+- **A display control returns the output claims** - Your technical profile may have a reference to a [display control](display-controls.md). The display control returns some claims, such as the verified email address. You may want to bubble up the claims and return them to the next orchestration steps in the user journey.

+The Microsoft identity platform uses the cloud service's **Metadata URI** to retrieve the signing key and the logout URI. This way the Microsoft identity platform can send the response to the correct URL. In the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>;

+- Open the app in **Azure Active Directory** and select **App registrations**

+- Under **Manage**, select **Authentication**. From there you can update the Logout URL.

+Azure AD exposes tenant-specific and common (tenant-independent) SSO and single sign-out endpoints. These URLs represent addressable locations, and aren't only identifiers. You can then go to the endpoint to read the metadata.

+- The tenant-specific endpoint is located at `https://login.microsoftonline.com/<TenantDomainName>/FederationMetadata/2007-06/FederationMetadata.xml`. The *\<TenantDomainName>* placeholder represents a registered domain name or TenantID GUID of an Azure AD tenant. For example, the federation metadata of the `contoso.com` tenant is at: https://login.microsoftonline.com/contoso.com/FederationMetadata/2007-06/FederationMetadata.xml

+ `https://login.microsoftonline.com/common/FederationMetadata/2007-06/FederationMetadata.xml`. In this endpoint address, *common* appears instead of a tenant domain name or ID.

+ Title: "How to configure app instance property lock in your applications"

+description: How to increase app security by configuring property modification locks for sensitive properties of the application.

+# Customer intent: As an application developer, I want to learn how to protect properties of my application instance of being modified.

+# How to configure app instance property lock for your applications (Preview)

+Application instance lock is a feature in Azure Active Directory (Azure AD) that allows sensitive properties of a multi-tenant application object to be locked for modification after the application is provisioned in another tenant.

+This feature provides application developers with the ability to lock certain properties if the application doesn't support scenarios that require configuring those properties.

+## What are sensitive properties?

+The following property usage scenarios are considered as sensitive:

+- Credentials (`keyCredentials`, `passwordCredentials`) where usage type is `Sign`. This is a scenario where your application supports a SAML flow.

+- Credentials (`keyCredentials`, `passwordCredentials`) where usage type is `Verify`. In this scenario, your application supports an OIDC client credentials flow.

+- `TokenEncryptionKeyId` which specifies the keyId of a public key from the keyCredentials collection. When configured, Azure AD encrypts all the tokens it emits by using the key to which this property points. The application code that receives the encrypted token must use the matching private key to decrypt the token before it can be used for the signed-in user.

+## Configure an app instance lock

+To configure an app instance lock using the Azure portal:

+1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>.

+1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="./media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant that contains the app registration you want to configure.

+1. Search for and select **Azure Active Directory**.

+1. Under **Manage**, select **App registrations**, and then select the application you want to configure.

+1. Select **Authentication**, and then select **Configure** under the *App instance property lock* section.

+ :::image type="content" source="media/howto-configure-app-instance-property-locks/app-instance-lock-configure-overview.png" alt-text="Screenshot of an app registration's app instance lock in the Azure portal.":::

+2. In the **App instance property lock** pane, enter the settings for the lock. The table following the image describes each setting and their parameters.

+ :::image type="content" source="media/howto-configure-app-instance-property-locks/app-instance-lock-configure-properties.png" alt-text="Screenshot of an app registration's app instance property lock context pane in the Azure portal.":::

+ | Field | Description |

+ | - | -- |

+ | **Enable property lock** | Specifies if the property locks are enabled. |

+ | **All properties** | Locks all sensitive properties without needing to select each property scenario. |

+ | **Credentials used for verification** | Locks the ability to add or update credential properties (`keyCredentials`, `passwordCredentials`) where usage type is `verify`. |

+ | **Credentials used for signing tokens** | Locks the ability to add or update credential properties (`keyCredentials`, `passwordCredentials`) where usage type is `sign`. |

+ | **Token Encryption KeyId** | Locks the ability to change the `tokenEncryptionKeyId` property. |

+3. Select **Save** to save your changes.

+ npm install --save @azure/msal-node @microsoft/microsoft-graph-client isomorphic-fetch bootstrap jquery popper.js

+# Customer intent: As a tenant administrator, I want to create custom attributes for the self-service sign-up user flows.

+- [Add a self-service sign-up user flow to an app](self-service-sign-up-user-flow.md)

+- [Customize the user flow language](user-flow-customize-language.md)

+After you delete a user, the account remains in a suspended state for 30 days. During that 30-day window, the user account can be restored, along with all its properties. After that 30-day window passes, the permanent deletion process is automatically started and can't be stopped. During this time, the management of soft-deleted users is blocked. This limitation also applies to restoring a soft-deleted user via a match during Tenant sync cycle for on-premises hybrid scenarios.

+Microsoft will stop support for Azure AD provisioning agent with versions 1.1.818.0 and below starting Feb 1,2023. If you're using Azure AD cloud sync, please make sure you have the latest version of the agent. You can info about the agent release history [here](../app-provisioning/provisioning-agent-release-version-history.md). You can download the latest version [here](https://download.msappproxy.net/Subscription/d3c8b69d-6bf7-42be-a529-3fe9c2e70c90/Connector/provisioningAgentInstaller)

+You can find out which version of the agent you're using as follows:

+1. Going to the domain server that you have the agent installed

+1. Select on ΓÇ£DetailsΓÇ¥ tab and you can find the version number there

+This feature provides Machine Learning based recommendations to the reviewers of Azure AD Access Reviews to make the review experience easier and more accurate. The recommendation detects user affiliation with other users within the group, and applies the scoring mechanism we built by computing the userΓÇÖs average distance with other users in the group. For more information, see: [Review recommendations for Access reviews](../governance/review-recommendations-access-reviews.md).

+The number matching feature greatly up-levels the security posture of the Microsoft Authenticator app and protects organizations from MFA fatigue attacks. We highly encourage our customers to adopt this feature applying the rollout controls we have built. Number Matching will begin to be enabled for all users of the Microsoft Authenticator app starting 27th of February 2023.

+1. Under rules, select the **Property**, **Operator**, and give it a **value**. The following picture gives an example of a rule being set up for a sales department. For a full list of user properties supported by Lifecycle Workflows, see [Supported user properties and query parameters](/graph/api/resources/identitygovernance-rulebasedsubjectset?view=graph-rest-beta#supported-user-properties-and-query-parameters)

+ 8. Next, you will configure the scope. The scope determines which users this workflow will run against. In this case, it will be on all users in the Sales department. On the configure scope screen, under **Rule** add the following settings and then select **Next: Review tasks**. For a full list of supported user properties, see: [Supported user properties and query parameters](/graph/api/resources/identitygovernance-rulebasedsubjectset?view=graph-rest-beta#supported-user-properties-and-query-parameters)

+ 8. Next, you will configure the scope. The scope determines which users this workflow will run against. In this case, it will be on all users in the Marketing department. On the configure scope screen, under **Rule** add the following and then select **Next: Review tasks**. For a full list of supported user properties, see: [Supported user properties and query parameters](/graph/api/resources/identitygovernance-rulebasedsubjectset?view=graph-rest-beta#supported-user-properties-and-query-parameters)

+> For a full list of user properties supported by Lifecycle Workflows, see [Supported user properties and query parameters](/graph/api/resources/identitygovernance-rulebasedsubjectset?view=graph-rest-beta#supported-user-properties-and-query-parameters)

+description: Learn how to grant tenant-wide consent to an application so that end-users aren't prompted for consent when signing in to an application.

+zone_pivot_groups: enterprise-apps-minus-aad-powershell

+When you grant tenant-wide admin consent to an application, you give the application access on behalf of the whole organization to the permissions requested. Granting admin consent on behalf of an organization is a sensitive operation, potentially allowing the application's publisher access to significant portions of your organization's data, or the permission to do highly privileged operations. Examples of such operations might be role management, full access to all mailboxes or all sites, and full user impersonation. Carefully review the permissions that the application is requesting before you grant consent.

+Granting tenant-wide admin consent may revoke any permissions that had previously been granted tenant-wide for that application. Permissions that have previously been granted by users on their own behalf won't be affected.

+In the following example, you'll grant delegated permissions defined by a resource enterprise application to a client enterprise application on behalf of all users.

+In the example, the resource enterprise application is Microsoft Graph of object ID `7ea9e944-71ce-443d-811c-71e8047b557a`. The Microsoft Graph defines the delegated permissions, `User.Read.All` and `Group.Read.All`. The consentType is `AllPrincipals`, indicating that you're consenting on behalf of all users in the tenant. The object ID of the client enterprise application is `b0d9b9e3-0ecf-4bfd-8dab-9273dd055a941`.

+> [!CAUTION]

+> Be careful! Permissions granted programmatically are not subject to review or confirmation. They take effect immediately.

+## Grant admin consent for delegated permissions

+1. Connect to Microsoft Graph PowerShell:

+ ```powershell

+ Connect-MgGraph -Scopes "Application.ReadWrite.All", "DelegatedPermissionGrant.ReadWrite.All"

+ ```

+1. Retrieve all the delegated permissions defined by Microsoft graph (the resource application) in your tenant application. Identify the delegated permissions that you'll grant the client application. In this example, the delegation permissions are `User.Read.All` and `Group.Read.All`

+

+ ```powershell

+ Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Graph'" -Property Oauth2PermissionScopes | Select -ExpandProperty Oauth2PermissionScopes | fl

+ ```

+1. Grant the delegated permissions to the client enterprise application by running the following request.

+

+```powershell

+$params = @{

+

+ "ClientId" = "b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94"

+ "ConsentType" = "AllPrincipals"

+ "ResourceId" = "7ea9e944-71ce-443d-811c-71e8047b557a"

+ "Scope" = "User.Read.All Group.Read.All"

+}

+New-MgOauth2PermissionGrant -BodyParameter $params |

+ Format-List Id, ClientId, ConsentType, ResourceId, Scope

+```

+

+1. Confirm that you've granted tenant wide admin consent by running the following request.

+

+ ```powershell

+ Get-MgOauth2PermissionGrant-Filter "clientId eq 'b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94' consentType eq 'AllPrincipals'"

+ ```

+## Grant admin consent for application permissions

+In the following example, you grant the Microsoft Graph enterprise application (the principal of ID `b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94`) an app role (application permission) of ID `df021288-bdef-4463-88db-98f22de89214` that's exposed by a resource enterprise application of ID `7ea9e944-71ce-443d-811c-71e8047b557a`.

+1. Connect to Microsoft Graph PowerShell:

+ ```powershell

+ Connect-MgGraph -Scopes "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All"

+ ```

+1. Retrieve the app roles defined by Microsoft graph in your tenant. Identify the app role that you'll grant the client enterprise application. In this example, the app role ID is `df021288-bdef-4463-88db-98f22de89214`.

+ ```powershell

+ Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Graph'" -Property AppRoles | Select -ExpandProperty appRoles |fl

+ ```

+

+1. Grant the application permission (app role) to the client enterprise application by running the following request.

+```powershell

+ $params = @{

+ "PrincipalId" ="b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94"

+ "ResourceId" = "2cab1707-656d-40cc-8522-3178a184e03d"

+ "AppRoleId" = "df021288-bdef-4463-88db-98f22de89214"

+}

+New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId '2cab1707-656d-40cc-8522-3178a184e03d' -BodyParameter $params |

+ Format-List Id, AppRoleId, CreatedDateTime, PrincipalDisplayName, PrincipalId, PrincipalType, ResourceDisplayName

+```

+Use [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer) to grant both delegated and application permissions.

+## Grant admin consent for delegated permissions

+In the following example, you'll grant delegated permissions defined by a resource enterprise application to a client enterprise application on behalf of all users.

+In the example, the resource enterprise application is Microsoft Graph of object ID `7ea9e944-71ce-443d-811c-71e8047b557a`. The Microsoft Graph defines the delegated permissions, `User.Read.All` and `Group.Read.All`. The consentType is `AllPrincipals`, indicating that you're consenting on behalf of all users in the tenant. The object ID of the client enterprise application is `b0d9b9e3-0ecf-4bfd-8dab-9273dd055a941`.

+> [!CAUTION]

+> Be careful! Permissions granted programmatically are not subject to review or confirmation. They take effect immediately.

+1. Retrieve all the delegated permissions defined by Microsoft graph (the resource application) in your tenant application. Identify the delegated permissions that you'll grant the client application. In this example, the delegation permissions are `User.Read.All` and `Group.Read.All`

+

+ ```http

+ GET https://graph.microsoft.com/v1.0/servicePrincipals?$filter=displayName eq 'Microsoft Graph'&$select=id,displayName,appId,oauth2PermissionScopes

+ ```

+1. Grant the delegated permissions to the client enterprise application by running the following request.

+

+ ```http

+ POST https://graph.microsoft.com/v1.0/oauth2PermissionGrants

+

+ Request body

+ {

+ "clientId": "b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94",

+ "consentType": "AllPrincipals",

+ "resourceId": "7ea9e944-71ce-443d-811c-71e8047b557a",

+ "scope": "User.Read.All Group.Read.All"

+ }

+ ```

+1. Confirm that you've granted tenant wide admin consent by running the following request.

+ ```http

+ GET https://graph.microsoft.com/v1.0/oauth2PermissionGrants?$filter=clientId eq 'b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94' and consentType eq 'AllPrincipals'

+ ```

+## Grant admin consent for application permissions

+In the following example, you grant the Microsoft Graph enterprise application (the principal of ID `b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94`) an app role (application permission) of ID `df021288-bdef-4463-88db-98f22de89214` that's exposed by a resource enterprise application of ID `7ea9e944-71ce-443d-811c-71e8047b557a`.

+1. Retrieve the app roles defined by Microsoft graph in your tenant. Identify the app role that you'll grant the client enterprise application. In this example, the app role ID is `df021288-bdef-4463-88db-98f22de89214`

+ ```http

+ GET https://graph.microsoft.com/v1.0/servicePrincipals?$filter=displayName eq 'Microsoft Graph'&$select=id,displayName,appId,appRoles

+ ```

+1. Grant the application permission (app role) to the client enterprise application by running the following request.

+ ```http

+ POST https://graph.microsoft.com/v1.0/servicePrincipals/7ea9e944-71ce-443d-811c-71e8047b557a/appRoleAssignedTo

+

+ Request body

+ {

+ "principalId": "b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94",

+ "resourceId": "7ea9e944-71ce-443d-811c-71e8047b557a",

+ "appRoleId": "df021288-bdef-4463-88db-98f22de89214"

+ }

+ ```

+# Review permissions granted to enterprise applications

+The steps in this article apply to all applications that were added to your Azure Active Directory (Azure AD) tenant via user or admin consent. For more information on consenting to applications, see [User and admin consent](user-admin-consent-overview.md).

+## Review permissions

+## Revoke permissions

+# Remove all application permissions

+# Get all delegated permissions for the service principal

+Depending on where you want to route the audit log data, you need one of the following endpoints:

+If you already have an Azure AD license, you need an Azure subscription to set up the storage account and Event Hubs. The Azure subscription comes at no cost, but you have to pay to utilize Azure resources, including the storage account that you use for archival and the Event Hubs that you use for streaming. The amount of data and, thus, the cost incurred, can vary significantly depending on the tenant size.

+### Event Hubs messages for activity logs

+Events are batched into approximately five-minute intervals and sent as a single message that contains all the events within that timeframe. A message in the Event Hubs has a maximum size of 256 KB. If the total size of all the messages within the timeframe exceeds that volume, multiple messages are sent.

+ Title: Sign-in logs (preview) in Azure Active Directory | Microsoft Docs

+description: Conceptual information about Azure AD sign-in logs, including new features in preview.

+# Sign-in logs in Azure Active Directory (preview)

+Reviewing sign-in errors and patterns provides valuable insight into how your users access applications and services. The sign-in logs provided by Azure Active Directory (Azure AD) are a powerful type of [activity log](overview-reports.md) that IT administrators can analyze. This article explains how to access and utilize the sign-in logs.

+Two other activity logs are also available to help monitor the health of your tenant:

+The classic sign-in logs in Azure AD provide you with an overview of interactive user sign-ins. Three more sign-in logs are now in preview:

+This article gives you an overview of the sign-in activity report with the preview of non-interactive, application, and managed identities for Azure resources sign-ins. For information about the sign-in report without the preview features, see [Sign-in logs in Azure Active Directory](concept-sign-ins.md).

+## How do you access the sign-in logs?

+You can always access your own sign-ins history at [https://mysignins.microsoft.com](https://mysignins.microsoft.com).

+To access the sign-ins log for a tenant, you must have one of the following roles:

+- Global Administrator

+- Security Administrator

+- Security Reader

+- Global Reader

+- Reports Reader

+The sign-in activity report is available in [all editions of Azure AD](reference-reports-data-retention.md#how-long-does-azure-ad-store-the-data). If you have an Azure Active Directory P1 or P2 license, you can access the sign-in activity report through the Microsoft Graph API. See [Getting started with Azure Active Directory Premium](../fundamentals/active-directory-get-started-premium.md) to upgrade your Azure Active Directory edition. It will take a couple of days for the data to show up in Graph after you upgrade to a premium license with no data activities before the upgrade.

+**To access the Azure AD sign-ins log preview:**

+1. Sign in to the [Azure portal](https://portal.azure.com) using the appropriate least privileged role.

+1. Go to **Azure Active Directory** > **Sign-ins log**.

+1. Select the **Try out our new sign-ins preview** link.

+ 

+ To toggle back to the legacy view, select the **Click here to leave the preview** link.

+ 

+You can also access the sign-in logs from the following areas of Azure AD:

+- Users

+- Groups

+- Enterprise applications

+On the sign-in logs page, you can switch between:

+- **Interactive user sign-ins:** Sign-ins where a user provides an authentication factor, such as a password, a response through an MFA app, a biometric factor, or a QR code.

+- **Non-interactive user sign-ins:** Sign-ins performed by a client on behalf of a user. These sign-ins don't require any interaction or authentication factor from the user. For example, authentication and authorization using refresh and access tokens that don't require a user to enter credentials.

+- **Service principal sign-ins:** Sign-ins by apps and service principals that don't involve any user. In these sign-ins, the app or service provides a credential on its own behalf to authenticate or access resources.

+- **Managed identities for Azure resources sign-ins:** Sign-ins by Azure resources that have secrets managed by Azure. For more information, see [What are managed identities for Azure resources?](../managed-identities-azure-resources/overview.md)

+## View the sign-ins log

+To more effectively view the sign-ins log, spend a few moments customizing the view for your needs. You can specify what columns to include and filter the data to narrow things down.

+Interactive user sign-ins provide an authentication factor to Azure AD or interact directly with Azure AD or a helper app, such as the Microsoft Authenticator app. Users can provide passwords, responses to MFA challenges, biometric factors, or QR codes to Azure AD or to a helper app. This log also includes federated sign-ins from identity providers that are federated to Azure AD.

+> The interactive user sign-in log previously contained some non-interactive sign-ins from Microsoft Exchange clients. Although those sign-ins were non-interactive, they were included in the interactive user sign-in log for additional visibility. Once the non-interactive user sign-in log entered public preview in November 2020, those non-interactive sign-in logs were moved to the non-interactive user sign in log for increased accuracy.

+**Report size:** small </br>

+- Whether Conditional Access has been applied

+

+Like interactive user sign-ins, non-interactive sign-ins are done on behalf of a user. These sign-ins were performed by a client app or OS components on behalf of a user and don't require the user to provide an authentication factor. Instead, the device or client app uses a token or code to authenticate or access a resource on behalf of a user. In general, the user will perceive these sign-ins as happening in the background.

+**Report size:** Large </br>

+

+To make it easier to digest the data, non-interactive sign-in events are grouped. Clients often create many non-interactive sign-ins on behalf of the same user in a short time period. The non-interactive sign-ins share the same characteristics except for the time the sign-in was attempted. For example, a client may get an access token once per hour on behalf of a user. If the state of the user or client doesn't change, the IP address, resource, and all other information is the same for each access token request. The only state that does change is the date and time of the sign-in.

+When Azure AD logs multiple sign-ins that are identical other than time and date, those sign-ins will be from the same entity and are aggregated into a single row. A row with multiple identical sign-ins (except for date and time issued) will have a value greater than 1 in the *# sign-ins* column. These aggregated sign-ins may also appear to have the same time stamps. The **Time aggregate** filter can set to 1 hour, 6 hours, or 24 hours. You can expand the row to see all the different sign-ins and their different time stamps.

+Sign-ins are aggregated in the non-interactive users when the following data matches:

+- Application

+- User

+### Service principal sign-ins

+Unlike interactive and non-interactive user sign-ins, service principal sign-ins don't involve a user. Instead, they're sign-ins by any non-user account, such as apps or service principals (except managed identity sign-in, which are in included only in the managed identity sign-in log). In these sign-ins, the app or service provides its own credential, such as a certificate or app secret to authenticate or access resources.

+**Report size:** Large </br>

+### Managed identity for Azure resources sign-ins

+Managed identities for Azure resources sign-ins are sign-ins that were performed by resources that have their secrets managed by Azure to simplify credential management. A VM with managed credentials uses Azure AD to get an Access Token.

+**Report size:** Small </br>

+ You can't customize the fields shown in this report.

+Select an item in the list view to display all sign-ins that are grouped under a node. Select a grouped item to see all details of the sign-in.

+### Filter the results

+Filtering the sign-ins log is a helpful way to quickly find logs that match a specific scenario. For example, you could filter the list to only view sign-ins that occurred in a specific geographic location, from a specific operating system, or from a specific type of credential.

+Some filter options prompt you to select more options. Follow the prompts to make the selection you need for the filter. You can add multiple filters. Take note of the **Date** range in your filter to ensure that Azure AD only returns the data you need. The filter you configure for interactive sign-ins is persisted for non-interactive sign-ins and vice versa.

+Select the **Add filters** option from the top of the table to get started.

+

+There are several filter options to choose from. Below are some notable options and details.

+- **User:** The *user principal name* (UPN) of the user in question.

+- **Status:** Options are *Success*, *Failure*, and *Interrupted*.

+- **Resource:** The name of the service used for the sign-in.

+- **Conditional access:** The status of the Conditional Access (CA) policy. Options are:

+ - *Not applied:* No policy applied to the user and application during sign-in.

+ - *Success:* One or more CA policies applied to the user and application (but not necessarily the other conditions) during sign-in.

+ - *Failure:* The sign-in satisfied the user and application condition of at least one CA policy and grant controls are either not satisfied or set to block access.

+- **IP addresses:** There's no definitive connection between an IP address and where the computer with that address is physically located. Mobile providers and VPNs issue IP addresses from central pools that are often far from where the client device is used. Currently, converting IP address to a physical location is a best effort based on traces, registry data, reverse lookups and other information.

+The following table provides the options and descriptions for the **Client app** filter option.

+> [!NOTE]

+> Due to privacy commitments, Azure AD does not populate this field to the home tenant in the case of a cross-tenant scenario.

+|Name|Modern authentication|Description|

+||:-:||

+|Authenticated SMTP| |Used by POP and IMAP client's to send email messages.|

+|Autodiscover| |Used by Outlook and EAS clients to find and connect to mailboxes in Exchange Online.|

+|Exchange ActiveSync| |This filter shows all sign-in attempts where the EAS protocol has been attempted.|

+|Browser||Shows all sign-in attempts from users using web browsers|

+|Exchange ActiveSync| | Shows all sign-in attempts from users with client apps using Exchange ActiveSync to connect to Exchange Online|

+|Exchange Online PowerShell| |Used to connect to Exchange Online with remote PowerShell. If you block basic authentication for Exchange Online PowerShell, you need to use the Exchange Online PowerShell module to connect. For instructions, see [Connect to Exchange Online PowerShell using multi-factor authentication](/powershell/exchange/exchange-online/connect-to-exchange-online-powershell/mfa-connect-to-exchange-online-powershell).|

+|Exchange Web Services| |A programming interface that's used by Outlook, Outlook for Mac, and third-party apps.|

+|IMAP4| |A legacy mail client using IMAP to retrieve email.|

+|MAPI over HTTP| |Used by Outlook 2010 and later.|

+|Mobile apps and desktop clients||Shows all sign-in attempts from users using mobile apps and desktop clients.|

+|Offline Address Book| |A copy of address list collections that are downloaded and used by Outlook.|

+|Outlook Anywhere (RPC over HTTP)| |Used by Outlook 2016 and earlier.|

+|Outlook Service| |Used by the Mail and Calendar app for Windows 10.|

+|POP3| |A legacy mail client using POP3 to retrieve email.|

+|Reporting Web Services| |Used to retrieve report data in Exchange Online.|

+|Other clients| |Shows all sign-in attempts from users where the client app isn't included or unknown.|

+## Analyze the sign-in logs

+Now that your sign-in logs table is formatted appropriately, you can more effectively analyze the data. Some common scenarios are described here, but they aren't the only ways to analyze sign-in data. Further analysis and retention of sign-in data can be accomplished by exporting the logs to other tools.

+### Sign-in error code

+If a sign-in failed, you can get more information about the reason in the **Basic info** section of the related log item. The error code and associated failure reason appear in the details. Because of the complexity of some Azure AD environments, we can't document every possible error code and resolution. Some errors may require [submitting a support request](../fundamentals/how-to-get-support.md) to resolve the issue.

+

+

+For a list of error codes related to Azure AD authentication and authorization, see the [Azure AD authentication and authorization error codes](../develop/reference-aadsts-error-codes.md) article. In some cases, the [sign-in error lookup tool](https://login.microsoftonline.com/error) may provide remediation steps. Enter the **Error code** provided in the sign-in log details into the tool and select the **Submit** button.

+

+### Authentication details

+The **Authentication Details** tab in the details of a sign-in log provides the following information for each authentication attempt:

+- A list of authentication policies applied, such as Conditional Access or Security Defaults.

+- A list of session lifetime policies applied, such as Sign-in frequency or Remember MFA.

+- The sequence of authentication methods used to sign-in.

+- If the authentication attempt was successful and the reason why.

+This information allows you to troubleshoot each step in a userΓÇÖs sign-in. Use these details to track:

+- The volume of sign-ins protected by MFA.

+- The reason for the authentication prompt, based on the session lifetime policies.

+- Usage and success rates for each authentication method.

+- Usage of passwordless authentication methods, such as Passwordless Phone Sign-in, FIDO2, and Windows Hello for Business.

+- How frequently authentication requirements are satisfied by token claims, such as when users aren't interactively prompted to enter a password or enter an SMS OTP.

+While viewing the sign-ins log, select a sign-in event, and then select the **Authentication Details** tab.

+

+When analyzing authentication details, take note of the following details:

+- **OATH verification code** is logged as the authentication method for both OATH hardware and software tokens (such as the Microsoft Authenticator app).

+- The **Authentication details** tab can initially show incomplete or inaccurate data until log information is fully aggregated. Known examples include:

+ - A **satisfied by claim in the token** message is incorrectly displayed when sign-in events are initially logged.

+ - The **Primary authentication** row isn't initially logged.

+## Sign-in data used by other services

+Sign-in data is used by several services in Azure to monitor risky sign-ins and provide insight into application usage.

+### Risky sign-in data in Azure AD Identity Protection

+Sign-in log data visualization that relates to risky sign-ins is available in the **Azure AD Identity Protection** overview, which uses the following data:

+- Risky users

+- Risky user sign-ins

+- Risky service principals

+- Risky service principal sign-ins

+For more information about the Azure AD Identity Protection tools, see the [Azure AD Identity Protection overview](../identity-protection/overview-identity-protection.md).

+

+### Azure AD application and authentication sign-in activity

+With an application-centric view of your sign-in data, you can answer questions such as:

+- Who is using my applications?

+- What are the top three applications in my organization?

+- How is my newest application doing?

+To view application-specific sign-in data, go to **Azure AD** and select **Usage & insights** from the Monitoring section. These reports provide a closer look at sign-ins for Azure AD application activity and AD FS application activity. For more information, see [Azure AD Usage & insights](concept-usage-insights-report.md).

+

+Azure AD Usage & insights also provides the **Authentication methods activity** report, which breaks down authentication by the method used. Use this report to see how many of your users are set up with MFA or passwordless authentication.

+

+### Microsoft 365 activity logs

+You can view Microsoft 365 activity logs from the [Microsoft 365 admin center](/office365/admin/admin-overview/about-the-admin-center). Microsoft 365 activity and Azure AD activity logs share a significant number of directory resources. Only the Microsoft 365 admin center provides a full view of the Microsoft 365 activity logs.

+You can also access the Microsoft 365 activity logs programmatically by using the [Office 365 Management APIs](/office/office-365-management-api/office-365-management-apis-overview).

+Azure Active Directory (Azure AD) activity logs include audit logs, which is a comprehensive report on every logged event in Azure AD. Changes to applications, groups, users, and licenses are all captured in the Azure AD audit logs.

+Two other activity logs are also available to help monitor the health of your tenant:

+Azure Active Directory (Azure AD) integrates with several third party services to provision users into your tenant. If you need to troubleshoot an issue with a provisioned user, you can use the information captured in the Azure AD provisioning logs to help find a solution.

+Two other activity logs are also available to help monitor the health of your tenant:

+## How do you access the provisioning logs?

+To view the provisioning logs, your tenant must have an Azure AD Premium license associated with it. To upgrade your Azure AD edition, see [Getting started with Azure Active Directory Premium](../fundamentals/active-directory-get-started-premium.md).

+## View the provisioning logs

+To more effectively view the provisioning log, spend a few moments customizing the view for your needs. You can specify what columns to include and filter the data to narrow things down.

+### Customize the layout

+The provisioning log has a default view, but you can customize columns.

+1. Select **Columns** from the menu at the top of the log.

+1. Select the columns you want to view and select the **Save** button at the bottom of the window.

+## Filter the results

+You can search by the name or ID of the object. The ID varies by scenario.

+- If you're provisioning an object *from Azure AD to Salesforce*, the **source ID** is the object ID of the user in Azure AD. The **target ID** is the ID of the user at Salesforce.

+- If you're provisioning *from Workday to Azure AD*, the **source ID** is the Workday worker employee ID. The **target ID** is the ID of the user in Azure AD.

+- Custom time interval (configure a start date and an end date)

+## Analyze the provisioning logs

+When you select an item in the provisioning list view, you get more details about this item, such as the steps taken to provision the user and tips for troubleshooting issues. The details are grouped into four tabs.

+|Conflict,<br>EntryConflict|Correct the conflicting attribute values in either Azure AD or the application. Or, review your matching attribute configuration if the conflicting user account was supposed to be matched and taken over. Review the [documentation](../app-provisioning/customize-application-attributes.md) for more information on configuring matching attributes.|

+|InsufficientRights,<br>MethodNotAllowed,<br>NotPermitted,<br>Unauthorized| Azure AD authenticated with the target application but wasn't authorized to perform the update. Review any instructions that the target application has provided, along with the respective application [tutorial](../saas-apps/tutorial-list.md).|

+|MandatoryFieldsMissing,<br>MissingValues |The user couldn't be created because required values are missing. Correct the missing attribute values in the source record, or review your matching attribute configuration to ensure that the required fields aren't omitted. [Learn more](../app-provisioning/customize-application-attributes.md) about configuring matching attributes.|

+|SystemForCrossDomainIdentity<br>ManagementMultipleEntriesInResponse| A GET request to retrieve a user or group received multiple users or groups in the response. The system expects to receive only one user or group in the response. For example, if you do a [GET Group request](../app-provisioning/use-scim-to-provision-users-and-groups.md#get-group) to retrieve a group, provide a filter to exclude members, and your System for Cross-Domain Identity Management (SCIM) endpoint returns the members, you'll get this error.|

+|SystemForCrossDomainIdentity<br>ManagementServiceIncompatible|The Azure AD provisioning service is unable to parse the response from the third party application. Work with the application developer to ensure that the SCIM server is compatible with the [Azure AD SCIM client](../app-provisioning/use-scim-to-provision-users-and-groups.md#understand-the-azure-ad-scim-implementation).|

+Azure Active Directory provides you with several [reports](overview-reports.md), containing useful information such as security information and event management (SIEM) systems, audit, and business intelligence tools. By using the Microsoft Graph API for Azure AD reports, you can gain programmatic access to the data through a set of REST-based APIs. You can call these APIs from various programming languages and tools.

+This article provides you with an overview of the reporting API, including ways to access it. If you run into issues, see [how to get support for Azure Active Directory](../fundamentals/active-directory-troubleshooting-support-howto.md).

+1. Confirm your roles and licenses

+1. Register an application

+1. Grant permissions

+1. Gather configuration settings

+Microsoft Graph API endpoints:

+- **Audit logs:** `https://graph.microsoft.com/v1.0/auditLogs/directoryAudits`

+- **Sign-in logs:** `https://graph.microsoft.com/v1.0/auditLogs/signIns`

+Programmatic access APIs:

+- **Security detections:** [Identity Protection risk detections API](/graph/api/resources/identityprotection-root)

+- **Tenant provisioning events:** [Provisioning logs API](/graph/api/resources/provisioningobjectsummary)

+Check out the following helpful resources for Microsoft Graph API:

+- [Audit log API reference](/graph/api/resources/directoryaudit)

+- [Sign-in log API reference](/graph/api/resources/signIn)

+- [Get started with Azure Active Directory Identity Protection and Microsoft Graph](../identity-protection/howto-identity-protection-graph-api.md)

+

+You can use the [Microsoft Graph explorer](https://developer.microsoft.com/graph/graph-explorer) to verify your sign-in and audit API data. Sign in to your account using both of the sign-in buttons in the Graph Explorer UI, and set **AuditLog.Read.All** and **Directory.Read.All** permissions for your tenant as shown.

+# Customer intent: As an Azure AD administrator, I want to know the scenarios that are supported by the sign in diagnostics for Azure AD so that I can determine whether the tool can help me with a sign-in issue.

+ - Seamless single sign-on

+description: Conceptual information about Azure AD sign-in logs.

+Reviewing sign-in errors and patterns provides valuable insight into how your users access applications and services. The sign-in logs provided by Azure Active Directory (Azure AD) are a powerful type of [activity log](overview-reports.md) that IT administrators can analyze. This article explains how to access and utilize the sign-in logs.

+Two other activity logs are also available to help monitor the health of your tenant:

+- **[Audit](concept-audit-logs.md)** ΓÇô Information about changes applied to your tenant, such as users and group management or updates applied to your tenantΓÇÖs resources.

+- **[Provisioning](concept-provisioning-logs.md)** ΓÇô Activities performed by a provisioning service, such as the creation of a group in ServiceNow or a user imported from Workday.

+## What can you do with sign-in logs?

+## How do you access the sign-in logs?

+You can always access your own sign-ins history at [https://mysignins.microsoft.com](https://mysignins.microsoft.com).

+To access the sign-ins log for a tenant, you must have one of the following roles:

+- Global Administrator

+- Security Administrator

+- Security Reader

+- Global Reader

+- Reports Reader

+The sign-in activity report is available in [all editions of Azure AD](reference-reports-data-retention.md#how-long-does-azure-ad-store-the-data). If you have an Azure Active Directory P1 or P2 license, you can access the sign-in activity report through the Microsoft Graph API. See [Getting started with Azure Active Directory Premium](../fundamentals/active-directory-get-started-premium.md) to upgrade your Azure Active Directory edition. It will take a couple of days for the data to show up in Graph after you upgrade to a premium license with no data activities before the upgrade.

+**To access the Azure AD sign-ins log:**

+1. Sign in to the [Azure portal](https://portal.azure.com) using the appropriate least privileged role.

+1. Go to **Azure Active Directory** > **Sign-ins log**.

+ 

+You can also access the sign-in logs from the following areas of Azure AD:

+- Users

+- Groups

+- Enterprise applications

+## View the sign-ins log

+To more effectively view the sign-ins log, spend a few moments customizing the view for your needs. You can specify what columns to include and filter the data to narrow things down.

+### Customize the layout

+The sign-ins log has a default view, but you can customize the view using over 30 column options.

+1. Select **Columns** from the menu at the top of the log.

+1. Select the columns you want to view and select the **Save** button at the bottom of the window.

+

+### Filter the results <h3 id="filter-sign-in-activities"></h3>

+Filtering the sign-ins log is a helpful way to quickly find logs that match a specific scenario. For example, you could filter the list to only view sign-ins that occurred in a specific geographic location, from a specific operating system, or from a specific type of credential.

+Some filter options prompt you to select more options. Follow the prompts to make the selection you need for the filter. You can add multiple filters.

+Select the **Add filters** option from the top of the table to get started.

+

+There are several filter options to choose from. Below are some notable options and details.

+- **User:** The *user principal name* (UPN) of the user in question.

+- **Status:** Options are *Success*, *Failure*, and *Interrupted*.

+- **Resource:** The name of the service used for the sign-in.

+- **Conditional access:** The status of the Conditional Access (CA) policy. Options are:

+ - *Not applied:* No policy applied to the user and application during sign-in.

+ - *Success:* One or more CA policies applied to the user and application (but not necessarily the other conditions) during sign-in.

+ - *Failure:* The sign-in satisfied the user and application condition of at least one CA policy and grant controls are either not satisfied or set to block access.

+- **IP addresses:** There is no definitive connection between an IP address and where the computer with that address is physically located. Mobile providers and VPNs issue IP addresses from central pools that are often far from where the client device is actually used. Currently, converting IP address to a physical location is a best effort based on traces, registry data, reverse lookups and other information.

+The following table provides the options and descriptions for the **Client app** filter option.

+|Other clients| |Shows all sign-in attempts from users where the client app isn't included or unknown.|

+## Analyze the sign-in logs

+Now that your sign-in logs table is formatted appropriately, you can more effectively analyze the data. Some common scenarios are described here, but they aren't the only ways to analyze sign-in data. Further analysis and retention of sign-in data can be accomplished by exporting the logs to other tools.

+### Sign-in error codes

+If a sign-in failed, you can get more information about the reason in the **Basic info** section of the related log item. The error code and associated failure reason appear in the details. Because of the complexity of some Azure AD environments, we cannot document every possible error code and resolution. Some errors may require [submitting a support request](../fundamentals/how-to-get-support.md) to resolve the issue.

+

+For a list of error codes related to Azure AD authentication and authorization, see the [Azure AD authentication and authorization error codes](../develop/reference-aadsts-error-codes.md) article. In some cases, the [sign-in error lookup tool](https://login.microsoftonline.com/error) may provide remediation steps. Enter the **Error code** provided in the sign-in log details into the tool and select the **Submit** button.

+

+### Authentication details

+The **Authentication Details** tab in the details of a sign-in log provides the following information for each authentication attempt:

+- A list of authentication policies applied, such as Conditional Access or Security Defaults.

+- A list of session lifetime policies applied, such as Sign-in frequency or Remember MFA.

+- The sequence of authentication methods used to sign-in.

+- If the authentication attempt was successful and the reason why.

+This information allows you to troubleshoot each step in a userΓÇÖs sign-in. Use these details to track:

+- The volume of sign-ins protected by MFA.

+- The reason for the authentication prompt, based on the session lifetime policies.

+- Usage and success rates for each authentication method.

+- Usage of passwordless authentication methods, such as Passwordless Phone Sign-in, FIDO2, and Windows Hello for Business.

+- How frequently authentication requirements are satisfied by token claims, such as when users aren't interactively prompted to enter a password or enter an SMS OTP.

+While viewing the sign-ins log, select a sign-in event, and then select the **Authentication Details** tab.

+

+When analyzing authentication details, take note of the following details:

+- **OATH verification code** is logged as the authentication method for both OATH hardware and software tokens (such as the Microsoft Authenticator app).

+- The **Authentication details** tab can initially show incomplete or inaccurate data until log information is fully aggregated. Known examples include:

+ - A **satisfied by claim in the token** message is incorrectly displayed when sign-in events are initially logged.

+ - The **Primary authentication** row isn't initially logged.

+## Sign-in data used by other services

+Sign-in data is used by several services in Azure to monitor risky sign-ins and provide insight into application usage.

+### Risky sign-in data in Azure AD Identity Protection

+Sign-in log data visualization that relates to risky sign-ins is available in the **Azure AD Identity Protection** overview, which uses the following data:

+- Risky users

+- Risky user sign-ins

+- Risky service principals

+- Risky service principal sign-ins

+ For more information about the Azure AD Identity Protection tools, see the [Azure AD Identity Protection overview](../identity-protection/overview-identity-protection.md).

+

+### Azure AD application and authentication sign-in activity

+To view application-specific sign-in data, go to **Azure AD** and select **Usage & insights** from the Monitoring section. These reports provide a closer look at sign-ins for Azure AD application activity and AD FS application activity. For more information, see [Azure AD Usage & insights](concept-usage-insights-report.md).

+

+Azure AD Usage & insights also provides the **Authentication methods activity** report, which breaks down authentication by the method used. Use this report to see how many of your users are set up with MFA or passwordless authentication.

+

+### Microsoft 365 activity logs

+You can view Microsoft 365 activity logs from the [Microsoft 365 admin center](/office365/admin/admin-overview/about-the-admin-center). Microsoft 365 activity and Azure AD activity logs share a significant number of directory resources. Only the Microsoft 365 admin center provides a full view of the Microsoft 365 activity logs.

+You can access the Microsoft 365 activity logs programmatically by using the [Office 365 Management APIs](/office/office-365-management-api/office-365-management-apis-overview).

+# Usage and insights in Azure Active Directory

+With the Azure Active Directory (Azure AD) **Usage and insights** reports, you can get an application-centric view of your sign-in data. Usage & insights also includes a report on authentication methods activity. You can find answers to the following questions:

+This article provides an overview of three reports that look sign-in data.

+## Access Usage & insights

+Accessing the data from Usage and insights requires:

+* A user in the Global Administrator, Security Administrator, Security Reader, or Report Reader roles.

+To access Usage & insights:

+1. Sign in to the [Azure portal](https://portal.azure.com) using the appropriate least privileged role.

+1. Go to **Azure Active Directory** > **Usage & insights**.

+The **Usage & insights** report is also available from the **Enterprise applications** area of Azure AD. All users can access their own sign-ins at the [My Sign-Ins portal](https://mysignins.microsoft.com/security-info).

+## View the Usage & insights reports

+There are currently three reports available in Azure AD Usage & insights. All three reports use sign-in data to provide helpful information an application usage and authentication methods.

+### Azure AD application activity (preview)

+The **Azure AD application activity (preview)** report shows the list of applications with one or more sign-in attempts. The report allows you to sort by the number of successful sign-ins, failed sign-ins, and the success rate.

+Select the **View sign in activity** link for an application to view more details. The sign-in graph per application counts interactive user sign-ins. The details of any sign-in failures appears below the table.

+

+Select a day in the application usage graph to see a detailed list of the sign-in activities for the application. This detailed list is actually the sign-in log with the filter set to the selected application and date.

+

+### AD FS application activity

+The **AD FS application activity** report in Usage & insights lists all Active Directory Federated Services (AD FS) applications in your organization that have had an active user login to authenticate in the last 30 days. These applications have not been migrated to Azure AD for authentication.

+### Authentication methods activity

+The **Authentication methods activity** in Usage & insights displays visualizations of the different authentication methods used by your organization. The **Registration tab** displays statistics of users registered for each of your available authentication methods. Select the **Usage** tab at the top of the page to see actual usage for each authentication method.

+You can also access several other reports and tools related to authentication.

+Are you planning on running a registration campaign to nudge users to sign up for MFA? Use the **Registration campaign** option from the side menu to set up a registration campaign. For more information, see [Nudge users to set up Microsoft Authenticator](../authentication/how-to-mfa-registration-campaign.md).

+Looking for the details of a user and their authentication methods? Look at the **User registration details** report from the side menu and search for a name or UPN. The default MFA method and other methods registered are displayed. You can also see if the user is capable of registering for one of the authentication methods.

+Looking for the status of an authentication registration or reset event of a user? Look at the **Registration and reset events** report from the side menu and then search for a name or UPN. You'll be able to see the method used to attempt to register or reset an authentication method.

+- [Learn about the sign-ins report](concept-sign-ins.md)

+- [Learn about Azure AD authentication](../authentication/overview-authentication.md)

+Reviewing flagged sign-in events requires permissions to read the Sign-in Report events in the Azure AD portal. For more information, see [who can access it?](concept-sign-ins.md#how-do-you-access-the-sign-in-logs)

+| October | 99.999% | 99.999% |

+* You can connect to and expose applications internally or externally.

+* You can build highly available applications by load balancing your applications.

+* For your more complex applications, you can configure ingress traffic for SSL/TLS termination or routing of multiple components.

+* *Services* logically group pods to allow for direct access on a specific port via an IP address or DNS name.

+* You can distribute traffic using a *load balancer*.

+* More complex routing of application traffic can also be achieved with *Ingress Controllers*.

+* You can *control outbound (egress) traffic* for cluster nodes.

+## Control outbound (egress) traffic

+AKS clusters are deployed on a virtual network and have outbound dependencies on services outside of that virtual network. These outbound dependencies are almost entirely defined with fully qualified domain names (FQDNs). By default, AKS clusters have unrestricted outbound (egress) internet access. This allows the nodes and services you run to access external resources as needed. If desired, you can restrict outbound traffic.

+For more information, see [Control egress traffic for cluster nodes in AKS][limit-egress].

+You don't need to manually configure network security group rules to filter traffic for pods in an AKS cluster. Simply define any required ports and forwarding as part of your Kubernetes Service manifests. Let the Azure platform create or update the appropriate rules.

+[limit-egress]: limit-egress-traffic.md

+- [Validate Azure Active Directory token](#ValidateAAD) - Enforces existence and validity of an Azure Active Directory JWT extracted from either a specified HTTP header, query parameter, or token value.

+- [Validate JWT](#ValidateJWT) - Enforces existence and validity of a JWT extracted from either a specified HTTP header, query parameter, or token value.

+> You can use access restriction policies in different scopes for different purposes. For example, you can secure the whole API with AAD authentication by applying the `validate-azure-ad-token` policy on the API level or you can apply it on the API operation level and use `claims` for more granular control.

+| ignore-error | Boolean. If acquiring the authorization context results in an error (for example, the authorization resource isn't found or is in an error state): <br> - `true`: the context variable is assigned a value of null. <br> - `false`: return `500` | No | false |

+| api | Add one or more of these elements to impose a call rate limit on APIs within the product. Product and API call rate limits are applied independently. API can be referenced either via `name` or `id`. If both attributes are provided, `id` will be used, and `name` will be ignored. | No |

+| operation | Add one or more of these elements to impose a call rate limit on operations within an API. Product, API, and operation call rate limits are applied independently. Operation can be referenced either via `name` or `id`. If both attributes are provided, `id` will be used, and `name` will be ignored. | No |

+| renewal-period | The length in seconds of the sliding window during which the number of allowed requests shouldn't exceed the value specified in `calls`. Maximum allowed value: 300 seconds. | Yes | N/A |

+| renewal-period | The length in seconds of the sliding window during which the number of allowed requests shouldn't exceed the value specified in `calls`. Policy expression is allowed. Maximum allowed value: 300 seconds. | Yes | N/A |

+The `quota-by-key` policy enforces a renewable or lifetime call volume and/or bandwidth quota, on a per key basis. The key can have an arbitrary string value and is typically provided using a policy expression. Optional increment condition can be added to specify which requests should be counted towards the quota. If multiple policies would increment the same key value, it's incremented only once per request. When the quota is exceeded, the caller receives a `403 Forbidden` response status code, and the response includes a `Retry-After` header whose value is the recommended retry interval in seconds.

+## <a name="ValidateAAD"></a> Validate Azure Active Directory token

+The `validate-azure-ad-token` policy enforces the existence and validity of a JSON web token (JWT) that was provided by the Azure Active Directory service. The JWT can be extracted from a specified HTTP header, query parameter, or value provided using a policy expression or context variable.

+### Policy statement

+```xml

+<validate-azure-ad-token

+ tenant-id="tenant ID or URL (for example, "contoso.onmicrosoft.com") of the Azure Active Directory service"

+ header-name="name of HTTP header containing the token (alternatively, use query-parameter-name or token-value attribute to specify token)"

+ query-parameter-name="name of query parameter used to pass the token (alternative, use header-name or token-value attribute to specify token)"

+ token-value="expression returning the token as a string (alternatively, use header-name or query-parameter attribute to specify token)"

+ failed-validation-httpcode="HTTP status code to return on failure"

+ failed-validation-error-message="error message to return on failure"

+ output-token-variable-name="name of a variable to receive a JWT object representing successfully validated token">

+ <client-application-ids>

+ <application-id>Client application ID from Azure Active Directory</application-id>

+ <!-- If there are multiple client application IDs, then add additional application-id elements -->

+ </client-application-ids>

+ <backend-application-ids>

+ <application-id>Backend application ID from Azure Active Directory</application-id>

+ <!-- If there are multiple backend application IDs, then add additional application-id elements -->

+ </backend-application-ids>

+ <audiences>

+ <audience>audience string</audience>

+ <!-- if there are multiple possible audiences, then add additional audience elements -->

+ </audiences>

+ <required-claims>

+ <claim name="name of the claim as it appears in the token" match="all|any" separator="separator character in a multi-valued claim">

+ <value>claim value as it is expected to appear in the token</value>

+ <!-- if there is more than one allowed value, then add additional value elements -->

+ </claim>

+ <!-- if there are multiple possible allowed values, then add additional value elements -->

+ </required-claims>

+</validate-azure-ad-token>

+```

+### Examples

+#### Simple token validation

+The following policy is the minimal form of the `validate-azure-ad-token` policy. It expects the JWT to be provided in the `Authorization` header using the `Bearer` scheme. In this example, the Azure AD tenant ID and client application ID are provided using named values.

+```xml

+<validate-azure-ad-token tenant-id="{{aad-tenant-id}}">

+ <client-application-ids>

+ <application-id>{{aad-client-application-id}}</application-id>

+ </client-application-ids>

+</validate-azure-ad-token>

+```

+#### Validate that audience and claim are correct

+The following policy checks that the audience is the hostname of the API Management instance and that the `ctry` claim is `US`. The hostname is provided using a policy expression, and the Azure AD tenant ID and client application ID are provided using named values. The decoded JWT is provided in the `jwt` variable after validation.

+For more details on optional claims, read [Provide optional claims to your app](/azure/active-directory/develop/active-directory-optional-claims).

+```xml

+<validate-azure-ad-token tenant-id="{{aad-tenant-id}}" output-token-variable-name="jwt">

+ <client-application-ids>

+ <application-id>{{aad-client-application-id}}</application-id>

+ </client-application-ids>

+ <audiences>

+ <audience>@(context.Request.OriginalUrl.Host)</audience>

+ </audiences>

+ <required-claims>

+ <claim name="ctry" match="any">

+ <value>US</value>

+ </claim>

+ </required-claims>

+</validate-azure-ad-token>

+```

+### Elements

+| Element | Description | Required |

+| - | -- | -- |

+| validate-azure-ad-token | Root element. | Yes |

+| audiences | Contains a list of acceptable audience claims that can be present on the token. If multiple audience values are present, then each value is tried until either all are exhausted (in which case validation fails) or until one succeeds. At least one audience must be specified. | No |

+| backend-application-ids | Contains a list of acceptable backend application IDs. This is only required in advanced cases for the configuration of options and can generally be removed. | No |

+| client-application-ids | Contains a list of acceptable client application IDs. If multiple application-id elements are present, then each value is tried until either all are exhausted (in which case validation fails) or until one succeeds. At least one application-id must be specified. | Yes |

+| required-claims | Contains a list of claims expected to be present on the token for it to be considered valid. When the `match` attribute is set to `all`, every claim value in the policy must be present in the token for validation to succeed. When the `match` attribute is set to `any`, at least one claim must be present in the token for validation to succeed. | No |

+### Attributes

+| Name | Description | Required | Default |

+| - | | -- | |

+| failed-validation-error-message | Error message to return in the HTTP response body if the JWT doesn't pass validation. This message must have any special characters properly escaped. | No | Default error message depends on validation issue, for example "JWT not present." |

+| failed-validation-httpcode | HTTP status code to return if the JWT doesn't pass validation. | No | 401 |

+| header-name | The name of the HTTP header holding the token. | One of `header-name`, `query-parameter-name` or `token-value` must be specified. | N/A |

+| match | The `match` attribute on the `claim` element specifies whether every claim value in the policy must be present in the token for validation to succeed. Possible values are:<br /><br /> - `all` - every claim value in the policy must be present in the token for validation to succeed.<br /><br /> - `any` - at least one claim value must be present in the token for validation to succeed. | No | all |

+| output-token-variable-name | String. Name of context variable that will receive token value as an object of type [`Jwt`](api-management-policy-expressions.md) upon successful token validation | No | N/A |

+| query-parameter-name | The name of the query parameter holding the token. | One of `header-name`, `query-parameter-name` or `token-value` must be specified. | N/A |

+| separator | String. Specifies a separator (e.g. ",") to be used for extracting a set of values from a multi-valued claim. | No | N/A |

+| token-value | Expression returning a string containing the token. You must not return `Bearer ` as part of the token value. | One of `header-name`, `query-parameter-name` or `token-value` must be specified. | N/A |

+### Usage

+This policy can be used in the following policy [sections](./api-management-howto-policies.md#sections) and [scopes](./api-management-howto-policies.md#scopes).

+- **Policy sections:** inbound

+- **Policy scopes:** all scopes

+### Limitations

+This policy can only be used with an Azure Active Directory tenant in the public Azure cloud. It doesn't support tenants configured in regional clouds or Azure clouds with restricted access.

+> [!NOTE]

+> Use the [`validate-azure-ad-token`](#ValidateAAD) policy to validate tokens against Azure Active Directory.

+| required-claims | Contains a list of claims expected to be present on the token for it to be considered valid. When the `match` attribute is set to `all`, every claim value in the policy must be present in the token for validation to succeed. When the `match` attribute is set to `any`, at least one claim must be present in the token for validation to succeed. | No |

+| failed-validation-error-message | Error message to return in the HTTP response body if the JWT doesn't pass validation. This message must have any special characters properly escaped. | No | Default error message depends on validation issue, for example "JWT not present." |

+| require-scheme | The name of the token scheme, for example, "Bearer". When this attribute is set, the policy will ensure that specified scheme is present in the Authorization header value. | No | N/A |

+| separator | String. Specifies a separator (for example, ",") to be used for extracting a set of values from a multi-valued claim. | No | N/A |

+| validate-trustΓÇ»| Boolean. Specifies if validation should fail in case the chain can't be successfully built up to a trusted CA. | no | True |

+ > [!NOTE]

+ > When you change the Originating email address, some recipients may not receive the auto-generated emails from API Management or emails may get sent to the Junk/Spam folder. This happens because the email no longer passes SPF Authentication after you change the Originating email address domain. To ensure successful SPF Authentication and delivery of email, create the following TXT record in the DNS database of the domain specified in the email address. For instance, if the email address is `noreply@contoso.com`, you will need to contact the administrator of contoso.com to add the following TXT record: **"v=spf1 include:spf.protection.outlook.com include:_spf-ssg-a.microsoft.com -all"**

+

+ :::image type="content" source="media/api-management-howto-configure-notifications/configure-email-settings.png" alt-text="Screenshot of API Management email settings in the portal":::

+- [Validate Azure Active Directory Token](api-management-access-restriction-policies.md#ValidateAAD) - Enforces existence and validity of an Azure Active Directory JWT extracted from either a specified HTTP Header, query parameter, or token value.

+- [Validate JWT](api-management-access-restriction-policies.md#ValidateJWT) - Enforces existence and validity of a JWT extracted from either a specified HTTP Header, query parameter, or token value.

+ namespace-prefix="namepsace prefix"

+ <json-to-xml apply="always" consider-accept-header="false" parse-date="false" namespace-separator=":" namespace-prefix="xmlns" attribute-block-name="#attrs" />

+|namespace-prefix|The string that identifies property as namespace attribute, usually "xmlns". Properties with names beginning with specified prefix will be added to current element as namespace declarations.|No|N/A|

+>[!IMPORTANT]

+> When using `stv2`, it is required to assign a Network Security Group to your VNet in order for the Azure Load Balancer to work. Learn more in the [Azure Load Balancer documentation](/security/benchmark/azure/baselines/azure-load-balancer-security-baseline#network-security-group-support).

+- Azure Storage is not supported with [Docker Compose Scenarios](configure-custom-container.md?pivots=container-linux#docker-compose-options)

+- volumes ([mapping to Azure Storage is unsupported](configure-connect-to-azure-storage.md?tabs=portal&pivots=container-linux#limitations))

+To review tailored best practice recommendations, check out the Resiliency Score Report. This is available as a downloadable PDF Report. To get it, simply click on the "Get Resilience Score report" button available on the command bar of any of the Troubleshooting categories.

+If you're uploading a certificate chain with root CA and intermediate CA certificates, the certificate chain must be uploaded as a PEM or CER file to the gateway.

+> [!IMPORTANT]

+> Make sure you upload the entire trusted client CA certificate chain to the Application Gateway when using mutual authentication.

+Each SSL profile can support up to five trusted client CA certificate chains.

+Application Gateway supports certificates issued from both public and privately established certificate authorities.

+- CA certificates issued from well-known certificate authorities: Intermediate and root certificates are commonly found in trusted certificate stores and enable trusted connections with little to no additional configuration on the device.

+- CA certificates issued from organization established certificate authorities: These certificates are typically issued privately via your organization and not trusted by other entities. Intermediate and root certificates must be imported in to trusted certificate stores for clients to establish chain trust.

+> [!NOTE]

+> When issuing client certificates from well established certificate authorities, consider working with the certificate authority to see if an intermediate certificate can be issued for your organization to prevent inadvertent cross-organizational client certificate authentication.

+You have the option to verify the client certificate's immediate issuer and only allow the Application Gateway to trust that issuer. This option is off by default but you can enable this through Portal, PowerShell, or Azure CLI.

+When you provision an instance of Azure Metrics Advisor, you can use the APIs and web-based workspace to interact with the service. The web-based workspace can be used as a straightforward way to quickly get started with the service. It also provides a visual way to configure settings, customize your model, and perform root cause analysis.

+To view diagnostic insights, select the red dots on time series visualizations. These red dots represent detected anomalies. A window will appear with a link to the incident analysis page.

+- **x-ms-sevsnpvm-familyId**: Host Compatibility Layer (HCL) family identification string

+This article creates an HTTP triggered function that runs on .NET in-process or isolated worker process with an example of .NET 6. There's also a [Visual Studio Code-based version](create-first-function-vs-code-csharp.md) of this article.

+Verify your prerequisites, which depend on whether you're using Azure CLI or Azure PowerShell for creating Azure resources:

+ `func new` creates an HttpExample.cs code file.

+*HttpExample.cs* contains a `Run` method that receives request data in the `req` variable is an [HttpRequestData](/dotnet/api/microsoft.azure.functions.worker.http.httprequestdata) object that's decorated with the **HttpTriggerAttribute**, which defines the trigger behavior. Because of the isolated worker process model, `HttpRequestData` is a representation of the actual `HttpRequest`, and not the request object itself.

+ This command creates a function app running in your specified language runtime under the [Azure Functions Consumption Plan](consumption-plan.md), which is free for the amount of usage you incur here. The command also creates an associated Azure Application Insights instance in the same resource group, with which you can monitor your function app and view logs. For more information, see [Monitor Azure Functions](functions-monitoring.md). The instance incurs no costs until you activate it.

+This article creates an HTTP triggered function that runs on .NET 6, either in-process or isolated worker process. .NET Functions isolated worker process also lets you run on .NET 7 (in preview). For information about all .NET versions supported by isolated worker process, see [Supported versions](dotnet-isolated-process-guide.md#supported-versions).

+There's also a [CLI-based version](create-first-function-cli-csharp.md) of this article.

+By default, this article shows you how to create C# functions that run on .NET 6 [in the same process as the Functions host](functions-dotnet-class-library.md). These _in-process_ C# functions are only supported on [Long Term Support (LTS)](https://dotnet.microsoft.com/en-us/platform/support/policy/dotnet-core) .NET versions, such as .NET 6. When creating your project, you can choose to instead create a function that runs on .NET 6 in an [isolated worker process](dotnet-isolated-process-guide.md). [Isolated worker process](dotnet-isolated-process-guide.md) supports both LTS and Standard Term Support (STS) versions of .NET. For more information, see [Supported versions](dotnet-isolated-process-guide.md#supported-versions) in the .NET Functions isolated worker process guide.

+ # [In-process](#tab/in-process)

+ # [Isolated process](#tab/isolated-process)

+ > + Make sure you have installed the .NET 6.0 SDK or other available .NET SDK versions, from .NET website [here](https://dotnet.microsoft.com/download).

+# [In-process](#tab/in-process)

+# [Isolated process](#tab/isolated-process)

+ Title: Differences between in-process and isolate worker process .NET Azure Functions

+description: Compares features and functionality differences between running .NET Functions in-process or as an isolated worker process.

+recommendations: false

+#Customer intent: As a developer, I need to understand the differences between running in-process and running in an isolated worker process so that I can choose the best process model for my functions.

+# Differences between in-process and isolate worker process .NET Azure Functions

+Functions supports two process models for .NET class library functions:

+This article describes the current state of the functional and behavioral differences between the two models.

+## Execution mode comparison table

+Use the following table to compare feature and functional differences between the two models:

+| Feature/behavior | In-process³ | Isolated worker process |

+| - | - | - |

+| [Supported .NET versions](./dotnet-isolated-process-guide.md#supported-versions) | Long Term Support (LTS) versions | All supported versions + .NET Framework |

+| Core packages | [Microsoft.NET.Sdk.Functions](https://www.nuget.org/packages/Microsoft.NET.Sdk.Functions/) | [Microsoft.Azure.Functions.Worker](https://www.nuget.org/packages/Microsoft.Azure.Functions.Worker/)<br/>[Microsoft.Azure.Functions.Worker.Sdk](https://www.nuget.org/packages/Microsoft.Azure.Functions.Worker.Sdk) |

+| Binding extension packages | [Microsoft.Azure.WebJobs.Extensions.*](https://www.nuget.org/packages?q=Microsoft.Azure.WebJobs.Extensions) | [Microsoft.Azure.Functions.Worker.Extensions.*](https://www.nuget.org/packages?q=Microsoft.Azure.Functions.Worker.Extensions) |

+| Durable Functions | [Supported](durable/durable-functions-overview.md) | [Supported (public preview)](https://github.com/microsoft/durabletask-dotnet#usage-with-azure-functions) |

+| Model types exposed by bindings | Simple types<br/>JSON serializable types<br/>Arrays/enumerations<br/>Service SDK types such as [BlobClient]<br/>`IAsyncCollector` (for output bindings) | Simple types<br/>JSON serializable types<br/>Arrays/enumerations |

+| HTTP trigger model types| [HttpRequest]/[ObjectResult] | [HttpRequestData]/[HttpResponseData] |

+| Output binding interaction | Return values (single output only)<br/>`out` parameters<br/>`IAsyncCollector` | Return values (expanded model with single or [multiple outputs](dotnet-isolated-process-guide.md#multiple-output-bindings)) |

+| Imperative bindings¹ | [Supported](functions-dotnet-class-library.md#binding-at-runtime) | Not supported |

+| Dependency injection | [Supported](functions-dotnet-dependency-injection.md) | [Supported](dotnet-isolated-process-guide.md#dependency-injection) |

+| Middleware | Not supported | [Supported](dotnet-isolated-process-guide.md#middleware) |

+| Logging | [ILogger] passed to the function<br/>[ILogger&lt;T&gt;] via dependency injection | [ILogger]/[ILogger&lt;T&gt;] obtained from [FunctionContext] or via [dependency injection](dotnet-isolated-process-guide.md#dependency-injection)|

+| Application Insights dependencies | [Supported](functions-monitoring.md#dependencies) | [Supported (public preview)](https://www.nuget.org/packages/Microsoft.Azure.Functions.Worker.ApplicationInsights) |

+| Cancellation tokens | [Supported](functions-dotnet-class-library.md#cancellation-tokens) | [Supported](dotnet-isolated-process-guide.md#cancellation-tokens) |

+| Cold start times² | (Baseline) | Additionally includes process launch |

+| ReadyToRun | [Supported](functions-dotnet-class-library.md#readytorun) | [Supported](dotnet-isolated-process-guide.md#readytorun) |

+¹ When you need to interact with a service using parameters determined at runtime, using the corresponding service SDKs directly is recommended over using imperative bindings. The SDKs are less verbose, cover more scenarios, and have advantages for error handling and debugging purposes. This recommendation applies to both models.

+² Cold start times may be additionally impacted on Windows when using some preview versions of .NET due to just-in-time loading of preview frameworks. This applies to both the in-process and out-of-process models but may be noticeable when comparing across different versions. This delay for preview versions isn't present on Linux plans.

+³ C# Script functions also run in-process and use the same libraries as in-process class library functions. For more information, see the [Azure Functions C# script (.csx) developer reference](functions-reference-csharp.md).

+## Next steps

+To learn more, see:

+ Title: Guide for running C# Azure Functions in an isolated worker process

+description: Learn how to use a .NET isolated worker process to run your C# functions in Azure, which supports non-LTS versions of .NET and .NET Framework apps.

+#Customer intent: As a developer, I need to know how to create functions that run in an isolated worker process so that I can run my function code on current (not LTS) releases of .NET.

+# Guide for running C# Azure Functions in an isolated worker process

+This article is an introduction to working with .NET Functions isolated worker process, which runs your functions in an isolated worker process in Azure. This allows you to run your .NET class library functions on a version of .NET that is different from the version used by the Functions host process. For information about specific .NET versions supported, see [supported version](#supported-versions).

+Use the following links to get started right away building .NET isolated worker process functions.

+If you still need to run your functions in the same process as the host, see [In-process C# class library functions](functions-dotnet-class-library.md).

+For a comprehensive comparison between isolated worker process and in-process .NET Functions, see [Differences between in-process and isolate worker process .NET Azure Functions](dotnet-isolated-in-process-differences.md).

+## Why .NET Functions isolated worker process?

+When it was introduced, Azure Functions only supported a tightly integrated mode for .NET functions. In this _in-process_ mode, your [.NET class library functions](functions-dotnet-class-library.md) run in the same process as the host. This mode provides deep integration between the host process and the functions. For example, when running in the same process .NET class library functions can share binding APIs and types. However, this integration also requires a tight coupling between the host process and the .NET function. For example, .NET functions running in-process are required to run on the same version of .NET as the Functions runtime. This means that your in-process functions can only run on version of .NET with Long Term Support (LTS). To enable you to run on non-LTS version of .NET, you can instead choose to run in an isolated worker process. This process isolation lets you develop functions that use current .NET releases not natively supported by the Functions runtime, including .NET Framework. Both isolated worker process and in-process C# class library functions run on LTS versions. To learn more, see [Supported versions](#supported-versions).

+Because these functions run in a separate process, there are some [feature and functionality differences](./dotnet-isolated-in-process-differences.md) between .NET isolated function apps and .NET class library function apps.

+### Benefits of isolated worker process

+When your .NET functions run in an isolated worker process, you can take advantage of the following benefits:

+## .NET isolated worker process project

+A .NET Functions isolated worker process project uses a unique set of packages, for both core functionality and binding extensions.

+The following packages are required to run your .NET functions in an isolated worker process:

+Because .NET isolated worker process functions use different binding types, they require a unique set of binding extension packages.

+When using .NET isolated functions, you have access to the start-up of your function app, which is usually in Program.cs. You're responsible for creating and starting your own host instance. As such, you also have direct access to the configuration pipeline for your app. With .NET Functions isolated worker process, you can much more easily add configurations, inject dependencies, and run your own middleware.

+> If your project targets .NET Framework 4.8, you also need to add `FunctionsDebugger.Enable();` before creating the HostBuilder. It should be the first line of your `Main()` method. For more information, see [Debugging when targeting .NET Framework](#debugging-when-targeting-net-framework).

+The [ConfigureFunctionsWorkerDefaults] method is used to add the settings required for the function app to run in an isolated worker process, which includes the following functionality:

+ The `UseWhen` extension method can be used to register a middleware that gets executed conditionally. You must pass to this method a predicate that returns a boolean value, and the middleware participates in the invocation processing pipeline when the return value of the predicate is `true`.

+The following is an example of a middleware implementation that reads the `HttpRequestData` instance and updates the `HttpResponseData` instance during function execution. This middleware checks for the presence of a specific request header(x-correlationId), and when present uses the header value to stamp a response header. Otherwise, it generates a new GUID value and uses that for stamping the response header.

+Cancellation tokens are supported in .NET functions when running in an isolated worker process. The following example raises an exception when a cancellation request has been received:

+You can compile your function app as [ReadyToRun binaries](/dotnet/core/deploying/ready-to-run). ReadyToRun is a form of ahead-of-time compilation that can improve startup performance to help reduce the effect of [cold-start](event-driven-scaling.md#cold-start) when running in a [Consumption plan](consumption-plan.md).

+ReadyToRun is available in .NET 3.1, .NET 6 (both in-process and isolated worker process), and .NET 7, and it requires [version 3.0 or later](functions-versions.md) of the Azure Functions runtime.

+For HTTP triggers, you must use [HttpRequestData] and [HttpResponseData] to access the request and response data. This is because you don't have access to the original HTTP request and response objects when using .NET Functions isolated worker process.

+For a complete set of reference samples for using triggers and bindings with isolated worker process functions, see the [binding extensions reference sample](https://github.com/Azure/azure-functions-dotnet-worker/blob/main/samples/Extensions).

+If your isolated project targets .NET Framework 4.8, the current preview scope requires manual steps to enable debugging. These steps aren't required if using another target framework.

+Next, you need to manually attach to the process using a .NET Framework debugger. Visual Studio doesn't do this automatically for isolated worker process .NET Framework apps yet, and the "Start Debugging" operation should be avoided.

+After the debugger is attached, the process execution resumes, and you'll be able to debug.

+Because your isolated worker process app runs outside the Functions runtime, you need to attach the remote debugger to a separate process. To learn more about debugging using Visual Studio, see [Remote Debugging](functions-develop-vs.md?tabs=isolated-process#remote-debugging).

+This setting enables your function app to run in a version 2.x compatible mode on the version 3.x runtime. Use this setting only if encountering issues after upgrading your function app from version 2.x to 3.x of the runtime.

+| `dotnet-isolated` | [C# (isolated worker process)](dotnet-isolated-process-guide.md) |

+By default, the version settings for function apps are specific to each slot. This setting is used when upgrading functions by using [deployment slots](functions-deployment-slots.md). This prevents unanticipated behavior due to changing versions after a swap. Set to `0` in production and in the slot to make sure that all version settings are also swapped. For more information, see [Upgrade using slots](migrate-version-3-version-4.md#upgrade-using-slots).

+Sets the specific version of .NET for C# functions. For more information, see [Upgrade your function app in Azure](migrate-version-3-version-4.md?pivots=programming-language-csharp#upgrade-your-function-app-in-azure).

+Isolated worker process isn't currently supported.

+Isolated worker process isn't currently supported.

+Functions execute in an isolated C# worker process. To learn more, see [Guide for running C# Azure Functions in an isolated worker process](dotnet-isolated-process-guide.md).

+> In the current preview, Azure SQL bindings aren't supported when your function app runs in an isolated worker process.

+Both [in-process](functions-dotnet-class-library.md) and [isolated worker process](dotnet-isolated-process-guide.md) C# libraries use attributes to define the function. C# script instead uses a function.json configuration file.

+Both [in-process](functions-dotnet-class-library.md) and [isolated worker process](dotnet-isolated-process-guide.md) C# libraries use attributes to define the function. C# script instead uses a function.json configuration file.

+An isolated worker process class library compiled C# function runs in a process isolated from the runtime.

+Functions execute in an isolated C# worker process. To learn more, see [Guide for running C# Azure Functions in an isolated worker process](dotnet-isolated-process-guide.md).

+Retry policies aren't yet supported when running in an isolated worker process.

+Retry policies aren't yet supported when running in an isolated worker process.

+* [Isolated worker process class library](dotnet-isolated-process-guide.md): compiled C# function that runs in a worker process isolated from the runtime.

+Both [in-process](functions-dotnet-class-library.md) and [isolated worker process](dotnet-isolated-process-guide.md) C# libraries use attribute to configure the binding. C# script instead uses a function.json configuration file.

+Functions version 1.x doesn't support isolated worker process.

+When running your C# function in an isolated worker process, you need to define a custom type for event properties. The following example defines a `MyEventType` class.

+Both [in-process](functions-dotnet-class-library.md) and [isolated worker process](dotnet-isolated-process-guide.md) C# libraries use the [EventGridTrigger](https://github.com/Azure/azure-functions-eventgrid-extension/blob/master/src/EventGridExtension/TriggerBinding/EventGridTriggerAttribute.cs) attribute. C# script instead uses a function.json configuration file.

+Functions version 1.x doesn't support the isolated worker process.

+Functions execute in an isolated C# worker process. To learn more, see [Guide for running C# Azure Functions in an isolated worker process](dotnet-isolated-process-guide.md).

+Functions version 1.x doesn't support the isolated worker process.

+Both [in-process](functions-dotnet-class-library.md) and [isolated worker process](dotnet-isolated-process-guide.md) C# libraries use attribute to configure the binding. C# script instead uses a function.json configuration file.

+Both [in-process](functions-dotnet-class-library.md) and [isolated worker process](dotnet-isolated-process-guide.md) C# libraries don't require an attribute. C# script uses a function.json configuration file.

+Both [in-process](functions-dotnet-class-library.md) and [isolated worker process](dotnet-isolated-process-guide.md) C# libraries use the `HttpTriggerAttribute` to define the trigger binding. C# script instead uses a function.json configuration file.

+In [isolated worker process](dotnet-isolated-process-guide.md) function apps, the `HttpTriggerAttribute` supports the following parameters:

+Functions execute in an isolated C# worker process. To learn more, see [Guide for running C# Azure Functions in an isolated worker process](dotnet-isolated-process-guide.md).

+Functions 1.x doesn't support running in an isolated worker process.

+An [isolated worker process class library](dotnet-isolated-process-guide.md) compiled C# function runs in a process isolated from the runtime.

+Both [in-process](functions-dotnet-class-library.md) and [isolated worker process](dotnet-isolated-process-guide.md) C# libraries use the `Kafka` attribute to define the function trigger.

+An [isolated worker process class library](dotnet-isolated-process-guide.md) compiled C# function runs in a process isolated from the runtime.

+Both [in-process](functions-dotnet-class-library.md) and [isolated worker process](dotnet-isolated-process-guide.md) C# libraries use the `KafkaTriggerAttribute` to define the function trigger.

+Functions execute in an isolated C# worker process. To learn more, see [Guide for running C# Azure Functions in an isolated worker process](dotnet-isolated-process-guide.md).

+Both [in-process](functions-dotnet-class-library.md) and [isolated worker process](dotnet-isolated-process-guide.md) C# libraries use the <!--attribute API here--> attribute to define the function. C# script instead uses a function.json configuration file.

+Here's a `RabbitMQTrigger` attribute in a method signature for an isolated worker process library:

+The RabbitMQ bindings currently support only string and serializable object types when running in an isolated worker process.

+Both [in-process](functions-dotnet-class-library.md) and [isolated worker process](dotnet-isolated-process-guide.md) C# libraries use the <!--attribute API here--> attribute to define the function. C# script instead uses a function.json configuration file.

+Here's a `RabbitMQTrigger` attribute in a method signature for an isolated worker process library:

+Functions execute in an isolated C# worker process. To learn more, see [Guide for running C# Azure Functions in an isolated worker process](dotnet-isolated-process-guide.md).

+For compiled C# class library projects ([in-process](functions-dotnet-class-library.md) and [isolated worker process](dotnet-isolated-process-guide.md)), you install the NuGet packages for the extensions that you need as you normally would. For examples see either the [Visual Studio Code developer guide](functions-develop-vs-code.md?tabs=csharp#install-binding-extensions) or the [Visual Studio developer guide](functions-develop-vs.md#add-bindings).

+Functions execute in an isolated C# worker process. To learn more, see [Guide for running C# Azure Functions in an isolated worker process](dotnet-isolated-process-guide.md).

+Functions 1.x doesn't support running in an isolated worker process.

+We don't currently have an example for using the SendGrid binding in a function app running in an isolated worker process.

+Both [in-process](functions-dotnet-class-library.md) and [isolated worker process](dotnet-isolated-process-guide.md) C# libraries use attributes to define the output binding. C# script instead uses a function.json configuration file.

+In [isolated worker process](dotnet-isolated-process-guide.md) function apps, the `SendGridOutputAttribute` supports the following parameters:

+Both [in-process](functions-dotnet-class-library.md) and [isolated worker process](dotnet-isolated-process-guide.md) C# libraries use attributes to define the output binding. C# script instead uses a function.json configuration file.

+Both [in-process](functions-dotnet-class-library.md) and [isolated worker process](dotnet-isolated-process-guide.md) C# libraries use the [ServiceBusTriggerAttribute](https://github.com/Azure/azure-functions-servicebus-extension/blob/master/src/Microsoft.Azure.WebJobs.Extensions.ServiceBus/ServiceBusTriggerAttribute.cs) attribute to define the function trigger. C# script instead uses a function.json configuration file.

+Functions execute in an isolated C# worker process. To learn more, see [Guide for running C# Azure Functions in an isolated worker process](dotnet-isolated-process-guide.md).

+Functions version 1.x doesn't support the isolated worker process.

+Sample code not available for the isolated worker process.

+Both [in-process](functions-dotnet-class-library.md) and [isolated worker process](dotnet-isolated-process-guide.md) C# libraries use attribute to define the function. C# script instead uses a function.json configuration file.

+Both [in-process](functions-dotnet-class-library.md) and [isolated worker process](dotnet-isolated-process-guide.md) C# libraries use attribute to define the function. C# script instead uses a function.json configuration file.

+Both [in-process](functions-dotnet-class-library.md) and [isolated worker process](dotnet-isolated-process-guide.md) C# libraries use the `SignalRTrigger` attribute to define the function. C# script instead uses a function.json configuration file.

+* [SignalR Service Trigger binding sample in isolated worker process](https://github.com/aspnet/AzureSignalR-samples/tree/master/samples/DotnetIsolated-BidirectionChat)

+Functions execute in an isolated C# worker process. To learn more, see [Guide for running C# Azure Functions in an isolated worker process](dotnet-isolated-process-guide.md).

+The following example is a [C# function](dotnet-isolated-process-guide.md) that runs in an isolated worker process and uses a blob trigger with both blob input and blob output blob bindings. The function is triggered by the creation of a blob in the *test-samples-trigger* container. It reads a text file from the *test-samples-input* container and creates a new text file in an output container based on the name of the triggered file.

+Both [in-process](functions-dotnet-class-library.md) and [isolated worker process](dotnet-isolated-process-guide.md) C# libraries use attributes to define the function. C# script instead uses a function.json configuration file.

+isolated worker process defines an input binding by using a `BlobInputAttribute` attribute, which takes the following parameters:

+The following example is a [C# function](dotnet-isolated-process-guide.md) that runs in an isolated worker process and uses a blob trigger with both blob input and blob output blob bindings. The function is triggered by the creation of a blob in the *test-samples-trigger* container. It reads a text file from the *test-samples-input* container and creates a new text file in an output container based on the name of the triggered file.

+Both [in-process](functions-dotnet-class-library.md) and [isolated worker process](dotnet-isolated-process-guide.md) C# libraries use attribute to define the function. C# script instead uses a function.json configuration file.

+The following example is a [C# function](dotnet-isolated-process-guide.md) that runs in an isolated worker process and uses a blob trigger with both blob input and blob output blob bindings. The function is triggered by the creation of a blob in the *test-samples-trigger* container. It reads a text file from the *test-samples-input* container and creates a new text file in an output container based on the name of the triggered file.

+Both [in-process](functions-dotnet-class-library.md) and [isolated worker process](dotnet-isolated-process-guide.md) C# libraries use the [BlobAttribute](/dotnet/api/microsoft.azure.webjobs.blobattribute) attribute to define the function. C# script instead uses a function.json configuration file.

+Functions execute in an isolated C# worker process. To learn more, see [Guide for running C# Azure Functions in an isolated worker process](dotnet-isolated-process-guide.md).

+Functions version 1.x doesn't support isolated worker process.

+When running in an isolated worker process, you use the [QueueOutputAttribute](https://github.com/Azure/azure-functions-dotnet-worker/blob/main/extensions/Worker.Extensions.Storage.Queues/src/QueueOutputAttribute.cs), which takes the name of the queue, as shown in the following example:

+Only returned variables are supported when running in an isolated worker process. Output parameters can't be used.

+An isolated worker process class library compiled C# function runs in a process isolated from the runtime.

+Isolated worker process currently only supports binding to string parameters.

+Isolated worker process currently only supports binding to string parameters.

+Both [in-process](functions-dotnet-class-library.md) and [isolated worker process](dotnet-isolated-process-guide.md) C# libraries use the [QueueTriggerAttribute](https://github.com/Azure/azure-webjobs-sdk/blob/master/src/Microsoft.Azure.WebJobs.Extensions.Storage/Queues/QueueTriggerAttribute.cs) to define the function. C# script instead uses a function.json configuration file.

+An isolated worker process class library compiled C# function runs in a process isolated from the runtime.

+Isolated worker process currently only supports binding to string parameters.

+Isolated worker process currently only supports binding to string parameters.

+Functions execute in an isolated C# worker process. To learn more, see [Guide for running C# Azure Functions in an isolated worker process](dotnet-isolated-process-guide.md).

+Functions version 1.x doesn't support the isolated worker process.

+An [isolated worker process class library](dotnet-isolated-process-guide.md) compiled C# function runs in a process isolated from the runtime.

+The Azure Cosmos DB for Table extension does not currently support isolated worker process. You will instead need to use the combined Azure Storage extension.

+Functions version 1.x doesn't support isolated worker process.

+Both [in-process](functions-dotnet-class-library.md) and [isolated worker process](dotnet-isolated-process-guide.md) C# libraries use attributes to define the function. C# script instead uses a function.json configuration file.

+An isolated worker process class library compiled C# function runs in a process isolated from the runtime.

+The Azure Cosmos DB for Table extension does not currently support isolated worker process. You will instead need to use the combined Azure Storage extension.

+Functions version 1.x doesn't support isolated worker process.

+Both [in-process](functions-dotnet-class-library.md) and [isolated worker process](dotnet-isolated-process-guide.md) C# libraries use attributes to define the function. C# script instead uses a function.json configuration file.

+An isolated worker process class library compiled C# function runs in a process isolated from the runtime.

+The Azure Cosmos DB for Table extension does not currently support isolated worker process. You will instead need to use the combined Azure Storage extension.

+Functions version 1.x doesn't support isolated worker process.

+Functions execute in an isolated C# worker process. To learn more, see [Guide for running C# Azure Functions in an isolated worker process](dotnet-isolated-process-guide.md).

+The Azure Cosmos DB for Table extension does not currently support isolated worker process. You will instead need to use the [Storage extension](#storage-extension).

+Functions version 1.x doesn't support isolated worker process.

+[In-process](functions-dotnet-class-library.md) C# library uses [TimerTriggerAttribute](https://github.com/Azure/azure-webjobs-sdk-extensions/blob/master/src/WebJobs.Extensions/Extensions/Timers/TimerTriggerAttribute.cs) from [Microsoft.Azure.WebJobs.Extensions](https://www.nuget.org/packages/Microsoft.Azure.WebJobs.Extensions) whereas [isolated worker process](dotnet-isolated-process-guide.md) C# library uses [TimerTriggerAttribute](https://github.com/Azure/azure-functions-dotnet-worker/blob/main/extensions/Worker.Extensions.Timer/src/TimerTriggerAttribute.cs) from [Microsoft.Azure.Functions.Worker.Extensions.Timer](https://www.nuget.org/packages/Microsoft.Azure.Functions.Worker.Extensions.Timer) to define the function.

+Functions execute in an isolated C# worker process. To learn more, see [Guide for running C# Azure Functions in an isolated worker process](dotnet-isolated-process-guide.md).

+There is currently no support for Twilio for an isolated worker process app.

+Functions 1.x doesn't support running in an isolated worker process.

+The Twilio binding isn't currently supported for a function app running in an isolated worker process.

+Both [in-process](functions-dotnet-class-library.md) and [isolated worker process](dotnet-isolated-process-guide.md) C# libraries use attributes to define the output binding. C# script instead uses a function.json configuration file.

+The Twilio binding isn't currently supported for a function app running in an isolated worker process.

+Both [in-process](functions-dotnet-class-library.md) and [isolated worker process](dotnet-isolated-process-guide.md) C# libraries use the `WarmupTrigger` attribute to define the function. C# script instead uses a *function.json* configuration file.

+ + **Select** a <abbr title="A geographical reference to a specific Azure datacenter in which resources are allocated.See [regions](https://azure.microsoft.com/regions/) for a list of available regions.">location</abbr> from the drop-down.

+By default, this article shows you how to create C# functions that run on .NET 6 [in the same process as the Functions host](functions-dotnet-class-library.md). These _in-process_ C# functions are only supported on [Long Term Support (LTS)](https://dotnet.microsoft.com/en-us/platform/support/policy/dotnet-core) .NET versions, such as .NET 6. When creating your project, you can choose to instead create a function that runs on .NET 6 in an [isolated worker process](dotnet-isolated-process-guide.md). [Isolated worker process](dotnet-isolated-process-guide.md) supports both LTS and Standard Term Support (STS) versions of .NET. For more information, see [Supported versions](dotnet-isolated-process-guide.md#supported-versions) in the .NET Functions isolated worker process guide.

+ # [In-process](#tab/in-process)

+ # [Isolated process](#tab/isolated-process)

+ | **Functions worker** | **.NET 6 Isolated** | When you choose **.NET 6 Isolated**, you create a project that runs in a separate worker process. Choose isolated worker process when you need to run your function app on .NET 7.0 or on .NET Framework 4.8 (preview). To learn more, see [Supported versions](dotnet-isolated-process-guide.md#supported-versions). |

+# [In-process](#tab/in-process)

+# [Isolated process](#tab/isolated-process)

+Visual Studio can publish your local project to Azure. Before you can publish your project, you must have a function app in your Azure subscription. If you don't already have a function app in Azure, Visual Studio publishing creates one for you the first time you publish your project. In this article, you create a function app and related Azure resources.

+You created Azure resources to complete this quickstart. You may be billed for these resources, depending on your [account status](https://azure.microsoft.com/account/) and [service pricing](https://azure.microsoft.com/pricing/). Other quickstarts in this collection build upon this quickstart. If you plan to work with subsequent quickstarts, tutorials, or with any of the services you've created in this quickstart, don't clean up the resources.

+# [In-process](#tab/in-process)

+# [Isolated process](#tab/isolated-process)

+To learn more about working with C# functions that run in an isolated worker process, see the [Guide for running C# Azure Functions in an isolated worker process](dotnet-isolated-process-guide.md). Check out [.NET supported versions](functions-dotnet-class-library.md#supported-versions) to see other versions of supported .NET versions in an isolated worker process.

+- **Minimize restarts**: Changing app settings in a production slot requires a restart of the running app. You can instead change settings in a staging slot and swap the settings change into production with a prewarmed instance. This is the recommended way to upgrade between Functions runtime versions while maintaining the highest availability. To learn more, see [Minimum downtime upgrade](migrate-version-3-version-4.md#minimum-downtime-upgrade).

+|[Visual Studio Code](functions-develop-vs-code.md)| [C# (in-process)](functions-dotnet-class-library.md)<br/>[C# (isolated worker process)](dotnet-isolated-process-guide.md)<br/>[JavaScript](functions-reference-node.md)<br/>[PowerShell](./create-first-function-vs-code-powershell.md)<br/>[Python](functions-reference-python.md) | The [Azure Functions extension for VS Code](https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-azurefunctions) adds Functions support to VS Code. Requires the Core Tools. Supports development on Linux, macOS, and Windows, when using version 2.x of the Core Tools. To learn more, see [Create your first function using Visual Studio Code](./create-first-function-vs-code-csharp.md). |

+| [Command prompt or terminal](functions-run-local.md) | [C# (in-process)](functions-dotnet-class-library.md)<br/>[C# (isolated worker process)](dotnet-isolated-process-guide.md)<br/>[JavaScript](functions-reference-node.md)<br/>[PowerShell](functions-reference-powershell.md)<br/>[Python](functions-reference-python.md) | [Azure Functions Core Tools] provides the core runtime and templates for creating functions, which enable local development. Version 2.x supports development on Linux, macOS, and Windows. All environments rely on Core Tools for the local Functions runtime. |

+| [Visual Studio](functions-develop-vs.md) | [C# (in-process)](functions-dotnet-class-library.md)<br/>[C# (isolated worker process)](dotnet-isolated-process-guide.md) | The Azure Functions tools are included in the **Azure development** workload of [Visual Studio](https://www.visualstudio.com/vs/), starting with Visual Studio 2019. Lets you compile functions in a class library and publish the .dll to Azure. Includes the Core Tools for local testing. To learn more, see [Develop Azure Functions using Visual Studio](functions-develop-vs.md). |

+During local development, you can use the local [Azurite emulator](../storage/common/storage-use-azurite.md) when testing functions with Azure Storage bindings (Queue Storage, Blob Storage, and Table Storage), without having to connect to remote storage services. Azurite integrates with Visual Studio Code and Visual Studio, and you can also run it from the command prompt using npm. For more information, see [Use the Azurite emulator for local Azure Storage development](../storage/common/storage-use-azurite.md).

+ + [C# (isolated worker process)](create-first-function-vs-code-csharp.md?tabs=isolated-process)

+The way you attach the debugger depends on your execution mode. When debugging an isolated worker process app, you currently need to attach the remote debugger to a separate .NET process, and several other configuration steps are required.

+1. From the **Publish** tab, select the ellipses (**...**) in the **Hosting** section, and then choose **Download publish profile**. This action downloads a copy of the publish profile and opens the download location. You need this file, which contains the credentials used to attach to your isolated worker process running in Azure.

+1. Check **Show process from all users** and then choose **dotnet.exe** and select **Attach**. When the operation completes, you're attached to your C# class library code running in an isolated worker process. At this point, you can debug your function app as normal.

+>This article supports .NET class library functions that run in-process with the runtime. Your C# functions can also run out-of-process and isolated from the Functions runtime. The isolated worker process model is the only way to run non-LTS versions of .NET and .NET Framework apps in current versions of the Functions runtime. To learn more, see [.NET isolated worker process functions](dotnet-isolated-process-guide.md).

+>For a comprehensive comparison between isolated worker process and in-process .NET Functions, see [Differences between in-process and isolate worker process .NET Azure Functions](dotnet-isolated-in-process-differences.md).

+> The guidance in this article applies only to [C# class library functions](functions-dotnet-class-library.md), which run in-process with the runtime. This custom dependency injection model doesn't apply to [.NET isolated functions](dotnet-isolated-process-guide.md), which lets you run .NET functions out-of-process. The .NET isolated worker process model relies on regular ASP.NET Core dependency injection patterns. To learn more, see [Dependency injection](dotnet-isolated-process-guide.md#dependency-injection) in the .NET isolated worker process guide.

+ |**Select a .NET runtime**| Choose `.NET 6.0 LTS`. Event-driven blob triggers aren't yet supported when running in an isolated worker process. |

+Starting with version 2.x of Functions, Application Insights automatically collects data on dependencies for bindings that use certain client SDKs. Application Insights distributed tracing and dependency tracking aren't currently supported for C# apps running in an [isolated worker process](dotnet-isolated-process-guide.md). Application Insights collects data on the following dependencies:

+| C# class library (isolated worker process)| in an isolated worker process | .cs | [Visual Studio](functions-develop-vs.md)<br/>[Visual Studio Code](functions-develop-vs-code.md)<br />[Core Tools](functions-run-local.md) | [.NET isolated worker process functions](dotnet-isolated-process-guide.md) |

+> Beginning on December 3, 2022, function apps running on versions 2.x and 3.x of the Azure Functions runtime can no longer be supported. Before that time, please test, verify, and migrate your function apps to version 4.x of the Functions runtime. For more information, see [Migrate apps from Azure Functions version 3.x to version 4.x](migrate-version-3-version-4.md). After the deadline, function apps can be created and deployed, and existing apps continue to run. However, your apps won't be eligible for new features, security patches, performance optimizations, and support until you upgrade them to version 4.x.

+The version of the Functions runtime used by published apps in Azure is dictated by the [`FUNCTIONS_EXTENSION_VERSION`](functions-app-settings.md#functions_extension_version) application setting. In some cases and for certain languages, other settings may apply.

+By default, function apps created in the Azure portal, by the Azure CLI, or from Visual Studio tools are set to version 4.x. You can modify this version if needed. You can only downgrade the runtime version to 1.x after you create your function app but before you add any functions. Moving to a later version is allowed even with apps that have existing functions.

+### Migrating existing function apps

+When your app has existing functions, you must take precautions before moving to a later runtime version. The following articles detail breaking changes between versions, including language-specific breaking changes. They also provide you with step-by-step instructions for a successful migration of you existing function app.

+The following major runtime version values are supported:

+> Don't arbitrarily change this app setting, because other app setting changes and changes to your function code may be required. You should instead change this setting in the **Function runtime settings** tab of the function app **Configuration** in the Azure portal when you are ready to make a major version upgrade. For existing function apps, [follow the migration instructions](#migrating-existing-function-apps).

+## Locally developed application versions

+### Visual Studio runtime versions

+You can also choose `net6.0`, `net7.0`, or `net48` as the target framework if you are using [.NET isolated worker process functions](dotnet-isolated-process-guide.md). Support for `net7.0` and `net48` is currently in preview.

+You can also choose `net5.0` as the target framework if you're using [.NET isolated worker process functions](dotnet-isolated-process-guide.md).

+### VS Code and Azure Functions Core Tools

+[Azure Functions Core Tools](functions-run-local.md) is used for command-line development and also by the [Azure Functions extension](https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-azurefunctions) for Visual Studio Code. To develop against version 4.x, install version 4.x of the Core Tools. Version 3.x development requires version 3.x of the Core Tools, and so on. For more information, see [Install the Azure Functions Core Tools](functions-run-local.md#install-the-azure-functions-core-tools).

+ Title: Migrate apps from Azure Functions version 1.x to 4.x

+description: This article shows you how to upgrade your existing function apps running on version 1.x of the Azure Functions runtime to be able to run on version 4.x of the runtime.

+zone_pivot_groups: programming-languages-set-functions

+# Migrate apps from Azure Functions version 1.x to version 4.x

+> [!IMPORTANT]

+> Java isn't supported by version 1.x of the Azure Functions runtime. Perhaps you're instead looking to [migrate your Java app from version 3.x to version 4.x](./migrate-version-3-version-4.md). If you're migrating a version 1.x function app, select either C# or JavaScript above.

+> [!IMPORTANT]

+> TypeScript isn't supported by version 1.x of the Azure Functions runtime. Perhaps you're instead looking to [migrate your TypeScript app from version 3.x to version 4.x](./migrate-version-3-version-4.md). If you're migrating a version 1.x function app, select either C# or JavaScript above.

+> [!IMPORTANT]

+> PowerShell isn't supported by version 1.x of the Azure Functions runtime. Perhaps you're instead looking to [migrate your PowerShell app from version 3.x to version 4.x](./migrate-version-3-version-4.md). If you're migrating a version 1.x function app, select either C# or JavaScript above.

+> [!IMPORTANT]

+> Python isn't supported by version 1.x of the Azure Functions runtime. Perhaps you're instead looking to [migrate your Python app from version 3.x to version 4.x](./migrate-version-3-version-4.md). If you're migrating a version 1.x function app, select either C# or JavaScript above.

+If you're running on version 1.x of the Azure Functions runtime, it's likely because your C# app requires .NET Framework 2.1. Version 4.x of the runtime now lets you run .NET Framework 4.8 apps. At this point, you should consider migrating your version 1.x function apps to run on version 4.x. For more information about Functions runtime versions, see [Azure Functions runtime versions overview](./functions-versions.md).

+Migrating a C# function app from version 1.x to version 4.x of the Functions runtime requires you to make changes to your project code. Many of these changes are a result of changes in the C# language and .NET APIs. JavaScript apps generally don't require code changes to migrate.

+You can upgrade your C# project to one of the following versions of .NET, all of which can run on Functions version 4.x:

+| .NET version | Process model^* |

+| | | |

+| .NET 7 | [Isolated worker process](./dotnet-isolated-process-guide.md) |

+| .NET 6 | [Isolated worker process](./dotnet-isolated-process-guide.md) |

+| .NET 6 | [In-process](./functions-dotnet-class-library.md) |

+| .NET&nbsp;Framework&nbsp;4.8 | [Isolated worker process](./dotnet-isolated-process-guide.md) |

+^* [In-process execution](./functions-dotnet-class-library.md) is only supported for Long Term Support (LTS) releases of .NET. Non-LTS releases and .NET Framework require you to run in an [isolated worker process](./dotnet-isolated-process-guide.md). For a feature and functionality comparison between the two process models, see [Differences between in-process and isolate worker process .NET Azure Functions](./dotnet-isolated-in-process-differences.md).

+This article walks you through the process of safely migrating your function app to run on version 4.x of the Functions runtime.

+## Prepare for migration

+Before you upgrade your app to version 4.x of the Functions runtime, you should do the following tasks:

+* Review the list of [behavior changes after version 1.x](#behavior-changes-after-version-1x). Migrating from version 1.x to version 4.x also can affect bindings.

+* Review [Update your project files](#update-your-project-files) and decide which version of .NET you want to migrate to. Complete the steps to migrate your local project to your chosen version of .NET.

+* Complete the steps in [update your project files](#update-your-project-files) to migrate your local project to run locally on a version 4.x and a supported version of Node.js.

+* After migrating your local project, fully test the app locally using version 4.x of the [Azure Functions Core Tools](functions-run-local.md).

+* Upgrade your function app in Azure to the new version. If you need to minimize downtime, consider using a [staging slot](functions-deployment-slots.md) to test and verify your migrated app in Azure on the new runtime version. You can then deploy your app with the updated version settings to the production slot. For more information, see [Migrate using slots](#upgrade-using-slots).

+* Republished your migrated project to the upgraded function app. When you use Visual Studio to publish a version 4.x project to an existing function app at a lower version, you're prompted to let Visual Studio upgrade the function app to version 4.x during deployment. This upgrade uses the same process defined in [Migrate without slots](#upgrade-without-slots).

+* Republished your migrated project to the upgraded function app.

+* Consider using a [staging slot](functions-deployment-slots.md) to test and verify your app in Azure on the new runtime version. You can then deploy your app with the updated version settings to the production slot. For more information, see [Migrate using slots](#upgrade-using-slots).

+## Update your project files

+The following sections describes the updates you must make to your C# project files to be able to run on one of the supported versions of .NET in Functions version 4.x. The updates shown are ones common to most projects. Your project code may require updates not mentioned in this article, especially when using custom NuGet packages.

+Choose the tab that matches your target version of .NET and the desired process model (in-process or isolated worker process).

+### .csproj file

+The following example is a .csproj project file that runs on version 1.x:

+```xml

+<Project Sdk="Microsoft.NET.Sdk">

+ <PropertyGroup>

+ <TargetFramework>net48</TargetFramework>

+ <AzureFunctionsVersion>v1</AzureFunctionsVersion>

+ </PropertyGroup>

+ <ItemGroup>

+ <PackageReference Include="Microsoft.NET.Sdk.Functions" Version="1.0.24" />

+ </ItemGroup>

+ <ItemGroup>

+ <Reference Include="Microsoft.CSharp" />

+ </ItemGroup>

+ <ItemGroup>

+ <None Update="host.json">

+ <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>

+ </None>

+ <None Update="local.settings.json">

+ <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>

+ <CopyToPublishDirectory>Never</CopyToPublishDirectory>

+ </None>

+ </ItemGroup>

+</Project>

+```

+Use one of the following procedures to update this XML file to run in Functions version 4.x:

+# [.NET Framework 4.8](#tab/v4)

+The following changes are required in the .csproj XML project file:

+1. Change the value of `PropertyGroup`.`AzureFunctionsVersion` to `v4`.

+1. Add the following `OutputType` element to the `PropertyGroup`:

+ :::code language="xml" source="~/functions-quickstart-templates/Functions.Templates/ProjectTemplate_v4.x/CSharp-Isolated/Company.FunctionApp.csproj" range="5-5":::

+1. Replace the existing `ItemGroup`.`PackageReference` with the following `ItemGroup`:

+ :::code language="xml" source="~/functions-quickstart-templates/Functions.Templates/ProjectTemplate_v4.x/CSharp-Isolated/Company.FunctionApp.csproj" range="12-15":::

+1. Add the following new `ItemGroup`:

+ :::code language="xml" source="~/functions-quickstart-templates/Functions.Templates/ProjectTemplate_v4.x/CSharp-Isolated/Company.FunctionApp.csproj" range="31-33":::

+After you make these changes, your updated project should look like the following example:

+```xml

+<Project Sdk="Microsoft.NET.Sdk">

+ <PropertyGroup>

+ <TargetFramework>net48</TargetFramework>

+ <AzureFunctionsVersion>v4</AzureFunctionsVersion>

+ <RootNamespace>My.Namespace</RootNamespace>

+ <OutputType>Exe</OutputType>

+ </PropertyGroup>

+ <ItemGroup>

+ <PackageReference Include="Microsoft.Azure.Functions.Worker" Version="1.8.0" />

+ <PackageReference Include="Microsoft.Azure.Functions.Worker.Sdk" Version="1.7.0" />

+ </ItemGroup>

+ <ItemGroup>

+ <None Update="host.json">

+ <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>

+ </None>

+ <None Update="local.settings.json">

+ <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>

+ <CopyToPublishDirectory>Never</CopyToPublishDirectory>

+ </None>

+ </ItemGroup>

+ <ItemGroup>

+ <Folder Include="Properties\" />

+ </ItemGroup>

+</Project>

+```

+# [.NET 6 (isolated)](#tab/net6-isolated)

+# [.NET 6 (in-process)](#tab/net6-in-proc)

+# [.NET 7](#tab/net7)

+### program.cs file

+In most cases, migrating requires you to add the following program.cs file to your project:

+# [.NET Framework 4.8](#tab/v4)

+# [.NET 6 (isolated)](#tab/net6-isolated)

+# [.NET 6 (in-process)](#tab/net6-in-proc)

+A program.cs file isn't required when running in-process.

+# [.NET 7](#tab/net7)

+### host.json file

+Settings in the host.json file apply at the function app level, both locally and in Azure. In version 1.x, your host.json file is either empty or it contains some settings that apply to all functions in the function app. For more information, see [Host.json v1](./functions-host-json-v1.md). If your host.json file has setting values, review the [host.json v2 format](./functions-host-json.md) for any changes.

+To run on version 4.x, you must add `"version": "2.0"` to the host.json file. You should also consider adding `logging` to your configuration, as in the following examples:

+# [.NET Framework 4.8](#tab/v4)

+# [.NET 6 (isolated)](#tab/net6-isolated)

+# [.NET 6 (in-process)](#tab/net6-in-proc)

+# [.NET 7](#tab/net7)

+### local.settings.json file

+The local.settings.json file is only used when running locally. For information, see [Local settings file](functions-develop-local.md#local-settings-file). In version 1.x, the local.settings.json file has only two required values:

+When you upgrade to version 4.x, make sure that your local.settings.json file has at least the following elements:

+# [.NET Framework 4.8](#tab/v4)

+# [.NET 6 (isolated)](#tab/net6-isolated)

+# [.NET 6 (in-process)](#tab/net6-in-proc)

+# [.NET 7](#tab/net7)

+### Namespace changes

+C# functions that run in an isolated worker process uses libraries in a different namespace than those libraries used in version 1.x. In-process functions use libraries in the same namespace.

+Version 1.x and in-process libraries are generally in the namespace `Microsoft.Azure.WebJobs.*`. Isolated worker process function apps use libraries in the namespace `Microsoft.Azure.Functions.Worker.*`. You can see the effect of these namespace changes on `using` statements in the [HTTP trigger template examples](#http-trigger-template) that follow.

+### Class name changes

+Some key classes changed names between version 1.x and version 4.x. These changes are a result either of changes in .NET APIs or in differences between in-process and isolated worker process. The following table indicates these key .NET classes used by Azure Functions that changed after version 1.x:

+# [.NET Framework 4.8](#tab/v4)

+| Version 1.x | .NET Framework 4.8 |

+| | |

+| `FunctionName` (attribute) | `Function` (attribute) |

+| `TraceWriter` | `ILogger` |

+| `HttpRequestMessage` | `HttpRequestData` |

+| `HttpResonseMessage` | `HttpResonseData` |

+# [.NET 6 (isolated)](#tab/net6-isolated)

+| Version 1.x | .NET 6 (isolated) |

+| | |

+| `FunctionName` (attribute) | `Function` (attribute) |

+| `TraceWriter` | `ILogger` |

+| `HttpRequestMessage` | `HttpRequestData` |

+| `HttpResonseMessage` | `HttpResonseData` |

+# [.NET 6 (in-process)](#tab/net6-in-proc)

+| Version 1.x | .NET 6 (in-process) |

+| | |

+| `FunctionName` (attribute) | `FunctionName` (attribute) |

+| `TraceWriter` | `ILogger` |

+| `HttpRequestMessage` | `HttpRequest` |

+| `HttpResonseMessage` | `OkObjectResult` |

+# [.NET 7](#tab/net7)

+| Version 1.x | .NET 7 |

+| | |

+| `FunctionName` (attribute) | `Function` (attribute) |

+| `TraceWriter` | `ILogger` |

+| `HttpRequestMessage` | `HttpRequestData` |

+| `HttpResonseMessage` | `HttpResonseData` |

+There might also be class name differences in bindings. For more information, see the reference articles for the specific bindings.

+### HTTP trigger template

+Most of the code changes between version 1.x and version 4.x can be seen in HTTP triggered functions. The HTTP trigger template for version 1.x looks like the following example:

+```csharp

+using System.Linq;

+using System.Net;

+using System.Net.Http;

+using System.Threading.Tasks;

+using Microsoft.Azure.WebJobs;

+using Microsoft.Azure.WebJobs.Extensions.Http;

+using Microsoft.Azure.WebJobs.Host;

+namespace Company.Function

+{

+ public static class HttpTriggerCSharp

+ {

+ [FunctionName("HttpTriggerCSharp")]

+ public static async Task<HttpResponseMessage>

+ Run([HttpTrigger(AuthorizationLevel.AuthLevelValue, "get", "post",

+ Route = null)]HttpRequestMessage req, TraceWriter log)

+ {

+ log.Info("C# HTTP trigger function processed a request.");

+ // parse query parameter

+ string name = req.GetQueryNameValuePairs()

+ .FirstOrDefault(q => string.Compare(q.Key, "name", true) == 0)

+ .Value;

+

+ if (name == null)

+ {

+ // Get request body

+ dynamic data = await req.Content.ReadAsAsync<object>();

+ name = data?.name;

+ }

+

+ return name == null

+ ? req.CreateResponse(HttpStatusCode.BadRequest,

+ "Please pass a name on the query string or in the request body")

+ : req.CreateResponse(HttpStatusCode.OK, "Hello " + name);

+ }

+ }

+}

+```

+In version 4.x, the HTTP trigger template looks like the following example:

+# [.NET Framework 4.8](#tab/v4)

+# [.NET 6 (isolated)](#tab/net6-isolated)

+# [.NET 6 (in-process)](#tab/net6-in-proc)

+# [.NET 7](#tab/net7)

+## Update your project files

+To update your project to Azure Functions 4.x:

+1. Update your local installation of [Azure Functions Core Tools](functions-run-local.md#install-the-azure-functions-core-tools) to version 4.x.

+1. Move to one of the [Node.js versions supported on version 4.x](functions-reference-node.md#node-version).

+1. Add both `version` and `extensionBundle` elements to the host.json, so that it looks like the following example:

+ [!INCLUDE [functions-extension-bundles-json-v3](../../includes/functions-extension-bundles-json-v3.md)]

+

+ The `extensionBundle` element is required because after version 1.x, bindings are maintained as external packages. For more information, see [Extension bundles](/functions-bindings-register.md#extension-bundles).

+1. Update your local.settings.json file so that it has at least the following elements:

+ ```json

+ {

+ "IsEncrypted": false,

+ "Values": {

+ "AzureWebJobsStorage": "UseDevelopmentStorage=true",

+ "FUNCTIONS_WORKER_RUNTIME": "node"

+ }

+ }

+ ```

+ The `AzureWebJobsStorage` setting can be either the Azurite storage emulator or an actual Azure storage account. For more information, see [Local storage emulator](/functions-develop-local.md#local-storage-emulator).

+## Behavior changes after version 1.x

+This section details changes made after version 1.x in both trigger and binding behaviors as well as in core Functions features and behaviors.

+### Changes in triggers and bindings

+Starting with version 2.x, you must install the extensions for specific triggers and bindings used by the functions in your app. The only exception for this HTTP and timer triggers, which don't require an extension. For more information, see [Register and install binding extensions](./functions-bindings-register.md).

+There are also a few changes in the *function.json* or attributes of the function between versions. For example, the Event Hubs `path` property is now `eventHubName`. See the [existing binding table](functions-versions.md#bindings) for links to documentation for each binding.

+### Changes in features and functionality

+A few features were removed, updated, or replaced after version 1.x. This section details the changes you see in later versions after having used version 1.x.

+In version 2.x, the following changes were made:

+* Keys for calling HTTP endpoints are always stored encrypted in Azure Blob storage. In version 1.x, keys were stored in Azure Files by default. When you upgrade an app from version 1.x to version 2.x, existing secrets that are in Azure Files are reset.

+* The version 2.x runtime doesn't include built-in support for webhook providers. This change was made to improve performance. You can still use HTTP triggers as endpoints for webhooks.

+* To improve monitoring, the WebJobs dashboard in the portal, which used the [`AzureWebJobsDashboard`](functions-app-settings.md#azurewebjobsdashboard) setting is replaced with Azure Application Insights, which uses the [`APPINSIGHTS_INSTRUMENTATIONKEY`](functions-app-settings.md#appinsights_instrumentationkey) setting. For more information, see [Monitor Azure Functions](functions-monitoring.md).

+* All functions in a function app must share the same language. When you create a function app, you must choose a runtime stack for the app. The runtime stack is specified by the [`FUNCTIONS_WORKER_RUNTIME`](functions-app-settings.md#functions_worker_runtime) value in application settings. This requirement was added to improve footprint and startup time. When developing locally, you must also include this setting in the [local.settings.json file](functions-develop-local.md#local-settings-file).

+* The default timeout for functions in an App Service plan is changed to 30 minutes. You can manually change the timeout back to unlimited by using the [functionTimeout](functions-host-json.md#functiontimeout) setting in host.json.

+* HTTP concurrency throttles are implemented by default for Consumption plan functions, with a default of 100 concurrent requests per instance. You can change this behavior in the [`maxConcurrentRequests`](functions-host-json.md#http) setting in the host.json file.

+* Because of [.NET Core limitations](https://github.com/Azure/azure-functions-host/issues/3414), support for F# script (`.fsx` files) functions has been removed. Compiled F# functions (.fs) are still supported.

+* The URL format of Event Grid trigger webhooks has been changed to follow this pattern: `https://{app}/runtime/webhooks/{triggerName}`.

+## Next steps

+> [!div class="nextstepaction"]

+> [Learn more about Functions versions](functions-versions.md)

+ Title: Migrate apps from Azure Functions version 3.x to 4.x

+description: This article shows you how to upgrade your existing function apps running on version 3.x of the Azure Functions runtime to be able to run on version 4.x of the runtime.

+zone_pivot_groups: programming-languages-set-functions

+# <a name="top"></a>Migrate apps from Azure Functions version 3.x to version 4.x

+Azure Functions version 4.x is highly backwards compatible to version 3.x. Most apps should safely upgrade to 4.x without requiring significant code changes. For more information about Functions runtime versions, see [Azure Functions runtime versions overview](./functions-versions.md).

+This article walks you through the process of safely migrating your function app to run on version 4.x of the Functions runtime. Because project upgrade instructions are language dependent, make sure to choose your development language from the selector at the [top of the article](#top).

+## Choose your target .NET

+On version 3.x of the Functions runtime, your C# function app targets .NET Core 3.1. When you migrate your function app to version 4.x, you have the opportunity to choose the target version of .NET. You can upgrade your C# project to one of the following versions of .NET, all of which can run on Functions version 4.x:

+| .NET version | Process model^* |

+| | | |

+| .NET 7 | [Isolated worker process](./dotnet-isolated-process-guide.md) |

+| .NET 6 | [Isolated worker process](./dotnet-isolated-process-guide.md) |

+| .NET 6 | [In-process](./functions-dotnet-class-library.md) |

+^* [In-process execution](./functions-dotnet-class-library.md) is only supported for Long Term Support (LTS) releases of .NET. Non-LTS releases and .NET Framework require you to run in an [isolated worker process](./dotnet-isolated-process-guide.md).

+Upgrading from .NET Core 3.1 to .NET 6 running in-process requires minimal updates to your project and virtually no updates to code. Switching to the isolated worker process model requires you to make changes to your code, but provides the flexibility of being able to easily run on any future version of .NET. For a feature and functionality comparison between the two process models, see [Differences between in-process and isolate worker process .NET Azure Functions](./dotnet-isolated-in-process-differences.md).

+## Prepare for migration

+Before you upgrade your app to version 4.x of the Functions runtime, you should do the following tasks:

+* Review the list of [breaking changes between 3.x and 4.x](#breaking-changes-between-3x-and-4x).

+* [Run the pre-upgrade validator](#run-the-pre-upgrade-validator).

+* When possible, [upgrade your local project environment to version 4.x](#upgrade-your-local-project). Fully test your app locally using version 4.x of the [Azure Functions Core Tools](functions-run-local.md).

+* Upgrade your function app in Azure to the new version. If you need to minimize downtime, consider using a [staging slot](functions-deployment-slots.md) to test and verify your migrated app in Azure on the new runtime version. You can then deploy your app with the updated version settings to the production slot. For more information, see [Migrate using slots](#upgrade-using-slots).

+* Republished your migrated project to the upgraded function app. When you use Visual Studio to publish a version 4.x project to an existing function app at a lower version, you're prompted to let Visual Studio upgrade the function app to version 4.x during deployment. This upgrade uses the same process defined in [Migrate without slots](#upgrade-without-slots).

+## Run the pre-upgrade validator

+Azure Functions provides a pre-upgrade validator to help you identify potential issues when migrating your function app to 4.x. To run the pre-upgrade validator:

+1. In the [Azure portal](https://portal.azure.com), navigate to your function app.

+1. Open the **Diagnose and solve problems** page.

+1. In **Function App Diagnostics**, start typing `Functions 4.x Pre-Upgrade Validator` and then choose it from the list.

+1. After validation completes, review the recommendations and address any issues in your app. If you need to make changes to your app, make sure to validate the changes against version 4.x of the Functions runtime, either [locally using Azure Functions Core Tools v4](#upgrade-your-local-project) or by [using a staging slot](#upgrade-using-slots).

+## Upgrade your local project

+Upgrading instructions are language dependent. If you don't see your language, choose it from the selector at the [top of the article](#top).

+Choose the tab that matches your target version of .NET and the desired process model (in-process or isolated worker process).

+### .csproj file

+The following example is a .csproj project file that uses .NET Core 3.1 on version 3.x:

+```xml

+<Project Sdk="Microsoft.NET.Sdk">

+ <PropertyGroup>

+ <TargetFramework>netcoreapp3.1</TargetFramework>

+ <AzureFunctionsVersion>v3</AzureFunctionsVersion>

+ </PropertyGroup>

+ <ItemGroup>

+ <PackageReference Include="Microsoft.NET.Sdk.Functions" Version="3.0.13" />

+ </ItemGroup>

+ <ItemGroup>

+ <Reference Include="Microsoft.CSharp" />

+ </ItemGroup>

+ <ItemGroup>

+ <None Update="host.json">

+ <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>

+ </None>

+ <None Update="local.settings.json">

+ <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>

+ <CopyToPublishDirectory>Never</CopyToPublishDirectory>

+ </None>

+ </ItemGroup>

+</Project>

+```

+Use one of the following procedures to update this XML file to run in Functions version 4.x:

+# [.NET 6 (in-process)](#tab/net6-in-proc)

+# [.NET 6 (isolated)](#tab/net6-isolated)

+# [.NET 7](#tab/net7)

+### program.cs file

+When migrating to run in an isolated worker process, you must add the following program.cs file to your project:

+# [.NET 6 (in-process)](#tab/net6-in-proc)

+A program.cs file isn't required when running in-process.

+# [.NET 6 (isolated)](#tab/net6-isolated)

+# [.NET 7](#tab/net7)

+### local.settings.json file

+The local.settings.json file is only used when running locally. For information, see [Local settings file](functions-develop-local.md#local-settings-file). When migrating from running in-process to running in an isolated worker process, you need to change the `FUNCTIONS_WORKER_RUNTIME` value, as in the following example:

+# [.NET 6 (in-process)](#tab/net6-in-proc)

+# [.NET 6 (isolated)](#tab/net6-isolated)

+# [.NET 7](#tab/net7)

+### Namespace changes

+C# functions that run in an isolated worker process uses libraries in a different namespace than those libraries used when running in-process. In-process libraries are generally in the namespace `Microsoft.Azure.WebJobs.*`. Isolated worker process function apps use libraries in the namespace `Microsoft.Azure.Functions.Worker.*`. You can see the effect of these namespace changes on `using` statements in the [HTTP trigger template examples](#http-trigger-template) that follow.

+### Class name changes

+Some key classes change names as a result of differences between in-process and isolated worker process APIs.

+The following table indicates key .NET classes used by Functions that could change when migrating from in-process:

+| .NET Core 3.1 | .NET 6 (in-process) | .NET 6 (isolated) | .NET 7 |

+| | | | |

+| `FunctionName` (attribute) | `FunctionName` (attribute) | `Function` (attribute) | `Function` (attribute) |

+| `HttpRequest` | `HttpRequest` | `HttpRequestData` | `HttpRequestData` |

+| `OkObjectResult` | `OkObjectResult` | `HttpResonseData` | `HttpResonseData` |

+There might also be class name differences in bindings. For more information, see the reference articles for the specific bindings.

+### HTTP trigger template

+The differences between in-process and isolated worker process can be seen in HTTP triggered functions. The HTTP trigger template for version 3.x (in-process) looks like the following example:

+The HTTP trigger template for the migrated version looks like the following example:

+# [.NET 6 (in-process)](#tab/net6-in-proc)

+Sames as version 3.x (in-process).

+# [.NET 6 (isolated)](#tab/net6-isolated)

+# [.NET 7](#tab/net7)

+To update your project to Azure Functions 4.x:

+1. Update your local installation of [Azure Functions Core Tools](functions-run-local.md#install-the-azure-functions-core-tools) to version 4.x.

+1. Update your app's [Azure Functions extensions bundle](functions-bindings-register.md#extension-bundles) to 2.x or above. For more information, see [breaking changes](#breaking-changes-between-3x-and-4x).

+3. If needed, move to one of the [Java versions supported on version 4.x](./functions-reference-java.md#supported-versions).

+4. Update the app's `POM.xml` file to modify the `FUNCTIONS_EXTENSION_VERSION` setting to `~4`, as in the following example:

+ ```xml

+ <configuration>

+ <resourceGroup>${functionResourceGroup}</resourceGroup>

+ <appName>${functionAppName}</appName>

+ <region>${functionAppRegion}</region>

+ <appSettings>

+ <property>

+ <name>WEBSITE_RUN_FROM_PACKAGE</name>

+ <value>1</value>

+ </property>

+ <property>

+ <name>FUNCTIONS_EXTENSION_VERSION</name>

+ <value>~4</value>

+ </property>

+ </appSettings>

+ </configuration>

+ ```

+3. If needed, move to one of the [Node.js versions supported on version 4.x](functions-reference-node.md#node-version).

+3. Take this opportunity to upgrade to PowerShell 7.2, which is recommended. For more information, see [PowerShell versions](functions-reference-powershell.md#powershell-versions).

+3. If you're using Python 3.6, move to one of the [supported versions](functions-reference-python.md#python-version).

+## Breaking changes between 3.x and 4.x

+The following are key breaking changes to be aware of before upgrading a 3.x app to 4.x, including language-specific breaking changes. For a full list, see Azure Functions GitHub issues labeled [*Breaking Change: Approved*](https://github.com/Azure/azure-functions/issues?q=is%3Aissue+label%3A%22Breaking+Change%3A+Approved%22+is%3A%22closed+OR+open%22).

+If you don't see your programming language, go select it from the [top of the page](#top).

+### Runtime

+- Azure Functions proxies is a legacy feature for versions 1.x through 3.x of the Azure Functions runtime. Support for Functions proxies is being returned in version 4.x so that you can successfully upgrade your function apps to the latest runtime version. As soon as possible, you should instead switch to integrating your function apps with Azure API Management. API Management lets you take advantage of a more complete set of features for defining, securing, managing, and monetizing your Functions-based APIs. For more information, see [API Management integration](functions-proxies.md#api-management-integration). For information about the pending return of proxies in version 4.x, [Monitor the App Service announcements page](https://github.com/Azure/app-service-announcements/issues).

+- Logging to Azure Storage using *AzureWebJobsDashboard* is no longer supported in 4.x. You should instead use [Application Insights](./functions-monitoring.md). ([#1923](https://github.com/Azure/Azure-Functions/issues/1923))

+- Azure Functions 4.x now enforces [minimum version requirements for extensions](functions-versions.md#minimum-extension-versions). Upgrade to the latest version of affected extensions. For non-.NET languages, [upgrade](./functions-bindings-register.md#extension-bundles) to extension bundle version 2.x or later. ([#1987](https://github.com/Azure/Azure-Functions/issues/1987))

+- Default and maximum timeouts are now enforced in 4.x for function apps running on Linux in a Consumption plan. ([#1915](https://github.com/Azure/Azure-Functions/issues/1915))

+- Azure Functions 4.x uses `Azure.Identity` and `Azure.Security.KeyVault.Secrets` for the Key Vault provider and has deprecated the use of Microsoft.Azure.KeyVault. For more information about how to configure function app settings, see the Key Vault option in [Secret Repositories](security-concepts.md#secret-repositories). ([#2048](https://github.com/Azure/Azure-Functions/issues/2048))

+- Function apps that share storage accounts now fail to start when their host IDs are the same. For more information, see [Host ID considerations](storage-considerations.md#host-id-considerations). ([#2049](https://github.com/Azure/Azure-Functions/issues/2049))

+- Azure Functions 4.x supports .NET 6 in-process and isolated apps.

+- `InvalidHostServicesException` is now a fatal error. ([#2045](https://github.com/Azure/Azure-Functions/issues/2045))

+- `EnableEnhancedScopes` is enabled by default. ([#1954](https://github.com/Azure/Azure-Functions/issues/1954))

+- Remove `HttpClient` as a registered service. ([#1911](https://github.com/Azure/Azure-Functions/issues/1911))

+- Use single class loader in Java 11. ([#1997](https://github.com/Azure/Azure-Functions/issues/1997))

+- Stop loading worker jars in Java 8. ([#1991](https://github.com/Azure/Azure-Functions/issues/1991))

+- Node.js versions 10 and 12 aren't supported in Azure Functions 4.x. ([#1999](https://github.com/Azure/Azure-Functions/issues/1999))

+- Output serialization in Node.js apps was updated to address previous inconsistencies. ([#2007](https://github.com/Azure/Azure-Functions/issues/2007))

+- Default thread count has been updated. Functions that aren't thread-safe or have high memory usage may be impacted. ([#1962](https://github.com/Azure/Azure-Functions/issues/1962))

+- Python 3.6 isn't supported in Azure Functions 4.x. ([#1999](https://github.com/Azure/Azure-Functions/issues/1999))

+- Shared memory transfer is enabled by default. ([#1973](https://github.com/Azure/Azure-Functions/issues/1973))

+- Default thread count has been updated. Functions that aren't thread-safe or have high memory usage may be impacted. ([#1962](https://github.com/Azure/Azure-Functions/issues/1962))

+## Next steps

+> [!div class="nextstepaction"]

+> [Learn more about Functions versions](functions-versions.md)

+> The OpenAPI and API Management integration featured in this article is currently in preview. This method for exposing a serverless API is only supported for [in-process](functions-dotnet-class-library.md) C# class library functions. [isolated worker process](dotnet-isolated-process-guide.md) C# class library functions and all other language runtimes should instead [use Azure API Management integration from the portal](functions-openapi-definition.md).

+ | **Functions worker** | **.NET 6** | This value creates a function project that runs in-process on version 4.x of the Azure Functions runtime. OpenAPI file generation is only supported for versions 3.x and 4.x of the Functions runtime, and isolated worker process isn't supported. |

+| 4.x | `~4` | [On Windows, enable .NET 6](./migrate-version-3-version-4.md#upgrade-your-function-app-in-azure) |

+*Last updated: November 2022*

+| [Azure Arc-enabled Kubernetes](../../azure-arc/kubernetes/index.yml) | &#x2705; | &#x2705; |

+| [VM Image Builder](../../virtual-machines/image-builder-overview.md) | &#x2705; | &#x2705; |

+- [Prometheus alerts](#prometheus-alerts-preview) (preview)

+# Prometheus alerts in Azure Monitor

+## View Prometheus alerts

+View fired and resolved Prometheus alerts in the Azure portal with other alert types. Use the following steps to filter on only Prometheus alerts.

+Enabling monitoring on your ASP.NET based web applications running on [Azure App Services](../../app-service/index.yml) is now easier than ever. Whereas previously you needed to manually instrument your app, the latest extension/agent is now built into the App Service image by default. This article will walk you through enabling Azure Monitor Application Insights monitoring as well as provide preliminary guidance for automating the process for large-scale deployments.

+| Histogram | Min, Max, Average, Sum and Count |

+| UpDownCounter | Sum |

+| Asynchronous UpDownCounter | Sum |

+| [ACSRoomsIncomingOperations](/azure/azure-monitor/reference/tables/acsroomsincomingoperations) | Communication Services Rooms incoming requests operations. |

+| [AppTraces](/azure/azure-monitor/reference/tables/apptraces) | Application Insights Freeform traces. |

+| [AMSKeyDeliveryRequests](/azure/azure-monitor/reference/tables/AMSKeyDeliveryRequests) | Azure Media Services HTTP request details for key, or license acquisition. |

+| [AMSMediaAccountHealth](/azure/azure-monitor/reference/tables/AMSMediaAccountHealth) | Azure Media Account Health Status. |

+| [ContainerAppConsoleLogs](/azure/azure-monitor/reference/tables/containerappconsoleLogs) | Azure Container Apps logs, generated within a Container Apps environment. |

+| [ContainerLogV2](/azure/azure-monitor/reference/tables/containerlogv2) | Used in [Container insights](../containers/container-insights-overview.md) and includes verbose text-based log records. |

+* Japan West

+Azure NetApp Files volumes have a limit called *`maxfiles`*. The `maxfiles` limit is the number of files a volume can contain. Linux file systems refer to the limit as *inodes*. The `maxfiles` limit for an Azure NetApp Files volume is indexed based on the size (quota) of the volume. The `maxfiles` limit for a volume increases or decreases at the rate of 21,251,126 files per TiB of provisioned volume size.

+The service dynamically adjusts the `maxfiles` limit for a volume based on its provisioned size. For example, a volume configured initially with a size of 1 TiB would have a `maxfiles` limit of 21,251,126. Subsequent changes to the size of the volume would result in an automatic readjustment of the `maxfiles` limit based on the following rules:

+| <= 1 TiB | 21,251,126 |

+| > 1 TiB but <= 2 TiB | 42,502,252 |

+| > 2 TiB but <= 3 TiB | 63,753,378 |

+| > 3 TiB but <= 4 TiB | 85,004,504 |

+| > 4 TiB | 106,255,630 |

+For volumes with at least 4 TiB of quota, you can increase the `maxfiles` (inodes) limit beyond 100 million. For every 100 million files you increase (or a fraction thereof), you need to increase the corresponding volume quota by 4 TiB. For example, if you increase the `maxfiles` limit from 100 million files to 200 million files (or any number in between), you need to increase the volume quota from 4 TiB to 8 TiB.

+ * Peered virtual network topologies with AD DS domain controllers must have peering configured correctly to support Azure NetApp Files to AD DS domain controller network connectivity.

+* [Azure NetApp Files datastores for Azure VMware Solution](../azure-vmware/attach-azure-netapp-files-to-azure-vmware-solution-hosts.md) is now generally available (GA) with expanded regional coverage.

+## Azure Spring Apps limits

+To learn more about the limits for Azure Spring Apps, see [Quotas and service plans for Azure Spring Apps](../../spring-apps/quotas.md).

+# Attach Azure NetApp Files datastores to Azure VMware Solution hosts

+ 2. Verify the subscription is registered to the `ANFAvsDataStore` feature in the `Microsoft.NetApp` namespace. If the subscription isn't registered, register it now.

+>[!NOTE]

+>Azure NetApp Files datastores for Azure VMware Solution are generally available. You must register Azure NetApp Files datastores for Azure VMware Solution before using it.

+**Europe** : France Central, Germany West Central, North Europe, Sweden Central, Sweden North, Switzerland West, UK South, UK West, West Europe

+**North America** : Canada Central, Canada East, Central US, East US, East US 2, North Central US, South Central US, West US, West US 2.

+Under **Manage**, select **Storage**.

+ 1. When the datastore is created, you should see all of your datastores in the **Storage**.

+ Azure NetApp Files supports [snapshots](../azure-netapp-files/azure-netapp-files-manage-snapshots.md) of datastores for quick checkpoints for near term recovery or quick clones. Azure NetApp Files backup lets you offload your Azure NetApp Files snapshots to Azure storage. With snapshots, copies and stores-changed blocks relative to previously offloaded snapshots are stored in an efficient format. This ability decreases Recovery Point Objective (RPO) and Recovery Time Objective (RTO) while lowering backup data transfer burden on the Azure VMware Solution service.

+ The new node sizes increase memory and storage options to optimize your workloads. These gains in performance enable you to do more per server, break storage bottlenecks, and lower transaction costs of latency-sensitive workloads. The availability of these new nodes allows large latency-sensitive services to be hosted efficiently on the Azure VMware Solution infrastructure.

+### UserErrorCrossSubscriptionRestoreInvalidTargetSubscription

+**Error code**: UserErrorCrossSubscriptionRestoreInvalidTargetSubscription

+**Error message**: Operation failed as the target subscription specified for restore is not registered to the Azure Recovery Services Resource Provider.

+**Recommended action**: Ensure that the target subscription is registered to the Recovery Services Resource Provider before you attempt a cross subscription restore. Creating a vault in the target Subscription should typically register the Subscription to Recovery Services vault Provider.

+**Choose a client**

+# [Azure portal](#tab/azure-portal)

+To create the Resource Guard in a tenant different from the vault tenant, follow these steps:

+# [PowerShell](#tab/powershell)

+Use the following command to create a resource guard:

+ ```azurepowershell-interactive

+ New-AzDataProtectionResourceGuard -Location ΓÇ£LocationΓÇ¥ -Name ΓÇ£ResourceGuardNameΓÇ¥ -ResourceGroupName ΓÇ£rgNameΓÇ¥

+ ```

+Choose the operations you want to protect using the Resource Guard out of all supported critical operations. By default, all supported critical operations are enabled. However, you (as the security admin) can exempt certain operations from falling under the purview of MUA using Resource Guard.

+**Choose a client**

+# [Azure portal](#tab/azure-portal)

+To exempt operations, follow these steps:

+# [PowerShell](#tab/powershell)

+Use the following commands to update the operations. These exclude operations from protection by the resource guard.

+ ```azurepowershell-interactive

+ $resourceGuard = Get-AzDataProtectionResourceGuard -SubscriptionId "xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxx" -ResourceGroupName "rgName" -Name "resGuardName"

+ $criticalOperations = $resourceGuard.ResourceGuardOperation.VaultCriticalOperation

+ $operationsToBeExcluded = $criticalOperations | Where-Object { $_ -match "backupSecurityPIN/action" -or $_ -match "backupInstances/delete" }

+ Update-AzDataProtectionResourceGuard -SubscriptionId "xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxx" -ResourceGroupName "rgName" -Name $resourceGuard.Name -CriticalOperationExclusionList $operationsToBeExcluded

+ ```

+- The first command fetches the resource guard that needs to be updated.

+- The second and third commands fetch the critical operations that you want to update.

+- The fourth command excludes some critical operations from the resource guard.

+After the Reader role assignment on the Resource Guard is complete, enable multi-user authorization on vaults (as the **Backup admin**) that you manage.

+**Choose a client**

+# [Azure portal](#tab/azure-portal)

+To enable MUA on the vaults, follow these steps.

+# [PowerShell](#tab/powershell)

+Use the following command to enable MUA on a Recovery Services vault:

+ ```azurepowershell-interactive

+ $token = (Get-AzAccessToken -TenantId "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx").Token

+ Set-AzRecoveryServicesResourceGuardMapping -VaultId ΓÇ£VaultArmIdΓÇ¥ -ResourceGuardId "ResourceGuardArmId" -Token $token

+ ```

+- The first command fetches the access token for the resource guard tenant where the resource guard is present.

+- The second command creates a mapping between the RSVault $vault and Resource guard.

+>[!NOTE]

+>The token parameter is optional and is only needed to authenticate cross tenant protected operations.

+Disabling MUA is a protected operation, so, so, vaults are protected using MUA. If you (the Backup admin) want to disable MUA, you must have the required Contributor role in the Resource Guard.

+**Choose a client**

+# [Azure portal](#tab/azure-portal)

+To disable MUA on a vault, follow these steps:

+# [PowerShell](#tab/powershell)

+Use the following command to disable MUA on a Recovery Services vault:

+ ```azurepowershell-interactive

+ $token = (Get-AzAccessToken -TenantId "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx").Token

+ Remove-AzRecoveryServicesResourceGuardMapping -VaultId ΓÇ£VaultArmIdΓÇ¥ -Token $token

+ ```

+- The first command fetches the access token for the resource guard tenant, where the resource guard is present.

+- The second command deletes the mapping between the Recovery Services vault and the resource guard.

+>[!NOTE]

+>The token parameter is optional and is only needed to authenticate the cross tenant protected operations.

+## Shareable link (Preview)

+The Bastion **Shareable Link** feature lets users connect to a target resource using Azure Bastion without accessing the Azure portal.

+When a user without Azure credentials clicks a shareable link, a webpage will open that prompts the user to sign in to the target resource via RDP or SSH. Users authenticate using username and password or private key, depending on what you have configured in the Azure portal for that target resource. Users can connect to the same resources that you can currently connect to with Azure Bastion: VMs or virtual machine scale set.

+| Method | Value | Links | Requires Standard SKU |

+| | | | |

+| Azure portal |Shareable Link | [Configure](shareable-link.md)| Yes |

+ Title: 'Create a shareable link for Azure Bastion'

+description: Learn how to create a shareable link to let a user connect to a target resource via Bastion without using the Azure portal.

+# Create a shareable link for Bastion - preview

+The Bastion **Shareable Link** feature lets users connect to a target resource (virtual machine or virtual machine scale set) using Azure Bastion without accessing the Azure portal. This article helps you use the Shareable Link feature to create a shareable link for an existing Azure Bastion deployment.

+When a user without Azure credentials clicks a shareable link, a webpage opens that prompts the user to sign in to the target resource via RDP or SSH. Users authenticate using username and password or private key, depending on what you have configured for the target resource. The shareable link does not contain any credentials - the admin must provide sign-in credentials to the user.

+By default, users in your org will have only read access to shared links. If a user has read access, they'll only be able to use and view shared links, but can't create or delete a shareable link. For more information, see the [Permissions](#permissions) section of this article.

+## Considerations

+* Shareable Links isn't currently supported on peered VNets.

+* Shareable Links is not supported for national clouds during preview.

+* The Standard SKU is required for this feature.

+## Prerequisites

+* Azure Bastion is deployed to your VNet. See [Tutorial - Deploy Bastion using manual settings](tutorial-create-host-portal.md) for steps.

+* Bastion must be configured to use the **Standard** SKU for this feature. You can update the SKU from Basic to Standard when you configure the shareable links feature.

+* The VNet contains the VM resource to which you want to create a shareable link.

+## Enable Shareable Link feature

+Before you can create a shareable link to a VM, you must first enable the feature.

+1. In the Azure portal, go to your bastion resource.

+1. On your **Bastion** page, in the left pane, click **Configuration**.

+ :::image type="content" source="./media/shareable-link/configuration-settings.png" alt-text="Screenshot of Configuration settings with shareable link selected." lightbox="./media/shareable-link/configuration-settings.png":::

+1. On the **Configuration** page, for **Tier**, select **Standard** if it isn't already selected. This feature requires the **Standard SKU**.

+1. Select **Shareable Link** from the listed features to enable the Shareable Link feature.

+1. Verify that you've selected the settings that you want, then click **Apply**.

+1. Bastion will immediately begin updating the settings for your bastion host. Updates will take about 10 minutes.

+## Create shareable links

+In this section, you specify each resource for which you want to create a shareable link

+1. In the Azure portal, go to your bastion resource.

+1. On your bastion page, in the left pane, click **Shareable links**. Click **+ Add** to open the **Create shareable link** page.

+ :::image type="content" source="./media/shareable-link/add.png" alt-text="Screenshot shareable links page with + add." lightbox="./media/shareable-link/add.png":::

+1. On the **Create shareable link** page, select the resources for which you want to create a shareable link. You can select specific resources, or you can select all. A separate shareable link will be created for each selected resource. Click **Apply** to create links.

+ :::image type="content" source="./media/shareable-link/select-vm.png" alt-text="Screenshot of shareable links page to create a shareable link." lightbox="./media/shareable-link/select-vm.png":::

+1. Once the links are created, you can view them on the **Shareable links** page. The following example shows links for multiple resources. You can see that each resource has a separate link and the link status is **Active**. To share a link, copy it, then send it to the user. The link doesn't contain authentication credentials.

+ :::image type="content" source="./media/shareable-link/copy-link.png" alt-text="Screenshot of shareable links page to show all available resource links." lightbox="./media/shareable-link/copy-link.png":::

+## Connect to a VM

+1. After receiving the link, the user opens the link in their browser.

+1. In the left corner, the user can select whether to see text and images copied to the clipboard. The user inputs the required information, then clicks **Login** to connect. A shared link doesn't contain authentication credentials. The admin must provide sign-in credentials to the user. Custom port and protocols are supported.

+ :::image type="content" source="./media/shareable-link/login.png" alt-text="Screenshot of Sign-in to bastion using the shareable link in the browser." lightbox="./media/shareable-link/login.png":::

+> [!NOTE]

+> If a link is no longer able to be opened, this means that someone in your organization has deleted that resource. While you'll still be able to see the shared links in your list, it will no longer connect to the target resource and will lead to a connection error. You can delete the shared link in your list, or keep it for auditing purposes.

+>

+## Delete a shareable link

+1. In the Azure portal, go to your **Bastion resource -> Shareable Links**.

+1. On the **Shareable Links** page, select the resource link that you want to delete, then click **Delete**.

+ :::image type="content" source="./media/shareable-link/delete.png" alt-text="Screenshot of selecting link to delete." lightbox="./media/shareable-link/delete.png":::

+## Permissions

+Permissions to the Shareable Link feature are configured using Access control (IAM). By default, users in your org will have only read access to shared links. If a user has read access, they'll only be able to use and view shared links, but can't create or delete a shared link.

+To give someone permissions to create or delete a shared link, use the following steps:

+1. In the Azure portal, go to the Bastion host.

+1. Go to the **Access control (IAM)** page.

+1. In the Microsoft.Network/bastionHosts section, configure the following permissions:

+ * Other: Creates shareable urls for the VMs under a bastion and returns the URLs.

+ * Other: Deletes shareable urls for the provided VMs under a bastion.

+ * Other: Deletes shareable urls for the provided tokens under a bastion.

+ These correspond to the following PowerShell cmdlets:

+ * Microsoft.Network/bastionHosts/createShareableLinks/action

+ * Microsoft.Network/bastionHosts/deleteShareableLinks/action

+ * Microsoft.Network/bastionHosts/deleteShareableLinksByToken/action

+ * Microsoft.Network/bastionHosts/getShareableLinks/action - If this isn't enabled, the user won't be able to see a shareable link.

+## Next steps

+* For additional features, see [Bastion features and configuration settings](configuration-settings.md).

+* For more information about Azure Bastion, see [What is Azure Bastion?](bastion-overview.md)

+For more information about Azure Storage billing, see [Plan and manage costs for Azure Storage](../storage/common/storage-plan-manage-costs.md).

+Set the longest TTL possible on your content.

+ "variable": "Variable_1",

+ "variable": "Variable_2",

+ "variable": "Variable_3",

+The face ID is a unique identifier string for each detected face in an image. Note that Face ID requires limited access approval by filling out the [intake form](https://aka.ms/facerecognition). For more information, see the Face [limited access page](/legal/cognitive-services/computer-vision/limited-access-identity?context=%2Fazure%2Fcognitive-services%2Fcomputer-vision%2Fcontext%2Fcontext). You can request a face ID in your [Face - Detect](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395236) API call.

+Image Analysis 4.0 has been released in public preview. The new API includes image captioning, image tagging, object detection, smart crops, people detection, and Read OCR functionality, all available through one Analyze Image operation. The OCR is optimized for general, non-document images in a performance-enhanced synchronous API that makes it easier to embed OCR-powered experiences in your workflows.

+1. Business users may want to download and install our free [DocumentTranslator app for Windows](https://github.com/MicrosoftTranslator/DocumentTranslation/releases).

+|Available pricing tiers|<ul><li>Free (F0) and Standard (S1). See [Translator pricing](https://azure.microsoft.com/pricing/details/cognitive-services/translator/)</li></ul>|

+|Supported Features | <ul><li>[Text Translation](reference/v3-0-reference.md)</li><li>[Document Translation](document-translation/overview.md)</li><li>[Custom Translator](custom-translator/overview.md)</li></ul>|

+> [Azure Government: Translator text reference](/azure/azure-government/documentation-government-cognitiveservices#translator)

+| **1 document/request** | 4 core, 12GB memory | 6 core, 12GB memory |15 | 30|

+ "parameters":

+ {

+ "modelVersion": "2022-08-15-preview"

+ }

+The docker container supports English language, model version 2022-03-01.

+docker pull mcr.microsoft.com/azure-cognitive-services/textanalytics/healthcare:latin

+docker pull mcr.microsoft.com/azure-cognitive-services/textanalytics/healthcare:semitic

+curl https://YOUR_RESOURCE_NAME.openai.azure.com/openai/deployments/YOUR_DEPLOYMENT_NAME/completions?api-version=2022-06-01-preview\

+Learn more about the [underlying models that power Azure OpenAI](./concepts/models.md).

+* [Azure SDK client libraries](cognitive-services-apis-create-account-client-library.md?tabs=windows "cognitive-services-apis-create-account-client-library?pivots=programming-language-csharp")

+Azure Communication Services allow developers to record PSTN, WebRTC, Conference, or SIP calls. Call Recording supports mixed video MP4, mixed audio MP3/WAV, and unmixed audio WAV output formats. Call Recording SDKs are available for Java and C#. To learn more view Call Recording [concepts](./voice-video-calling/call-recording.md) and [quickstart](../quickstarts/voice-video-calling/get-started-call-recording.md).

+- Mixed video (audio+video): $0.01/min

+- Mixed audio: $0.002/min

+- Unmixed audio: $0.0012/participant/min

+### Pricing example: Record a video call

+- The call lasts a total of 60 minutes and recording was active during 60 minutes.

+- You'll be charged for the length of the meeting. (Length of the meeting is the timeline between user starts a recording and either explicitly stops or when there's no one left in a meeting).

+### Pricing example: Record an audio call in a mixed format

+- You'll be charged for the length of the recording.

+### Pricing example: Record an audio call in an unmixed format

+Bob starts a call with his financial advisor, Charlie.

+- The call lasts a total of 60 minutes. The recording lasted for 50 minutes.

+**Cost calculations**

+- You'll be charged for the length of the recording per participant.

+- 50 minutes x $0.0012 x 2 per recording per participant per minute = $0.12

+Azure Communication Services Call Automation provides developers the ability to build server-based, intelligent call workflows, and call recording for voice and PSTN channels. The SDKs, available for .NET and Java, uses an action-event model to help you build personalized customer interactions. Your communication applications can listen to real-time call events and perform control plane actions (like answer, transfer, play audio, start recording, etc.) to steer and control calls based on your business logic.

+- Analyze in a post-call process your unmixed audio recordings for quality assurance purposes.

+| Call Recording | Start/pause/resume/stop recording | ✔️ | ✔️ |

+**Record** - You decide when to start/pause/resume/stop recording based on your application business logic, or you can grant control to the end user to trigger those actions. To learn more, view our [concepts](./call-recording.md) and [quickstart](../../quickstarts/voice-video-calling/get-started-call-recording.md).

+> [Get started with Call Automation](./../../quickstarts/voice-video-calling/Callflows-for-customer-interactions.md)

+ "metadataLocation": <string>, // url of the metadata for this chunk

+ "contentLocation": <string>, // url of the mp4, mp3, or wav for this chunk

+ "deleteLocation": <string> // url of the mp4, mp3, or wav to delete this chunk

+Sample applications for use with the guest attestation APIs are [available on GitHub](https://github.com/Azure/confidential-computing-cvm-guest-attestation).

+1. Clone the sample Linux application.

+1. Clone the sample Windows application.

+> While not a built-in feature, [Azure Monitor Application Insights](../azure-monitor/app/app-insights-overview.md) is a powerful tool to monitor your web and background applications. Although Container Apps doesn't support the Application Insights auto-instrumentation agent, you can instrument your application code using Application Insights SDKs.

+ Title: |

+ Tutorial: Store and use Azure Cosmos DB credentials with Azure Key Vault

+description: |

+ Use Azure Key Vault to store and access Azure Cosmos DB connection string, keys, and endpoints.

+# Tutorial: Store and use Azure Cosmos DB credentials with Azure Key Vault

+> [!IMPORTANT]

+> It's recommended to access Azure Cosmos DB is to use a [system-assigned managed identity](managed-identity-based-authentication.md). If your service cannot take advantage of managed identities then use the [certificate-based authentication](certificate-based-authentication.md). If both the managed identity solution and cert based solution do not meet your needs, please use the Azure Key vault solution in this article.

+If you're using Azure Cosmos DB as your database, you connect to databases, container, and items by using an SDK, the API endpoint, and either the primary or secondary key.

+It's not a good practice to store the endpoint URI and sensitive read-write keys directly within application code or configuration file. Ideally, this data is read from environment variables within the host. In Azure App Service, [app settings](/azure/app-service/configure-common#configure-app-settings) allow you to inject runtime credentials for your Azure Cosmos DB account without the need for developers to store these credentials in an insecure clear text manner.

+Azure Key Vault iterates on this best practice further by allowing you to store these credentials securely while giving services like Azure App Service managed access to the credentials. Azure App Service will securely read your credentials from Azure Key Vault and inject those credentials into your running application.

+With this best practice, developers can store the credentials for tools like the [Azure Cosmos DB emulator](local-emulator.md) or [Try Azure Cosmos DB free](try-free.md) during development. Then, the operations team can ensure that the correct production settings are injected at runtime.

+In this tutorial, you learn how to:

+> [!div class="checklist"]

+>

+> - Create an Azure Key Vault instance

+> - Add Azure Cosmos DB credentials as secrets to the key vault

+> - Create and register an Azure App Service resource and grant "read key" permissions

+> - Inject key vault secrets into the App Service resource

+>

+> [!NOTE]

+> This tutorial and the sample application uses an Azure Cosmos DB for NoSQL account. You can perform many of the same steps using other APIs.

+## Prerequisites

+- An existing Azure Cosmos DB for NoSQL account.

+ - If you have an Azure subscription, [create a new account](nosql/how-to-create-account.md?tabs=azure-portal).

+ - If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+ - Alternatively, you can [try Azure Cosmos DB free](try-free.md) before you commit.

+- GitHub account.

+## Before you begin: Get Azure Cosmos DB credentials

+Before you start, you'll get the credentials for your existing account.

+1. Navigate to the [Azure portal](https://portal.azure.com/) page for the existing Azure Cosmos DB for NoSQL account.

+1. From the Azure Cosmos DB for NoSQL account page, select the **Keys** navigation menu option.

+ :::image type="content" source="media/access-secrets-from-keyvault/cosmos-keys-option.png" lightbox="media/access-secrets-from-keyvault/cosmos-keys-option.png" alt-text="Screenshot of an Azure Cosmos DB SQL API account page. The Keys option is highlighted in the navigation menu.":::

+1. Record the values from the **URI** and **PRIMARY KEY** fields. You'll use these values later in this tutorial.

+ :::image type="content" source="media/access-secrets-from-keyvault/cosmos-endpoint-key-credentials.png" lightbox="media/access-secrets-from-keyvault/cosmos-endpoint-key-credentials.png" alt-text="Screenshot of Keys page with various credentials for an Azure Cosmos DB SQL API account.":::

+## Create an Azure Key Vault resource

+First, create a new key vault to store your API for NoSQL credentials.

+1. Sign in to the [Azure portal](https://portal.azure.com/).

+1. Select **Create a resource > Security > Key Vault**.

+1. On the **Create key vault** page, enter the following information:

+ | Setting | Description |

+ | | |

+ | **Subscription** | Select the Azure subscription that you wish to use for this Azure Cosmos account. |

+ | **Resource group** | Select a resource group, or select **Create new**, then enter a unique name for the new resource group. |

+ | **Key vault name** | Enter a globally unique name for your key vault. |

+ | **Region** | Select a geographic location to host your Azure Cosmos DB account. Use the location that is closest to your users to give them the fastest access to the data. |

+ | **Pricing tier** | Select *Standard*. |

+1. Leave the remaining settings to their default values.

+

+1. Select **Review + create**.

+1. Review the settings you provide, and then select **Create**. It takes a few minutes to create the account. Wait for the portal page to display **Your deployment is complete** before moving on.

+## Add Azure Cosmos DB access keys to the Key Vault

+Now, store your Azure Cosmos DB credentials as secrets in the key vault.

+1. Select **Go to resource** to go to the Azure Key Vault resource page.

+1. From the Azure Key Vault resource page, select the **Secrets** navigation menu option.

+1. Select **Generate/Import** from the menu.

+ :::image type="content" source="media/access-secrets-from-keyvault/create-new-secret.png" alt-text="Screenshot of the Generate/Import option in a key vault menu.":::

+1. On the **Create a secret** page, enter the following information:

+ | Setting | Description |

+ | | |

+ | **Upload options** | *Manual* |

+ | **Name** | *cosmos-endpoint* |

+ | **Secret value** | Enter the **URI** you copied earlier in this tutorial. |

+ :::image type="content" source="media/access-secrets-from-keyvault/create-endpoint-secret.png" alt-text="Screenshot of the Create a secret dialog in the Azure portal with details for an URI secret.":::

+1. Select **Create** to create the new **cosmos-endpoint** secret.

+1. Select **Generate/Import** from the menu again. On the **Create a secret** page, enter the following information:

+ | Setting | Description |

+ | | |

+ | **Upload options** | *Manual* |

+ | **Name** | *cosmos-readwrite-key* |

+ | **Secret value** | Enter the **PRIMARY KEY** you copied earlier in this tutorial. |

+ :::image type="content" source="media/access-secrets-from-keyvault/create-key-secret.png" alt-text="Screenshot of the Create a secret dialog in the Azure portal with details for a PRIMARY KEY secret.":::

+1. Select **Create** to create the new **cosmos-readwrite-key** secret.

+1. After the secrets are created, view them in the list of secrets within the **Secrets** page.

+ :::image type="content" source="media/access-secrets-from-keyvault/view-secrets-list.png" alt-text="Screenshot of the list of secrets for a key vault.":::

+1. Select each key, select the latest version, and then copy the **Secret Identifier**. You'll use the identifier for the **cosmos-endpoint** and **cosmos-readwrite-key** secrets later in this tutorial.

+ > [!TIP]

+ > The secret identifier will be in this format `https://<key-vault-name>.vault.azure.net/secrets/<secret-name>/<version-id>`. For example, if the name of the key vault is **msdocs-key-vault**, the name of the key is **cosmos-readwrite-key**, and the version if **83b995e363d947999ac6cf487ae0e12e**; then the secret identifier would be `https://msdocs-key-vault.vault.azure.net/secrets/cosmos-readwrite-key/83b995e363d947999ac6cf487ae0e12e`.

+ >

+ > :::image type="content" source="media/access-secrets-from-keyvault/view-secret-identifier.png" alt-text="Screenshot of a secret identifier for a key vault secret named cosmos-readwrite-key.":::

+ >

+## Create and register an Azure Web App with Azure Key Vault

+In this section, create a new Azure Web App, deploy a sample application, and then register the Web App's managed identity with Azure Key Vault.

+1. Create a new GitHub repository using the [cosmos-db-nosql-dotnet-sample-web-environment-variables template](https://github.com/azure-samples/cosmos-db-nosql-dotnet-sample-web-environment-variables/generate).

+1. In the Azure portal, select **Create a resource > Web > Web App**.

+1. On the **Create Web App** page and **Basics** tab, enter the following information:

+ | Setting | Description |

+ | | |

+ | **Subscription** | Select the Azure subscription that you wish to use for this Azure Cosmos account. |

+ | **Resource group** | Select a resource group, or select **Create new**, then enter a unique name for the new resource group. |

+ | **Name** | Enter a globally unique name for your web app. |

+ | **Publish** | Select *Code*. |

+ | **Runtime stack** | Select *.NET 6 (LTS)*. |

+ | **Operating System** | Select *Windows*. |

+ | **Region** | Select a geographic location to host your Azure Cosmos DB account. Use the location that is closest to your users to give them the fastest access to the data. |

+1. Leave the remaining settings to their default values.

+1. Select **Next: Deployment**.

+1. On the **Deployment** tab, enter the following information:

+ | Setting | Description |

+ | | |

+ | **Continuous deployment** | Select *Enable*. |

+ | **GitHub account** | Select *Authorize*. Follow the GitHub account authorization prompts to grant Azure permission to read your newly created GitHub repository. |

+ | **Organization** | Select the organization for your new GitHub repository. |

+ | **Repository** | Select the name your new GitHub repository. |

+ | **Branch** | Select *main*. |

+1. Select **Review + create**.

+1. Review the settings you provide, and then select **Create**. It takes a few minutes to create the account. Wait for the portal page to display **Your deployment is complete** before moving on.

+1. You may need to wait a few extra minutes for the web application to be initially deployed to the web app. From the Azure Web App resource page, select **Browse** to see the default state of the app.

+ :::image type="content" source="media/access-secrets-from-keyvault/sample-web-app-empty.png" lightbox="media/access-secrets-from-keyvault/sample-web-app-empty.png" alt-text="Screenshot of the web application in it's default state without credentials.":::

+1. Select the **Identity** navigation menu option.

+1. On the **Identity** page, select **On** for **System-assigned** managed identity, and then select **Save**.

+ :::image type="content" source="media/access-secrets-from-keyvault/enable-managed-identity.png" alt-text="Screenshot of system-assigned managed identity being enabled from the Identity page.":::

+## Inject Azure Key Vault secrets as Azure Web App app settings

+Finally, inject the secrets stored in your key vault as app settings within the web app. The app settings will, in turn, inject the credentials into the application at runtime without storing the credentials in clear text.

+1. Return to the key vault page in the Azure portal. Select **Access policies** from the navigation menu.

+1. On the **Access policies** page, select **Create** from the menu.

+ :::image type="content" source="media/access-secrets-from-keyvault/create-access-policy.png" alt-text="Screenshot of the Create option in the Access policies menu.":::

+1. On the **Permissions** tab of the **Create an access policy** page, select the **Get** option in the **Secret permissions** section. Select **Next**.

+ :::image type="content" source="media/access-secrets-from-keyvault/get-secrets-permission.png" alt-text="Screenshot of the Get permission enabled for Secret permissions.":::

+1. On the **Principal** tab, select the name of the web app you created earlier in this tutorial. Select **Next**.

+ :::image type="content" source="media/access-secrets-from-keyvault/assign-principal.png" alt-text="Screenshot of a web app managed identity assigned to a permission.":::

+ > [!NOTE]

+ > In this example screenshot, the web app is named **msdocs-dotnet-web**.

+1. Select **Next** again to skip the **Application** tab. On the **Review + create** tab, review the settings you provide, and then select **Create**.

+1. Return to the web app page in the Azure portal. Select **Configuration** from the navigation menu.

+1. On the **Configuration** page, select **New application setting**. In the **Add/Edit application setting** dialog, enter the following information:

+ | Setting | Description |

+ | | |

+ | **Name** | `CREDENTIALS__ENDPOINT` |

+ | **Key** | Get the **secret identifier** for the **cosmos-endpoint** secret in your key vault that you created earlier in this tutorial. Enter the identifier in the following format: `@Microsoft.KeyVault(SecretUri=<secret-identifier>)`. |

+ > [!TIP]

+ > Ensure that the environment variable has a double underscore (`__`) value instead of a single underscore. The double-underscore is a key delimeter supported by .NET on all platforms. For more information, see [environment variables configuration](/dotnet/core/extensions/configuration-providers#environment-variable-configuration-provider).

+ > [!NOTE]

+ > For example, if the secret identifier is `https://msdocs-key-vault.vault.azure.net/secrets/cosmos-endpoint/69621c59ef5b4b7294b5def118921b07`, then the reference would be `@Microsoft.KeyVault(SecretUri=https://msdocs-key-vault.vault.azure.net/secrets/cosmos-endpoint/69621c59ef5b4b7294b5def118921b07)`.

+ >

+ > :::image type="content" source="media/access-secrets-from-keyvault/create-app-setting.png" alt-text="Screenshot of the Add/Edit application setting dialog with a new app setting referencing a key vault secret.":::

+ >

+1. Select **OK** to persist the new app setting

+1. Select **New application setting** again. In the **Add/Edit application setting** dialog, enter the following information and then select **OK**:

+ | Setting | Description |

+ | | |

+ | **Name** | `CREDENTIALS__KEY` |

+ | **Key** | Get the **secret identifier** for the **cosmos-readwrite-key** secret in your key vault that you created earlier in this tutorial. Enter the identifier in the following format: `@Microsoft.KeyVault(SecretUri=<secret-identifier>)`. |

+1. Back on the **Configuration** page, select **Save** to update the app settings for the web app.

+ :::image type="content" source="media/access-secrets-from-keyvault/save-app-settings.png" alt-text="Screenshot of the Save option in the Configuration page's menu.":::

+1. Wait a few minutes for the web app to restart with the new app settings. At this point, the new app settings should indicate that they're a **Key vault Reference**.

+ :::image type="content" source="media/access-secrets-from-keyvault/app-settings-reference.png" lightbox="media/access-secrets-from-keyvault/app-settings-reference.png" alt-text="Screenshot of the Key vault Reference designation on two app settings in a web app.":::

+1. Select **Overview** from the navigation menu. Select **Browse** to see the app with populated credentials.

+ :::image type="content" source="media/access-secrets-from-keyvault/sample-web-app-populated.png" lightbox="media/access-secrets-from-keyvault/sample-web-app-populated.png" alt-text="Screenshot of the web application with valid Azure Cosmos DB for NoSQL account credentials.":::

+- To configure a firewall for Azure Cosmos DB, see [firewall support](how-to-configure-firewall.md) article.

+- To configure virtual network service endpoint, see [secure access by using VNet service endpoint](how-to-configure-vnet-service-endpoint.md) article.

+## Measuing change feed request unit consumption

+Use Azure Monitor to measure the request unit (RU) consumption of the change feed. For more information, see [monitor throughput or request unit usage in Azure Cosmos DB](monitor-request-unit-usage.md).

+> [!div class="nextstepaction"]

+> [Tutorial: Store and use Azure Cosmos DB credentials with Azure Key Vault](access-secrets-from-keyvault.md)

+description: Learn about Azure Cosmos DB. This globally distributed multi-model database is built for low latency, elastic scalability, high availability, and offers native support for NoSQL and relational data.

+Azure Cosmos DB is a fully managed NoSQL and relational database for modern app development. Single-digit millisecond response times, and automatic and instant scalability, guarantee speed at any scale. Business continuity is assured with [SLA-backed](https://azure.microsoft.com/support/legal/sla/cosmos-db) availability and enterprise-grade security.

+- Choose from multiple database APIs including the native API for NoSQL, MongoDB, PostgreSQL, Apache Cassandra, Apache Gremlin, and Table.

+To prevent your change feed processor from getting "stuck" continuously retrying the same batch of changes, you should add logic in your delegate code to write documents, upon exception, to an errored-message queue. This design ensures that you can keep track of unprocessed changes while still being able to continue to process future changes. The errored-message queue might be another Azure Cosmos DB container. The exact data store does not matter, simply that the unprocessed changes are persisted.

+To prevent your change feed processor from getting "stuck" continuously retrying the same batch of changes, you should add logic in your delegate code to write documents, upon exception, to an errored-message. This design ensures that you can keep track of unprocessed changes while still being able to continue to process future changes. The errored-message might be another Azure Cosmos DB container. The exact data store does not matter, simply that the unprocessed changes are persisted.

+|Workload mode|Select **Steady** option if your workload volume is constant. <br/><br/> Select **Variable** option if your workload volume changes over time. For example, during a specific day or a month. The following setting is available if you choose the variable workload option:<ul><li>Percentage of time at peak: Percentage of time in a month where your workload requires peak (highest) throughput. </li></ul> <br/><br/> For example, if you have a workload that has high activity during 9am ΓÇô 6pm weekday business hours, then the percentage of time at peak is: `(9 hours per weekday at peak * 5 days per week at peak) / (24 hours per day at peak * 7 days in a week) = 45 / 168 = ~27%`.<br/><br/>With peak and off-peak intervals, you can optimize your cost by [programmatically scaling your provisioned throughput](../set-throughput.md#update-throughput-on-a-database-or-a-container) up and down accordingly.|

+ - No Azure subscription? You can [try Azure Cosmos DB free](../try-free.md) with no credit card required.

+> No Azure subscription? You can [try Azure Cosmos DB free](../try-free.md) with no credit card required. If you create an account using the free trial, you can safely skip ahead to the [Create a new .NET app](#create-a-new-net-app) section.

+The [cosmos-db-nosql-dotnet-samples](https://github.com/azure-samples/cosmos-db-nosql-dotnet-samples) GitHub repository includes multiple sample projects. These projects illustrate how to perform common operations on Azure Cosmos DB for NoSQL resources.

+| [Create a client with endpoint and key](https://github.com/azure-samples/cosmos-db-nosql-dotnet-samples/blob/main/101-client-endpoint-key/Program.cs#L11-L14) |[``CosmosClient(string, string)``](/dotnet/api/microsoft.azure.cosmos.cosmosclient.-ctor#microsoft-azure-cosmos-cosmosclient-ctor(system-string-system-string-microsoft-azure-cosmos-cosmosclientoptions)) |

+| [Create a client with connection string](https://github.com/azure-samples/cosmos-db-nosql-dotnet-samples/blob/main/102-client-connection-string/Program.cs#L11-L13) |[``CosmosClient(string)``](/dotnet/api/microsoft.azure.cosmos.cosmosclient.-ctor#microsoft-azure-cosmos-cosmosclient-ctor(system-string-microsoft-azure-cosmos-cosmosclientoptions)) |

+| [Create a client with ``DefaultAzureCredential``](https://github.com/azure-samples/cosmos-db-nosql-dotnet-samples/blob/main/103-client-default-credential/Program.cs#L20-L23) |[``CosmosClient(string, TokenCredential)``](/dotnet/api/microsoft.azure.cosmos.cosmosclient.-ctor#microsoft-azure-cosmos-cosmosclient-ctor(system-string-azure-core-tokencredential-microsoft-azure-cosmos-cosmosclientoptions)) |

+| [Create a client with custom ``TokenCredential``](https://github.com/azure-samples/cosmos-db-nosql-dotnet-samples/blob/main/104-client-secret-credential/Program.cs#L25-L28) |[``CosmosClient(string, TokenCredential)``](/dotnet/api/microsoft.azure.cosmos.cosmosclient.-ctor#microsoft-azure-cosmos-cosmosclient-ctor(system-string-azure-core-tokencredential-microsoft-azure-cosmos-cosmosclientoptions)) |

+| [Create a database](https://github.com/azure-samples/cosmos-db-nosql-dotnet-samples/blob/main/200-create-database/Program.cs#L19-L21) |[``CosmosClient.CreateDatabaseIfNotExistsAsync``](/dotnet/api/microsoft.azure.cosmos.cosmosclient.createdatabaseifnotexistsasync) |

+| [Create a container](https://github.com/azure-samples/cosmos-db-nosql-dotnet-samples/blob/main/225-create-container/Program.cs#L26-L30) |[``Database.CreateContainerIfNotExistsAsync``](/dotnet/api/microsoft.azure.cosmos.database.createcontainerifnotexistsasync) |

+| [Create an item](https://github.com/azure-samples/cosmos-db-nosql-dotnet-samples/blob/main/250-create-item/Program.cs#L35-L46) |[``Container.CreateItemAsync<>``](/dotnet/api/microsoft.azure.cosmos.container.createitemasync) |

+| [Point read an item](https://github.com/azure-samples/cosmos-db-nosql-dotnet-samples/blob/main/275-read-item/Program.cs#L51-L54) |[``Container.ReadItemAsync<>``](/dotnet/api/microsoft.azure.cosmos.container.readitemasync) |

+| [Query multiple items](https://github.com/azure-samples/cosmos-db-nosql-dotnet-samples/blob/main/300-query-items/Program.cs#L64-L80) |[``Container.GetItemQueryIterator<>``](/dotnet/api/microsoft.azure.cosmos.container.getitemqueryiterator) |

+ - If you have an existing Azure subscription, [create a new account](how-to-create-account.md?tabs=azure-portal).

+ - No Azure subscription? You can [try Azure Cosmos DB free](../try-free.md) with no credit card required.

+ - If you have an existing Azure subscription, [create a new account](how-to-create-account.md?tabs=azure-portal).

+ - No Azure subscription? You can [try Azure Cosmos DB free](../try-free.md) with no credit card required.

+ { "op": "incr", "path": "/inventory/quantity", "value": 10 }

+When you reserve capacity for your Azure Cosmos DB resources, you are reserving [provisioned thorughput](set-throughput.md). If the provisioned throughput is exceeded, requests beyond that provisioning will be billed using pay-as-you go rates. For more information on reservations, see the [Azure reservations](../cost-management-billing/reservations/save-compute-costs-reservations.md) article. For more information on provisioned throughput, see [provisioned throughput types](how-to-choose-offer.md#overview-of-provisioned-throughput-types).

+const { TableServiceClient, odata } = require("@azure/data-tables");

+let result = await tableClient.getEntity("hometasks", "1")

+ .catch((error) => {

+ // handle any errors

+ });

+ // result contains the entity

+| Billing account┬╣ | [https://ea.azure.com](https://ea.azure.com/) | Enterprise Admin | None | All subscriptions from the enterprise agreement |

+| Enrollment account┬▓ | [https://ea.azure.com](https://ea.azure.com/) | Account Owner | **AO view charges** enabled | All subscriptions from the enrollment account |

+┬╣ The billing account is also referred to as the Enterprise Agreement or Enrollment.

+┬▓ The enrollment account is also referred to as the account owner.

+Partitioning isn't currently supported for resource groups or management group scopes.

+ Title: Error when you create multiple subscriptions

+description: Provides the solution for a problem where you get an error message when you try to create multiple subscriptions.

+tags: billing

+# Error when you create multiple subscriptions

+When you try to create multiple Azure subscriptions in a short period of time, you might receive an error stating:

+`Subscription not created. Please try again later.`

+The error is normal and expected.

+The error can occur for customers with the following Azure subscription agreement type:

+- Microsoft Customer Agreement purchased directly through Azure.com

+## Solution

+Expect a delay before you can create another subscription.

+## Need help? Contact us.

+If you have questions or need help, [create a support request](https://go.microsoft.com/fwlink/?linkid=2083458).

+## Next steps

+- Learn more about [Programmatically creating Azure subscriptions for a Microsoft Customer Agreement with the latest APIs](programmatically-create-subscription-microsoft-customer-agreement.md).

+- View the monthly usage and charges ┬╣

+ ┬╣ An EA admin must grant the permissions.

+- View the monthly usage and charges ┬╣

+> ┬╣ An enterprise administrator must grant these permissions. If you were given permission to view department monthly usage and charges, but can't see them, contact your partner.

+| India ┬╣ | Indonesia |

+┬╣ Follow the instructions in the next section to add your Goods and Services Taxpayer Identification Number (GSTIN).

+- [Action pack](https://azure.microsoft.com/offers/ms-azr-0025p/)┬╣

+- [Azure in Open Licensing](https://azure.microsoft.com/offers/ms-azr-0111p/)┬╣

+- [Azure Pass Sponsorship](https://azure.microsoft.com/offers/azure-pass/)┬╣

+- [Free Trial](https://azure.microsoft.com/offers/ms-azr-0044p/)┬╣

+- [Microsoft Azure Plan](https://azure.microsoft.com/offers/ms-azr-0017g/)┬▓

+- [Microsoft Azure Sponsored Offer](https://azure.microsoft.com/offers/ms-azr-0036p/)┬╣

+- [Microsoft Cloud Partner Program](https://azure.microsoft.com/offers/ms-azr-0025p/)┬╣

+- [MSDN Platforms](https://azure.microsoft.com/offers/ms-azr-0062p/)┬╣

+- [Visual Studio Enterprise (BizSpark) subscribers](https://azure.microsoft.com/offers/ms-azr-0064p/)┬╣

+- [Visual Studio Enterprise (Cloud Partner Program) subscribers](https://azure.microsoft.com/offers/ms-azr-0029p/)┬╣

+- [Visual Studio Enterprise subscribers](https://azure.microsoft.com/offers/ms-azr-0063p/)┬╣

+- [Visual Studio Professional](https://azure.microsoft.com/offers/ms-azr-0059p/)┬╣

+- [Visual Studio Test Professional subscribers](https://azure.microsoft.com/offers/ms-azr-0060p/)┬╣

+┬╣ Any credit available on the subscription won't be available in the new account after the transfer.

+┬▓ Only supported for products in accounts that are created during sign-up on the Azure website.

+* [Enterprise Dev/Test](https://azure.microsoft.com/offers/ms-azr-0148p/)┬╣

+* Azure Plan┬╣ [(Microsoft Customer Agreement in Enterprise Motion)](https://www.microsoft.com/Licensing/how-to-buy/microsoft-customer-agreement)

+┬╣ You must convert an EA Dev/Test subscription to an EA Enterprise offer using a support ticket and respectively, an Azure Plan Dev/Test offer to Azure plan. A Dev/Test subscription will be billed at a pay-as-you-go rate after conversion. There's no discount currently available through the Dev/Test offer to CSP partners.

+ - Commerce Account ID┬╣:

+┬╣ If you don't know your Commerce Account ID, it's the GUID ID shown on the Properties page for your billing account. To view your Commerce Account ID in the Azure portal, navigate to **Cost Management** > select a billing scope > in the left menu, select **Properties**. On the billing scope Properties page, notice the GUID ID value. It's your Commerce Account ID.

+- Enterprise Administrator (read only)┬╣

+- Account Owner┬▓

+┬╣ The Bill-To contact of the EA contract will be under this role.

+┬▓ The Bill-To contact cannot be added or changed in the Azure EA Portal and will be added to the EA enrollment based on the user who is set up as the Bill-To contact on agreement level. To change the Bill-To contact, a request needs to be made through a partner/software advisor to the Regional Operations Center (ROC).

+|Account Owner|1 per account┬│|

+┬│ Each account requires a unique Microsoft account, or work or school account.

+|View Notification Contacts⁴ |✔|✔|✔|✘|✘|✘|✔|

+|Add or remove Notification Contacts⁴ |✔|✘|✘|✘|✘|✘|✘|

+|View Accounts in the enrollment |✔|✔|✔|✔⁵|✔⁵|✘|✔|

+|Add Accounts to the enrollment and change Account Owner|✔|✘|✘|✔⁵|✘|✘|✘|

+- ⁴ Notification contacts are sent email communications about the Azure Enterprise Agreement.

+- ⁵ Task is limited to accounts in your department.

+|View usage and cost details|✔|✔|✔|✔⁶|✔⁶|✔⁷|✔|

+- ⁶ Requires that the Enterprise Administrator enable **DA view charges** policy in the Enterprise portal. The Department Administrator can then see cost details for the department.

+- ⁷ Requires that the Enterprise Administrator enable **AO view charges** policy in the Enterprise portal. The Account Owner can then see cost details for the account.

+| Through a Microsoft representative | | ✔ | ✔ ⁴ | ✔ ² |

+| Azure website | Γ£ö | Γ£ö ┬╣ | Γ£ö | Γ£ö ┬│ |

+┬╣ By request.

+┬▓ You continue to pay by invoice/wire transfer under the MCA but will need to send your payments to a different bank account. For information about where to send your payment, see [Pay your bill](../understand/pay-bill.md#wire-bank-details) after you select your country in the list.

+┬│ For more information, see [Pay for your Azure subscription by invoice](../manage/pay-by-invoice.md).

+⁴ For more information, see [Pay your bill for Microsoft Azure](../understand/pay-bill.md#pay-now-in-the-azure-portal).

+| SQL Database or Elastic pool┬╣ | Business Critical | 4 per vCore |

+| SQL Database or Elastic pool┬╣ | General Purpose | 1 per vCore |

+| SQL Database or Elastic pool┬╣ | Hyperscale | 1 per vCore |

+| SQL Server Virtual Machines┬▓ | Enterprise | 4 per vCPU |

+| SQL Server Virtual Machines┬▓ | Standard | 1 per vCPU |

+┬╣ *Azure Hybrid Benefit isn't available in the serverless compute tier of Azure SQL Database.*

+┬▓ *Subject to a minimum of four vCore licenses per Virtual Machine.*

+Invoke-AzDataFactoryV2Pipeline -DataFactory $df -PipelineName "Adfv2QuickStartPipeline" -ParameterFile .\PipelineParameters.json -ResourceGroupName "myResourceGroup"

+1. Ensure the build validation for your repository is toggled to **On**.

+ :::image type="content" source="media/tutorial-enable-pr-annotations/build-validation.png" alt-text="Screenshot that shows where the CI Build toggle is located." lightbox="media/tutorial-enable-pr-annotations/build-validation.png":::

+## Alerts disabled by default

+Several alerts are disabled by default, as indicated by asterisks (*) in the tables below. Sensor administrator users can enable or disable alerts from the **Support** page on a specific sensor.

+If you disable alerts that are referenced in other places, such as alert forwarding rules, make sure to update those references as needed.

+| Title | Description | Severity | Category | MITRE ATT&CK <br> tactics and techniques |

+|--|--|--|--|--|

+| **Beckhoff Software Changed** | Firmware was updated on a source device. This may be authorized activity, for example a planned maintenance procedure. | Major | Firmware Change | **Tactics:** <br> - Inhibit Response Function <br> - Persistence <br><br> **Techniques:** <br> - T0857: System Firmware |

+| **Database Login Failed** | A failed sign-in attempt was detected from a source device to a destination server. This might be the result of human error, but could also indicate a malicious attempt to compromise the server or data on it. <br><br> Threshold: 2 sign-in failures in 5 minutes | Major | Authentication | **Tactics:** <br> - Lateral Movement <br> - Collection <br><br> **Techniques:** <br> - T0812: Default Credentials <br> - T0811: Data from Information Repositories|

+| **Emerson ROC Firmware Version Changed** | Firmware was updated on a source device. This may be authorized activity, for example a planned maintenance procedure. | Major | Firmware Change | **Tactics:** <br> - Inhibit Response Function <br> - Persistence <br><br> **Techniques:** <br> - T0857: System Firmware |

+| **External address within the network communicated with Internet** | A source device defined as part of your network is communicating with Internet addresses. The source isn't authorized to communicate with Internet addresses. | Critical | Internet Access | **Tactics:** <br> - Initial Access <br><br> **Techniques:** <br> - T0883: Internet Accessible Device |

+| **Field Device Discovered Unexpectedly** | A new source device was detected on the network but hasn't been authorized. | Major | Discovery | **Tactics:** <br> - Discovery <br><br> **Techniques:** <br> - T0842: Network Sniffing |

+| **Firmware Change Detected** | Firmware was updated on a source device. This may be authorized activity, for example a planned maintenance procedure. | Major | Firmware Change | **Tactics:** <br> - Inhibit Response Function <br> - Persistence <br><br> **Techniques:** <br> - T0857: System Firmware |

+| **Firmware Version Changed** | Firmware was updated on a source device. This may be authorized activity, for example a planned maintenance procedure. | Major | Firmware Change | **Tactics:** <br> - Inhibit Response Function <br> - Persistence <br><br> **Techniques:** <br> - T0857: System Firmware |

+| **Foxboro I/A Unauthorized Operation** | New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. | Major | Unauthorized Communication Behavior | **Tactics:** <br> - Impair Process Control <br><br> **Techniques:** <br> - T0855: Unauthorized Command Message <br> - T0836: Modify Parameter |

+| **FTP Login Failed** | A failed sign-in attempt was detected from a source device to a destination server. This alert might be the result of human error, but could also indicate a malicious attempt to compromise the server or data on it. | Major | Authentication | **Tactics:** <br> - Lateral Movement <br> - Command And Control <br><br> **Techniques:** <br> - T0812: Default Credentials <br> - T0869: Standard Application Layer Protocol |

+| **Function Code Raised Unauthorized Exception** | A source device (secondary) returned an exception to a destination device (primary). | Major | Command Failures | **Tactics:** <br> - Inhibit Response Function <br><br> **Techniques:** <br> - T0835: Manipulate I/O Image |

+| **GOOSE Message Type Settings** | Message (identified by protocol ID) settings were changed on a source device. | Warning | Unauthorized Communication Behavior | **Tactics:** <br> - Impair Process Control <br><br> **Techniques:** <br> - T0836: Modify Parameter |

+| **Honeywell Firmware Version Changed** | Firmware was updated on a source device. This may be authorized activity, for example a planned maintenance procedure. | Major | Firmware Change | **Tactics:** <br> - Inhibit Response Function <br> - Persistence <br><br> **Techniques:** <br> - T0857: System Firmware |

+| **Illegal HTTP Communication [*](#alerts-disabled-by-default)** | New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. | Major | Abnormal HTTP Communication Behavior | **Tactics:** <br> - Discovery <br><br> **Techniques:** <br> - T0846: Remote System Discovery |

+| **Internet Access Detected** | A source device defined as part of your network is communicating with Internet addresses. The source isn't authorized to communicate with Internet addresses. | Major | Internet Access | **Tactics:** <br> - Initial Access <br><br> **Techniques:** <br> - T0883: Internet Accessible Device |

+| **Mitsubishi Firmware Version Changed** | Firmware was updated on a source device. This may be authorized activity, for example a planned maintenance procedure. | Major | Firmware Change | **Tactics:** <br> - Inhibit Response Function <br> - Persistence <br><br> **Techniques:** <br> - T0857: System Firmware |

+| **Modbus Address Range Violation** | A primary device requested access to a new secondary memory address. | Major | Unauthorized Communication Behavior | **Tactics:** <br> - Discovery <br><br> **Techniques:** <br> - T0842: Network Sniffing |

+| **Modbus Firmware Version Changed** | Firmware was updated on a source device. This may be authorized activity, for example a planned maintenance procedure. | Major | Firmware Change | **Tactics:** <br> - Inhibit Response Function <br> - Persistence <br><br> **Techniques:** <br> - T0857: System Firmware |

+| **New Activity Detected - CIP Class** | New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. | Major | Unauthorized Communication Behavior | **Tactics:** <br> - Discovery <br><br> **Techniques:** <br> - T0888: Remote System Information Discovery |

+| **New Activity Detected - CIP Class Service** | New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. | Major | Unauthorized Communication Behavior | **Tactics:** <br> - Inhibit Response Function <br><br> **Techniques:** <br> - T0836: Modify Parameter |

+| **New Activity Detected - CIP PCCC Command** | New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. | Major | Unauthorized Communication Behavior | **Tactics:** <br> - Inhibit Response Function <br><br> **Techniques:** <br> - T0836: Modify Parameter |

+| **New Activity Detected - CIP Symbol** | New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. | Major | Unauthorized Communication Behavior | **Tactics:** <br> - Impair Process Control <br> - Inhibit Response Function <br><br> **Techniques:** <br> - T0855: Unauthorized Command Message <br> - T0836: Modify Parameter |

+| **New Activity Detected - EtherNet/IP I/O Connection** | New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. | Major | Unauthorized Communication Behavior | **Tactics:** <br> - Discovery <br> - Inhibit Response Function <br><br> **Techniques:** <br> - T0846: Remote System Discovery <br> - T0835: Manipulate I/O Image |

+| **New Activity Detected - EtherNet/IP Protocol Command** | New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. | Major | Unauthorized Communication Behavior | **Tactics:** <br> - Inhibit Response Function <br><br> **Techniques:** <br> - T0836: Modify Parameter |

+| **New Activity Detected - GSM Message Code** | New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. | Major | Unauthorized Communication Behavior | **Tactics:** <br> - CommandAndControl <br><br> **Techniques:** <br> - T0869: Standard Application Layer Protocol |

+| **New Activity Detected - LonTalk Command Codes** | New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. | Major | Unauthorized Communication Behavior | **Tactics:** <br> - Collection <br> - Impair Process Control <br><br> **Techniques:** <br> - T0861 - Point & Tag Identification <br> - T0855: Unauthorized Command Message |

+| **New Port Discovery** | New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. | Warning | Discovery | **Tactics:** <br> - Lateral Movement <br><br> **Techniques:** <br> - T0867: Lateral Tool Transfer |

+| **New Activity Detected - LonTalk Network Variable** | New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. | Major | Unauthorized Communication Behavior | **Tactics:** <br> - Impair Process Control <br><br> **Techniques:** <br> - T0855: Unauthorized Command Message |

+| **New Activity Detected - Ovation Data Request** | New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. | Major | Unauthorized Communication Behavior | **Tactics:** <br> - Collection <br> - Discovery <br><br> **Techniques:** <br> - T0801: Monitor Process State <br> - T0888: Remote System Information Discovery |

+| **New Activity Detected - Read/Write Command (AMS Index Group)** | New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. | Major | Configuration Changes | **Tactics:** <br> - Impair Process Control <br> - Inhibit Response Function <br><br> **Techniques:** <br> - T0855: Unauthorized Command Message <br> - T0836: Modify Parameter |

+| **New Activity Detected - Read/Write Command (AMS Index Offset)** | New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. | Major | Configuration Changes | **Tactics:** <br> - Impair Process Control <br> - Inhibit Response Function <br><br> **Techniques:** <br> - T0855: Unauthorized Command Message <br> - T0836: Modify Parameter |

+| **New Activity Detected - Unauthorized DeltaV Message Type** | New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. | Major | Unauthorized Communication Behavior | **Tactics:** <br> - Impair Process Control <br> - Execution <br><br> **Techniques:** <br> - T0855: Unauthorized Command Message <br> - T0821: Modify Controller Tasking |

+| **New Activity Detected - Unauthorized DeltaV ROC Operation** | New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. | Major | Unauthorized Communication Behavior | **Tactics:** <br> - Impair Process Control <br> - Execution <br><br> **Techniques:** <br> - T0855: Unauthorized Command Message <br> - T0821: Modify Controller Tasking |

+| **New Activity Detected - Unauthorized RPC Message Type** | New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. | Major | Unauthorized Communication Behavior | **Tactics:** <br> - Impair Process Control <br><br> **Techniques:** <br> - T0855: Unauthorized Command Message |

+| **New Activity Detected - Using AMS Protocol Command** | New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. | Major | Unauthorized Communication Behavior | **Tactics:** <br> - Impair Process Control <br> - Inhibit Response Function <br> - Execution <br><br> **Techniques:** <br> - T0855: Unauthorized Command Message <br> - T0836: Modify Parameter <br> - T0821: Modify Controller Tasking |

+| **New Activity Detected - Using Siemens SICAM Command** | New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. | Major | Unauthorized Communication Behavior | **Tactics:** <br> - Impair Process Control <br> - Inhibit Response Function <br><br> **Techniques:** <br> - T0855: Unauthorized Command Message <br> - T0836: Modify Parameter |

+| **New Activity Detected - Using Suitelink Protocol command** | New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. | Major | Unauthorized Communication Behavior | **Tactics:** <br> - Impair Process Control <br> - Inhibit Response Function <br><br> **Techniques:** <br> - T0855: Unauthorized Command Message <br> - T0836: Modify Parameter |

+| **New Activity Detected - Using Suitelink Protocol sessions** | New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. | Major | Unauthorized Communication Behavior | **Tactics:** <br> - Impair Process Control <br><br> **Techniques:** <br> - T0836: Modify Parameter |

+| **New Activity Detected - Using Yokogawa VNetIP Command** | New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. | Major | Unauthorized Communication Behavior | **Tactics:** <br> - Impair Process Control <br> - Execution <br><br> **Techniques:** <br> - T0855: Unauthorized Command Message <br> - T0821: Modify Controller Tasking |

+| **New Asset Detected** | A new source device was detected on the network but hasn't been authorized. <br><br>This alert applies to devices discovered in OT subnets. New devices discovered in IT subnets don't trigger an alert.| Major | Discovery | **Tactics:** <br> - Discovery <br><br> **Techniques:** <br> - T0842: Network Sniffing |

+| **New LLDP Device Configuration** | A new source device was detected on the network but hasn't been authorized. | Major | Configuration Changes | **Tactics:** <br> - Discovery <br><br> **Techniques:** <br> - T0842: Network Sniffing |

+| **Omron FINS Unauthorized Command** | New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. | Major | Unauthorized Communication Behavior | **Tactics:** <br> - Impair Process Control <br><br> **Techniques:** <br> - T0855: Unauthorized Command Message <br> - T0836: Modify Parameter |

+| **S7 Plus PLC Firmware Changed** | Firmware was updated on a source device. This may be authorized activity, for example a planned maintenance procedure. | Major | Firmware Change | **Tactics:** <br> - Inhibit Response Function <br> - Persistence <br><br> **Techniques:** <br> - T0857: System Firmware |

+| **Sampled Values Message Type Settings** | Message (identified by protocol ID) settings were changed on a source device. | Warning | Unauthorized Communication Behavior | **Tactics:** <br> - Impair Process Control <br><br> **Techniques:** <br> - T0836: Modify Parameter |

+| **Suspicion of Illegal Integrity Scan** | A scan was detected on a DNP3 source device (outstation). This scan wasn't authorized as learned traffic on your network. | Major | Scan | **Tactics:** <br> - Discovery <br><br> **Techniques:** <br> - T0842: Network Sniffing |

+| **Toshiba Computer Link Unauthorized Command** | New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. | Minor | Unauthorized Communication Behavior | **Tactics:** <br> - Impair Process Control <br> - Execution <br><br> **Techniques:** <br> - T0855: Unauthorized Command Message <br> - T0821: Modify Controller Tasking |

+| **Unauthorized ABB Totalflow File Operation** | New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. | Major | Unauthorized Communication Behavior | **Tactics:** <br> - Impair Process Control <br> - Execution <br><br> **Techniques:** <br> - T0855: Unauthorized Command Message <br> - T0821: Modify Controller Tasking |

+| **Unauthorized ABB Totalflow Register Operation** | New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. | Major | Unauthorized Communication Behavior | **Tactics:** <br> - Impair Process Control <br> - Execution <br><br> **Techniques:** <br> - T0855: Unauthorized Command Message <br> - T0821: Modify Controller Tasking |

+| **Unauthorized Access to Siemens S7 Data Block** | A source device attempted to access a resource on another device. An access attempt to this resource between these two devices hasn't been authorized as learned traffic on your network. | Warning | Unauthorized Communication Behavior | **Tactics:** <br> - Impair Process Control <br> - Initial Access <br><br> **Techniques:** <br> - T0855: Unauthorized Command Message <br> - T0811: Data from Information Repositories |

+| **Unauthorized Access to Siemens S7 Plus Object** | New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. | Major | Unauthorized Communication Behavior | **Tactics:** <br> - Impair Process Control <br> - Execution <br> - Inhibit Response Function <br><br> **Techniques:** <br> - T0855: Unauthorized Command Message <br> - T0821: Modify Controller Tasking <br> - T0809: Data Destruction |

+| **Unauthorized Access to Wonderware Tag** | A source device attempted to access a resource on another device. An access attempt to this resource between these two devices hasn't been authorized as learned traffic on your network. | Major | Unauthorized Communication Behavior | **Tactics:** <br> - Collection <br> - Impair Process Control <br><br> **Techniques:** <br> - T0861: Point & Tag Identification <br> - T0855: Unauthorized Command Message |

+| **Unauthorized BACNet Object Access** | New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. | Major | Unauthorized Communication Behavior | **Tactics:** <br> - Impair Process Control <br> - Execution <br><br> **Techniques:** <br> - T0855: Unauthorized Command Message <br> - T0821: Modify Controller Tasking |

+| **Unauthorized BACNet Route** | New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. | Major | Unauthorized Communication Behavior | **Tactics:** <br> - Impair Process Control <br> - Execution <br><br> **Techniques:** <br> - T0855: Unauthorized Command Message <br> - T0821: Modify Controller Tasking |

+| **Unauthorized Database Login** | A sign-in attempt between a source client and destination server was detected. Communication between these devices hasn't been authorized as learned traffic on your network. | Major | Authentication | **Tactics:** <br> - Lateral Movement <br> - Persistence <br> - Collection <br><br> **Techniques:** <br> - T0859: Valid Accounts <br> - T0811: Data from Information Repositories |

+| **Unauthorized Database Operation** | New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. | Major | Abnormal Communication Behavior | **Tactics:** <br> - Impair Process Control <br> - Initial Access <br><br> **Techniques:** <br> - T0855: Unauthorized Command Message <br> - T0811: Data from Information Repositories |

+| **Unauthorized Emerson ROC Operation** | New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. | Major | Unauthorized Communication Behavior | **Tactics:** <br> - Impair Process Control <br> - Execution <br><br> **Techniques:** <br> - T0855: Unauthorized Command Message <br> - T0821: Modify Controller Tasking |

+| **Unauthorized GE SRTP File Access** | New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. | Major | Unauthorized Communication Behavior | **Tactics:** <br> - Collection <br> - LateralMovement <br> - Persistence <br><br> **Techniques:** <br> - T0801: Monitor Process State <br> - T0859: Valid Accounts |

+| **Unauthorized GE SRTP Protocol Command** | New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. | Major | Unauthorized Communication Behavior | **Tactics:** <br> - Impair Process Control <br><br> **Techniques:** <br> - T0855: Unauthorized Command Message <br> - T0821: Modify Controller Tasking |

+| **Unauthorized GE SRTP System Memory Operation** | New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. | Major | Unauthorized Communication Behavior | **Tactics:** <br> - Discovery <br> - Impair Process Control <br><br> **Techniques:** <br> - T0846: Remote System Discovery <br> - T0855: Unauthorized Command Message |

+| **Unauthorized HTTP Activity** | New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. | Major | Abnormal HTTP Communication Behavior | **Tactics:** <br> - Initial Access <br> - Command And Control <br><br> **Techniques:** <br> - T0822: External Remote Services <br> - T0869: Standard Application Layer Protocol |

+| **Unauthorized HTTP SOAP Action [*](#alerts-disabled-by-default)** | New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. | Major | Abnormal HTTP Communication Behavior | **Tactics:** <br> - Command And Control <br> - Execution <br><br> **Techniques:** <br> - T0869: Standard Application Layer Protocol <br> - T0871: Execution through API |

+| **Unauthorized HTTP User Agent [*](#alerts-disabled-by-default)** | An unauthorized application was detected on a source device. The application hasn't been authorized as a learned application on your network. | Major | Abnormal HTTP Communication Behavior | **Tactics:** <br> - Command And Control <br><br> **Techniques:** <br> - T0869: Standard Application Layer Protocol |

+| **Unauthorized Internet Connectivity Detected** | A source device defined as part of your network is communicating with Internet addresses. The source isn't authorized to communicate with Internet addresses. | Critical | Internet Access | **Tactics:** <br> - Initial Access <br><br> **Techniques:** <br> - T0883: Internet Accessible Device |

+| **Unauthorized Mitsubishi MELSEC Command** | New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. | Major | Unauthorized Communication Behavior | **Tactics:** <br> - Impair Process Control <br> - Execution <br><br> **Techniques:** <br> - T0855: Unauthorized Command Message <br> - T0821: Modify Controller Tasking |

+| **Unauthorized MMS Program Access** | A source device attempted to access a resource on another device. An access attempt to this resource between these two devices hasn't been authorized as learned traffic on your network. | Major | Programming | **Tactics:** <br> - Impair Process Control <br> - Execution <br><br> **Techniques:** <br> - T0855: Unauthorized Command Message <br> - T0821: Modify Controller Tasking |

+| **Unauthorized MMS Service** | New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. | Major | Unauthorized Communication Behavior | **Tactics:** <br> - Impair Process Control <br> - Execution <br><br> **Techniques:** <br> - T0855: Unauthorized Command Message <br> - T0821: Modify Controller Tasking |

+| **Unauthorized Multicast/Broadcast Connection** | A Multicast/Broadcast connection was detected between a source device and other devices. Multicast/Broadcast communication isn't authorized. | Critical | Abnormal Communication Behavior | **Tactics:** <br> - Discovery <br><br> **Techniques:** <br> - T0842: Network Sniffing |

+| **Unauthorized Name Query** | New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. | Major | Abnormal Communication Behavior | **Tactics:** <br> - Impair Process Control <br><br> **Techniques:** <br> - T0836: Modify Parameter |

+| **Unauthorized OPC UA Activity** | New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. | Major | Unauthorized Communication Behavior | **Tactics:** <br> - Impair Process Control <br><br> **Techniques:** <br> - T0836: Modify Parameter |

+| **Unauthorized OPC UA Request/Response** | New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. | Major | Unauthorized Communication Behavior | **Tactics:** <br> - Impair Process Control <br><br> **Techniques:** <br> - T0836: Modify Parameter |

+| **Unauthorized Operation was detected by a User Defined Rule** | Traffic was detected between two devices. This activity is unauthorized, based on a Custom Alert Rule defined by a user. | Major | Custom Alerts | **Tactics:** <br> - Discovery <br><br> **Techniques:** <br> - T0842: Network Sniffing |

+| **Unauthorized PLC Configuration Read** | The source device isn't defined as a programming device but performed a read/write operation on a destination controller. Programming changes should only be performed by programming devices. A programming application may have been installed on this device. | Warning | Configuration Changes | **Tactics:** <br> - Collection <br><br> **Techniques:** <br> - T0801: Monitor Process State |

+| **Unauthorized PLC Configuration Write** | The source device sent a command to read/write the program of a destination controller. This activity wasn't previously seen. | Major | Configuration Changes | **Tactics:** <br> - Impair Process Control <br> - Persistence <br> - Impact <br><br> **Techniques:** <br> - T0839: Module Firmware <br> - T0831: Manipulation of Control <br> - T0889: Modify Program |

+| **Unauthorized PLC Program Upload** | The source device sent a command to read/write the program of a destination controller. This activity wasn't previously seen. | Major | Programming | **Tactics:** <br> - Impair Process Control <br> - Persistence <br> - Collection <br><br> **Techniques:** <br> - T0839: Module Firmware <br> - T0845: Program Upload |

+| **Unauthorized PLC Programming** | The source device isn't defined as a programming device but performed a read/write operation on a destination controller. Programming changes should only be performed by programming devices. A programming application may have been installed on this device. | Critical | Programming | **Tactics:** <br> - Impair Process Control <br> - Persistence <br> - Lateral Movement <br><br> **Techniques:** <br> - T0839: Module Firmware <br> - T0889: Modify Program <br> - T0843: Program Download |

+| **Unauthorized Profinet Frame Type** | New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. | Major | Unauthorized Communication Behavior | **Tactics:** <br> - Impair Process Control <br><br> **Techniques:** <br> - T0836: Modify Parameter |

+| **Unauthorized SAIA S-Bus Command** | New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. | Major | Unauthorized Communication Behavior | **Tactics:** <br> - Impair Process Control <br><br> **Techniques:** <br> - T0855: Unauthorized Command Message |

+| **Unauthorized Siemens S7 Execution of Control Function** | New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. | Major | Unauthorized Communication Behavior | **Tactics:** <br> - Impair Process Control <br> - Inhibit Response Function <br><br> **Techniques:** <br> - T0855: Unauthorized Command Message <br> - T0809: Data Destruction |

+| **Unauthorized Siemens S7 Execution of User Defined Function** | New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. | Major | Unauthorized Communication Behavior | **Tactics:** <br> - Impair Process Control <br> - Execution <br><br> **Techniques:** <br> - T0836: Modify Parameter <br> - T0863: User Execution |

+| **Unauthorized Siemens S7 Plus Block Access** | New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. | Major | Unauthorized Communication Behavior | **Tactics:** <br> - Inhibit Response Function <br> - Persistence <br> - Execution <br><br> **Techniques:** <br> - T0803 - Block Command Message <br> - T0889: Modify Program <br> - T0821: Modify Controller Tasking |

+| **Unauthorized Siemens S7 Plus Operation** | New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. | Major | Unauthorized Communication Behavior | **Tactics:** <br> - Impair Process Control <br> - Execution <br><br> **Techniques:** <br> - T0855: Unauthorized Command Message <br> - T0863: User Execution |

+| **Unauthorized SMB Login** | A sign-in attempt between a source client and destination server was detected. Communication between these devices hasn't been authorized as learned traffic on your network. | Major | Authentication | **Tactics:** <br> - Initial Access <br> - Lateral Movement <br> - Persistence <br><br> **Techniques:** <br> - T0886: Remote Services <br> - T0859: Valid Accounts |

+| **Unauthorized SNMP Operation** | New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. | Major | Abnormal Communication Behavior | **Tactics:** <br> - Discovery <br> - Command And Control <br><br> **Techniques:** <br> - T0842: Network Sniffing <br> - T0885: Commonly Used Port |

+| **Unauthorized SSH Access** | New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. | Major | Remote Access | **Tactics:** <br> - InitialAccess <br> - Lateral Movement <br> - Command And Control <br><br> **Techniques:** <br> - T0886: Remote Services <br> - T0869: Standard Application Layer Protocol |

+| **Unauthorized Windows Process** | An unauthorized application was detected on a source device. The application hasn't been authorized as a learned application on your network. | Major | Abnormal Communication Behavior | **Tactics:** <br> - Execution <br> - Privilege Escalation <br> - Command And Control <br><br> **Techniques:** <br> - T0841: Hooking <br> - T0885: Commonly Used Port |

+| **Unauthorized Windows Service** | An unauthorized application was detected on a source device. The application hasn't been authorized as a learned application on your network. | Major | Abnormal Communication Behavior | **Tactics:** <br> - Initial Access <br> - Lateral Movement <br><br> **Techniques:** <br> - T0866: Exploitation of Remote Services |

+| **Unauthorized Operation was detected by a User Defined Rule** | New traffic parameters were detected. This parameter combination violates a user defined rule | Major | | **Tactics:** <br> - Discovery <br><br> **Techniques:** <br> - T0842: Network Sniffing |

+| **Unpermitted Modbus Schneider Electric Extension** | New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. | Major | Unauthorized Communication Behavior | **Tactics:** <br> - Impair Process Control <br><br> **Techniques:** <br> - T0855: Unauthorized Command Message |

+| **Unpermitted Usage of ASDU Types** | New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. | Major | Unauthorized Communication Behavior |**Tactics:** <br> - Impair Process Control <br><br> **Techniques:** <br> - T0855: Unauthorized Command Message |

+| **Unpermitted Usage of DNP3 Function Code** | New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. | Major | Unauthorized Communication Behavior | **Tactics:** <br> - Impair Process Control <br><br> **Techniques:** <br> - T0836: Modify Parameter |

+| **Unpermitted Usage of Internal Indication (IIN)** | A DNP3 source device (outstation) reported an internal indication (IIN) that hasn't authorized as learned traffic on your network. | Major | Illegal Commands | **Tactics:** <br> - Discovery <br><br> **Techniques:** <br> - T0842: Network Sniffing |

+| **Unpermitted Usage of Modbus Function Code** | New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. | Major | Unauthorized Communication Behavior | **Tactics:** <br> - Impair Process Control <br><br> **Techniques:** <br> - T0836: Modify Parameter |

+| Title | Description | Severity | Category | MITRE ATT&CK <br> tactics and techniques |

+|--|--|--|--|--|

+| **Abnormal Exception Pattern in Slave** | An excessive number of errors were detected on a source device. This alert may be the result of an operational issue. <br><br> Threshold: 20 exceptions in 1 hour | Minor | Abnormal Communication Behavior | **Tactics:** <br> - Impair Process Control <br><br> **Techniques:** <br> - T0806: Brute Force I/O |

+| **Abnormal HTTP Header Length [*](#alerts-disabled-by-default)** | The source device sent an abnormal message. This alert may indicate an attempt to attack the destination device. | Critical | Abnormal HTTP Communication Behavior | **Tactics:** <br> - Initial Access <br> - Lateral Movement <br> - Command And Control <br><br> **Techniques:** <br> - T0866: Exploitation of Remote Services <br> - T0869: Standard Application Layer Protocol |

+| **Abnormal Number of Parameters in HTTP Header [*](#alerts-disabled-by-default)** | The source device sent an abnormal message. This alert may indicate an attempt to attack the destination device. | Critical | Abnormal HTTP Communication Behavior | **Tactics:** <br> - Initial Access <br> - Lateral Movement <br> - Command And Control <br><br> **Techniques:** <br> - T0866: Exploitation of Remote Services <br> - T0869: Standard Application Layer Protocol |

+| **Abnormal Periodic Behavior In Communication Channel** | A change in the frequency of communication between the source and destination devices was detected. | Minor | Abnormal Communication Behavior | **Tactics:** <br> - Discovery <br><br> **Techniques:** <br> - T0842: Network Sniffing |

+| **Abnormal Termination of Applications** | An excessive number of stop commands were detected on a source device. This alert may be the result of an operational issue or an attempt to manipulate the device. <br><br> Threshold: 20 stop commands in 3 hours | Major | Abnormal Communication Behavior | **Tactics:** <br> - Persistence <br> - Impact <br><br> **Techniques:** <br> - T0889: Modify Program <br> - T0831: Manipulation of Control |

+| **Abnormal Traffic Bandwidth** | Abnormal bandwidth was detected on a channel. Bandwidth appears to be lower/higher than previously detected. For details, work with the Total Bandwidth widget. | Warning | Bandwidth Anomalies | **Tactics:** <br> - Discovery <br><br> **Techniques:** <br> - T0842: Network Sniffing |

+| **Abnormal Traffic Bandwidth Between Devices** | Abnormal bandwidth was detected on a channel. Bandwidth appears to be lower/higher than previously detected. For details, work with the Total Bandwidth widget. | Warning | Bandwidth Anomalies | **Tactics:** <br> - Discovery <br><br> **Techniques:** <br> - T0842: Network Sniffing |

+| **Address Scan Detected** | A source device was detected scanning network devices. This device hasn't been authorized as a network scanning device. <br><br> Threshold: 50 connections to the same B class subnet in 2 minutes | Critical | Scan | **Tactics:** <br> - Discovery <br><br> **Techniques:** <br> - T0842: Network Sniffing |

+| **ARP Address Scan Detected** | A source device was detected scanning network devices using Address Resolution Protocol (ARP). This device address hasn't been authorized as valid ARP scanning address. <br><br> Threshold: 40 scans in 6 minutes | Critical | Scan | **Tactics:** <br> - Discovery <br> - Collection <br><br> **Techniques:** <br> - T0842: Network Sniffing <br> - T0830: Man in the Middle |

+| **ARP Spoofing** | An abnormal quantity of packets was detected in the network. This alert could indicate an attack, for example, an ARP spoofing or ICMP flooding attack. <br><br> Threshold: 60 packets in 1 minute | Warning | Abnormal Communication Behavior | **Tactics:** <br> - Collection <br><br> **Techniques:** <br> - T0830: Man in the Middle |

+| **Excessive Login Attempts** | A source device was seen performing excessive sign-in attempts to a destination server. This alert may indicate a brute force attack. The server may be compromised by a malicious actor. <br><br> Threshold: 20 sign-in attempts in 1 minute | Critical | Authentication | **Tactics:** <br> - LateralMovement <br> - Impair Process Control <br><br> **Techniques:** <br> - T0812: Default Credentials <br> - T0806: Brute Force I/O |

+| **Excessive Number of Sessions** | A source device was seen performing excessive sign-in attempts to a destination server. This may indicate a brute force attack. The server may be compromised by a malicious actor. <br><br> Threshold: 50 sessions in 1 minute | Critical | Abnormal Communication Behavior | **Tactics:** <br> - Lateral Movement <br> - Impair Process Control <br><br> **Techniques:** <br> - T0812: Default Credentials <br> - T0806: Brute Force I/O |

+| **Excessive Restart Rate of an Outstation** | An excessive number of restart commands were detected on a source device. These alerts may be the result of an operational issue or an attempt to manipulate the device. <br><br> Threshold: 10 restarts in 1 hour | Major | Restart/ Stop Commands | **Tactics:** <br> - Inhibit Response Function <br> - Impair Process Control <br><br> **Techniques:** <br> - T0814: Denial of Service <br> - T0806: Brute Force I/O |

+| **Excessive SMB login attempts** | A source device was seen performing excessive sign-in attempts to a destination server. This may indicate a brute force attack. The server may be compromised by a malicious actor. <br><br> Threshold: 10 sign-in attempts in 10 minutes | Critical | Authentication | **Tactics:** <br> - Persistence <br> - Execution <br> - LateralMovement <br><br> **Techniques:** <br> - T0812: Default Credentials <br> - T0853: Scripting <br> - T0859: Valid Accounts |

+| **ICMP Flooding** | An abnormal quantity of packets was detected in the network. This alert could indicate an attack, for example, an ARP spoofing or ICMP flooding attack. <br><br> Threshold: 60 packets in 1 minute | Warning | Abnormal Communication Behavior | **Tactics:** <br> - Discovery <br> - Collection <br><br> **Techniques:** <br> - T0842: Network Sniffing <br> - T0830: Man in the Middle |

+| **Illegal HTTP Header Content [*](#alerts-disabled-by-default)** | The source device initiated an invalid request. | Critical | Abnormal HTTP Communication Behavior | **Tactics:** <br> - Initial Access <br> - LateralMovement <br><br> **Techniques:** <br> - T0866: Exploitation of Remote Services |

+| **Inactive Communication Channel** | A communication channel between two devices was inactive during a period in which activity is usually observed. This might indicate that the program generating this traffic was changed, or the program might be unavailable. It's recommended to review the configuration of installed program and verify that it's configured properly. <br><br> Threshold: 1 minute | Warning | Unresponsive | **Tactics:** <br> - Inhibit Response Function <br><br> **Techniques:** <br> - T0881: Service Stop |

+| **Long Duration Address Scan Detected** | A source device was detected scanning network devices. This device hasn't been authorized as a network scanning device. <br><br> Threshold: 50 connections to the same B class subnet in 10 minutes | Critical | Scan | **Tactics:** <br> - Discovery <br><br> **Techniques:** <br> - T0842: Network Sniffing |

+| **Password Guessing Attempt Detected** | A source device was seen performing excessive sign-in attempts to a destination server. This may indicate a brute force attack. The server may be compromised by a malicious actor. <br><br> Threshold: 100 attempts in 1 minute | Critical | Authentication | **Tactics:** <br> - Lateral Movement <br><br> **Techniques:** <br> - T0812: Default Credentials <br> - T0806: Brute Force I/O |

+| **PLC Scan Detected** | A source device was detected scanning network devices. This device hasn't been authorized as a network scanning device. <br><br> Threshold: 10 scans in 2 minutes | Critical | Scan | **Tactics:** <br> - Discovery <br><br> **Techniques:** <br> - T0842: Network Sniffing |

+| **Port Scan Detected** | A source device was detected scanning network devices. This device hasn't been authorized as a network scanning device. <br><br> Threshold: 25 scans in 2 minutes | Critical | Scan | **Tactics:** <br> - Discovery <br><br> **Techniques:** <br> - T0842: Network Sniffing |

+| **Unexpected message length** | The source device sent an abnormal message. This alert may indicate an attempt to attack the destination device. <br><br> Threshold: text length - 32768 | Critical | Abnormal Communication Behavior | **Tactics:** <br> - InitialAccess <br> - LateralMovement <br><br> **Techniques:** <br> - T0869: Exploitation of Remote Services |

+| **Unexpected Traffic for Standard Port** | Traffic was detected on a device using a port reserved for another protocol. | Major | Abnormal Communication Behavior | **Tactics:** <br> - Command And Control <br> - Discovery <br><br> **Techniques:** <br> - T0869: Standard Application Layer Protocol <br> - T0842: Network Sniffing |

+| Title | Description | Severity | Category | MITRE ATT&CK <br> tactics and techniques |

+|--|--|--|--|--|

+| **Excessive Malformed Packets In a Single Session** | An abnormal number of malformed packets sent from the source device to the destination device. This alert might indicate erroneous communications, or an attempt to manipulate the targeted device. <br><br> Threshold: 2 malformed packets in 10 minutes | Major | Illegal Commands | **Tactics:** <br> - Impair Process Control <br><br> **Techniques:** <br> - T0806: Brute Force I/O |

+| **Firmware Update** | A source device sent a command to update firmware on a destination device. Verify that recent programming, configuration and firmware upgrades made to the destination device are valid. | Warning | Firmware Change | **Tactics:** <br> - Inhibit Response Function <br> - Persistence <br><br> **Techniques:** <br> - T0857: System Firmware |

+| **Function Code Not Supported by Outstation** | The destination device received an invalid request. | Major | Illegal Commands | **Tactics:** <br> - Impair Process Control <br><br> **Techniques:** <br> - T0855: Unauthorized Command Message |

+| **Illegal BACNet message** | The source device initiated an invalid request. | Major | Illegal Commands | **Tactics:** <br> - Impair Process Control <br><br> **Techniques:** <br> - T0855: Unauthorized Command Message <br> - T0836: Modify Parameter |

+| **Illegal Connection Attempt on Port 0** | A source device attempted to connect to destination device on port number zero (0). For TCP, port 0 is reserved and canΓÇÖt be used. For UDP, the port is optional and a value of 0 means no port. There's usually no service on a system that listens on port 0. This event may indicate an attempt to attack the destination device, or indicate that an application was programmed incorrectly. | Minor | Illegal Commands | **Tactics:** <br> - Impair Process Control <br><br> **Techniques:** <br> - T0855: Unauthorized Command Message <br> - T0836: Modify Parameter |

+| **Illegal DNP3 Operation** | The source device initiated an invalid request. | Major | Illegal Commands | **Tactics:** <br> - Initial Access <br> - Lateral Movement <br><br> **Techniques:** <br> - T0866: Exploitation of Remote Services |

+| **Illegal MODBUS Operation (Exception Raised by Master)** | The source device initiated an invalid request. | Major | Illegal Commands | **Tactics:** <br> - Initial Access <br> - Lateral Movement <br><br> **Techniques:** <br> - T0866: Exploitation of Remote Services |

+| **Illegal MODBUS Operation (Function Code Zero)** | The source device initiated an invalid request. | Major | Illegal Commands |**Tactics:** <br> - Initial Access <br> - Lateral Movement <br><br> **Techniques:** <br> - T0866: Exploitation of Remote Services |

+| **Illegal Protocol Version** | The source device initiated an invalid request. | Major | Illegal Commands | **Tactics:** <br> - Initial Access <br> - LateralMovement <br> - Impair Process Control <br><br> **Techniques:** <br> - T0820: Remote Services <br> - T0836: Modify Parameter |

+| **Incorrect Parameter Sent to Outstation** | The destination device received an invalid request. | Major | Illegal Commands | **Tactics:** <br> - Impair Process Control <br><br> **Techniques:** <br> - T0855: Unauthorized Command Message <br> - T0836: Modify Parameter |

+| **Initiation of an Obsolete Function Code (Initialize Data)** | The source device initiated an invalid request. | Minor | Illegal Commands | **Tactics:** <br> - Impair Process Control <br><br> **Techniques:** <br> - T0855: Unauthorized Command Message |

+| **Initiation of an Obsolete Function Code (Save Config)** | The source device initiated an invalid request. | Minor | Illegal Commands | **Tactics:** <br> - Impair Process Control <br><br> **Techniques:** <br> - T0855: Unauthorized Command Message |

+| **Master Requested an Application Layer Confirmation** | The source device initiated an invalid request. | Warning | Illegal Commands | **Tactics:** <br> - Command And Control <br><br> **Techniques:** <br> - T0869: Standard Application Layer Protocol |

+| **Modbus Exception** | A source device (secondary) returned an exception to a destination device (primary). | Major | Illegal Commands | **Tactics:** <br> - Inhibit Response Function <br><br> **Techniques:** <br> - T0814: Denial of Service |

+| **Slave Device Received Illegal ASDU Type** | The destination device received an invalid request. | Major | Illegal Commands | **Tactics:** <br> - Impair Process Control <br><br> **Techniques:** <br> - T0836: Modify Parameter |

+| **Slave Device Received Illegal Command Cause of Transmission** | The destination device received an invalid request. | Major | Illegal Commands | **Tactics:** <br> - Impair Process Control <br><br> **Techniques:** <br> - T0855: Unauthorized Command Message <br> - T0836: Modify Parameter |

+| **Slave Device Received Illegal Common Address** | The destination device received an invalid request. | Major | Illegal Commands | **Tactics:** <br> - Impair Process Control <br><br> **Techniques:** <br> - T0855: Unauthorized Command Message <br> - T0836: Modify Parameter |

+| **Slave Device Received Illegal Data Address Parameter** | The destination device received an invalid request. | Major | Illegal Commands | **Tactics:** <br> - Impair Process Control <br><br> **Techniques:** <br> - T0855: Unauthorized Command Message <br> - T0836: Modify Parameter |

+| **Slave Device Received Illegal Data Value Parameter** | The destination device received an invalid request. | Major | Illegal Commands | **Tactics:** <br> - Impair Process Control <br><br> **Techniques:** <br> - T0855: Unauthorized Command Message <br> - T0836: Modify Parameter |

+| **Slave Device Received Illegal Function Code** | The destination device received an invalid request. | Major | Illegal Commands | **Tactics:** <br> - Impair Process Control <br><br> **Techniques:** <br> - T0855: Unauthorized Command Message <br> - T0836: Modify Parameter |

+| **Slave Device Received Illegal Information Object Address** | The destination device received an invalid request. | Major | Illegal Commands | **Tactics:** <br> - Impair Process Control <br><br> **Techniques:** <br> - T0855: Unauthorized Command Message <br> - T0836: Modify Parameter |

+| **Unknown Object Sent to Outstation** | The destination device received an invalid request. | Major | Illegal Commands | **Tactics:** <br> - Impair Process Control <br><br> **Techniques:** <br> - T0855: Unauthorized Command Message |

+| **Usage of a Reserved Function Code** | The source device initiated an invalid request. | Major | Illegal Commands | **Tactics:** <br> - Impair Process Control <br><br> **Techniques:** <br> - T0836: Modify Parameter |

+| **Usage of Improper Formatting by Outstation** | The source device initiated an invalid request. | Warning | Illegal Commands | **Tactics:** <br> - Impair Process Control <br><br> **Techniques:** <br> - T0855: Unauthorized Command Message |

+| **Usage of Reserved Status Flags (IIN)** | A DNP3 source device (outstation) used the reserved Internal Indicator 2.6. It's recommended to check the device's configuration. | Warning | Illegal Commands | **Tactics:** <br> - Impair Process Control <br><br> **Techniques:** <br> - T0836: Modify Parameter |

+| Title | Description| Severity | Category | MITRE ATT&CK <br> tactics and techniques |

+|--|--|--|--|--|

+| **Connection Attempt to Known Malicious IP** | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Major | Suspicion of Malicious Activity | **Tactics:** <br> - Initial Access <br> - Command And Control <br><br> **Techniques:** <br> - T0883: Internet Accessible Device <br> - T0884: Connection Proxy |

+| **Invalid SMB Message (DoublePulsar Backdoor Implant)** | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Critical | Suspicion of Malware | **Tactics:** <br> - Initial Access <br> - LateralMovement <br><br> **Techniques:** <br> - T0866: Exploitation of Remote Services |

+| **Malicious Domain Name Request** | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Major | Suspicion of Malicious Activity | **Tactics:** <br> - Initial Access <br> - Command And Control <br><br> **Techniques:** <br> - T0883: Internet Accessible Device <br> - T0884: Connection Proxy |

+| **Malware Test File Detected - EICAR AV Success** | An EICAR AV test file was detected in traffic between two devices (over any transport - TCP or UDP). The file isn't malware. It's used to confirm that the antivirus software is installed correctly. Demonstrate what happens when a virus is found, and check internal procedures and reactions when a virus is found. Antivirus software should detect EICAR as if it were a real virus. | Major | Suspicion of Malicious Activity | **Tactics:** <br> - Discovery <br><br> **Techniques:** <br> - T0842: Network Sniffing |

+| **Suspicion of Conficker Malware** | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Major | Suspicion of Malware | **Tactics:** <br> - Initial Access <br> - Impact <br><br> **Techniques:** <br> - T0826: Loss of Availability <br> - T0828: Loss of Productivity and Revenue <br> - T0847: Replication Through Removable Media |

+| **Suspicion of Denial Of Service Attack** | A source device attempted to initiate an excessive number of new connections to a destination device. This may indicate a Denial Of Service (DOS) attack against the destination device, and might interrupt device functionality, affect performance and service availability, or cause unrecoverable errors. <br><br> Threshold: 3000 attempts in 1 minute | Critical | Suspicion of Malicious Activity | **Tactics:** <br> - Inhibit Response Function <br><br> **Techniques:** <br> - T0814: Denial of Service |

+| **Suspicion of Malicious Activity** | Suspicious network activity was detected. This activity may be associated with an attack that triggered known 'Indicators of Compromise' (IOCs). Alert metadata should be reviewed by the security team. | Major | Suspicion of Malicious Activity | **Tactics:** <br> - Lateral Movement <br><br> **Techniques:** <br> - T0867: Lateral Tool Transfer |

+| **Suspicion of Malicious Activity (BlackEnergy)** | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Critical | Suspicion of Malware | **Tactics:** <br> - Command And Control <br><br> **Techniques:** <br> - T0869: Standard Application Layer Protocol |

+| **Suspicion of Malicious Activity (DarkComet)** | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Critical | Suspicion of Malware | **Tactics:** <br> - Impact <br><br> **Techniques:** <br> - T0882: Theft of Operational Information |

+| **Suspicion of Malicious Activity (Duqu)** | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Critical | Suspicion of Malware | **Tactics:** <br> - Impact <br><br> **Techniques:** <br> - T0882: Theft of Operational Information |

+| **Suspicion of Malicious Activity (Flame)** | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Critical | Suspicion of Malware | **Tactics:** <br> - Collection <br> - Impact <br><br> **Techniques:** <br> - T0882: Theft of Operational Information <br> - T0811: Data from Information Repositories |

+| **Suspicion of Malicious Activity (Havex)** | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Critical | Suspicion of Malware | **Tactics:** <br> - Collection <br> - Discovery <br> - Inhibit Response Function <br><br> **Techniques:** <br> - T0861: Point & Tag Identification <br> - T0846: Remote System Discovery <br> - T0814: Denial of Service |

+| **Suspicion of Malicious Activity (Karagany)** | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Critical | Suspicion of Malware | **Tactics:** <br> - Impact <br><br> **Techniques:** <br> - T0882: Theft of Operational Information |

+| **Suspicion of Malicious Activity (LightsOut)** | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Critical | Suspicion of Malware | **Tactics:** <br> - Evasion <br><br> **Techniques:** <br> - T0849: Masquerading |

+| **Suspicion of Malicious Activity (Name Queries)** | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. <br><br> Threshold: 25 name queries in 1 minute | Major | Suspicion of Malicious Activity | **Tactics:** <br> - Command And Control <br><br> **Techniques:** <br> - T0884: Connection Proxy |

+| **Suspicion of Malicious Activity (Poison Ivy)** | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Critical | Suspicion of Malware | **Tactics:** <br> - Initial Access <br> - Lateral Movement <br><br> **Techniques:** <br> - T0866: Exploitation of Remote Services |

+| **Suspicion of Malicious Activity (Regin)** | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Critical | Suspicion of Malware | **Tactics:** <br> - Initial Access <br> - Lateral Movement <br> - Impact <br><br> **Techniques:** <br> - T0866: Exploitation of Remote Services <br> - T0882: Theft of Operational Information |

+| **Suspicion of Malicious Activity (Stuxnet)** | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Critical | Suspicion of Malware | **Tactics:** <br> - Initial Access <br> - Lateral Movement <br> - Impact <br><br> **Techniques:** <br> - T0818: Engineering Workstation Compromise <br> - T0866: Exploitation of Remote Services <br> - T0831: Manipulation of Control |

+| **Suspicion of Malicious Activity (WannaCry)** | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Major | Suspicion of Malware | **Tactics:** <br> - Initial Access <br> - Lateral Movement <br><br> **Techniques:** <br> - T0866: Exploitation of Remote Services <br> - T0867: Lateral Tool Transfer |

+| **Suspicion of NotPetya Malware - Illegal SMB Parameters Detected** | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Critical | Suspicion of Malware | **Tactics:** <br> - Initial Access <br> - Lateral Movement <br><br> **Techniques:** <br> - T0866: Exploitation of Remote Services |

+| **Suspicion of NotPetya Malware - Illegal SMB Transaction Detected** | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Critical | Suspicion of Malware | **Tactics:** <br> - Lateral Movement <br><br> **Techniques:** <br> - T0867: Lateral Tool Transfer |

+| **Suspicion of Remote Code Execution with PsExec** | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Major | Suspicion of Malicious Activity | **Tactics:** <br> - Lateral Movement <br> - Initial Access <br><br> **Techniques:** <br> - T0866: Exploitation of Remote Services |

+| **Suspicion of Remote Windows Service Management** | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Major | Suspicion of Malicious Activity | **Tactics:** <br> - Initial Access <br><br> **Techniques:** <br> - T0822: NetworkExternal Remote Services |

+| **Suspicious Executable File Detected on Endpoint** | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Major | Suspicion of Malicious Activity | **Tactics:** <br> - Evasion <br> - Inhibit Response Function <br><br> **Techniques:** <br> - T0851: Rootkit |

+| **Suspicious Traffic Detected** | Suspicious network activity was detected. This activity may be associated with an attack that triggered known 'Indicators of Compromise' (IOCs). Alert metadata should be reviewed by the security team | Critical | Suspicion of Malicious Activity | **Tactics:** <br> - Discovery <br><br> **Techniques:** <br> - T0842: Network Sniffing |

+| **Backup Activity with Antivirus Signatures** | Traffic detected between the source device and the destination backup server triggered this alert. The traffic includes backup of antivirus software that might contain malware signatures. This is most likely legitimate backup activity. | Warning | Backup | **Tactics:** <br> - Impact <br><br> **Techniques:** <br> - T0882: Theft of Operational Information |

+| Title | Description | Severity | Category | MITRE ATT&CK <br> tactics and techniques |

+|--|--|--|--|--|

+| **An S7 Stop PLC Command was Sent** | The source device sent a stop command to a destination controller. The controller will stop operating until a start command is sent. | Warning | Restart/ Stop Commands | **Tactics:** <br> - Lateral Movement <br> - Defense Evasion <br> - Execution <br> - Inhibit Response Function <br><br> **Techniques:** <br> - T0843: Program Download <br> - T0858: Change Operating Mode <br> - T0814: Denial of Service |

+| **BACNet Operation Failed** | A server returned an error code. This alert indicates a server error or an invalid request by a client. | Major | Command Failures | **Tactics:** <br> - Impair Process Control <br><br> **Techniques:** <br> - T0855: Unauthorized Command Message |

+| **Bad MMS Device State** | An MMS Virtual Manufacturing Device (VMD) sent a status message. The message indicates that the server may not be configured correctly, partially operational, or not operational at all. | Major | Operational Issues | **Tactics:** <br> - Inhibit Response Function <br><br> **Techniques:** <br> - T0814: Denial of Service |

+| **Change of Device Configuration** | A configuration change was detected on a source device. | Minor | Configuration Changes | **Tactics:** <br> - Impair Process Control <br><br> **Techniques:** <br> - T0836: Modify Parameter |

+| **Continuous Event Buffer Overflow at Outstation** | A buffer overflow event was detected on a source device. The event may cause data corruption, program crashes, or execution of malicious code. <br><br> Threshold: 3 occurrences in 10 minutes | Major | Buffer Overflow | **Tactics:** <br> - Inhibit Response Function <br> - Impair Process Control <br> - Persistence <br><br> **Techniques:** <br> - T0814: Denial of Service <br> - T0806: Brute Force I/O <br> - T0839: Module Firmware |

+| **Controller Reset** | A source device sent a reset command to a destination controller. The controller stopped operating temporarily and started again automatically. | Warning | Restart/ Stop Commands | **Tactics:** <br> - Defense Evasion <br> - Execution <br> - Inhibit Response Function <br><br> **Techniques:** <br> - T0858: Change Operating Mode <br> - T0814: Denial of Service |

+| **Controller Stop** | The source device sent a stop command to a destination controller. The controller will stop operating until a start command is sent. | Warning | Restart/ Stop Commands | **Tactics:** <br> - Lateral Movement <br> - Defense Evasion <br> - Execution <br> - Inhibit Response Function <br><br> **Techniques:** <br> - T0843: Program Download <br> - T0858: Change Operating Mode <br> - T0814: Denial of Service |

+| **Device Failed to Receive a Dynamic IP Address** | The source device is configured to receive a dynamic IP address from a DHCP server but didn't receive an address. This indicates a configuration error on the device, or an operational error in the DHCP server. It's recommended to notify the network administrator of the incident | Major | Command Failures | **Tactics:** <br> - Discovery <br><br> **Techniques:** <br> - T0842: Network Sniffing |

+| **Device is Suspected to be Disconnected (Unresponsive)** | A source device didn't respond to a command sent to it. It may have been disconnected when the command was sent. <br><br> Threshold: 8 attempts in 5 minutes | Major | Unresponsive | **Tactics:** <br> - Inhibit Response Function <br><br> **Techniques:** <br> - T0881: Service Stop |

+| **EtherNet/IP CIP Service Request Failed** | A server returned an error code. This indicates a server error or an invalid request by a client. | Major | Command Failures | **Tactics:** <br> - Impair Process Control <br><br> **Techniques:** <br> - T0855: Unauthorized Command Message |

+| **EtherNet/IP Encapsulation Protocol Command Failed** | A server returned an error code. This indicates a server error or an invalid request by a client. | Major | Command Failures | **Tactics:** <br> - Collection <br><br> **Techniques:** <br> - T0801: Monitor Process State |

+| **Event Buffer Overflow in Outstation** | A buffer overflow event was detected on a source device. The event may cause data corruption, program crashes, or execution of malicious code. | Major | Buffer Overflow | **Tactics:** <br> - Inhibit Response Function <br> - Impair Process Control <br> - Persistence <br><br> **Techniques:** <br> - T0814: Denial of Service <br> - T0839: Module Firmware |

+| **Expected Backup Operation Did Not Occur** | Expected backup/file transfer activity didn't occur between two devices. This alert may indicate errors in the backup / file transfer process. <br><br> Threshold: 100 seconds | Major | Backup | **Tactics:** <br> - Inhibit Response Function <br><br> **Techniques:** <br> - T0809: Data Destruction |

+| **GE SRTP Command Failure** | A server returned an error code. This alert indicates a server error or an invalid request by a client. | Major | Command Failures | **Tactics:** <br> - Impair Process Control <br><br> **Techniques:** <br> - T0855: Unauthorized Command Message |

+| **GE SRTP Stop PLC Command was Sent** | The source device sent a stop command to a destination controller. The controller will stop operating until a start command is sent. | Warning | Restart/ Stop Commands | **Tactics:** <br> - Lateral Movement <br> - Defense Evasion <br> - Execution <br> - Inhibit Response Function <br><br> **Techniques:** <br> - T0843: Program Download <br> - T0858: Change Operating Mode <br> - T0814: Denial of Service |

+| **GOOSE Control Block Requires Further Configuration** | A source device sent a GOOSE message indicating that the device needs commissioning. This means that the GOOSE control block requires further configuration and GOOSE messages are partially or completely non-operational. | Major | Configuration Changes | **Tactics:** <br> - Impair Process Control <br> - Inhibit Response Function <br><br> **Techniques:** <br> - T0803: Block Command Message <br> - T0821: Modify Controller Tasking |

+| **GOOSE Dataset Configuration was Changed** | A message (identified by protocol ID) dataset was changed on a source device. This means the device will report a different dataset for this message. | Warning | Configuration Changes | **Tactics:** <br> - Impair Process Control <br><br> **Techniques:** <br> - T0836: Modify Parameter |

+| **Honeywell Controller Unexpected Status** | A Honeywell Controller sent an unexpected diagnostic message indicating a status change. | Warning | Operational Issues | **Tactics:** <br> - Evasion <br> - Execution <br><br> **Techniques:** <br> - T0858: Change Operating Mode |

+| **HTTP Client Error [*](#alerts-disabled-by-default)** | The source device initiated an invalid request. | Warning | Abnormal HTTP Communication Behavior | **Tactics:** <br> - Command And Control <br><br> **Techniques:** <br> - T0869: Standard Application Layer Protocol |

+| **Illegal IP Address** | System detected traffic between a source device and an IP address that is an invalid address. This may indicate wrong configuration or an attempt to generate illegal traffic. | Minor | Abnormal Communication Behavior | **Tactics:** <br> - Discovery <br> - Impair Process Control <br><br> **Techniques:** <br> - T0842: Network Sniffing <br> - T0836: Modify Parameter |

+| **Master-Slave Authentication Error** | The authentication process between a DNP3 source device (primary) and a destination device (outstation) failed. | Minor | Authentication | **Tactics:** <br> - Lateral Movement <br> - Persistence <br><br> **Techniques:** <br> - T0859: Valid Accounts |

+| **MMS Service Request Failed** | A server returned an error code. This indicates a server error or an invalid request by a client. | Major | Command Failures | **Tactics:** <br> - Impair Process Control <br><br> **Techniques:** <br> - T0855: Unauthorized Command Message |

+| **No Traffic Detected on Sensor Interface** | A sensor stopped detecting network traffic on a network interface. | Critical | Sensor Traffic | **Tactics:** <br> - Inhibit Response Function <br><br> **Techniques:** <br> - T0881: Service Stop |

+| **OPC UA Server Raised an Event That Requires User's Attention** | An OPC UA server sent an event notification to a client. This type of event requires user attention | Major | Operational Issues | **Tactics:** <br> - Inhibit Response Function <br><br> **Techniques:** <br> - T0838: Modify Alarm Settings |

+| **OPC UA Service Request Failed** | A server returned an error code. This indicates a server error or an invalid request by a client. | Major | Command Failures | **Tactics:** <br> - Impair Process Control <br><br> **Techniques:** <br> - T0855: Unauthorized Command Message |

+| **Outstation Restarted** | A cold restart was detected on a source device. This means the device was physically turned off and back on again. | Warning | Restart/ Stop Commands | **Tactics:** <br> - Inhibit Response Function <br><br> **Techniques:** <br> - T0816: Device Restart/Shutdown |

+| **Outstation Restarts Frequently** | An excessive number of cold restarts were detected on a source device. This means the device was physically turned off and back on again an excessive number of times. <br><br> Threshold: 2 restarts in 10 minutes | Minor | Restart/ Stop Commands | **Tactics:** <br> - Inhibit Response Function <br><br> **Techniques:** <br> - T0814: Denial of Service <br> - T0816: Device Restart/Shutdown |

+| **Outstation's Configuration Changed** | A configuration change was detected on a source device. | Major | Configuration Changes | **Tactics:** <br> - Inhibit Response Function <br> - Persistence <br><br> **Techniques:** <br> - T0857: System Firmware |

+| **Outstation's Corrupted Configuration Detected** | This DNP3 source device (outstation) reported a corrupted configuration. | Major | Configuration Changes | **Tactics:** <br> - Inhibit Response Function <br><br> **Techniques:** <br> - T0809: Data Destruction |

+| **Profinet DCP Command Failed** | A server returned an error code. This indicates a server error or an invalid request by a client. | Major | Command Failures | **Tactics:** <br> - Impair Process Control <br><br> **Techniques:** <br> - T0855: Unauthorized Command Message |

+| **Profinet Device Factory Reset** | A source device sent a factory reset command to a Profinet destination device. The reset command clears Profinet device configurations and stops its operation. | Warning | Restart/ Stop Commands | **Tactics:** <br> - Defense Evasion <br> - Execution <br> - Inhibit Response Function <br><br> **Techniques:** <br> - T0858: Change Operating Mode <br> - T0814: Denial of Service |

+| **RPC Operation Failed [*](#alerts-disabled-by-default)** | A server returned an error code. This alert indicates a server error or an invalid request by a client. | Major | Command Failures | **Tactics:** <br> - Impair Process Control <br><br> **Techniques:** <br> - T0855: Unauthorized Command Message |

+| **Sampled Values Message Dataset Configuration was Changed** | A message (identified by protocol ID) dataset was changed on a source device. This means the device will report a different dataset for this message. | Warning | Configuration Changes | **Tactics:** <br> - Impair Process Control <br><br> **Techniques:** <br> - T0836: Modify Parameter |

+| **Slave Device Unrecoverable Failure** | An unrecoverable condition error was detected on a source device. This kind of error usually indicates a hardware failure or failure to perform a specific command. | Major | Command Failures | **Tactics:** <br> - Inhibit Response Function <br><br> **Techniques:** <br> - T0814: Denial of Service |

+| **Suspicion of Hardware Problems in Outstation** | An unrecoverable condition error was detected on a source device. This kind of error usually indicates a hardware failure or failure to perform a specific command. | Major | Operational Issues | **Tactics:** <br> - Inhibit Response Function <br><br> **Techniques:** <br> - T0814: Denial of Service <br> - T0881: Service Stop |

+| **Suspicion of Unresponsive MODBUS Device** | A source device didn't respond to a command sent to it. It may have been disconnected when the command was sent. <br><br> Threshold: Minimum of 1 valid response for a minimum of 3 requests within 5 minutes | Minor | Unresponsive | **Tactics:** <br> - Inhibit Response Function <br><br> **Techniques:** <br> - T0881: Service Stop |

+| **Traffic Detected on Sensor Interface** | A sensor resumed detecting network traffic on a network interface. | Warning | Sensor Traffic | **Tactics:** <br> - Discovery <br><br> **Techniques:** <br> - T0842: Network Sniffing |

+## View overall sensor status

+When you sign into your sensor, the first page shown is the **Overview** page.

+For example:

+The **Overview** page shows the following widgets:

+| Name | Description |

+|--|--|

+| **General Settings** | Displays a list of the sensor's basic configuration settings |

+| **Traffic Monitoring** | Displays a graph detailing traffic in the sensor. The graph shows traffic as units of Mbps per hour on the day of viewing. |

+| **Top 5 OT Protocols** | Displays a bar graph that details the top five most used OT protocols. The bar graph also provides the number of devices that are using each of those protocols. |

+| **Traffic By Port** | Displays a pie chart showing the types of ports in your network, with the amount of traffic detected in each type of port. |

+| **Top open alerts** | Displays a table listing any currently open alerts with high severity levels, including critical details about each alert. |

+Select the link in each widget to drill down for more information in your sensor.

+Sensor Administrators may be required to update certificates that were uploaded after initial login. This may happen, for example, if a certificate expired.

+1. Enable or disable the **Enable Certificate Validation** toggle. If the option is enabled and validation fails, communication between relevant components is halted, and a validation error is presented in the console. If disabled, certificate validation is not carried out. See [About certificate validation](how-to-deploy-certificates.md#about-certificate-validation) for more information.

+For more information about first-time certificate upload, see,

+- **Alert category**, helpful when you want to investigate alerts that are aggregated by a specific activity or configure SIEM rules to generate incidents based on specific activities.

+- **MITRE ATT&CK for ICS tactics and techniques**, which describe the actions an adversary may take while operating within the network. Use the tactics and techniques listed for each alert to learn about the network areas that might be at risk and collaborate more efficiently across your security and OT teams more as you secure those assets.

+- On a device details page, select the **Vulnerabilities** tab to view current vulnerabilities on the selected device. For example, from the **Device inventory** page, select a specific device and then select **Vulnerabilities**.

+|**Corporate** | **C5600** | A *Corporate* environment, with: <br>16 Cores<br>32-GB RAM<br>5.6-TB disk storage |

+|**Enterprise** | **E1800** | An *Enterprise* environment, with: <br>8 Cores<br>32-GB RAM<br>1.8-TB disk storage |

+|**SMB** | **L500** | A *Production line* environment, with: <br>4 Cores<br>8-GB RAM<br>500-GB disk storage |

+|**Office** | **L100** | A *Production line* environment, with: <br>4 Cores<br>8-GB RAM<br>100-GB disk storage |

+|**Rugged** | **L64** | A *Production line* environment, with: <br>4 Cores<br>8-GB RAM<br>64-GB disk storage |

+We also now support new enterprise hardware profiles, for sensors supporting both 500 GB and 1-TB disk sizes.

+ Title: Visualize Microsoft Defender for IoT data with Azure Monitor workbooks

+# Visualize Microsoft Defender for IoT data with Azure Monitor workbooks

+ Title: Add and configure a catalog item

+description: Learn how to add and configure a catalog item in your repository to use in your Azure Deployment Environments Preview dev center projects.

+# Add and configure a catalog item

+In Azure Deployment Environments Preview, you can use a [catalog](concept-environments-key-concepts.md#catalogs) to provide your development teams with a curated set of predefined [infrastructure as code (IaC)](/devops/deliver/what-is-infrastructure-as-code) templates called [*catalog items*](concept-environments-key-concepts.md#catalog-items).

+A catalog item is combined of least two files:

+- An [Azure Resource Manager template (ARM template)](../azure-resource-manager/templates/overview.md) in JSON file format. For example, *azuredeploy.json*.

+- A manifest YAML file (*manifest.yml*).

+> Azure Deployment Environments Preview currently supports only ARM templates.

+The IaC template contains the environment definition (template), and the manifest file provides metadata about the template. Your development teams use the catalog items that you provide in the catalog to deploy environments in Azure.

+We offer a [sample catalog](https://aka.ms/deployment-environments/SampleCatalog) that you can use as your repository. You also can use your own private repository, or you can fork and customize the catalog items in the sample catalog.

+After you [add a catalog](how-to-configure-catalog.md) to your dev center, the service scans the specified folder path to identify folders that contain an ARM template and an associated manifest file. The specified folder path should be a folder that contains subfolders that hold the catalog item files.

+In this article, you learn how to:

+> [!div class="checklist"]

+>

+> - Add a catalog item

+> - Update a catalog item

+> - Delete a catalog item

+> Azure Deployment Environments currently is in preview. For legal terms that apply to Azure features that are in beta, in preview, or otherwise are not yet released into general availability, see the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+<a name="add-a-new-catalog-item"></a>

+## Add a catalog item

+To add a catalog item:

+1. In your repository, create a subfolder in the repository folder path.

+1. Add two files to the new repository subfolder:

+ - An ARM template as a JSON file.

+ To implement IaC for your Azure solutions, use ARM templates. [ARM templates](../azure-resource-manager/templates/overview.md) help you define the infrastructure and configuration of your Azure solution and repeatedly deploy it in a consistent state.

+ To learn how to get started with ARM templates, see the following articles:

+ - [Understand the structure and syntax of ARM templates](../azure-resource-manager/templates/syntax.md): Describes the structure of an ARM template and the properties that are available in the different sections of a template.

+ - [Use linked templates](../azure-resource-manager/templates/linked-templates.md?tabs=azure-powershell#use-relative-path-for-linked-templates): Describes how to use linked templates with the new ARM template `relativePath` property to easily modularize your templates and share core components between catalog items.

+ - A manifest as a YAML file.

+ The *manifest.yaml* file contains metadata related to the ARM template.

+ The following script is an example of the contents of a *manifest.yaml* file:

+ ```yaml

+ name: WebApp

+ version: 1.0.0

+ summary: Azure Web App Environment

+ description: Deploys a web app in Azure without a datastore

+ runner: ARM

+ templatePath: azuredeploy.json

+ ```

+

+ > [!NOTE]

+ > The `version` field is optional. Later, the field will be used to support multiple versions of catalog items.

+ :::image type="content" source="../deployment-environments/media/configure-catalog-item/create-subfolder-in-path.png" alt-text="Screenshot that shows a folder path with a subfolder that contains an ARM template and a manifest file.":::

+1. In your dev center, go to **Catalogs**, select the repository, and then select **Sync**.

+ :::image type="content" source="../deployment-environments/media/configure-catalog-item/sync-catalog-items.png" alt-text="Screenshot that shows how to sync the catalog." :::

+The service scans the repository to find new catalog items. After you sync the repository, new catalog items are available to all projects in the dev center.

+## Update a catalog item

+To modify the configuration of Azure resources in an existing catalog item, update the associated ARM template JSON file in the repository. The change is immediately reflected when you create a new environment by using the specific catalog item. The update also is applied when you redeploy an environment that's associated with that catalog item.

+To update any metadata related to the ARM template, modify *manifest.yaml*, and then [update the catalog](how-to-configure-catalog.md#update-a-catalog).

+To delete an existing catalog item, in the repository, delete the subfolder that contains the ARM template JSON file and the associated manifest YAML file. Then, [update the catalog](how-to-configure-catalog.md#update-a-catalog).

+After you delete a catalog item, development teams can no longer use the specific catalog item to deploy a new environment. Update the catalog item reference for any existing environments that were created by using the deleted catalog item. If the reference isn't updated and the environment is redeployed, the deployment fails.

+- Learn how to [create and configure a project](./quickstart-create-and-configure-projects.md).

+- Learn how to [create and configure an environment type](quickstart-create-access-environments.md).

+ Title: Add and configure a catalog

+description: Learn how to add and configure a catalog in your Azure Deployment Environments Preview dev center to provide deployment templates for your development teams.

+# Add and configure a catalog

+Learn how to add and configure a [catalog](./concept-environments-key-concepts.md#catalogs) in your Azure Deployment Environments Preview dev center. You can use a catalog to provide your development teams with a curated set of infrastructure as code (IaC) templates called [*catalog items*](./concept-environments-key-concepts.md#catalog-items).

+For more information about catalog items, see [Add and configure a catalog item](./configure-catalog-item.md).

+A catalog is a repository that's hosted in [GitHub](https://github.com) or [Azure DevOps](https://dev.azure.com/).

+- To learn how to host a repository in GitHub, see [Get started with GitHub](https://docs.github.com/get-started).

+- To learn how to host a Git repository in an Azure DevOps project, see [Azure Repos](https://azure.microsoft.com/services/devops/repos/).

+We offer a [sample catalog](https://aka.ms/deployment-environments/SampleCatalog) that you can use as your repository. You also can use your own private repository, or you can fork and customize the catalog items in the sample catalog.

+In this article, you learn how to:

+> [!div class="checklist"]

+>

+> - Add a catalog

+> - Update a catalog

+> - Delete a catalog

+> [!IMPORTANT]

+> Azure Deployment Environments currently is in preview. For legal terms that apply to Azure features that are in beta, in preview, or otherwise are not yet released into general availability, see the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+## Add a catalog

+To add a catalog, you complete these tasks:

+- Get the clone URL for your repository.

+- Create a personal access token

+- Store the personal access token as a key vault secret in Azure Key Vault.

+- Add your repository as a catalog.

+You can choose from two types of repositories:

+- A GitHub repository

+- An Azure DevOps repository

+#### Get the clone URL of a GitHub repository

+#### Get the clone URL of an Azure DevOps repository

+### Create a personal access token

+Next, create a personal access token. Depending on the type of repository you use, create a personal access token either in GitHub or in Azure DevOps.

+1. In the left sidebar, select **Developer settings**.

+1. In **New personal access token**, in **Note**, enter a description for your token.

+1. In the **Expiration** dropdown, select an expiration for your token.

+1. For a private repository, under **Select scopes**, select the **repo** scope.

+1. Select **Generate token**.

+#### Create a personal access token in Azure DevOps

+1. Create a [personal access token](/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate#create-a-pat).

+### Store the personal access token as a key vault secret

+To store the personal access token you generated as a [key vault secret](../key-vault/secrets/about-secrets.md) and copy the secret identifier:

+1. Create a [key vault](../key-vault/general/quick-create-portal.md#create-a-vault).

+1. Add the personal access token as a [secret to the key vault](../key-vault/secrets/quick-create-portal.md#add-a-secret-to-key-vault).

+1. Open the secret and [copy the secret identifier](../key-vault/secrets/quick-create-portal.md#retrieve-a-secret-from-key-vault).

+### Add your repository as a catalog

+1. In the [Azure portal](https://portal.azure.com/), go to your dev center.

+1. Ensure that the [identity](./how-to-configure-managed-identity.md) that's attached to the dev center has [access to the key vault secret](./how-to-configure-managed-identity.md#grant-the-managed-identity-access-to-the-key-vault-secret) where your personal access token is stored.

+1. In the left menu under **Environment configuration**, select **Catalogs**, and then select **Add**.

+1. In **Add catalog**, enter the following information, and then select **Add**:

+ | **Git clone URI** | Enter or paste the [clone URL](#get-the-clone-url-for-your-repository) for either your GitHub repository or your Azure DevOps repository.|

+ | **Branch** | Enter the repository branch to connect to.|

+ | **Folder path** | Enter the folder path relative to the clone URI that contains subfolders with your catalog items. This folder path should be the path to the folder that contains the subfolders with the catalog item manifests, and not the path to the folder with the catalog item manifest itself.|

+ | **Secret identifier**| Enter the [secret identifier](#create-a-personal-access-token) that contains your personal access token for the repository.|

+ :::image type="content" source="media/how-to-configure-catalog/catalog-item-add.png" alt-text="Screenshot that shows how to add a catalog to a dev center.":::

+1. In **Catalogs** for the dev center, verify that your catalog appears. If the connection is successful, **Status** is **Connected**.

+To sync an updated catalog:

+1. In the left menu for your dev center, under **Environment configuration**, select **Catalogs**,

+1. Select the specific catalog, and then select **Sync**. The service scans through the repository and makes the latest list of catalog items available to all the associated projects in the dev center.

+You can delete a catalog to remove it from the dev center. Any templates in a deleted catalog won't be available to development teams when they deploy new environments. Update the catalog item reference for any existing environments that were created by using the catalog items in the deleted catalog. If the reference isn't updated and the environment is redeployed, the deployment fails.

+1. In the left menu for your dev center, under **Environment configuration**, select **Catalogs**.

+1. Select the specific catalog, and then select **Delete**.

+1. In the **Delete catalog** dialog, select **Continue** to delete the catalog.

+When you add or sync a catalog, you might encounter a sync error. A sync error indicates that some or all the catalog items have errors. Use the Azure CLI or the REST API to GET the catalog. The GET response shows you the type of errors:

+- Ignored catalog items that were detected to be duplicates

+- Invalid catalog items that failed due to schema, reference, or validation errors

+### Resolve ignored catalog item errors

+An ignored catalog item error occurs if you add two or more catalog items that have the same name. You can resolve this issue by renaming catalog items so that each catalog item has a unique name within the catalog.

+### Resolve invalid catalog item errors

+An invalid catalog item error might occur for a variety of reasons:

+- **Manifest schema errors**. Ensure that your catalog item manifest matches the [required schema](./configure-catalog-item.md#add-a-catalog-item).

+- **Validation errors**. Check the following items to resolve validation errors:

+ - Ensure that the manifest's engine type is correctly configured as `ARM`.

+ - Ensure that the catalog item name is between 3 and 63 characters.

+ - Ensure that the catalog item name includes only characters that are valid for a URL: alphanumeric characters and the symbols `~` `!` `,` `.` `'` `;` `:` `=` `-` `_` `+` `)` `(` `*` `&` `$` `@`.

+- **Reference errors**. Ensure that the template path that the manifest references is a valid relative path to a file in the repository.

+- Learn how to [create and configure a project](./quickstart-create-and-configure-projects.md).

+- Learn how to [create and configure a project environment type](how-to-configure-project-environment-types.md).

+description: Learn how to configure a managed identity that will be used to deploy environments in your Azure Deployment Environments Preview dev center.

+A [managed identity](../active-directory/managed-identities-azure-resources/overview.md) adds elevated-privileges capabilities and secure authentication to any service that supports Azure Active Directory (Azure AD) authentication. Azure Deployment Environments Preview uses identities to give development teams self-serve deployment capabilities without giving them access to the subscriptions in which Azure resources are created.

+The managed identity that's attached to a dev center should be [assigned the Owner role in the deployment subscriptions](how-to-configure-managed-identity.md#assign-a-subscription-role-assignment-to-the-managed-identity) for each environment type. When an environment deployment is requested, the service grants appropriate permissions to the deployment identities that are set up for the environment type to deploy on behalf of the user.

+The managed identity that's attached to a dev center also is used to add to a [catalog](how-to-configure-catalog.md) and access [catalog items](configure-catalog-item.md) in the catalog.

+In this article, you learn how to:

+> [!div class="checklist"]

+>

+> - Add a managed identity to your dev center

+> - Assign a subscription role assignment to a managed identity

+> - Grant access to a key vault secret for a managed identity

+> Azure Deployment Environments currently is in preview. For legal terms that apply to Azure features that are in beta, in preview, or otherwise are not yet released into general availability, see the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+## Add a managed identity

+In Azure Deployment Environments, you can choose between two types of managed identities:

+- **System-assigned identity**: A system-assigned identity is tied either to your dev center or to the project environment type. A system-assigned identity is deleted when the attached resource is deleted. A dev center or a project environment type can have only one system-assigned identity.

+- **User-assigned identity**: A user-assigned identity is a standalone Azure resource that you can assign to your dev center or to a project environment type. For Azure Deployment Environments Preview, a dev center or a project environment type can have only one user-assigned identity.

+> In Azure Deployment Environments Preview, if you add both a system-assigned identity and a user-assigned identity, only the user-assigned identity is used.

+### Add a system-assigned managed identity to a dev center

+1. Sign in to the [Azure portal](https://portal.azure.com/) and go to Azure Deployment Environments.

+1. In **Dev centers**, select your dev center.

+1. In the left menu under **Settings**, select **Identity**.

+1. Under **System assigned**, set **Status** to **On**.

+1. Select **Save**.

+1. In the **Enable system assigned managed identity** dialog, select **Yes**.

+### Add a user-assigned managed identity to a dev center

+1. Sign in to the [Azure portal](https://portal.azure.com/) and go to Azure Deployment Environments.

+1. In **Dev centers**, select your dev center.

+1. In the left menu under **Settings**, select **Identity**.

+1. Under **User assigned**, select **Add** to attach an existing identity.

+ :::image type="content" source="./media/configure-managed-identity/configure-user-assigned-managed-identity.png" alt-text="Screenshot that shows the user-assigned managed identity.":::

+1. In **Add user assigned managed identity**, enter or select the following information:

+ 1. In **Subscription**, select the subscription in which the identity exists.

+ 1. In **User assigned managed identities**, select an existing identity.

+The identity that's attached to the dev center should be assigned the Owner role for all the deployment subscriptions and the Reader role for all subscriptions that contain the relevant project. When a user creates or deploys an environment, the service grants appropriate access to the deployment identity that's attached to a project environment type. The deployment identity uses the access to perform deployments on behalf of the user. You can use the managed identity to empower developers to create environments without granting them access to the subscription.

+### Add a role assignment to a system-assigned managed identity

+1. In the Azure portal, go to your dev center.

+1. In the left menu under **Settings**, select **Identity**.

+1. Under **System assigned** > **Permissions**, select **Azure role assignments**.

+

+ :::image type="content" source="./media/configure-managed-identity/system-assigned-azure-role-assignment.png" alt-text="Screenshot that shows the Azure role assignment for system-assigned identity.":::

+1. In **Azure role assignments**, select **Add role assignment (Preview)**, and then enter or select the following information:

+ 1. In **Scope**, select **Subscription**.

+ 1. In **Subscription**, select the subscription in which to use the managed identity.

+ 1. In **Role**, select **Owner**.

+ 1. Select **Save**.

+### Add a role assignment to a user-assigned managed identity

+1. In the Azure portal, go to your dev center.

+1. In the left menu under **Settings**, select **Identity**.

+1. Under **User assigned**, select the identity.

+1. In the left menu, select **Azure role assignments**.

+1. In **Azure role assignments**, select **Add role assignment (Preview)**, and then enter or select the following information:

+ 1. In **Scope**, select **Subscription**.

+ 1. In **Subscription**, select the subscription in which to use the managed identity.

+ 1. In **Role**, select **Owner**.

+## Grant the managed identity access to the key vault secret

+You can set up your key vault to use either a [key vault access policy'](../key-vault/general/assign-access-policy.md) or [Azure role-based access control](../key-vault/general/rbac-guide.md).

+> [!NOTE]

+> Before you can add a repository as a catalog, you must grant the managed identity access to the key vault secret that contains the repository's personal access token.

+### Key vault access policy

+If the key vault is configured to use a key vault access policy:

+1. In the Azure portal, go to the key vault that contains the secret with the personal access token.

+1. In the left menu, select **Access policies**, and then select **Create**.

+1. In **Create an access policy**, enter or select the following information:

+ 1. On the **Permissions** tab, under **Secret permissions**, select the **Get** checkbox, and then select **Next**.

+ 1. On the **Principal** tab, select the identity that's attached to the dev center.

+ 1. Select **Review + create**, and then select **Create**.

+### Azure role-based access control

+If the key vault is configured to use Azure role-based access control:

+1. In the Azure portal, go to the key vault that contains the secret with the personal access token.

+1. In the left menu, select **Access control (IAM)**.

+1. Select the identity, and in the left menu, select **Azure role assignments**.

+1. Select **Add role assignment**, and then enter or select the following information:

+ 1. In **Scope**, select the key vault.

+ 1. In **Subscription**, select the subscription that contains the key vault.

+ 1. In **Resource**, select the key vault.

+ 1. In **Role**, select **Key Vault Secrets User**.

+ 1. Select **Save**.

+- Learn how to [add and configure a catalog](how-to-configure-catalog.md).

+- Learn how to [create and configure a project environment type](how-to-configure-project-environment-types.md).

+After you create a dev center, attach an [identity](concept-environments-key-concepts.md#identities) to the dev center. Learn about the two [types of identities](how-to-configure-managed-identity.md#add-a-managed-identity) you can attach:

+1. Complete the steps to create a [system-assigned managed identity](how-to-configure-managed-identity.md#add-a-system-assigned-managed-identity-to-a-dev-center).

+ Make sure that the identity has [access to the key vault secret](how-to-configure-managed-identity.md#grant-the-managed-identity-access-to-the-key-vault-secret) that contains the personal access token to access your repository.

+1. Complete the steps to attach a [user-assigned managed identity](how-to-configure-managed-identity.md#add-a-user-assigned-managed-identity-to-a-dev-center).

+ Make sure that the identity has [access to the key vault secret](how-to-configure-managed-identity.md#grant-the-managed-identity-access-to-the-key-vault-secret) that contains the personal access token to access the repository.

+### Single click upgrade/downgrade (preview)

+You can now easily upgrade your existing Firewall Standard SKU to Premium SKU as well as downgrade from Premium to Standard SKU. The process is fully automated and has no service impact (zero service downtime).

+In the upgrade process, you can select the policy to be attached to the upgraded Premium SKU. You can select an existing Premium Policy or an existing Standard Policy. You can use your existing Standard policy and let the system automatically duplicate, upgrade to Premium Policy, and then attach it to the newly created Premium Firewall.

+This new capability is available through the Azure portal as shown here, as well as via PowerShell and Terraform simply by changing the sku_tier attribute.

+> [!NOTE]

+> This new upgrade/downgrade capability will also support the Basic SKU for GA.

+Azure Firewall Premium provides signature-based IDPS to allow rapid detection of attacks by looking for specific patterns, such as byte sequences in network traffic, or known malicious instruction sequences used by malware. The IDPS signatures are applicable for both application and network level traffic (Layers 3-7), they're fully managed, and continuously updated. IDPS can be applied to inbound, spoke-to-spoke (East-West), and outbound traffic. Spoke-to-spoke (East-West) includes traffic that goes from/to an on-premises network. You can configure your IDPS private IP address ranges using the **Private IP ranges** preview feature. For more information, see [IDPS Private IP ranges](#idps-private-ip-ranges).

+### IDPS Private IP ranges

+In Azure Firewall Premium IDPS, private IP address ranges are used to identify if traffic is inbound, outbound, or internal (East-West). Each signature is applied on specific traffic direction, as indicated in the signature rules table. By default, only ranges defined by IANA RFC 1918 are considered private IP addresses. So traffic sent from a private IP address range to a private IP address range is considered internal. To modify your private IP addresses, you can now easily edit, remove, or add ranges as needed.

+|Direction |The traffic direction for which the signature is applied.<br>- **Inbound**: Signature is applied only on traffic arriving from the Internet and destined to your [configured private IP address range](#idps-private-ip-ranges).<br>- **Outbound**: Signature is applied only on traffic sent from your [configured private IP address range](#idps-private-ip-ranges) to the Internet.<br>- **Bidirectional**: Signature is always applied on any traffic direction.|

+ Title: Migrate Azure Front Door (classic) to Standard/Premium tier using the Azure portal (Preview)

+description: This article provides step-by-step instructions on how to migrate from an Azure Front Door (classic) profile to an Azure Front Door Standard or Premium tier profile.

+# Migrate Azure Front Door (classic) to Standard/Premium tier using the Azure portal (Preview)

+Azure Front Door Standard and Premium tier bring the latest cloud delivery network features to Azure. With enhanced security features and an all-in-one service, your application content is secured and closer to your end users with the Microsoft global network. This article will guide you through the migration process to migrate your Front Door (classic) profile to either a Standard or Premium tier profile to begin using these latest features.

+## Prerequisites

+* Review the [About Front Door tier migration](tier-migration.md) article.

+* Ensure your Front Door (classic) profile can be migrated:

+ * HTTPS is required for all custom domains. Azure Front Door Standard and Premium enforce HTTPS on all domains. If you don't have your own certificate, you can use an Azure Front Door managed certificate. The certificate is free and managed for you.

+ * If you use BYOC (Bring your own certificate) for Azure Front Door (classic), you'll need to grant Key Vault access to your Azure Front Door Standard or Premium profile by completing the following steps:

+ * Register the service principal for **Microsoft.AzureFrontDoor-Cdn** as an app in your Azure Active Directory using Azure PowerShell.

+ * Grant **Microsoft.AzureFrontDoor-Cdn** access to your Key Vault.

+ * Session affinity gets enabled from the origin group settings in the Azure Front Door Standard or Premium profile. In Azure Front Door (classic), session affinity is managed at the domain level. As part of the migration, session affinity is based on the Classic profile's configuration. If you have two domains in the Classic profile that shares the same backend pool (origin group), session affinity has to be consistent across both domains in order for migration to be compatible.

+

+## Validate compatibility

+1. Go to the Azure Front Door (classic) resource and select **Migration** from under *Settings*.

+ :::image type="content" source="./media/migrate-tier/overview.png" alt-text="Screenshot of the migration button for a Front Door (classic) profile.":::

+1. Select **Validate** to see if your Front Door (classic) profile is compatible for migration. This check can take up to two minutes depending on the complexity of your Front Door profile.

+ :::image type="content" source="./media/migrate-tier/validate.png" alt-text="Screenshot of the validate compatibility button from the migration page.":::

+1. If the migration isn't compatible, you can select **View errors to see a list of errors, and recommendation to resolve them.

+ :::image type="content" source="./media/migrate-tier/validation-failed.png" alt-text="Screenshot of the Front Door validate migration with errors.":::

+1. Once the migration tool has validated that your Front Door profile is compatible to migrate, you can move onto preparing for migration.

+ :::image type="content" source="./media/migrate-tier/validation-passed.png" alt-text="Screenshot of the Front Door migration passing validation.":::

+## Prepare for migration

+1. A default name for the new Front Door profile has been provided for you. You can change this name before proceeding to the next step.

+ :::image type="content" source="./media/migrate-tier/prepare-name.png" alt-text="Screenshot of the prepared name for Front Door migration.":::

+1. A Front Door tier is automatically selected for you based on the Front Door (classic) WAF policy settings.

+ :::image type="content" source="./media/migrate-tier/prepare-tier.png" alt-text="Screenshot of the selected tier for the new Front Door profile.":::

+ * A Standard tier gets selected if you *only have custom WAF rules* associated to the Front Door (classic) profile. You may choose to upgrade to a Premium tier.

+ * A Premium tier gets selected if you *have managed WAF rules* associated to the Classic profile. To use Standard tier, the managed WAF rules must first be removed from the Classic profile.

+1. Select **Configure WAF policy upgrades** to configure the WAF policies to be upgraded. Select the action you would like to happen for each WAF policy. You can either copy the old WAF policy to the new WAF policy or select and existing WAF policy that matches the Front Door tier. If you chose to copy the WAF policy, each WAF policy will be given a default WAF policy name that you can change. Select **Apply** once you finish making changes to the WAF policy configuration.

+ :::image type="content" source="./media/migrate-tier/prepare-waf.png" alt-text="Screenshot of the configure WAF policy link during Front Door migration preparation.":::

+ > [!NOTE]

+ > The **Configure WAF policy upgrades** link only appears if you have WAF policies associated to the Front Door (classic) profile.

+ For each WAF policy associated to the Front Door (classic) profile select an action. You can make copy of the WAF policy that matches the tier you're migrating the Front Door profile to or you can use an existing WAF policy that matches the tier. You may also update the WAF policy names from the default names assigned. Select **Apply** to save the WAF settings.

+ :::image type="content" source="./media/migrate-tier/waf-policy.png" alt-text="Screenshot of the upgrade wAF policy screen.":::

+1. Select **Prepare**, and then select **Yes** to confirm you would like to proceed with the migration process. Once confirmed, you won't be able to make any further changes to the Front Door (classic) settings.

+ :::image type="content" source="./media/migrate-tier/prepare-confirmation.png" alt-text="Screenshot the prepare button and confirmation to proceed with Front Door migration.":::

+1. Select the link that appears to view the configuration of the new Front Door profile. At this time, review each of the settings for the new profile to ensure all settings are correct. Once you're done reviewing the read-only profile, select the **X** in the top right corner of the page to go back to the migration screen.

+ :::image type="content" source="./media/migrate-tier/verify-new-profile.png" alt-text="Screenshot of the link to view the new read-only Front Door profile.":::

+> [!NOTE]

+> If you're not using your own certificate, enabling managed identities and granting access to the Key Vault is not required. You can skip to the [**Migrate**](migrate-tier.md#migrate) step.

+## Enable managed identities

+You're using your own certificate and will need to enable managed identity so Azure Front Door can access the certificate in your Key Vault.

+1. Select **Enable** and then select either **System assigned** or **User assigned** depending on the type of managed identities you want to use. For more information, see [What are managed identities for Azure resources?](../active-directory/managed-identities-azure-resources/overview.md)

+ :::image type="content" source="./media/migrate-tier/enable-managed-identity.png" alt-text="Screenshot of the enable manage identity button for Front Door migration.":::

+ * *System assigned* - Toggle the status to **On** and then select **Save**.

+ * *User assigned* - To create a user assigned managed identity, see [Create a user-assigned identity](../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md). If you've already have a user managed identity, select the identity, and then select **Add**.

+1. Select the **X** to return to the migration page. You'll then see that you've successfully enabled managed identities.

+ :::image type="content" source="./media/migrate-tier/enable-managed-identity-successful.png" alt-text="Screenshot of managed identity getting enabled.":::

+## Grant manage identity to Key Vault

+Select **Grant** to add managed identities from the last section to all the Key Vaults used in the Front Door (classic) profile.

+## Migrate

+1. Select **Migrate** to initiate the migration process. When prompted, select **Yes** to confirm you want to move forward with the migration. Once the migration is completed, you can select the banner at the top to go to the new Front Door profile.

+ :::image type="content" source="./media/migrate-tier/migrate.png" alt-text="Screenshot of migrate and confirmation button for Front Door migration.":::

+ > [!NOTE]

+ > If you cancel the migration, only the new Front Door profile will get deleted. Any new WAF policy copies will need to be manually deleted.

+1. Once the migration completes, you can select the banner the top of the page or the link from the successful message to go to the new Front Door profile.

+ :::image type="content" source="./media/migrate-tier/successful-migration.png" alt-text="Screenshot of a successful Front Door migration.":::

+1. The Front Door (classic) profile is now in a **Disabled** state and can be deleted from your subscription.

+ :::image type="content" source="./media/migrate-tier/classic-profile.png" alt-text="Screenshot of the overview page of a Front Door (classic) in a disabled state.":::

+## Next steps

+* Understand the [mapping between Front Door tiers](tier-mapping.md) settings.

+* Learn more about the [Azure Front Door tier migration process](tier-migration.md).

+Deploying origins in two or more locations across the globe can improve the responsiveness of your applications by routing traffic to the destination that is 'closest' to your end users. Latency is the default traffic-routing method for your Front Door configuration. This routing method forwards requests from your end users to the closest origin behind Azure Front Door. This routing mechanism combined with the anycast architecture of Azure Front Door ensures that each of your end users gets the best performance based on their location.

+ Title: Azure Front Door profile mapping between Classic and Standard/Premium tier

+description: This article explains the differences and settings mapping between an Azure Front Door (classic) and Standard/Premium profile.

+# Mapping between Azure Front Door (classic) and Standard/Premium tier

+As you migrate from Azure Front Door (classic) to Front Door Standard or Premium, you'll notice some configurations have been changed, or moved to a new location to provide a better experience when managing the Front Door profile. In this article you'll learn how routing rules, cache duration, rules engine configuration, WAF policy and custom domains gets mapped to new Front Door tiers.

+## Routing rules

+| Front Door (classic) settings | Mapping in Standard and Premium |

+|--|--|

+| Route status - Enable/disable | Same as Front Door (classic) profile. |

+| Accepted protocol | Copied from Front Door (classic) profile. |

+| Frontend/domains | Copied from Front Door (classic) profile. |

+| Patterns to match | Copied from Front Door (classic) profile. |

+| Rules engine configuration | Rules engine changes to Rule Set and will retain route association from Front Door (classic) profile. |

+| Route type: Forwarding | Backend pool changes to Origin group. Forwarding protocol is copied from Front Door (classic) profile. </br> - If URL rewrite is set to `disabled`, the origin path in Standard and Premium profile is set to empty. </br> - If URL rewrite is set to `enabled`, the origin path is copied from *Custom forwarding path* of the Front Door (classic) profile. |

+| Route type: Redirect | URL redirect rule gets created in Rule set. The Rule set name is called *URLRedirectMigratedRuleSet2*. |

+## Cache duration

+In Azure Front Door (classic), the *Minimum cache duration* is located in the routing settings and the *Use default cache duration* is located in the Rules engine. Azure Front Door Standard and Premium tier only support caching in a Rule set.

+| Front Door (classic) | Front Door Standard and Premium |

+|--|--|

+| When caching is *disabled* and the default caching is used. | Caching is *disabled*. |

+| When caching is *enabled* and the default caching duration is used. | Caching is *enabled*, the origin caching behavior is honored. |

+| Caching is *enabled*. | Caching is *enabled*. |

+| When use default cache duration is set to *No*, the input cache duration is used. | Cache behavior is set to override always and the input cache duration is used. |

+| N/A | Caching is *enabled*, the caching behavior is set to override if origin is missing, and the input cache duration is used. |

+## Route configuration override in Rule engine actions

+The route configuration override in Front Door (classic) is split into three different actions in rules engine for Standard and Premium profile. Those three actions are URL Redirect, URL Rewrite and Route Configuration Override.

+| Actions | Mapping in Standard and Premium |

+|--|--|

+| Route type set to forward | 1. Forward with URL rewrites disabled. All configurations are copied to the Standard or Premium profile.</br>2. Forward with URL rewrites enabled. There will be two rule actions, one for URL rewrite and one for the route configuration override in the Standard or Premium profile.</br> For URL rewrites - </br>- Custom forwarding path in Classic profile is the same as source pattern in Standard or Premium profile.</br>- Destination from Classic profile is copied over to Standard or Premium profile. |

+| Route type set to redirect | Mapping is 1:1 in the Standard or Premium profile. |

+| Route configuration override | 1. Backend pool is 1:1 mapping for origin group in Standard or Premium profile.</br>2. Caching</br>- Enabling and disabling caching is 1:1 mapping in the Standard or Premium profile.</br>- Query string is 1:1 mapping in Standard or Premium profile.</br>3. Dynamic compression is 1:1 mapping in the Standard or Premium profile.

+| Use default cache duration | Same as mentioned in the [Cache duration](#cache-duration) section. |

+## Other configurations

+| Front Door (classic) configuration | Mapping in Standard and Premium |

+|--|--|

+| Request and response header | Request and response header in Rules engine actions is copied over to Rule set in Standard/Premium profile. |

+| Enforce certificate name check | Enforce certificate name check is supported at the profile level of Azure Front Door (classic). In a Front Door Standard or Premium profile this setting can be found in the origin settings. This configuration will apply to all origins in the migrated Standard or Premium profile. |

+| Origin response time | Origin response time is copied over to the migrated Standard or Premium profile. |

+| Web Application Firewall (WAF) | If the Azure Front Door (classic) profile has WAF policies associated, the migration will create a copy of WAF policies with a default name for the Standard or Premium profile. The names for each WAF policy can be changed during setup from the default names. You can also select an existing Standard or Premium WAF policy that matches the migrated Front Door profile. |

+| Custom domain | This section will use `www.contoso.com` as an example to show a domain going through the migration. The custom domain `www.contoso.com` points to `contoso.azurefd.net` in Front Door (classic) for the CNAME record. </br></br>When the custom domain `www.contoso.com` gets moved to the new Front Door profile:</br>- The association for the custom domain shows the new Front Door endpoint as `contoso-hashvalue.z01.azurefd.net`. The CNAME of the custom domain will automatically point to the new endpoint name with the hash value in the backend. At this point, you can change the CNAME record with your DNS provider to point to the new endpoint name with the hash value.</br>- The classic endpoint `contoso.azurefd.net` will show as a custom domain in the migrated Front Door profile under the *Migrated domain* tab of the **Domains* page. This domain will be associated to the default migrated route. This default route can only be removed once the domain is disassociated from it. The domain properties can't be updated, for the exception of associating and removing the association from a route. The domain can only be deleted after you've changed the CNAME to the new endpoint name.</br>- The certificate state and DNS state for `www.contoso.com` is the same as the Front Door (classic) profile.</br></br> There are no changes to the managed certificate auto rotation settings. |

+## Next steps

+* Learn more about the [Azure Front Door tier migration process](tier-migration.md).

+* Learn how to [migrate from Classic to Standard/Premium tier](migrate-tier.md) using the Azure portal.

+ Title: About Azure Front Door (classic) to Standard/Premium tier migration (Preview)

+description: This article explains the migration process and changes expected when using the migration tool to Azure Front Door Standard/Premium tier.

+# About Azure Front Door (classic) to Standard/Premium tier migration (Preview)

+Azure Front Door Standard and Premium tiers were released in March 2022 as the next generation content delivery network service. The newer tiers combine the capabilities of Azure Front Door (classic), Microsoft CDN (classic), and Web Application Firewall (WAF). With features such as Private Link integration, enhanced rules engine and advanced diagnostics you have the ability to secure and accelerate your web applications to bring a better experience to your customers.

+Azure recommends migrating to the newer tiers to benefit from the new features and improvements over the Classic tier. To help with the migration process, Azure Front Door provides a zero-downtime migration to migrate your workload from Azure Front Door (class) to either Standard or Premium tier.

+In this article you'll learn about the migration process, understand the breaking changes involved, and what to do before, during and after the migration.

+## Migration process overview

+Azure Front Door zero-down time migration happens in three stages. The first stage is validation, followed by preparing for migration, and then migrate. The time it takes for a migration to complete depends on the complexity of the Azure Front Door profile. You can expect the migration to take a few minutes for a simple Azure Front Door profile and longer for a profile that has many frontend domains, backend pools, routing rules and rule engine rules.

+### Five steps of migration

+**Validate compatibility** - The migration will validate if the Azure Front Door (classic) profile is eligible for migration. You'll be prompted with messages on what needs to be fixed before you can move onto the preparation phase. For more information, see [prerequisites](#prerequisites).

+**Prepare for migration** - Azure Front Door will create a new Standard or Premium profile based on your Classic profile configuration in a disabled state. The new Front Door profile created will depend on the Web Application Firewall (WAF) policy you've associated to the profile.

+* **Premium tier** - If you have *managed WAF* policies associated to the Azure Front Door (classic) profile. A premium tier profile **can't** be downgraded to a standard tier after migration.

+* **Standard tier** - If you have *custom WAF* policies associated to the Azure Front Door (classic) profile. A standard tier profile **can** be upgraded to premium tier after migration.

+ During the preparation stage, Azure Front Door will create copies of WAF policies specific to the Front Door tier with default names. You can change the name for the WAF policies at this time. You can also select an existing WAF policy that matches the tier you're migrating to. At this time, a read-only view of the newly created profile is provided for you to verify configurations.

+ > [!NOTE]

+ > No changes can be to the Front Door (classic) configuration once this step has been initiated.

+**Enable managed identity** - During this step you can configure managed identities for Azure Front Door to access your certificate in a Key Vault.

+**Grant managed identity to Key Vault** - This step adds managed identity access to all the Key Vaults used in the Front Door (classic) profile.

+**Migrate/Abort migration**

+

+* **Migrate** - Once you select this option, the Azure Front Door (classic) profile gets disabled and the Azure Front Door Standard or Premium profile will be activated. Traffic will start going through the new profile once the migration completes.

+* **Abort migration** - If you decided you no longer want to move forward with the migration process, selecting this option will delete the new Front Door profile that was created.

+> [!NOTE]

+> * If you cancel the migration only the new Front Door profile gets deleted, any WAF policy copies will need to be manually deleted.

+> * Traffic to your Azure Front Door (classic) will continue to be serve until migration has been completed.

+> * Each Azure Front Door (classic) profile can create one Azure Front Door Standard or Premium profile.

+Migration is only available can be completed using the Azure portal. Service charges for Azure Front Door Standard or Premium tier will start once migration is completed.

+## Breaking changes between tiers

+### Dev-ops

+Azure Front Door Standard/Premium uses a different resource provider namespace of *Microsoft.Cdn*, while Azure Front Door (classic) uses *Microsoft.Network*. After you've migrated your Azure Front Door profile, you need to change your Dev-ops script to use the new namespace, different Azure PowerShell module and CLI commands and API.

+### Endpoint with hash value

+Azure Front Door Standard and Premium endpoints are generated to include a hash value to prevent your domain from being taken over. The format of the endpoint name is `<endpointname>-<hashvalue>.z01.azurefd.net`. The Classic Front Door endpoint name will continue to work after migration but we recommend replacing it with the newly created endpoint name from the Standard or Premium profile. For more information, see [Endpoint domain names](endpoint.md#endpoint-domain-names).

+### Logs and metrics

+Diagnostic logs and metrics won't be migrated. Azure Front Door Standard/Premium log fields are different from Front Door (classic). The newer tier also has heath probe logs and is recommended you enable diagnostic logging after the migration complete. Standard and Premium tier also supports built-in reports that will start displaying data once the migration is done.

+## Prerequisites

+* HTTPS is required for all custom domains. All Azure Front Door Standard and Premium tiers enforce HTTPS on every domain. If you don't your own certificate, you can use Azure Front Door managed certificate that is free and managed for you.

+* If you use BYOC for Azure Front Door (classic), you need to grant Key Vault access to your Azure Front Door Standard or Premium profile by completing the following steps:

+ * Register the service principal for **Microsoft.AzureFrontDoor-Cdn** as an app in your Azure Active Directory using Azure PowerShell.

+ * Grant **Microsoft.AzureFrontDoor-Cdn** access to your Key Vault.

+* Session affinity is enabled from within the origin group in an Azure Front Door Standard and Premium profile. In Azure Front Door (classic), session affinity is controlled at the domain level. As part of the migration, session affinity gets enabled or disabled based on the Classic profile's configuration. If you have two domains in a Classic profile that shares the same origin group, session affinity has to be consistent across both domains in order for migration can pass validation.

+> [!IMPORTANT]

+> * If your Azure Front Door (classic) profile can qualify to migrate to Standard tier but the number of resources exceeds the Standard tier quota limit, it will be migrated to Premium tier instead.

+> * If you use Azure PowerShell, Azure CLI, API, or Terraform to do the migration, then you need to create WAF policies separately.

+### Web Application Firewall (WAF)

+The default Azure Front Door tier created during migration is determined by the type of rules contain in the WAF policy. In this section we'll, cover scenarios for different rule type for a WAF policy.

+* Classic WAF policy contains only custom rules.

+ * The new Azure Front Door profile defaults to Standard tier and can be upgraded to Premium during migration. If you use the portal for migration, Azure will create custom WAF rules for Standard. If you upgrade to Premium during migration, custom WAF rules will be created by the migration capability, but managed WAF rules will need to be created manually after migration.

+* Classic WAF policy has only managed WAF rules, or both managed and custom WAF rules.

+ * The new Azure Front Door profile defaults to Premium tier and isn't eligible for downgrade during migration. Remove the WAF policy association or delete the manage WAF rules from the Classic WAF policy.

+ > [!NOTE]

+ > To avoid creating duplicate WAF policies during migration, the Azure portal provides the option to either create copies or reuse an existing Azure Front Door Standard or Premium WAF policy.

+

+* If you migrate your Azure Front Door profile using Azure PowerShell or Azure CLI, you need to create the WAF policies separately before migration.

+## Naming convention for migration

+During the migration, a default profile name is used in the format of `<endpointprefix>-migrated`. For example, a Classic endpoint named `myEndpoint.azurefd.net`, will have the default name of `myEndpoint-migrated`.

+WAF policy name will use the format of `<classicWAFpolicyname>-<standard or premium>`. For example, a Classic WAF policy named `contosoWAF1`, will have the default name of `contosoWAF1-premium`. You can rename the Front Door profile and the WAF policy during migration. Renaming of rule engine and routes isn't supported, instead default names will be assigned.

+URL redirect and URL rewrite are supported through rules engine in Azure Front Door Standard and Premium, while Azure Front Door (classic) supports them through routing rules. During migration, these two rules get created as rules engine rules in a Standard and Premium profile. The names of these rules are `urlRewriteMigrated` and `urlRedirectMigrated`.

+## Resource states

+The following table explains the various stages of the migration process and if changes can be made to the profile.

+| Migration state | Front Door (classic) resource state | Can make changes? | Front Door Standard/Premium | Can make changes? |

+|--|--|--|--|--|

+|Before migration| Active | Yes | N/A | N/A |

+| Step 1: Validating compatibility | Active | Yes | N/A | N/A |

+| Step 2: Preparing for migration | Migrating | No | Creating | No |

+| Step 5: Committing migration | Migrating | No | CommittingMigration | No |

+| Step 5: Committed migration | Migrated | No | Active | Yes |

+| Step 5: Aborting migration | AbortingMigration | No | Deleting | No |

+| Step 5: Aborted migration | Active | Yes | Deleted | N/A |

+## Next steps

+* Understand the [mapping between Front Door tiers](tier-mapping.md) settings.

+* Learn how to [migrate from Classic to Standard/Premium tier](migrate-tier.md) using the Azure portal.

+ Title: Upgrade from Azure Front Door Standard to Premium tier (Preview)

+description: This article provides step-by-step instructions on how to upgrade from an Azure Front Door Standard to an Azure Front Door Premium tier profile.

+# Upgrade from Azure Front Door Standard to Premium tier (Preview)

+Azure Front Door supports upgrading from Standard to Premium tier for more advanced capabilities and an increase in quota limits. The upgrade won't cause any downtime to your services or applications. For more information about the differences between Standard and Premium tier, see [Tier comparison](standard-premium/tier-comparison.md).

+This article will walk you through how to perform the tier upgrade on the configuration page of a Front Door Standard profile. Once upgraded, you'll be charge for the Azure Front Door Premium monthly base fee at an hourly rate.

+> [!IMPORTANT]

+> Downgrading from Premium to Standard tier is not supported.

+## Prerequisite

+Confirm you have an Azure Front Door Standard profile available in your subscription to upgrade.

+## Upgrade tier

+1. Go to the Azure Front Door Standard profile you want to upgrade and select **Configuration (preview)** from under *Settings*.

+ :::image type="content" source="./media/tier-upgrade/overview.png" alt-text="Screenshot of the configuration button under settings for a Front Door standard profile.":::

+1. Select **Upgrade** to begin the upgrade process. If you don't have any WAF policies associated to your Front Door Standard profile, then you'll be prompted with a confirmation to proceed with the upgrade.

+ :::image type="content" source="./media/tier-upgrade/upgrade-button.png" alt-text="Screenshot of the upgrade button on the configuration page a Front Door Standard profile.":::

+1. If you have WAF policies associated to the Front Door Standard profile, then you'll be taken to the *Upgrade WAF policies* page. On this page, you'll decide whether you want to make copies of the WAF policies or use an existing premium WAF policy. You can also change the name of the new WAF policy copy during this step.

+ :::image type="content" source="./media/tier-upgrade/upgrade-waf.png" alt-text="Screenshot of the upgrade WAF policies page.":::

+ > [!NOTE]

+ > To use managed WAF rules for the new premium WAF policy copies, you'll need to manually enable them after the upgrade.

+1. Select **Upgrade** once you're done setting up the WAF policies. Select **Yes** to confirm you would like to proceed with the upgrade.

+ :::image type="content" source="./media/tier-upgrade/confirm-upgrade.png" alt-text="Screenshot of the confirmation message from upgrade WAF policies page.":::

+1. The upgrade process will create new premium WAF policy copies and associate them to the upgraded Front Door profile. The upgrade can take a few minutes to complete depending on the complexity of your Front Door profile.

+ :::image type="content" source="./media/tier-upgrade/upgrade-in-progress.png" alt-text="Screenshot of the configuration page with upgrade in progress status.":::

+1. Once the upgrade completes, you'll see **Tier: Premium** display on the *Configuration* page.

+ :::image type="content" source="./media/tier-upgrade/upgrade-complete.png" alt-text="Screenshot of the Front Door tier upgraded to premium on the configuration page.":::

+ > [!NOTE]

+ > You're now being billed for the Azure Front Door Premium base fee at an hourly rate.

+## Next steps

+* Learn more about [Managed rule for WAF policy](../web-application-firewall/afds/waf-front-door-drs.md).

+* Learn how to enable [Private Link to origin resources](private-link.md).

+* [IoT Edge modules](../../iot-edge/iot-edge-modules.md) are containers that run Azure services, partner services, or your own code. Modules are deployed to IoT Edge devices, and run locally on those devices. A [deployment manifest](../../iot-edge/module-composition.md) specifies the modules to deploy to an IoT Edge device.

+* The [IoT Edge runtime](../../iot-edge/iot-edge-runtime.md) runs on each IoT Edge device, and manages the modules deployed to each device. The runtime consists of two IoT Edge modules: [IoT Edge agent and IoT Edge hub](../../iot-edge/module-edgeagent-edgehub.md).

+* Deployment manifest management. An IoT Central application can manage a collection of deployment manifests and assign them to devices.

+ * The telemetry each IoT Edge module sends.

+ * The properties each IoT Edge module reports.

+ * The commands each IoT Edge module responds to.

+IoT Central optionally uses [device templates](concepts-device-templates.md) to define how IoT Central interacts with an IoT Edge device. For example, a device template specifies:

+* The types of telemetry and properties an IoT Edge device sends so that IoT Central can interpret them and create visualizations.

+* The commands an IoT Edge device responds to so that IoT Central can display a UI for an operator to use to call the commands.

+If there's no device template associated with a device, telemetry and property values display as *unmodeled* data. However, you can still use IoT Central data export capabilities to forward telemetry and property values to other backend services.

+## IoT Edge deployment manifests

+An IoT Edge [deployment manifest](../../iot-edge/module-composition.md) lists the IoT Edge modules to deploy on the device and how to configure them.

+In Azure IoT Central, navigate to **Edge manifests** to import and manage the deployment manifests for the IoT Edge devices in your solution.

+* The custom **SimulatedTemperatureSensor** module has two writable properties `"SendData": true` and `"SendInterval": 10`.

+The following screenshot shows this deployment manifest imported into IoT Central:

+If your application uses [organizations](howto-create-organizations.md), you can assign your deployment manifests to specific organizations. The previous screenshot shows the deployment manifest assigned to the **Store Manager / Americas** organization.

+To learn how to use the **Edge manifests** page and assign deployment manifests to IoT Edge devices, see [Manage IoT Edge deployment manifests in your IoT Central application](howto-manage-deployment-manifests.md).

+### Manage an unassigned device

+An IoT Edge device that doesn't have an associated device template is known as an *unassigned* device. You can't use IoT Central features such as dashboards, device groups, analytics, rules, and jobs with unassigned devices. However, you can use the following capabilities with unassigned devices:

+* View raw data such as telemetry and properties.

+* Call device commands.

+* Read and write properties.

+You can also manage individual modules on unassigned devices:

+## IoT Edge device templates

+IoT Central device templates use models to describe the capabilities of IoT Edge devices. Device templates are optional for IoT Edge devices. The device template enables you to interact with telemetry, properties, and commands using IoT Central capabilities such as dashboards and analytics. The following diagram shows the structure of the model for an IoT Edge device:

+IoT Central models an IoT Edge device as follows:

+* Every IoT Edge device template has a capability model.

+* For every custom module listed in the deployment manifest, add a module definition if you want to use IoT Central to interact with that module.

+* A module capability model implements one or more module interfaces.

+* Each module interface contains telemetry, properties, and commands.

+You can generate the basic capability model based on the modules and properties defined in the device manifest. To learn more, see [Add modules and properties to device templates](howto-manage-deployment-manifests.md#add-modules-and-properties-to-device-templates).

+- [Create a group enrollment](#create-a-group-enrollment)

+## Import deployment manifest

+Every IoT Edge device needs a deployment manifest to configure the IoT Edge runtime. To import a deployment manifest for the IoT Edge transparent gateway:

+1. Navigate to **Edge manifests**.

+1. Select **+ New**, enter a name for the deployment manifest such as *Transparent gateway* and then upload the *EdgeTransparentGatewayManifest.json* file you downloaded previously.

+1. Select **Create** to save the deployment manifest in your application.

+1. On the **Customize** page of the wizard, check **This is a gateway device**.

+1. On the **Review** page, select **Create**.

+1. On the **Create a model** page, select **Custom model**.

+1. Add an instance of the transparent gateway IoT Edge device. When you add the device, make sure that you select the **Transparent gateway** deployment manifest. In this article, the gateway device ID is `edgegateway`.

+[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure-Samples%2Fiot-central-docs-samples%2Fmain%2Ftransparent-gateway-1-1%2FDeployGatewayVMs.json)

+[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure-Samples%2Fiot-central-docs-samples%2Fmain%2Ftransparent-gateway-1-2%2FDeployGatewayVMs.json)

+1. Locate the following settings in the configuration file. Add the certificate settings as follows:

+ > [!TIP]

+ > If you see an error when the downstream device tries to connect. Try re-running the device provisioning steps above.

+* Import a device manifest for an IoT Edge device.

+## Import a deployment manifest

+You use a deployment manifest to specify the modules to run on an IoT Edge device. IoT Central manages the deployment manifests for the IoT Edge devices in your solution. To import the deployment manifest for this example:

+1. In your IoT Central application, navigate to **Edge manifests**.

+1. Select **+ New**. Enter a name such as *Environmental Sensor* for your deployment manifest, and then upload the *EnvironmentalSensorManifest.json* file you downloaded previously.

+1. Select **Next** and then **Create**.

+The example deployment manifest includes a custom module called *SimulatedTemperatureSensor*.

+1. On the **Create a model** page, select **Custom model**.

+1. In the model, select **Modules** and then **Import modules from manifest**. Select the **Environmental Sensor** deployment manifest and then select **Import**.

+1. Select **+ New** to add a new device from the template.

+1. On the **Create new device** page, select the **Environmental Sensor** deployment manifest, and then select **Create**.

+## Clean up resources

+If you want to remove the Azure IoT Edge for Linux on Windows installation from your device, use the following commands.

+1. Open **Settings** on Windows

+1. Select **Add or Remove Programs**

+1. Select **Azure IoT Edge LTS** app

+1. Select **Uninstall**

+- [IoT Edge deployment manifests](concepts-iot-edge.md#iot-edge-deployment-manifests) for deployment manifests associated with specific organizations.

+### Update an IoT Edge device template

+For an IoT Edge device, the model groups capabilities by modules that correspond to the IoT Edge modules running on the device. The deployment manifest is a separate JSON document that tells an IoT Edge device which modules to install, how to configure them, and what properties the module has. If you've modified a deployment manifest, you can update the device template to include the modules and properties defined in the manifest:

+1. Navigate to the **Modules** node in the device template.

+1. On the **Modules summary** page, select **Import modules from manifest**.

+1. Select the appropriate deployment manifest and select **Import**.

+To learn more, see [IoT Edge devices and IoT Central](concepts-iot-edge.md#iot-edge-devices-and-iot-central).

+ Title: Manage Azure IoT Edge deployment manifests | Microsoft Docs

+description: This article describes how to the deployment manifests for the IT Edge devices that connect to your IoT Central application.

+# Manage IoT Edge deployment manifests in your IoT Central application

+A deployment manifest lets you specify the modules the IoT Edge runtime should download and configure. An IoT Edge device can download a deployment manifest when it first connects to your IoT Central application. This article describes how you manage these deployment manifests in your IoT Central application.

+To learn more about IoT Edge and IoT Central, see [Connect Azure IoT Edge devices to an Azure IoT Central application](concepts-iot-edge.md).

+<!-- TODO: Link to REST API article -->

+## Manage deployment manifests

+The **Edge manifests** page lets you manage the deployment manifests in your application. From this page you can:

+- Upload or create deployment manifests

+- Modify existing deployment manifests

+- Delete deployment manifests

+### Upload and create deployment manifests

+When you create a new deployment manifest, you can upload the deployment manifest JSON file or start with an existing manifest:

+1. On the **Edge manifests** page, select **+ New**.

+1. Enter a name for the deployment manifest.

+1. If your application uses organizations, select an organization to associate the deployment manifest with.

+1. Browse for a deployment manifest file to upload or choose an existing deployment manifest as a starting point for your new one. IoT Central validates any uploaded files.

+ :::image type="content" source="media/howto-manage-deployment-manifests/uploaded-deployment-manifest.png" alt-text="Screenshot that shows an uploaded and validated deployment manifest.":::

+1. Select **Next**. The **Review and finish** page shows information about the deployment manifest and the modules it defines. You can also view the raw JSON.

+1. Select **Create**. The **Edge manifests** page now includes the new deployment manifest.

+> [!TIP]

+> If you have a large number of deployment manifest, you can sort and filter the list shown on the **Edge manifests** page.

+### Edit the JSON source of a deployment manifest

+To modify a deployment manifest by editing the JSON directly:

+1. Navigate to the **Edge manifests** page.

+1. Select **Edit JSON** in the context menu for the deployment manifest you want to modify.

+1. Use the JSON editor to make the required changes. Then select **Save**.

+### Replace the content of a deployment manifest

+To completely replace the content of a deployment manifest:

+1. Navigate to the **Edge manifests** page.

+1. Click on the name of the deployment manifest you want to replace.

+1. In the **Customize** dialog, browse for a new deployment manifest file to upload or choose an existing deployment manifest as a starting point. IoT Central validates any uploaded files.

+1. Select **Next**. The **Review and finish** page shows information about the new deployment manifest and the modules it defines. You can also view the raw JSON.

+1. Select **Save**. The **Edge manifests** page now includes the updated deployment manifest.

+## Manage IoT Edge devices

+When you add an IoT Edge device on the devices page, you can choose a deployment manifest for the device. In the **Create a new device** dialog, you can choose from the list of previously uploaded device manifests on the **Edge manifests** page. It's also possible to add a deployment manifest directly to a device after you create the device.

+If you add an IoT Edge device that isn't assigned to a device template, the **Create a new device** dialog looks like the following screenshot:

+To choose the deployment manifest for the device:

+1. Toggle **Azure IoT Edge device?** to **Yes**.

+1. Select the IoT Edge deployment manifest to use. You can also choose to assign a deployment manifest after you create the device.

+1. Select **Create**.

+If you add an IoT Edge device that is assigned to a device template, the **Create a new device** dialog looks like the following screenshot:

+To choose the deployment manifest for the device:

+1. The **Azure IoT Edge device?** toggle is already set to **Yes** because IoT Central recognizes that you're using an IoT Edge device template.

+1. Select the IoT Edge deployment manifest to use. You can also choose to assign a deployment manifest after you create the device.

+1. Select **Create**.

+When an IoT Edge device connects to your application for the first time, it downloads the deployment manifest, configures the modules specified in the deployment manifest, and runs the modules.

+If you don't select a deployment manifest when you create an IoT Edge device, you can assign one later either individually or to multiple devices by using a job.

+### Update the deployment manifest a device uses

+You can manage the deployment manifest for an existing device:

+Use **Assign edge manifest** to select a previously uploaded deployment manifest from the **Edge manifests** page. You can also use this option to manually notify a device if you've modified the deployment manifest on the **Edge manifests** page.

+Use **Edit manifest** to modify the deployment manifest for this device. Changes you make here don't affect the deployment manifest on the **Edge manifests** page.

+### Jobs

+To assign or update the deployment manifest for multiple devices, use a [job](howto-manage-devices-in-bulk.md). Use the **Change edge deployment manifest** job type:

+## Add modules and properties to device templates

+A deployment manifest defines the modules to run on the device and optionally [writable properties](../../iot-edge/module-composition.md?#define-or-update-desired-properties) that you can use to configure modules.

+If you're assigning a device template to an IoT Edge device, you may want to define the modules and writable properties in the device template. To add the modules and property definitions to a device template:

+1. Navigate to the **Modules Summary** page of the IoT Edge device template.

+1. Select **Import modules from manifest**.

+1. Select the appropriate deployment manifest from the list.

+1. Select **Import**. IoT Central adds the custom modules defined in the deployment manifest to the device template. The names of the modules in the device template match the names of the custom modules in the deployment manifest. The generated interface includes property definitions for the properties defined for the custom module in the deployment manifest:

+## Next steps

+Now that you've learned how to manage IoT Edge deployment manifests in your Azure IoT Central application, the suggested next step is to learn how to [How to connect devices through an IoT Edge transparent gateway](how-to-connect-iot-edge-transparent-gateway.md).

+1. Choose **Cloud property**, **Property**, **Command**, **Change device template**, or **Change edge deployment manifest** as the **Job type**:

+ To configure a **Property** job, select a property and set its new value. A property job can set multiple properties. To configure a **Command** job, choose the command to run. To configure a **Change device template** job, select the device template to assign to the devices in the device group. To configure a **Change edge deployment manifest** job, select the IoT Edge deployment manifest to assign to the IoT Edge devices in the device group.

+**Edge deployment manifests**

+| Name | Dependencies |

+| - | -- |

+| Read instance | None <br/> Other dependencies: View device templates, device groups, device instances |

+| Manage instance | Read instance <br /> Other dependencies: View device templates, device groups, device instances |

+| Read global | None |

+| Manage global | Read global |

+| Full Control | Read instance, Manage instance, Read global, Manage global <br/> Other dependencies: View device templates, device groups, device instances. Update device instances |

+1. In the [Azure Cloud Shell](https://shell.azure.com/), clone the GitHub repository that contains the module source code:

+1. In your IoT Central application, navigate to the **Edge manifests** page.

+1. Select **+ New**. Enter a name such as *Transformer* for your deployment manifest, and then upload the *moduledeployment.json* file you downloaded previously. The deployment manifest includes a custom module called *transformmodule*.

+1. Select **Next** and then **Create**.

+1. Enter *IoT Edge gateway device* as the device template name. Don't select **This is a gateway device**.

+1. Select **Next: Review**, then select **Create**.

+1. On the **Create a model** page, select **Custom model**.

+1. In the model, select **Modules** and then **Import modules from manifest**. Select the **Transformer** deployment manifest and then select **Import**.

+1. Select **IoT Edge gateway device** and select **Create a device**. Enter *IoT Edge gateway device* as the device name, enter *gateway-01* as the device ID, make sure **IoT Edge gateway device** is selected as the device template and **No** is selected as **Simulate this device?**. Select **Transformer** as the edge manifest. Select **Create**.

+1. In the list of devices, click on the **Downstream 01** device, and then select **Connect**.

+[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure-Samples%2Fiot-central-docs-samples%2Fmain%2Ftransparent-gateway-1-1%2FDeployGatewayVMs.json)

+Set up the data export to send data to your Device bridge:

+1. Add a filter to only export device data for the device template you're using. Select **+ Filter**, select item **Device template**, select the operator **Equals**, and select the **Compute model** device template you created.

+The sample device you use to test the scenario is written in Node.js. Make sure you have Node.js and npm installed on your local machine. If you don't want to install these prerequisites, use the [Azure Cloud Shell](https://shell.azure.com/) that has them preinstalled.

+1. In your IoT Central application, navigate to the device called **computeDevice**. On the **Raw data** view, there are two different telemetry streams that show up around every five seconds. The stream with unmodeled data is the original telemetry, the stream with modeled data is the data that the function transformed:

+1. Select **Import a model** and upload the *FileUploadDeviceDcm.json* model file from the folder `iotc-file-upload-device\setup` in the repository you downloaded previously.

+To manage IoT Edge devices, you can use the IoT Central UI to create and edit [deployment manifests](concepts-iot-edge.md), and then deploy them to your IoT Edge devices. You can also run commands in IoT Edge modules from within IoT Central.

+ **Edge manifests** lets you import and manage deployment manifests for the IoT Edge devices that connect to your application.

+The device templates page is where you can view and create device templates in the application. To learn more, see [Connect Azure IoT Edge devices to an Azure IoT Central application](concepts-iot-edge.md).

+### Edge manifests

+The edge manifests page is where you can import and manage IoT Edge deployment manifests in the application. To learn more, see the [Define a new device type in your Azure IoT Central application](howto-set-up-template.md) tutorial.

+ :::image type="content" source="media/quick-deploy-iot-central/iot-central-create-new-application.png" alt-text="Build your IoT application page" lightbox="media/quick-deploy-iot-central/iot-central-create-new-application.png":::

+ :::image type="content" source="media/quick-deploy-iot-central/iot-central-create-custom.png" alt-text="Azure IoT Central Create an application page" lightbox="media/quick-deploy-iot-central/iot-central-create-custom.png":::

+ :::image type="content" source="media/quick-deploy-iot-central/iot-central-application.png" alt-text="Azure IoT Central application" lightbox="media/quick-deploy-iot-central/iot-central-application.png":::

+ :::image type="content" source="media/quick-deploy-iot-central/create-device.png" alt-text="Screenshot that shows create a device in IoT Central." lightbox="media/quick-deploy-iot-central/create-device.png":::

+ :::image type="content" source="media/quick-deploy-iot-central/device-name.png" alt-text="A screenshot that shows the highlighted device name that you can select." lightbox="media/quick-deploy-iot-central/device-name.png":::

+ :::image type="content" source="media/quick-deploy-iot-central/device-registration.png" alt-text="Screenshot that shows the QR code you can use to connect the smartphone app." lightbox="media/quick-deploy-iot-central/device-registration.png":::

+ :::image type="content" source="media/quick-deploy-iot-central/iot-central-telemetry.png" alt-text="Screenshot of the overview page with telemetry plots." lightbox="media/quick-deploy-iot-central/iot-central-telemetry.png":::

+ :::image type="content" source="media/quick-export-data/data-transformation-query.png" alt-text="Screenshot that shows the data transformation query for the export." lightbox="media/quick-export-data/data-transformation-query.png":::

+> [Tutorial: Use device groups to analyze device telemetry](tutorial-use-device-groups.md)

+ Title: Tutorial - Connect an IoT Edge device to Azure IoT Central | Microsoft Docs

+description: This tutorial shows you how to connect an IoT Edge device to your IoT Central application. You first create an unassigned device, and then add a device template to enable views and forms for an operator to be able to interact with the device.

+# Customer intent: As a solution developer, I want to learn how to connect an IoT Edge device to IoT Central and then configure views and forms so that I can interact with the device.

+# Tutorial: Connect an IoT Edge device to your Azure IoT Central application

+This tutorial shows you how to connect an IoT Edge device to your Azure IoT Central application. The IoT Edge device runs a module that sends temperature, pressure, and humidity telemetry to your application. You use a device template to enable views and forms that let you interact with the module on the IoT Edge device.

+In this tutorial, you learn how to:

+> [!div class="checklist"]

+> * Import an IoT Edge deployment manifest into your IoT Central application.

+> * Add an IoT Edge device that uses this deployment manifest to your application.

+> * Connect the IoT Edge device to your application.

+> * Monitor the IoT Edge runtime from your application.

+> * Add a device template with views and forms to your application.

+> * View the telemetry sent from the device in your application.

+## Prerequisites

+To complete the steps in this tutorial, you need:

+You also need to be able to upload configuration files to your IoT Central application from your local machine.

+## Import a deployment manifest

+A deployment manifest specifies the configuration of an IoT Edge device including the details of any custom modules the device should download and run. IoT Edge devices that connect to an IoT Central application download their deployment manifests from the application.

+To add a deployment manifest to IoT Central to use in this tutorial:

+1. Download and save the [EnvironmentalSensorManifest-1-4.json](https://raw.githubusercontent.com/Azure-Samples/iot-central-docs-samples/main/iotedge/EnvironmentalSensorManifest-1-4.json) deployment manifest to your local machine.

+1. In your IoT Central application, navigate to the **Edge manifests** page.

+1. Select **+ New**.

+1. On the **Customize** page, enter *Environmental Sensor* as the name and then upload the *EnvironmentalSensorManifest-1-4.json* file.

+1. After the manifest file is validated, select **Next**.

+1. The **Review and finish** page shows the modules defined in the manifest, including the **SimulatedTemperatureSensor** custom module. Select **Create**.

+The **Edge manifests** list now includes the **Environmental sensor** manifest:

+## Add an IoT Edge device

+Before the IoT Edge device can connect to your IoT Central application, you need to add it to the list of devices and get its credentials:

+1. In your IoT Central application, navigate to the **Devices** page.

+1. On the **Devices** page, make sure that **All devices** is selected. Then select **+ New**.

+1. On the **Create a new device** page:

+ * Enter *Environmental sensor - 001* as the device name.

+ * Enter *env-sens-001* as the device ID.

+ * Make sure that the device template is **unassigned**.

+ * Make sure that the device isn't simulated.

+ * Set **Azure IoT Edge device** to **Yes**.

+ * Select the **Environmental sensor** IoT Edge deployment manifest.

+1. Select **Create**.

+The list of devices on the **Devices** page now includes the **Environmental sensor - 001** device. The device status is **Registered**:

+Before you deploy the IoT Edge device, you need the:

+* **ID Scope** of your IoT Central application.

+* **Device ID** values for the gateway and downstream devices.

+* **Primary key** values for the gateway and downstream devices.

+To find these values, navigate to the **Environmental sensor - 001** device from the **Devices** page and select **Connect**. Make a note of these values before you continue.

+## Deploy the IoT Edge device

+In this tutorial, you deploy the IoT Edge runtime to a Linux virtual machine in Azure. To deploy and configure the virtual machine, select the following button:

+[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure-Samples%2Fiot-central-docs-samples%2Fmain%2Fedge-vm-deploy-1-4%2FedgeDeploy.json)

+On the **Custom deployment** page, use the following values to complete the form:

+| Setting | Value |

+| - | -- |

+| `Resource group` | Create a new resource group with a name such as *MyIoTEdgeDevice_rg*. |

+| `Region` | Select a region close to you. |

+| `Dns Label Prefix` | A unique DNS prefix for your virtual machine. |

+| `Admin Username` | *AzureUser* |

+| `Admin Password` | A password of your choice to access the virtual machine. |

+| `Scope Id` | The ID scope you made a note of previously. |

+| `Device Id` | The device ID you made a note of previously. |

+| `Device Key` | The device key you made a note of previously. |

+Select **Review + create** and then **Create**. Wait for the deployment to finish before you continue.

+## Manage the IoT Edge device

+To verify the deployment of the IoT Edge device was successful:

+1. In your IoT Central application, navigate to the **Devices** page. Check the status of the **Environmental sensor - 001** device is **Provisioned**. You may need to wait for a few minutes while the device connects.

+1. Navigate to the **Environmental sensor - 001** device.

+1. On the **Modules** page, check the status of the three modules is **Running**.

+On the **Modules** page, you can view status information about the modules and perform actions such as viewing their logs and restarting them.

+## View raw data

+On the **Raw data** page for the **Environmental sensor - 001** device, you can see the telemetry it's sending and the property values it's reporting.

+At the moment, the IoT Edge device doesn't have a device template assigned, so all the data from the device is **Unmodeled**. Without a device template, there are no views or dashboards to display custom device information in the IoT Central application. However, you can use data export to forward the data to other services for analysis or storage.

+## Add a device template

+A deployment manifest may include definitions of properties exposed by a module. For example, the configuration in the deployment manifest for the **SimulatedTemperatureSensor** module includes the following:

+```json

+"SimulatedTemperatureSensor": {

+ "properties.desired": {

+ "SendData": true,

+ "SendInterval": 10

+ }

+}

+```

+The following steps show you how to add a device template for an IoT Edge device and the module property definitions from the deployment manifest:

+1. In your IoT Central application, navigate to the **Device templates** page and select **+ New**.

+1. On the **Select type** page, select **Azure IoT Edge**, and then **Next: Customize**.

+1. On the **Customize** page, enter **Environmental sensor** as the device template name.

+1. On the **Review** page, select **Create**.

+1. On the **Create a model** page, select **Custom model**.

+1. On the **Environmental sensor** page, select **Modules**, then **Import modules from manifest**.

+1. In the **Import modules** dialog, select the **Environmental sensor** deployment manifest, then **Import**.

+The device template now includes a module called **SimulatedTemperatureSensor**, with an interface called **management**. This interface includes definitions of the **SendData** and **SendInterval** properties from the deployment manifest.

+A deployment manifest can only define module properties, not commands or telemetry. To add the telemetry definitions to the device template:

+1. Download and save the [EnvironmentalSensorTelemetry.json](https://raw.githubusercontent.com/Azure-Samples/iot-central-docs-samples/main/iotedge/EnvironmentalSensorTelemetry.json) interface definition to your local machine.

+1. Navigate to the **SimulatedTemperatureSensor** module in the **Environmental sensor** device template.

+1. Select **Add inherited interface** (you may need to select **...** to see this option). Select **Import interface**. Then import the *EnvironmentalSensorTelemetry.json* file you previously downloaded.

+The module now includes a **telemetry** interface that defines **machine**, **ambient**, and **timeCreated** telemetry types:

+To add a view that plots telemetry from the device:

+1. In the **Environmental sensor** device template, select **Views**.

+1. On the **Select to add a new view** page, select **Visualizing the device**.

+1. Enter *Environmental telemetry* as the view name.

+1. Select **Start with devices**. Then add the following telemetry types:

+ * **ambient/temperature**

+ * **humidity**

+ * **machine/temperature**

+ * **pressure**

+1. Select **Add tile**, then **Save**.

+1. To publish the template, select **Publish**.

+## View telemetry and control module

+To view the telemetry from your device, you need to attach the device to the device template:

+1. Navigate to the **Devices** page and select the **Environmental sensor - 001** device.

+1. Select **Migrate**.

+1. In the **Migrate** dialog, select the **Environmental sensor** device template, and select **Migrate**.

+1. Navigate to the **Environmental sensor - 001** device and select the **Environmental telemetry** view.

+1. The line chart plots the four telemetry values you selected for the view:

+ :::image type="content" source="media/tutorial-connect-iot-edge-device/environmental-telemetry-view.png" alt-text="Screenshot that shows the telemetry line charts.":::

+1. The **Raw data** page now includes columns for the **ambient**, **machine**, and **timeCreated** telemetry values.

+To control the module by using the properties defined in the deployment manifest, navigate to the **Environmental sensor - 001** device and select the **Manage** view.

+IoT Central created this view automatically from the **manage** interface in the **SimulatedTemperatureSensor** module. The **Raw data** page now includes columns for the **SendData** and **SendInterval** properties.

+## Clean up resources

+## Next steps

+If you'd prefer to continue through the set of IoT Central tutorials and learn more about building an IoT Central solution, see:

+> [!div class="nextstepaction"]

+> [Create a gateway device template](./tutorial-define-gateway-device-type.md)

+Modify the **Overview** view to include the temperature telemetry:

+1. In the **Sensor Controller** device template, select the **Overview** view.

+1. On the **Working Set, SensorAltitude, SensorHumid, SensorLight** tile, select **Edit**.

+1. Update the title to **Telemetry**.

+1. Add the **Temperature** capability to the list of telemetry values shown on the chart. Then **Save** the changes.

+Now publish the device template.

+## Add a simulated device

+To test the rule you create in the next section, add a simulated device to your application:

+1. Select **Devices** in the left-navigation panel. Then select **Sensor Controller**.

+1. Select **+ New**. In the **Create a new device** panel, leave the default device name and device ID values. Toggle **Simulate this device?** to **Yes**.

+1. Select **Create**.

+1. Select the **Sensor Controller** device template. By default, the rule automatically applies to all the devices assigned to the device template:

+ :::image type="content" source="media/tutorial-create-telemetry-rules/device-filters.png" alt-text="Screenshot that shows the selection of the device template in the rule definition." lightbox="media/tutorial-create-telemetry-rules/device-filters.png":::

+ To filter for a subset of the devices, select **+ Filter** and use device properties to identify the devices. To disable the rule, toggle the **Enabled/Disabled** button.

+1. Next, choose **Is greater than** as the **Operator** and enter _70_ as the **Value**:

+ :::image type="content" source="media/tutorial-create-telemetry-rules/aggregate-condition-filled-out.png" alt-text="Screenshot that shows the aggregate condition filled out." lightbox="media/tutorial-create-telemetry-rules/aggregate-condition-filled-out.png":::

+ Optionally, you can set a **Time aggregation**. When you select a time aggregation, you must also select an aggregation type, such as average or sum from the aggregation drop-down.

+ :::image type="content" source="media/tutorial-create-telemetry-rules/configure-action.png" alt-text="Screenshot that shows the email action for the rule." lightbox="media/tutorial-create-telemetry-rules/configure-action.png":::

+* Respond to writable property updates made by an operator. For example, an operator could change the telemetry send interval.

+1. Select **Boolean** as the schema type, set **Writable** on, and then select **Save**.

+1. In the **Smart Building gateway device** template, select **Smart Building gateway device** model.

+ | Display name | Capability type | Semantic type | Schema |

+ | -- | | - | |

+ | Last Service Date | Cloud property | None | Date |

+ | Customer Name | Cloud property | None | String |

+1. Keep the generated **Device ID** and **Device name**. Make sure that the **Simulated** switch is **Yes**. Select **Create**.

+To create simulated downstream devices:

+1. Keep the generated **Device ID** and **Device name**. Make sure that the **Simulated** switch is **Yes**. Select **Create**.

+1. Keep the generated **Device ID** and **Device name**. Make sure that the **Simulated** switch is **Yes**. Select **Create**.

+When you connect a downstream device, you can modify the provisioning payload to include the ID of the gateway device. The model ID lets IoT Central assign the device to the correct downstream device template. The gateway ID lets IoT Central establish the relationship between the downstream device and its gateway. In this case the provisioning payload the device sends looks like the following JSON:

+> [Create a rule and set up notifications in your Azure IoT Central application](tutorial-create-telemetry-rules.md)

+Add two cloud properties to the **Sensor Controller** model in the device template:

+1. Select **+ Add capability** and then use the information in the following table to add two cloud properties to your device template:

+ | Display name | Capability type | Semantic type | Schema |

+ | -- | | - | |

+ | Last Service Date | Cloud property | None | Date |

+ | Customer Name | Cloud property | None | String |

+1. Select the **Contoso devices** device group you created. Then add both the **Temperature** and **SensorHumid** telemetry types.

+ :::image type="content" source="media/tutorial-use-device-groups/export-data.png" alt-text="Screenshot that shows how to export data for the Contoso devices." lightbox="media/tutorial-use-device-groups/export-data.png":::

+Now that you've learned how to use device groups in your Azure IoT Central application, here's the suggested next step:

+> [Connect an IoT Edge device to your Azure IoT Central application](tutorial-connect-iot-edge-device.md)

+01. You'll need to transfer the certificates and keys to each device. You can use a USB drive, a service like [Azure Key Vault](../key-vault/general/overview.md), or with a function like [Secure file copy](https://www.ssh.com/ssh/scp/). Choose one of these methods that best matches your scenario. Copy the files to the preferred directory for certificates and keys. Use `/var/aziot/certs` for certificates and `/var/aziot/secrets` for keys.

+01. Transfer the **root CA certificate**, **parent device CA certificate**, and **parent private key** to the parent device. The examples in this article use the preferred directory `/var/aziot` for the certificates and keys.

+ sudo cp /var/aziot/certs/azure-iot-test-only.root.ca.cert.pem /usr/local/share/ca-certificates/azure-iot-test-only.root.ca.cert.pem.crt

+ sudo cp /var/aziot/certs/azure-iot-test-only.root.ca.cert.pem /etc/pki/ca-trust/source/anchors/azure-iot-test-only.root.ca.cert.pem.crt

+ trust_bundle_cert = "file:///var/aziot/certs/azure-iot-test-only.root.ca.cert.pem"

+ cert = "file:///var/aziot/certs/iot-edge-device-ca-gateway.cert.pem"

+ pk = "file:///var/aziot/secrets/iot-edge-device-ca-gateway.key.pem"

+ trust_bundle_cert = "file:///var/aziot/certs/azure-iot-test-only.root.ca.cert.pem"

+ cert = "file:///var/aziot/certs/iot-edge-device-ca-gateway.cert.pem"

+ pk = "file:///var/aziot/secrets/iot-edge-device-ca-gateway.key.pem"

+01. Transfer the **root CA certificate**, **child device CA certificate**, and **child private key** to the child device. The examples in this article use the directory `/var/aziot` for the certificates and keys directory.

+ sudo cp /var/aziot/certs/azure-iot-test-only.root.ca.cert.pem /usr/local/share/ca-certificates/azure-iot-test-only.root.ca.cert.pem.crt

+ sudo cp /var/aziot/certs/azure-iot-test-only.root.ca.cert.pem /etc/pki/ca-trust/source/anchors/azure-iot-test-only.root.ca.cert.pem.crt

+ trust_bundle_cert = "file:///var/aziot/certs/azure-iot-test-only.root.ca.cert.pem"

+ cert = "file:///var/aziot/certs/iot-edge-device-ca-downstream.cert.pem"

+ pk = "file:///var/aziot/secrets/iot-edge-device-ca-downstream.key.pem"

+ trust_bundle_cert = "file:///var/aziot/certs/azure-iot-test-only.root.ca.cert.pem"

+ cert = "file:///var/aziot/certs/iot-edge-device-ca-downstream.cert.pem"

+ pk = "file:///var/aziot/secrets/iot-edge-device-ca-downstream.key.pem"

+1. If you created the certificates on a different machine, copy them over to your IoT Edge device. You can use a USB drive, a service like [Azure Key Vault](../key-vault/general/overview.md), or with a function like [Secure file copy](https://www.ssh.com/ssh/scp/).

+1. Move the files to the preferred directory for certificates and keys. Use `/var/aziot/certs` for certificates and `/var/aziot/secrets` for keys.

+1. Change the ownership and permissions of the certificates and keys.

+ ```bash

+ sudo chown aziotcs:aziotcs /var/aziot/certs

+ sudo chown -R iotedge /var/aziot/certs

+ sudo chmod 644 /var/aziot/secrets/

+ ```

+1. Copy the certificates to the EFLOW virtual machine to a directory where you have write access. For example, the `/home/iotedge-user` home directory.

+ ```powershell

+ # Copy the IoT Edge device CA certificate and key

+ Copy-EflowVMFile -fromFile <path>\certs\iot-edge-device-ca-<cert name>-full-chain.cert.pem -toFile ~/iot-edge-device-ca-<cert name>-full-chain.cert.pem -pushFile

+ Copy-EflowVMFile -fromFile <path>\private\iot-edge-device-ca-<cert name>.key.pem -toFile ~/iot-edge-device-ca-<cert name>.key.pem -pushFile

+ # Copy the root CA certificate

+ Copy-EflowVMFile -fromFile <path>\certs\azure-iot-test-only.root.ca.cert.pem -toFile ~/azure-iot-test-only.root.ca.cert.pem -pushFile

+ ```

+1. Create the certificates directory. You should store your certificates and keys to the preferred `/var/aziot` directory. Use `/var/aziot/certs` for certificates and `/var/aziot/secrets` for keys.

+ sudo mkdir -p /var/aziot/certs

+ sudo mkdir -p /var/aziot/secrets

+1. Move the certificates and keys to the preferred `/var/aziot` directory.

+ # Move the IoT Edge device CA certificate and key to preferred location

+ sudo mv ~/iot-edge-device-ca-<cert name>-full-chain.cert.pem /var/aziot/certs

+ sudo mv ~/iot-edge-device-ca-<cert name>.key.pem /var/aziot/secrets

+ sudo mv ~/azure-iot-test-only.root.ca.cert.pem /var/aziot/certs

+1. Change the ownership and permissions of the certificates and keys.

+ ```bash

+ sudo chown -R iotedge /var/aziot/certs

+ sudo chmod 644 /var/aziot/secrets/iot-edge-device-ca-<cert name>.key.pem

+

+1. Exit the EFLOW VM connection.

+ ```bash

+ exit

+How does *ContosoIotHub* verify it's communicating with *EdgeGateway*? Verification is done by checking the certificate at the IoTHub application code level. This step happens together with the *TLS handshake* (IoT Hub doesn't support mutual TLS). Authentication of the client doesn't happen at the TLS level, only at the application layer. For simplicity, we'll skip some steps in the following diagram.

+In summary, *ContosoIotHub* can trust *EdgeGateway* because *EdgeGateway* presents a valid **IoT Edge device identity certificate** whose thumbprint matches the one registered in IoT Hub.

+How does *TempSensor* verify it's communicating with the genuine *EdgeGateway?* When *TempSensor* wants to talk to the *EdgeGateway*, *TempSensor* needs *EdgeGateway* to show an ID. The ID must be issued by an authority that *TempSensor* trusts.

+1. On the IoT Edge device, create the `/var/aziot` directory if it doesn't exist then change directory to it.

+ # Create the /var/aziot/certs directory if it doesn't exist

+ sudo mkdir -p /var/aziot/certs

+ # Change directory to /var/aziot/certs

+ cd /var/aziot/certs

+1. Retrieve the CA certificate from the EST server into the `/var/aziot/certs` directory and name it `cacert.crt.pem`.

+ sudo chown aziotks:aziotks /var/aziot/certs/*.pem

+1. Transfer the `cacert.crt.pem` file from your device to a computer with access to the Azure portal such as your development computer. An easy way to transfer the certificate is to remotely connect to your device, display the certificate using the command `cat /var/aziot/certs/cacert.crt.pem`, copy the entire output, and paste the contents to a new file on your development computer.

+ "file:///var/aziot/certs/cacert.crt.pem",

+| DiffGen | [Azure/iot-hub-device-update-delta](https://github.com/Azure/iot-hub-device-update-delta) GitHub repo | Select _Microsoft.Azure.DeviceUpdate.Diffs_ under the Packages section on the right side of the page. From there you can install from the cmd line or select _package.nupkg_ under the Assets section on the right side of the page to download the package. [Learn more about NuGet packages](https://learn.microsoft.com/nuget/).|

+1. From the folder where you downloaded or cloned the SDK, navigate to the `azure-iot-sdk-csharp\iothub\device\samples\how to guides\HubRoutingSample` folder.

+1. Install the Azure IoT C# SDK and necessary dependencies as specified in the `HubRoutingSample.csproj` file:

+For details on certificate creation, see [Certificate creation methods](create-certificate.md).

+- [Certificate creation methods](create-certificate.md)

+description: Learn how to manage access to an Azure load testing resource using Azure role-based access control (Azure RBAC).

+In this article, you learn how to manage access (authorization) to an Azure load testing resource. [Azure role-based access control (Azure RBAC)](../role-based-access-control/overview.md) is used to manage access to Azure resources, such as the ability to create new resources or use existing ones. You can grant role-based access to users using the Azure portal, Azure Command-Line tools, or Azure Management APIs.

+## Roles in Azure Load Testing

+In Azure Load Testing, access is granted by assigning the appropriate Azure role to users, groups, and applications at the load testing resource scope. Following are the built-in roles supported by a load testing resource:

+| Role | Description |

+## Role permissions

+The following tables describe the specific permissions given to each role. This can include Actions, which give permissions, and Not Actions, which restrict them.

+### Load Test Owner

+A Load Test Owner can manage everything, including access. The following table shows the permissions granted for the role:

+| Actions | Description |

+| - | -- |

+| Microsoft.Resources/deployments/* | Create and manage resource group deployments. |

+| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |

+| Microsoft.Insights/alertRules/* | Create and manage alert rules. |

+| Microsoft.Authorization/*/read | Read authorization. |

+| Microsoft.LoadTestService/* | Create and manage load testing resources. |

+| DataActions | Description |

+| - | -- |

+| Microsoft.LoadTestService/loadtests/* | Start, stop, and manage load tests. |

+### Load Test Contributor

+A Load Test Contributor can manage everything except access. The following table shows the permissions granted for the role:

+| Actions | Description |

+| - | -- |

+| Microsoft.Resources/deployments/* | Create and manage resource group deployments. |

+| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |

+| Microsoft.Insights/alertRules/* | Create and manage alert rules. |

+| Microsoft.Authorization/*/read | Read authorization. |

+| Microsoft.LoadTestService/*/read | Create and manage load testing resources. |

+| DataActions | Description |

+| - | -- |

+| Microsoft.LoadTestService/loadtests/* | Start, stop, and manage load tests. |

+### Load Test Reader

+A Load Test Reader can view all the resources in a load testing resource but can't make any changes. The following table shows the permissions granted for the role:

+| Actions | Description |

+| - | -- |

+| Microsoft.Resources/deployments/* | Create and manage resource group deployments. |

+| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |

+| Microsoft.Insights/alertRules/* | Create and manage alert rules. |

+| Microsoft.Authorization/*/read | Read authorization. |

+| Microsoft.LoadTestService/*/read | Create and manage load testing resources. |

+| DataActions | Description |

+| - | -- |

+| Microsoft.LoadTestService/loadtests/readTest/action | Read load tests. |

+## Configure Azure RBAC for your load testing resource

+The following section shows you how to configure Azure RBAC on your load testing resource through the Azure portal and PowerShell.

+### Configure Azure RBAC using the Azure portal

+1. Sign in to the [Azure portal](https://portal.azure.com/) and open your load testing resource from the **Azure Load Testing** page.

+1. Select **Access control (IAM)** and select a role from the list of available roles. You can choose any of the available built-in roles that an Azure load testing resource supports or any custom role you might have defined. Assign the role to a user to which you want to give permissions.

+ For detailed steps, see [Assign Azure roles using the Azure portal](/azure/role-based-access-control/role-assignments-portal).

+#### Remove role assignments from a user

+You can remove the access permission for a user who isn't managing the Azure load testing resource, or who no longer works for the organization. The following steps show how to remove the role assignments from a user. For detailed steps, see [Remove Azure role assignments](/azure/role-based-access-control/role-assignments-remove):

+1. Open **Access control (IAM)** at a scope, such as management group, subscription, resource group, or resource, where you want to remove access.

+1. Select the **Role assignments** tab to view all the role assignments at this scope.

+1. In the list of role assignments, add a checkmark next to the user with the role assignment you want to remove.

+1. Select **Remove**, and then select **Yes** to confirm.

+### Configure Azure RBAC using PowerShell

+You can also configure role-based access to a load testing resource using the following [Azure PowerShell cmdlets](/azure/role-based-access-control/role-assignments-powershell):

+* [Get-AzRoleDefinition](/powershell/module/Az.Resources/Get-AzRoleDefinition) lists all Azure roles that are available in Azure Active Directory. You can use this cmdlet with the Name parameter to list all the actions that a specific role can perform.

+ ```azurepowershell-interactive

+ Get-AzRoleDefinition -Name 'Load Test Contributor'

+ ```

+

+ The following is the example output:

+ ```output

+ Name : Load Test Contributor

+ Id : 00000000-0000-0000-0000-000000000000

+ IsCustom : False

+ Description : View, create, update, delete and execute load tests. View and list load test resources but can not make any changes.

+ Actions : {Microsoft.LoadTestService/*/read, Microsoft.Authorization/*/read, Microsoft.Resources/deployments/*, Microsoft.Resources/subscriptions/resourceGroups/read…}

+ NotActions : {}

+ DataActions : {Microsoft.LoadTestService/loadtests/*}

+ NotDataActions : {}

+ AssignableScopes : {/}

+ ```

+* [Get-AzRoleAssignment](/powershell/module/az.resources/get-azroleassignment) lists Azure role assignments at the specified scope. Without any parameters, this cmdlet returns all the role assignments made under the subscription. Use the `ExpandPrincipalGroups` parameter to list access assignments for the specified user, as well as the groups that the user belongs to.

+ **Example**: Use the following cmdlet to list all the users and their roles within a load testing resource.

+ ```azurepowershell-interactive

+ Get-AzRoleAssignment -Scope '/subscriptions/<SubscriptionID>/resourcegroups/<Resource Group Name>/Providers/Microsoft.LoadTestService/loadtests/<Load Test Name>'

+ ```

+* Use [New-AzRoleAssignment](/powershell/module/Az.Resources/New-AzRoleAssignment) to assign access to users, groups, and applications to a particular scope.

+ **Example**: Use the following command to assign the "Load Test Reader" role for a user in the load testing resource scope.

+ ```azurepowershell-interactive

+ New-AzRoleAssignment -SignInName <sign-in Id of a user you wish to grant access> -RoleDefinitionName 'Load Test Reader' -Scope '/subscriptions/<SubscriptionID>/resourcegroups/<Resource Group Name>/Providers/Microsoft.LoadTestService/loadtests/<Load Testing resource name>'

+ ```

+* Use [Remove-AzRoleAssignment](/powershell/module/Az.Resources/Remove-AzRoleAssignment) to remove access of a specified user, group, or application from a particular scope.

+ **Example**: Use the following command to remove the user from the Load Test Reader role in the load testing resource scope.

+ ```azurepowershell-interactive

+ Remove-AzRoleAssignment -SignInName <sign-in Id of a user you wish to remove> -RoleDefinitionName 'Load Test Reader' -Scope '/subscriptions/<SubscriptionID>/resourcegroups/<Resource Group Name>/Providers/Microsoft.LoadTestService/loadtests/<Load Testing resource name>'

+ ```

+* Azure API Management

+* Azure App Service

+* Azure App Service plan

+* Azure Application Insights

+ * [Azure Functions Core Tools - 3.x version](https://github.com/Azure/azure-functions-core-tools/releases/tag/3.0.4868) by using the Microsoft Installer (MSI) version, which is `func-cli-X.X.XXXX-x*.msi`. These tools include a version of the same runtime that powers the Azure Functions runtime, which the Azure Logic Apps (Standard) extension uses in Visual Studio Code.

+ Title: Set up long-running tasks by calling workflows with Azure Functions

+description: Set up long-running tasks by creating an Azure Logic Apps workflow that monitors and responds to messages or events and uses Azure Functions to trigger the workflow.

+#Customer intent: As a logic apps developer, I want to set up a long-running task by creating a logic app workflow that monitors and responds to messages or events and uses Azure Functions to call the workflow.

+# Set up long running tasks by calling logic app workflows with Azure Functions

+When you need to deploy a long-running listener or task, you can create a logic app workflow that uses the Request trigger and Azure Functions to call that trigger and run the workflow.

+For example, you can create a function that listens for messages that arrive in an Azure Service Bus queue. When this event happens, the function calls the Request trigger, which works as a push trigger to automatically run your workflow.

+This how-to guide shows how to create a logic app workflow that starts with the Request trigger. You then create a function that listens to a Service Bus queue. When a message arrives in the queue, the function calls the endpoint created by the Request trigger to run your workflow.

+> [!NOTE]

+>

+> Although you can implement this behavior using either a Consumption or Standard logic app workflow,

+> this example continues with a Consumption workflow.

+## Prerequisites

+* An Azure account and subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* A Service Bus namespace. If you don't have a namespace, [create your namespace first](../service-bus-messaging/service-bus-create-namespace-portal.md). For more information, see [What is Azure Service Bus?](../service-bus-messaging/service-bus-messaging-overview.md)

+* A function app, which is a container for your functions. If you don't have a function app, [create your function app first](../azure-functions/functions-get-started.md), and make sure that you select .NET for the **Runtime stack** property.

+* Basic knowledge about [how to create a Consumption logic app workflow](quickstart-create-first-logic-app-workflow.md).

+## Create a logic app workflow

+1. In the [Azure portal](https://portal.azure.com), create a Consumption blank logic app by selecting the **Blank Logic App** template.

+1. After the designer opens, under the designer search box, select **Built-in**. In the search box, enter **request**.

+1. From the triggers list, select the trigger named **When a HTTP request is received**.

+ :::image type="content" source="./media/logic-apps-scenario-function-sb-trigger/when-http-request-received-trigger.png" alt-text="Screenshot of the designer in the portal. The search box contains 'http request.' Under 'Triggers,' 'When a HTTP request is received' is highlighted.":::

+ With the Request trigger, you can optionally enter a JSON schema to use with the queue message. JSON schemas help the designer understand the structure for the input data, and make the outputs easier for you to use in your workflow.

+1. To specify a schema, enter the schema in the **Request Body JSON Schema** box.

+ :::image type="content" source="./media/logic-apps-scenario-function-sb-trigger/when-http-request-received-trigger-schema.png" alt-text="Screenshot of the details of an HTTP request trigger. Some JSON code is visible in the 'Request Body JSON Schema' box.":::

+ :::image type="content" source="./media/logic-apps-scenario-function-sb-trigger/enter-sample-payload.png" alt-text="Screenshot of the details of an HTTP request trigger. Under 'Enter or paste a sample JSON payload,' some payload data is visible.":::

+ The sample payload that's pictured earlier generates the following schema, which appears in the trigger:

+ ```json

+ {

+ "type": "object",

+ "properties": {

+ "address": {

+ "type": "object",

+ "properties": {

+ "number": {

+ "type": "integer"

+ },

+ "street": {

+ "type": "string"

+ },

+ "city": {

+ "type": "string"

+ },

+ "postalCode": {

+ "type": "integer"

+ },

+ "country": {

+ "type": "string"

+ }

+ ```

+1. Under the trigger, add any other actions that you want to use to process the received message.

+ For example, you can add an action that sends email with the Office 365 Outlook connector.

+1. Save your logic app workflow.

+ This step generates the callback URL for the Request trigger in your workflow. Later, you use this callback URL in the code for the Azure Service Bus Queue trigger. The callback URL appears in the **HTTP POST URL** property.

+ :::image type="content" source="./media/logic-apps-scenario-function-sb-trigger/callback-URL-for-trigger.png" alt-text="Screenshot of the details of an HTTP request trigger. Next to 'HTTP POST URL,' a URL is visible.":::

+Next, create the function that listens to the queue and calls the endpoint on the Request trigger when a message arrives.

+1. In the [Azure portal](https://portal.azure.com), open your function app.

+1. On the function app navigation menu, select **Functions**. On the **Functions** pane, select **Create**.

+ :::image type="content" source="./media/logic-apps-scenario-function-sb-trigger/add-new-function-to-function-app.png" alt-text="Screenshot of a function app with 'Functions' highlighted on the function app menu. The 'Functions' page is opened, and 'Create' is highlighted.":::

+1. Under **Select a template**, select the template named **Azure Service Bus Queue trigger**. After the **Template details** section appears, which shows different options based on your template selection, provide the following information:

+ | Property | Value | Description |

+ |-|-|-|

+ | **New Function** | <*function-name*> | Enter a name for your function. |

+ | **Service Bus connection** | <*Service-Bus-connection*> | Select **New** to set up the connection for your Service Bus queue, which uses the Service Bus SDK `OnMessageReceive()` listener. |

+ | **Queue name** | <*queue-name*> | Enter the name for your queue. |

+ :::image type="content" source="./media/logic-apps-scenario-function-sb-trigger/current-add-queue-trigger-template.png" alt-text="Screenshot of the 'Create function' pane with 'Azure Service Bus Queue trigger' highlighted, and template example details entered.":::

+1. When you're done, select **Create**.

+ The Azure portal now shows the **Overview** page for your new Azure Service Bus Queue trigger function.

+1. Now, write a basic function to call the endpoint for the logic app workflow that you created earlier. Before you write your function, review the following considerations:

+ * Trigger the function by using the message from the queue message.

+ The following example uses the [`Task.Run` method](/dotnet/api/system.threading.tasks.task.run) in [asynchronous](/dotnet/csharp/language-reference/keywords/async) mode. For more information, see [Asynchronous programming with async and await](/dotnet/csharp/programming-guide/concepts/async/). The example also uses the `application/json` message content type, but you can change this type as necessary.

+ // Set up the URI for the logic app workflow. You can also get this value on the logic app's 'Overview' pane, under the trigger history, or from an environment variable.

+ // Reuse the instance of HTTP clients if possible. For more information, see https://learn.microsoft.com/azure/azure-functions/manage-connections.

+## Test your logic app workflow

+For testing, add a message to your Service Bus queue by using the following steps or other tool:

+1. In the [Azure portal](https://portal.azure.com), open your Service Bus namespace.

+1. On the Service Bus namespace navigation menu, select **Queues**.

+ :::image type="content" source="./media/logic-apps-scenario-function-sb-trigger/service-bus-namespace-queues.png" alt-text="Screenshot of a Service Bus namespace. On the navigation menu, 'Queues' is highlighted.":::

+1. Select the Service Bus queue that you linked to your function earlier using a Service Bus connection.

+1. On the queue navigation menu, select **Service Bus Explorer**, and then on the toolbar, select **Send messages**.

+ :::image type="content" source="./media/logic-apps-scenario-function-sb-trigger/select-service-bus-explorer.png" alt-text="Screenshot of a Service Bus queue page in the portal, with 'Send messages' highlighted. On the navigation menu, 'Service Bus Explorer' is highlighted.":::

+1. On the **Send messages** pane, specify the message to send to your Service Bus queue.

+ This message triggers your logic app workflow.

+* [Call, trigger, or nest workflows by using HTTP endpoints](logic-apps-http-endpoint.md)

+The information in this article is based on code samples contained in the [azureml-examples](https://github.com/azure/azureml-examples) repository. To run the commands locally without having to copy/paste YAML and other files, clone the repo and then change directories to the `cli/endpoints/batch` if you are using the Azure CLI or `sdk/endpoints/batch` if you are using our SDK for Python.

+```azurecli

+git clone https://github.com/Azure/azureml-examples --depth 1

+cd azureml-examples/cli/endpoints/batch

+```

+## Prerequisites

+* A model registered in the workspace. In this tutorial, we'll use an MLflow model. Particularly, we are using the *heart condition classifier* created in the tutorial [Using MLflow models in batch deployments](how-to-mlflow-batch.md).

+* You must have an endpoint already created. If you don't, follow the instructions at [Use batch endpoints for batch scoring](how-to-use-batch-endpoint.md). This example assumes the endpoint is named `heart-classifier-batch`.

+* You must have a compute created where to deploy the deployment. If you don't, follow the instructions at [Create compute](how-to-use-batch-endpoint.md#create-compute). This example assumes the name of the compute is `cpu-cluster`.

+Batch Endpoints can be used for processing tabular data, but also any other file type like images. Those deployments are supported in both MLflow and custom models. In this tutorial, we will learn how to deploy a model that classifies images according to the ImageNet taxonomy.

+## About this sample

+The model we are going to work with was built using TensorFlow along with the RestNet architecture ([Identity Mappings in Deep Residual Networks](https://arxiv.org/abs/1603.05027)). A sample of this model can be downloaded from `https://azuremlexampledata.blob.core.windows.net/data/imagenet/model.zip`. The model has the following constrains that are important to keep in mind for deployment:

+The information in this article is based on code samples contained in the [azureml-examples](https://github.com/azure/azureml-examples) repository. To run the commands locally without having to copy/paste YAML and other files, clone the repo, and then change directories to the `cli/endpoints/batch` if you are using the Azure CLI or `sdk/endpoints/batch` if you are using our SDK for Python.

+```azurecli

+git clone https://github.com/Azure/azureml-examples --depth 1

+cd azureml-examples/cli/endpoints/batch

+```

+## Prerequisites

+* You must have a batch endpoint already created. This example assumes the endpoint is named `imagenet-classifier-batch`. If you don't have one, follow the instructions at [Use batch endpoints for batch scoring](how-to-use-batch-endpoint.md).

+* You must have a compute created where to deploy the deployment. This example assumes the name of the compute is `cpu-cluster`. If you don't, follow the instructions at [Create compute](how-to-use-batch-endpoint.md#create-compute).

+ import requests

+ requests.get('https://azuremlexampledata.blob.core.windows.net/data/imagenet/model.zip', allow_redirects=True)

+

+We need to create a scoring script that can read the images provided by the batch deployment and return the scores of the model. The following script:

+1. Although you can invoke a specific deployment inside of an endpoint, you will usually want to invoke the endpoint itself, and let the endpoint decide which deployment to use. Such deployment is named the "default" deployment. This gives you the possibility of changing the default deployment - and hence changing the model serving the deployment - without changing the contract with the user invoking the endpoint. Use the following instruction to update the default deployment:

+The information in this article is based on code samples contained in the [azureml-examples](https://github.com/azure/azureml-examples) repository. To run the commands locally without having to copy/paste YAML and other files, clone the repo and then change directories to the `cli/endpoints/batch` if you are using the Azure CLI or `sdk/endpoints/batch` if you are using our SDK for Python.

+```azurecli

+git clone https://github.com/Azure/azureml-examples --depth 1

+cd azureml-examples/cli/endpoints/batch

+```

+## Prerequisites

+* You must have a MLflow model. If your model is not in MLflow format and you want to use this feature, you can [convert your custom ML model to MLflow format](../how-to-convert-custom-model-to-mlflow.md).

+## About this sample

+The information in this article is based on code samples contained in the [azureml-examples](https://github.com/azure/azureml-examples) repository. To run the commands locally without having to copy/paste YAML and other files, clone the repo and then change directories to the `cli/endpoints/batch` if you are using the Azure CLI or `sdk/endpoints/batch` if you are using our SDK for Python.

+```azurecli

+git clone https://github.com/Azure/azureml-examples --depth 1

+cd azureml-examples/cli/endpoints/batch

+## Prerequisites

+* You must have an endpoint already created. If you don't please follow the instructions at [Use batch endpoints for batch scoring](how-to-use-batch-endpoint.md). This example assumes the endpoint is named `text-summarization-batch`.

+* You must have a compute created where to deploy the deployment. If you don't please follow the instructions at [Create compute](how-to-use-batch-endpoint.md#create-compute). This example assumes the name of the compute is `cpu-cluster`.

+* Due to the size of the model, it hasn't been included in this repository. Instead, you can generate a local copy with the following code. A local copy of the model will be placed at `bart-text-summarization/model`. We will use it during the course of this tutorial.

+ ```python

+ from transformers import pipeline

+ model = pipeline("summarization", model="facebook/bart-large-cnn")

+ model_local_path = 'bart-text-summarization/model'

+ summarizer.save_pretrained(model_local_path)

+ ```

+## About this example

+### Follow along in Jupyter Notebooks

+You can follow along this sample in the following notebooks. In the cloned repository, open the notebook: [mnist-batch.ipynb](https://github.com/Azure/azureml-examples/blob/main/sdk/python/endpoints/batch/mnist-batch.ipynb).

+## Prerequisites

+### Connect to your workspace

+First, let's connect to Azure Machine Learning workspace where we are going to work on.

+# [Azure ML CLI](#tab/cli)

+```azurecli

+az account set --subscription <subscription>

+az configure --defaults workspace=<workspace> group=<resource-group> location=<location>

+```

+# [Azure ML SDK for Python](#tab/sdk)

+The workspace is the top-level resource for Azure Machine Learning, providing a centralized place to work with all the artifacts you create when you use Azure Machine Learning. In this section, we'll connect to the workspace in which you'll perform deployment tasks.

+1. Import the required libraries:

+```python

+from azure.ai.ml import MLClient, Input

+from azure.ai.ml.entities import BatchEndpoint, BatchDeployment, Model, AmlCompute, Data, BatchRetrySettings

+from azure.ai.ml.constants import AssetTypes, BatchDeploymentOutputAction

+from azure.identity import DefaultAzureCredential

+```

+2. Configure workspace details and get a handle to the workspace:

+```python

+subscription_id = "<subscription>"

+resource_group = "<resource-group>"

+workspace = "<workspace>"

+ml_client = MLClient(DefaultAzureCredential(), subscription_id, resource_group, workspace)

+```

+# [studio](#tab/studio)

+Open the [Azure ML studio portal](https://ml.azure.com) and log in using your credentials.

+* [Azure Synapse Spark pool](how-to-link-synapse-ml-workspaces.md) (preview)

+ > [!TIP]

+ > Currently this requires the Azure Machine Learning SDK v1.

+* [Kubernetes](how-to-attach-kubernetes-anywhere.md)

+For more information, see [Manage compute resources](how-to-create-attach-compute-studio.md).

+Use the best model iteration to forecast values for data that wasn't used to train the model.

+

+### Evaluating model accuracy with a rolling forecast

+Before you put a model into production, you should evaluate its accuracy on a test set held out from the training data. A best practice procedure is a so-called rolling evaluation which rolls the trained forecaster forward in time over the test set, averaging error metrics over several prediction windows to obtain statistically robust estimates for some set of chosen metrics. Ideally, the test set for the evaluation is long relative to the model's forecast horizon. Estimates of forecasting error may otherwise be statistically noisy and, therefore, less reliable.

+For example, suppose you train a model on daily sales to predict demand up to two weeks (14 days) into the future. If there is sufficient historic data available, you might reserve the final several months to even a year of the data for the test set. The rolling evaluation begins by generating a 14-day-ahead forecast for the first two weeks of the test set. Then, the forecaster is advanced by some number of days into the test set and you generate another 14-day-ahead forecast from the new position. The process continues until you get to the end of the test set.

+To do a rolling evaluation, you call the `rolling_forecast` method of the `fitted_model`, then compute desired metrics on the result. For example, assume you have test set features in a pandas DataFrame called `test_features_df` and the test set actual values of the target in a numpy array called `test_target`. A rolling evaluation using the mean squared error is shown in the following code sample:

+```python

+from sklearn.metrics import mean_squared_error

+rolling_forecast_df = fitted_model.rolling_forecast(

+ test_features_df, test_target, step=1)

+mse = mean_squared_error(

+ rolling_forecast_df[fitted_model.actual_column_name], rolling_forecast_df[fitted_model.forecast_column_name])

+```

+In the above sample, the step size for the rolling forecast is set to 1 which means that the forecaster is advanced 1 period, or 1 day in our demand prediction example, at each iteration. The total number of forecasts returned by `rolling_forecast` thus depends on the length of the test set and this step size. For more details and examples see the [rolling_forecast() documentation](/python/api/azureml-training-tabular/azureml.training.tabular.models.forecasting_pipeline_wrapper_base.forecastingpipelinewrapperbase#azureml-training-tabular-models-forecasting-pipeline-wrapper-base-forecastingpipelinewrapperbase-rolling-forecast) and the [Forecasting away from training data notebook](https://github.com/Azure/azureml-examples/blob/main/v1/python-sdk/tutorials/automl-with-azureml/forecasting-forecast-function/auto-ml-forecasting-function.ipynb).

+

+### Prediction into the future

+With the Azure Machine Learning CLI, we can attach and manage a Synapse Spark pool from the command line interface, using intuitive YAML syntax and commands.

+This sample shows the expected output of the above command:

+This sample shows the expected output of the above command:

+This sample shows the expected output of the above command:

+This sample shows the expected output of the above command:

+This sample shows the expected output of the above command:

+The Azure Machine Learning studio UI also provides a way to detach an attached Synapse Spark pool. Follow these steps to do this:

+An attached Synapse Spark pool can be detached by executing the `az ml compute detach` command with name of the pool passed using `--name` parameter as shown here:

+This sample shows the expected output of the above command:

+ We will use an `MLClient.compute.begin_delete()` function call. Pass the `name` of the attached Synapse Spark pool, along with the action `Detach`, to the function. This code snippet detaches a Synapse Spark pool from an Azure Machine Learning workspace:

+- [Interactive Data Wrangling with Apache Spark in Azure Machine Learning (preview)](./interactive-data-wrangling-with-apache-spark-azure-ml.md)

+- [Submit Spark jobs in Azure Machine Learning (preview)](./how-to-submit-spark-jobs.md)

+Azure Machine Learning provides the ability to submit standalone machine learning jobs or creating a [machine learning pipeline](./concept-ml-pipelines.md) comprising multiple steps in a machine learning workflow. Azure Machine Learning supports creation of a standalone Spark job, and creation of a reusable Spark component that can be used in Azure Machine Learning pipelines. In this article you will learn how to submit Spark jobs using:

+- [An attached Synapse Spark pool in the Azure Machine Learning workspace](./how-to-manage-synapse-spark-pool.md).

+Spark jobs can use either user identity passthrough or a managed identity to access data and other resource. Different mechanisms for accessing resources while using attached Synapse Spark pool and Managed (Automatic) Spark compute are summarized in the following table.

+Once a Python script is developed by [interactive data wrangling](./interactive-data-wrangling-with-apache-spark-azure-ml.md), it can be used for submitting a batch job to process a larger volume of data after making necessary changes for parameterization of the Python script. A simple data wrangling batch job can be submitted as a standalone Spark job.

+A Spark job requires a Python script that takes arguments, which can be developed by modifying the Python code developed from [interactive data wrangling](./interactive-data-wrangling-with-apache-spark-azure-ml.md). A sample Python script is shown here.

+- `environment` - an [Azure Machine Learning environment](./reference-yaml-environment.md) to run the job.

+A Spark component allows the flexibility to use the same component in multiple [Azure Machine Learning pipelines](./concept-ml-pipelines.md) as a pipeline step.

+The Spark component defined in the above YAML specification file can be used in an Azure Machine Learning pipeline job. See [pipeline job YAML schema](./reference-yaml-job-pipeline.md) to learn more about the YAML syntax that defines a pipeline job. This is an example YAML specification file for a pipeline job, with a Spark component:

+- [What are Azure Machine Learning pipelines?](./concept-ml-pipelines.md)

+- [Submit Spark jobs in Azure Machine Learning (preview)](./how-to-submit-spark-jobs.md)

+> [!IMPORTANT]

+> You cannot delete an asset that has child assets.

+>

+> Currently, Microsoft Purview doesn't support cascaded deletes. For example, if you attempt to delete a storage account asset in your catalog the containers, folders and files within them will still exist in the data map and the the storage account asset will still exist in relation to them.

+1. Select **Add Recipient** and select **User**. Enter the Azure log in email address of who you want to share data with. By default, the option to enter email address of user is shown.

+

+Select **Add Recipient** and select **App** if you want to share data with a service principal. Enter the object ID and tenant ID of the recipient you want to share data with.

+Select **Create and Share**. Optionally, you can specify an **Expiration date** for when to terminate the share. You can share the same data with multiple recipients by clicking on **Add Recipient** multiple times.

+|| [SQL Server on Azure-Arc](register-scan-azure-arc-enabled-sql-server.md)| [Yes](register-scan-azure-arc-enabled-sql-server.md#register) | [Yes](register-scan-azure-arc-enabled-sql-server.md#scan) | No* |Preview: [1.DevOps policies](how-to-policies-devops-arc-sql-server.md) [2.Data Owner](how-to-policies-data-owner-arc-sql-server.md) | No |

+ Title: Connect to and manage Azure Arc-enabled SQL Server instances

+description: This guide describes how to connect to Azure Arc-enabled SQL Server in Microsoft Purview, and use Microsoft Purview's features to scan and manage your Azure Arc-enabled SQL Server source.

+# Connect to and manage an Azure Arc-enabled SQL Server instance in Microsoft Purview (Public preview)

+This article outlines how to register Azure Arc-enabled SQL Server instances, and how to authenticate and interact with an Azure Arc-enabled SQL Server instance in Microsoft Purview. For more information about Microsoft Purview, read the [introductory article](overview.md).

+## Supported capabilities

+|**Metadata Extraction**| **Full Scan** |**Incremental Scan**|**Scoped Scan**|**Classification**|**Access Policy**|**Lineage**|**Data Sharing**|

+|||||||||

+| [Yes](#register) | [Yes](#scan) | [Yes](#scan) | [Yes](#scan) | [Yes](#scan) | [1.DevOps policies](how-to-policies-devops-arc-sql-server.md) [2.Data Owner](how-to-policies-data-owner-arc-sql-server.md) | Limited** | No |

+\** Lineage is supported if dataset is used as a source/sink in [Data Factory Copy activity](how-to-link-azure-data-factory.md)

+The supported SQL Server versions are 2012 and above. SQL Server Express LocalDB is not supported.

+When scanning Azure Arc-enabled SQL Server, Microsoft Purview supports:

+- Extracting technical metadata including:

+ - Instance

+ - Databases

+ - Schemas

+ - Tables including the columns

+ - Views including the columns

+When setting up scan, you can choose to specify the database name to scan one database, and you can further scope the scan by selecting tables and views as needed. The whole Azure Arc-enabled SQL Server will be scanned if database name is not provided.

+## Prerequisites

+* An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* An active [Microsoft Purview account](create-catalog-portal.md).

+* You will need to be a Data Source Administrator and Data Reader to register a source and manage it in the Microsoft Purview governance portal. See our [Microsoft Purview Permissions page](catalog-permissions.md) for details.

+* Set up the latest [self-hosted integration runtime](https://www.microsoft.com/download/details.aspx?id=39717). For more information, see [the create and configure a self-hosted integration runtime guide](manage-integration-runtimes.md).

+## Register

+This section describes how to register an Azure Arc-enabled SQL Server instance in Microsoft Purview using the [Microsoft Purview governance portal](https://web.purview.azure.com/).

+### Authentication for registration

+There are two ways to set up authentication for scanning Azure Arc-enabled SQL Server with self-hosted integration runtime:

+- SQL Authentication

+- Windows Authentication

+#### Set up SQL server authentication

+If SQL Authentication is applied, ensure the SQL Server deployment is configured to allow SQL Server and Windows Authentication.

+To enable this, within SQL Server Management Studio (SSMS), navigate to "Server Properties" and change from "Windows Authentication Mode" to "SQL Server and Windows Authentication mode".

+If Windows Authentication is applied, configure the SQL Server deployment to use Windows Authentication mode.

+A change to the Server Authentication will require a restart of the SQL Server Instance and SQL Server Agent, this can be triggered within SSMS by navigating to the SQL Server instance and selecting "Restart" within the right-click options pane.

+##### Creating a new login and user

+If you would like to create a new login and user to be able to scan your SQL server, follow the steps below:

+The account must have access to the **master** database. This is because the `sys.databases` is in the master database. The Microsoft Purview scanner needs to enumerate `sys.databases` in order to find all the SQL databases on the server.

+> [!Note]

+> All the steps below can be executed using the code provided [here](https://github.com/Azure/Purview-Samples/blob/master/TSQL-Code-Permissions/grant-access-to-on-prem-sql-databases.sql)

+1. Navigate to SQL Server Management Studio (SSMS), connect to the server, navigate to security, select and hold (or right-click) on login and create New login. If Windows Authentication is applied, select "Windows authentication". If SQL Authentication is applied, make sure to select "SQL authentication".

+ :::image type="content" source="media/register-scan-azure-arc-enabled-sql-server/create-new-login-user.png" alt-text="Screenshot that shows how to create a new login and user.":::

+1. Select Server roles on the left navigation and ensure that public role is assigned.

+1. Select User mapping on the left navigation, select all the databases in the map and select the Database role: **db_datareader**.

+ :::image type="content" source="media/register-scan-azure-arc-enabled-sql-server/user-mapping.png" alt-text="Screenshot that shows user mapping.":::

+1. Select OK to save.

+1. If SQL Authentication is applied, navigate again to the user you created, by selecting and holding (or right-clicking) and selecting **Properties**. Enter a new password and confirm it. Select the 'Specify old password' and enter the old password. **It is required to change your password as soon as you create a new login.**

+ :::image type="content" source="media/register-scan-azure-arc-enabled-sql-server/change-password.png" alt-text="Screenshot that shows how to change a password.":::

+##### Storing your SQL login password in a key vault and creating a credential in Microsoft Purview

+1. Navigate to your key vault in the Azure portal1. Select **Settings > Secrets**

+1. Select **+ Generate/Import** and enter the **Name** and **Value** as the *password* from your SQL server login

+1. Select **Create** to complete

+1. If your key vault is not connected to Microsoft Purview yet, you will need to [create a new key vault connection](manage-credentials.md#create-azure-key-vaults-connections-in-your-microsoft-purview-account)

+1. Finally, [create a new credential](manage-credentials.md#create-a-new-credential) using the **username** and **password** to set up your scan. Make sure the right authentication method is selected when creating a new credential. If SQL Authentication is applied, select "SQL authentication" as the authentication method. If Windows Authentication is applied, then select "Windows authentication".

+### Steps to register

+1. Navigate to your Microsoft Purview account

+1. Under Sources and scanning in the left navigation, select **Integration runtimes**. Make sure a self-hosted integration runtime is set up. If it is not set up, follow the steps mentioned [here](manage-integration-runtimes.md) to create a self-hosted integration runtime for scanning on an on-premises or Azure VM that has access to your on-premises network.

+1. Select **Data Map** on the left navigation.

+1. Select **Register**

+1. Select **SQL server** and then **Continue**

+ :::image type="content" source="media/register-scan-azure-arc-enabled-sql-server/set-up-azure-arc-enabled-sql-data-source.png" alt-text="Screenshot that shows how to set up the SQL data source.":::

+1. Provide a friendly name, which will be a short name you can use to identify your server, and the server endpoint.

+1. Select **Finish** to register the data source.

+## Scan

+Follow the steps below to scan Azure Arc-enabled SQL Server instances to automatically identify assets and classify your data. For more information about scanning in general, see our [introduction to scans and ingestion](concept-scans-and-ingestion.md)

+### Create and run scan

+To create and run a new scan, do the following:

+1. Select the **Data Map** tab on the left pane in the [Microsoft Purview governance portal](https://web.purview.azure.com/resource/).

+1. Select the SQL Server source that you registered.

+1. Select **New scan**

+1. Select the credential to connect to your data source. The credentials are grouped and listed under different authentication methods.

+ :::image type="content" source="media/register-scan-azure-arc-enabled-sql-server/azure-arc-enabled-sql-set-up-scan-win-auth.png" alt-text="Screenshot that shows how to set up a scan.":::

+1. You can scope your scan to specific tables by choosing the appropriate items in the list.

+ :::image type="content" source="media/register-scan-azure-arc-enabled-sql-server/azure-arc-enabled-sql-scope-your-scan.png" alt-text="Screenshot that shows how to scope your scan.":::

+1. Then select a scan rule set. You can choose between the system default, existing custom rule sets, or create a new rule set inline.

+ :::image type="content" source="media/register-scan-azure-arc-enabled-sql-server/azure-arc-enabled-sql-scan-rule-set.png" alt-text="Screenshot that shows the scan rule set.":::

+1. Choose your scan trigger. You can set up a schedule or run the scan once.

+ :::image type="content" source="media/register-scan-azure-arc-enabled-sql-server/trigger-scan.png" alt-text="Screenshot that shows how to choose a trigger.":::

+1. Review your scan and select **Save and run**.

+## Next steps

+Now that you have registered your source, follow the below guides to learn more about Microsoft Purview and your data.

+- [Data Estate Insights in Microsoft Purview](concept-insights.md)

+- [Lineage in Microsoft Purview](catalog-lineage-user-guide.md)

+- [Search Data Catalog](how-to-search-catalog.md)

+> | [Azure Kubernetes Fleet Manager RBAC Admin](#azure-kubernetes-fleet-manager-rbac-admin) | This role grants admin access - provides write permissions on most objects within a namespace, with the exception of ResourceQuota object and the namespace object itself. Applying this role at cluster scope will give access across all namespaces. | 434fb43a-c01c-447e-9f67-c3ad923cfaba |

+> | [Azure Kubernetes Fleet Manager RBAC Writer](#azure-kubernetes-fleet-manager-rbac-writer) | Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces. | 5af6afb3-c06c-4fa4-8848-71a8aee05683 |

+> | [Azure Kubernetes Service RBAC Writer](#azure-kubernetes-service-rbac-writer) | Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces. | a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb |

+> | [Automation Contributor](#automation-contributor) | Manage Azure Automation resources and other resources using Azure Automation. | f353d9bd-d4a6-484e-a77a-8050b599b867 |

+> | [Load Test Contributor](#load-test-contributor) | View, create, update, delete and execute load tests. View and list load test resources but can not make any changes. | 749a398d-560b-491b-bb21-08924219302e |

+> | [Load Test Owner](#load-test-owner) | Execute all operations on load test resources and load tests. | 45bb0b16-2f0c-4e78-afaa-a07599b003f6 |

+> | [Load Test Reader](#load-test-reader) | View and list all load tests and load test resources but can not make any changes. | 3ae3fb29-0000-4ccd-bf80-542e7b26e081 |

+This role grants admin access - provides write permissions on most objects within a namespace, with the exception of ResourceQuota object and the namespace object itself. Applying this role at cluster scope will give access across all namespaces.

+ "description": "This role grants admin access - provides write permissions on most objects within a namespace, with the exception of ResourceQuota object and the namespace object itself. Applying this role at cluster scope will give access across all namespaces.",

+Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.

+ "description": "Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.",

+Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces. [Learn more](../aks/manage-azure-rbac.md)

+ "description": "Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.",

+### Load Test Contributor

+View, create, update, delete and execute load tests. View and list load test resources but can not make any changes.

+> [!div class="mx-tableFixed"]

+> | Actions | Description |

+> | | |

+> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments |

+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |

+> | Microsoft.LoadTestService/*/read | Read load testing resources |

+> | **NotActions** | |

+> | *none* | |

+> | **DataActions** | |

+> | Microsoft.LoadTestService/loadtests/* | Create and manage load tests |

+> | **NotDataActions** | |

+> | *none* | |

+```json

+{

+ "id": "/providers/Microsoft.Authorization/roleDefinitions/749a398d-560b-491b-bb21-08924219302e",

+ "properties": {

+ "roleName": "Load Test Contributor",

+ "description": "View, create, update, delete and execute load tests. View and list load test resources but can not make any changes.",

+ "assignableScopes": [

+ "/"

+ ],

+ "permissions": [

+ {

+ "actions": [

+ "Microsoft.LoadTestService/*/read",

+ "Microsoft.Authorization/*/read",

+ "Microsoft.Resources/deployments/*",

+ "Microsoft.Resources/subscriptions/resourceGroups/read",

+ "Microsoft.Insights/alertRules/*"

+ ],

+ "notActions": [],

+ "dataActions": [

+ "Microsoft.LoadTestService/loadtests/*"

+ ],

+ "notDataActions": []

+ }

+ ]

+ }

+}

+```

+### Load Test Owner

+Execute all operations on load test resources and load tests.

+> [!div class="mx-tableFixed"]

+> | Actions | Description |

+> | | |

+> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments |

+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |

+> | Microsoft.LoadTestService/* | Create and manage load testing resources |

+> | **NotActions** | |

+> | *none* | |

+> | **DataActions** | |

+> | Microsoft.LoadTestService/loadtests/* | Create and manage load tests |

+> | **NotDataActions** | |

+> | *none* | |

+```json

+{

+ "id": "/providers/Microsoft.Authorization/roleDefinitions/45bb0b16-2f0c-4e78-afaa-a07599b003f6",

+ "properties": {

+ "roleName": "Load Test Owner",

+ "description": "Execute all operations on load test resources and load tests",

+ "assignableScopes": [

+ "/"

+ ],

+ "permissions": [

+ {

+ "actions": [

+ "Microsoft.LoadTestService/*",

+ "Microsoft.Authorization/*/read",

+ "Microsoft.Resources/deployments/*",

+ "Microsoft.Resources/subscriptions/resourceGroups/read",

+ "Microsoft.Insights/alertRules/*"

+ ],

+ "notActions": [],

+ "dataActions": [

+ "Microsoft.LoadTestService/*"

+ ],

+ "notDataActions": []

+ }

+ ]

+ }

+}

+```

+### Load Test Reader

+View and list all load tests and load test resources but can not make any changes.

+> [!div class="mx-tableFixed"]

+> | Actions | Description |

+> | | |

+> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments |

+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |

+> | Microsoft.LoadTestService/*/Read | Read load testing resources |

+> | **NotActions** | |

+> | *none* | |

+> | **DataActions** | |

+> | Microsoft.LoadTestService/loadtests/readTest/action | Read load tests |

+> | **NotDataActions** | |

+> | *none* | |

+```json

+{

+ "id": "/providers/Microsoft.Authorization/roleDefinitions/3ae3fb29-0000-4ccd-bf80-542e7b26e081",

+ "properties": {

+ "roleName": "Load Test Reader",

+ "description": "View and list all load tests and load test resources but can not make any changes",

+ "assignableScopes": [

+ "/"

+ ],

+ "permissions": [

+ {

+ "actions": [

+ "Microsoft.LoadTestService/*/read",

+ "Microsoft.Authorization/*/read",

+ "Microsoft.Resources/deployments/*",

+ "Microsoft.Resources/subscriptions/resourceGroups/read",

+ "Microsoft.Insights/alertRules/*"

+ ],

+ "notActions": [],

+ "dataActions": [

+ "Microsoft.LoadTestService/loadtests/readTest/action"

+ ],

+ "notDataActions": []

+ }

+ ]

+ }

+}

+```

+> [!NOTE]

+> If needed, you can [update an existing Microsoft Sentinel for SAP data connector](update-sap-data-connector.md) to its latest version.

+Follow your deployment journey through this series of articles, in which you'll learn how to navigate each of the following steps.

+> [!NOTE]

+> If needed, you can [update an existing Microsoft Sentinel for SAP data connector](update-sap-data-connector.md) to its latest version.

+| **6. Microsoft Sentinel Solution for SAP** | [Configure Microsoft Sentinel Solution for SAP](deployment-solution-configuration.md) |

+`{Vault-ID}-asr-pod01-{type}-.{target-geo-code}.privatelink.siterecovery.windowsazure.com`

+ `{Vault-ID}-asr-pod01-{type}-.{target-geo-code}.privatelink.siterecovery.windowsazure.com`

+- [Tutorial: Set up disaster recovery for Azure VMs](./azure-to-azure-tutorial-enable-replication.md)

+|Replicated items in a classic Recovery Services vault| One or more replicated items that are protected using the classic architecture and a healthy configuration server.<br></br>The replicated item should be in a non-critical state and must be replicated from on-premises to Azure with the mobility agent running on version 9.50 or later.|

+- Replication is not happening to an un-managed storage account but rather to managed disk.

+|Classic architecture| Modernized architecture [New]|

+The following runtimes are deprecated in Azure Static Web Apps. For more information about changing your runtime, see [Specify API language runtime version in Azure Static Web Apps](https://azure.microsoft.com/updates/generally-available-specify-api-language-runtime-version-in-azure-static-web-apps/) and [Migrate apps from Azure Functions version 3.x to version 4.x](../azure-functions/migrate-version-3-version-4.md).

+This charge only applies to accounts with geo-replication configured, including GRS, RA-GRS and GZRS. Geo-replication data transfer incurs a per-gigabyte charge.

+To learn more about obtaining read access to secondary regions, see [Read access to data in the secondary region](../common/storage-redundancy.md?toc=/azure/storage/blobs/toc.json#read-access-to-data-in-the-secondary-region).

+To learn more about obtaining read access to secondary regions, see [Read access to data in the secondary region](../common/storage-redundancy.md?toc=/azure/storage/blobs/toc.json#read-access-to-data-in-the-secondary-region).

+Azure CLI commands for data operations against Blob storage support the `--auth-mode` parameter, which enables you to specify how to authorize a given operation. Set the `--auth-mode` parameter to `login` to authorize with Azure AD credentials. For more information, see [Authorize access to blob or queue data with Azure CLI](./authorize-data-operations-cli.md?toc=/azure/storage/blobs/toc.json).

+> [Azure CLI samples for Blob storage](storage-samples-blobs-cli.md?toc=/azure/storage/blobs/toc.json)

+- [Create a storage account](../common/storage-account-create.md?tabs=azure-portal&toc=/azure/storage/blobs/toc.json)

+- [Create a storage account](../common/storage-account-create.md?tabs=azure-portal&toc=/azure/storage/blobs/toc.json)

+- [Create a storage account](../common/storage-account-create.md?tabs=azure-portal&toc=/azure/storage/blobs/toc.json)

+Storage Insights is a dashboard on top of Azure Storage metrics and logs. You can use Storage Insights to examine the transaction volume and used capacity of all your accounts. That information can help you decide which accounts you might want to retire. To configure Storage Insights, see [Monitoring your storage service with Azure Monitor Storage insights](../common/storage-insights-overview.md?toc=/azure/azure-monitor/toc.json).

+From the [Storage Insights view in Azure monitor](../common/storage-insights-overview.md?toc=/azure/azure-monitor/toc.json#view-from-azure-monitor), sort your accounts in ascending order by using the **Transactions** column. The following image shows an account with low transaction volume over the specified period.

+Shared Key and SAS authentication provide no means of auditing individual identities. Therefore, if you want to improve your ability to audit based on identity, we recommended that you transition to Azure AD, and prevent shared key and SAS authentication. To learn how to prevent Shared Key and SAS authentication, see [Prevent Shared Key authorization for an Azure Storage account](../common/shared-key-authorization-prevent.md?toc=/azure/storage/blobs/toc.json&tabs=portal). To get started with Azure AD, see [Authorize access to blobs using Azure Active Directory](authorize-access-azure-active-directory.md).

+# What is BlobFuse? - BlobFuse2 (preview)

+To use client-side encryption from your Python code, reference the [Blob Storage client library](/python/api/overview/azure/storage-blob-readme). Make sure that you are using version 12.13.0 or later. If you need to migrate from an earlier version of the Python client library, see the [Blob Storage migration guide for Python](https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/storage/azure-storage-blob/migration_guide.md).

+For step-by-step guidance, see [Create a storage account](../common/storage-account-create.md?toc=/azure/storage/blobs/toc.json).

+For information about how to choose between them, see [storage account overview](../common/storage-account-overview.md?toc=/azure/storage/blobs/toc.json).

+Azure Data Lake Storage Gen2 also supports [Shared Key](/rest/api/storageservices/authorize-with-shared-key) and [SAS](../common/storage-sas-overview.md?toc=/azure/storage/blobs/toc.json) methods for authentication. A characteristic of these authentication methods is that no identity is associated with the caller and therefore security principal permission-based authorization cannot be performed.

+- [Overview of Azure Data Lake Storage for the data management and analytics scenario](/azure/cloud-adoption-framework/scenarios/data-management/best-practices/data-lake-overview?toc=/azure/storage/blobs/toc.json)

+- [Provision three Azure Data Lake Storage Gen2 accounts for each data landing zone](/azure/cloud-adoption-framework/scenarios/data-management/best-practices/data-lake-services?toc=/azure/storage/blobs/toc.json)

+When it completes connecting, Azure Storage Explorer loads with the **Explorer** tab shown. This view gives you insight to all of your Azure storage accounts as well as local storage configured through the [Azurite storage emulator](../common/storage-use-azurite.md?toc=/azure/storage/blobs/toc.json) or [Azure Stack](/azure-stack/user/azure-stack-storage-connect-se?toc=/azure/storage/blobs/toc.json) environments.

+When it completes connecting, Azure Storage Explorer loads with the **Explorer** tab shown. This view gives you insight to all of your Azure storage accounts as well as local storage configured through the [Azurite storage emulator](../common/storage-use-azurite.md?toc=/azure/storage/blobs/toc.json) or [Azure Stack](/azure-stack/user/azure-stack-storage-connect-se?toc=/azure/storage/blobs/toc.json) environments.

+- [Use Azure Data Lake Storage Gen2 with Azure HDInsight clusters](../../hdinsight/hdinsight-hadoop-use-data-lake-storage-gen2.md?toc=/azure/storage/blobs/toc.json)

+Use only the latest version of AzCopy ([AzCopy v10](../common/storage-use-azcopy-v10.md?toc=/azure/storage/tables/toc.json)). Earlier versions of AzCopy such as AzCopy v8.1, are not supported.