructions on how to upgrade your Virtual WAN hub.

-* If your virtual hub is configured with more than 15 routing infrastructure units, please scale in your virtual hub to 2 routing infrastructure units before attempting to upgrade. You can scale back out your hub to more than 15 routing infrastructure units after upgrading your hub.

-If the update fails for any reason, your hub will be auto recovered to the old version to ensure there's still a working setup.

-Additional things to note:

-* The user will need to have an **owner** or **contributor** role to see an accurate status of the hub router version. If a user is assigned a **reader** role to the Virtual WAN resource and subscription, the Azure portal displays to that user that the hub router needs to be upgraded to the latest version, even if the hub is already on the latest version.

-* If you change your spoke virtual network's subscription status from disabled to enabled and then upgrade the virtual hub, you'll need to update your virtual network connection after the virtual hub upgrade (Ex: you can configure the virtual network connection to propagate to a dummy label).

-* If your hub is connected to a large number of spoke virtual networks (60 or more), then you might notice that 1 or more spoke VNet peerings will enter a failed state after the upgrade. To restore these VNet peerings to a successful state after the upgrade, you can configure the virtual network connections to propagate to a dummy label, or you can delete and recreate these respective VNet connections.