-Automatic provisioning refers to creating user identities and roles in the cloud applications that users need access to. In addition to creating user identities, automatic provisioning includes the maintenance and removal of user identities as status or roles change. Before you start a deployment, you can review this article to learn how Azure AD provision works and get configuration recommendations.

-Azure AD application provisioning refers to automatically creating user identities and roles in the applications that users need access to. In addition to creating user identities, automatic provisioning includes the maintenance and removal of user identities as status or roles change. Common scenarios include provisioning an Azure AD user into SaaS applications like [Dropbox](../../active-directory/saas-apps/dropboxforbusiness-provisioning-tutorial.md), [Salesforce](../../active-directory/saas-apps/salesforce-provisioning-tutorial.md), [ServiceNow](../../active-directory/saas-apps/servicenow-provisioning-tutorial.md), and more.

-You can provide single sign-on for on-premises applications published through Application Proxy that are secured with integrated Windows authentication. These applications require a Kerberos ticket for access. Application Proxy uses Kerberos Constrained Delegation (KCD) to support these applications.

-* [Troubleshoot issues you're having with Application Proxy](application-proxy-troubleshoot.md)

-description: Learn about Azure Active Directory certificate-based authentication on iOS devices

-# Azure Active Directory certificate-based authentication on iOS

-## Prerequisites

-## Support for on-device certificates and external storage

-## Supported platforms

-## Microsoft mobile applications support

-## Support for Exchange ActiveSync clients

-As for iOS 16/iPadOS 16.1, Apple devices provide native driver support for USB-C or Lightning connected CCID-compliant smart cards. This means Apple devices on iOS 16/iPadOS 16.1 will see a USB-C or Lightning connected CCID-compliant device as a smart card without the use of additional drivers or 3rd party apps. Azure AD CBA will work on these USB-A or USB-C, or Lightning connected CCID-compliant smart cards.

-Even though the native Smartcard/CCID driver is available on iOS/iPadOS for Lightning connected CCID-compliant smart cards, the YubiKey 5Ci Lightning connector is not seen as a connected smart card on these devices without the use of PIV (Personal Identity Verification) middleware like the Yubico Authenticator.

-1. Click **Continue** and the iOS certificate picker will appear.

-#### What will happen if the user has certificates both on the iOS device and YubiKey?

-The iOS certificate picker will show all the certificates on both iOS device and the ones copied from YubiKey into iOS device. Depending on the certificate user picks they will be either taken to YubiKey authenticator to enter PIN or directly authenticated.

-#### Once CBA fails, clicking on the CBA option again in the ΓÇÿOther ways to signinΓÇÖ link on the error page fails.

-This issue happens because of certificate caching. We are working to add a fix to clear the cache. As a workaround, clicking cancel and restarting the login flow will let the user choose a new certificate and successfully login.

-Certificate based authentication and Conditional Access authentication strength capability makes it powerful for customers to enforce authentication needs. Edge as a profile (add an account) will work with a hardware security key like YubiKey and conditional access policy with authentication strength capability can enforce phishing-resistant authentication with CBA.

-CBA support for YubiKey is available in the latest Microsoft Authentication Library (MSAL) libraries, any third-party application that integrates the latest MSAL, and all Microsoft first party applications can leverage CBA and Conditional Access authentication strength.

-On iOS, users will see a "double prompt", where they must click the option to use certificate-based authentication twice. We're working to create a seamless user experience.

-Most hacking related breaches use either stolen or weak passwords. Often, IT will enforce stronger password complexity or frequent password changes to reduce the risk of a security incident. However, this increases help desk costs and leads to poor user experiences as users are required to memorize or store new, complex passwords.

-FIDO2 security keys offer an alternative. FIDO2 security keys can replace weak credentials with strong hardware-backed public/private-key credentials which can't be reused, replayed, or shared across services. Security keys support shared device scenarios, allowing you to carry your credential with you and safely authenticate to an Azure Active Directory joined Windows 10 device thatΓÇÖs part of your organization.

-Microsoft partners with FIDO2 security key vendors to ensure that security devices work on Windows, the Microsoft Edge browser, and online Microsoft accounts, to enable strong password-less authentication.

-You can become a Microsoft-compatible FIDO2 security key vendor through the following process. Microsoft doesn't commit to do go-to-market activities with the partner and will evaluate partner priority based on customer demand.

-1. First, your authenticator needs to have a FIDO2 certification. We won't be able to work with providers who don't have a FIDO2 certification. To learn more about the certification, please visit this website: [https://fidoalliance.org/certification/](https://fidoalliance.org/certification/)

-2. After you have a FIDO2 certification, please fill in your request to our form here: [https://forms.office.com/r/NfmQpuS9hF](https://forms.office.com/r/NfmQpuS9hF). Our engineering team will only test compatibility of your FIDO2 devices. We won't test security of your solutions.

-3. Once we confirm a move forward to the testing phase, the process usually take about 3-6 months. The steps usually involve:

- - Initial discussion between Microsoft and your team.

- - Verify FIDO Alliance Certification or the path to certification if not complete

- - Receive an overview of the device from the vendor

- - Microsoft will share our test scripts with you. Our engineering team will be able to answer questions if you have any specific needs.

- - You'll complete and send all passed results to Microsoft Engineering team

-4. Upon successful passing of all tests by Microsoft Engineering team, Microsoft will confirm vendor's device is listed in [the FIDO MDS](https://fidoalliance.org/metadata/).

-5. Microsoft will add your FIDO2 Security Key on Azure AD backend and to our list of approved FIDO2 vendors.

-|| Multifactor authentication (MFA) ¹| ✅ |

-|**Frontline workers**|SMS sign-in | Feature not available. |

-|| Delegated user management portal (My Staff) | Feature not available. |

-¹Microsoft Authenticator only shows GUID and not UPN for compliance reasons.

-|Azure AD threat intelligence | Feature not available. |

-|Anomalous Token | Feature not available. |

-|Token Issuer Anomaly| Feature not available. |

-|Azure AD threat intelligence | Feature not available. |

-Some configuration steps to be done before you enable Azure AD CBA. First, an admin must configure the trusted CAs that issue user certificates. As seen in the following diagram, we use role-based access control to make sure only least-privileged administrators are needed to make changes. Only the [Privileged Authentication Administrator](../roles/permissions-reference.md#privileged-authentication-administrator) role can configure the CA.

->Number matching is a key security upgrade to traditional second factor notifications in Microsoft Authenticator. We will remove the admin controls and enforce the number match experience tenant-wide for all users starting February 27, 2023.<br>

-Number matching isn't supported for Apple Watch notifications. Apple Watch users need to use their phone to approve notifications when number matching is enabled.

-### What happens if a user runs an older version of Microsoft Authenticator?

-If a user is running an older version of Microsoft Authenticator that doesn't support number matching, authentication won't work if number matching is enabled. Users need to upgrade to the latest version of Microsoft Authenticator to use it for sign-in.

-### Why is my user prompted to tap on one out of three numbers instead of entering the number in their Microsoft Authenticator app?

-Older versions of Microsoft Authenticator prompt users to tap and select a number instead of entering the number in their Microsoft Authenticator app. These authentications won't fail, but we highly recommend that users update to the latest version of the app to be able to enter the number.

-* Each Azure AD data center tracks lockout independently. A user has (*threshold_limit * datacenter_count*) number of attempts, if the user hits each data center.

-description: Learn how to configure the role claim issued in the SAML token for enterprise applications in Azure Active Directory

-# Configure the role claim issued in the SAML token for enterprise applications

-By using Azure Active Directory (Azure AD), you can customize the claim type for the role claim in the response token that you receive after you authorize an app.

-> This article explains on how to create/update/delete application roles on the service principal using APIs in Azure AD. If you would like to use the new user interface for App Roles then please see the details [here](./howto-add-app-roles-in-azure-ad-apps.md).

-## When to use this feature

-Use this feature if your application expects custom roles in the SAML response returned by Azure AD. You can create as many roles as you need.

-## Create roles for an application

-1. In the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>, in the left pane, select the **Azure Active Directory** icon.

- ![Azure Active Directory icon][1]

-2. Select **Enterprise applications**. Then select **All applications**.

- ![Enterprise applications pane][2]

-3. To add a new application, select the **New application** button on the top of the dialog box.

- !["New application" button][3]

-4. In the search box, type the name of your application, and then select your application from the result panel. Select the **Add** button to add the application.

- 

-5. After the application is added, go to the **Properties** page and copy the object ID.

- 

-6. Open [Microsoft Graph Explorer](https://developer.microsoft.com/graph/graph-explorer) in another window and take the following steps:

- 1. Sign in to the Graph Explorer site by using the Global Administrator or coadmin credentials for your tenant.

- 1. You need sufficient permissions to create the roles. Select **modify permissions** to get the permissions.

- 

- > [!NOTE]

- > Cloud App Administrator and App Administrator role will not work in this scenario as we need the Global Administrator permissions for Directory Read and Write.

- 1. Select the following permissions from the list (if you don't have these already) and select **Modify Permissions**.

- 

- 1. Accept the consent. You're logged in to the system again.

- 1. Change the version to **beta**, and fetch the list of service principals from your tenant by using the following query:

- `https://graph.microsoft.com/beta/servicePrincipals`

- If you're using multiple directories, follow this pattern: `https://graph.microsoft.com/beta/contoso.com/servicePrincipals`

- 

- 1. From the list of fetched service principals, get the one that you need to modify. You can also use Ctrl+F to search the application from all the listed service principals. Search for the object ID that you copied from the **Properties** page, and use the following query to get to the service principal:

- `https://graph.microsoft.com/beta/servicePrincipals/<objectID>`

- 

- 1. Extract the **appRoles** property from the service principal object.

- 

- If you're using the custom app (not the Azure Marketplace app), you see two default roles: user and msiam_access. For the Marketplace app, msiam_access is the only default role. You don't need to make any changes in the default roles.

- > [!NOTE]

- > When you are creating multiple roles, please don't modify the default role content just add the new msiam_access block of code for the new role.

- 1. Generate new roles for your application.

- The following JSON is an example of the **appRoles** object. Create a similar object to add the roles that you want for your application.

- ```json

- "appRoles": [

- {

- "allowedMemberTypes": [

- "User"

- ],

- "description": "msiam_access",

- "displayName": "msiam_access",

- "id": "b9632174-c057-4f7e-951b-be3adc52bfe6",

- "isEnabled": true,

- "origin": "Application",

- "value": null

- },

- {

- "allowedMemberTypes": [

- "User"

- ],

- "description": "Administrators Only",

- "displayName": "Admin",

- "id": "4f8f8640-f081-492d-97a0-caf24e9bc134",

- "isEnabled": true,

- "origin": "ServicePrincipal",

- "value": "Administrator"

- }

- ]

- ```

- You can only add new roles after msiam_access for the patch operation. Also, you can add as many roles as your organization needs. Azure AD will send the value of these roles as the claim value in the SAML response. To generate the GUID values for the ID of new roles use the web tools like [this](https://www.guidgenerator.com/)

- 1. Go back to Graph Explorer and change the method from **GET** to **PATCH**. Patch the service principal object to have the desired roles by updating the **appRoles** property like the one shown in the preceding example. Select **Run Query** to execute the patch operation. A success message confirms the creation of the role.

- 

-1. After the service principal is patched with more roles, you can assign users to the respective roles. You can assign the users by going to portal and browsing to the application. Select the **Users and groups** tab. This tab lists all the users and groups that are already assigned to the app. You can add new users on the new roles. You can also select an existing user and select **Edit** to change the role.

- 

- To assign the role to any user, select the new role and select the **Assign** button on the bottom of the page.

- 

-

- Refresh your session in the Azure portal to see new roles.

-1. Update the **Attributes** table to define a customized mapping of the role claim.

-1. In the **User Claims** section on the **User Attributes** dialog, perform the following steps to add SAML token attribute as shown in the below table:

- | Attribute name | Attribute value |

- | -- | -|

- | Role name | user.assignedroles |

- If the role claim value is null, then Azure AD will not send this value in the token and this is default as per design.

- 1. Click **Edit** icon to open **User Attributes & Claims** dialog.

- 

- 1. In the **Manage user claims** dialog, add the SAML token attribute by clicking on **Add new claim**.

- 

- 

- 1. In the **Name** box, type the attribute name as needed. This example uses **Role Name** as the claim name.

- 1. Leave the **Namespace** box blank.

- 1. From the **Source attribute** list, type the attribute value shown for that row.

- 1. Select **Save**.

-10. To test your application in a single sign-on that's initiated by an identity provider, sign in to the [Access Panel](https://myapps.microsoft.com) and select your application tile. In the SAML token, you should see all the assigned roles for the user with the claim name that you have given.

-## Update an existing role

-1. Sign in to the Graph Explorer site by using the Global Administrator or coadmin credentials for your tenant.

-1. Change the version to **beta**, and fetch the list of service principals from your tenant by using the following query:

- `https://graph.microsoft.com/beta/servicePrincipals`

- If you're using multiple directories, follow this pattern: `https://graph.microsoft.com/beta/contoso.com/servicePrincipals`

- 

-1. From the list of fetched service principals, get the one that you need to modify. You can also use Ctrl+F to search the application from all the listed service principals. Search for the object ID that you copied from the **Properties** page, and use the following query to get to the service principal:

- `https://graph.microsoft.com/beta/servicePrincipals/<objectID>`

- 

-1. Extract the **appRoles** property from the service principal object.

- 

-1. To update the existing role, use the following steps.

- 

- 1. Change the method from **GET** to **PATCH**.

- 1. Copy the existing roles and paste them under **Request Body**.

- 1. Update the value of a role by updating the role description, role value, or role display name as needed.

- 1. After you update all the required roles, select **Run Query**.

-## Delete an existing role

-To delete an existing role, perform the following steps:

-1. Open [Microsoft Graph Explorer](https://developer.microsoft.com/graph/graph-explorer) in another window.

-1. Sign in to the Graph Explorer site by using the Global Administrator or coadmin credentials for your tenant.

-1. Change the version to **beta**, and fetch the list of service principals from your tenant by using the following query:

- `https://graph.microsoft.com/beta/servicePrincipals`

- If you're using multiple directories, follow this pattern: `https://graph.microsoft.com/beta/contoso.com/servicePrincipals`

- 

-1. From the list of fetched service principals, get the one that you need to modify. You can also use Ctrl+F to search the application from all the listed service principals. Search for the object ID that you copied from the **Properties** page, and use the following query to get to the service principal:

- `https://graph.microsoft.com/beta/servicePrincipals/<objectID>`

- 

-1. Extract the **appRoles** property from the service principal object.

- 

-1. To delete the existing role, use the following steps.

- 

- 1. Change the method from **GET** to **PATCH**.

- 1. Copy the existing roles from the application and paste them under **Request Body**.

- 1. Set the **IsEnabled** value to **false** for the role that you want to delete.

- 1. Select **Run Query**.

- Make sure that you have the msiam_access role, and the ID is matching in the generated role.

-1. After the role is disabled, delete that role block from the **appRoles** section. Keep the method as **PATCH**, and select **Run Query**.

-1. After you run the query, the role is deleted.

- The role needs to be disabled before it can be removed.

-For additional steps, see the [app documentation](../saas-apps/tutorial-list.md).

-<!--Image references-->

-[1]: ./media/active-directory-enterprise-app-role-management/tutorial_general_01.png

-[2]: ./media/active-directory-enterprise-app-role-management/tutorial_general_02.png

-[3]: ./media/active-directory-enterprise-app-role-management/tutorial_general_03.png

-[4]: ./media/active-directory-enterprise-app-role-management/tutorial_general_04.png

->This information last updated on February 3rd, 2023.<br/>You can also download a CSV version of this table [here](https://download.microsoft.com/download/e/3/e/e3e9faf2-f28b-490a-9ada-c6089a1fc5b0/Product%20names%20and%20service%20plan%20identifiers%20for%20licensing.csv).

-Teams differentiates between external users (outside your organization) and guest users (guest accounts). You can manage collaboration setting in the [Teams Admin portal](https://admin.teams.microsoft.com/company-wide-settings/external-communications) under Org-wide settings. Authorized account credentials are required to sign in to the Teams Admin portal.

-* [Microsoft 365 identity models and Azure AD](/microsoft-365/enterprise/about-microsoft-365-identity)

-# Azure Active Directory integrations with authentication and synchronization protocols

-Microsoft Azure Active Directory (Azure AD) enables integration with many authentication and synchronization protocols. The authentication integrations enable you to use Azure AD and its security and management features with little or no changes to your applications that use legacy authentication methods. The synchronization integrations enable you to sync user and group data to Azure AD, and then user Azure AD management capabilities. Some sync patterns also enable automated provisioning.

-

-## Synchronization patterns

-The following table presents Azure AD integration with synchronization patterns and their capabilities. Select the name of a pattern to see

-* A detailed description

-* When to use it

-* Architectural diagram

-* Explanation of system components

-* Links for how to implement the integration

-| Synchronization pattern| Directory synchronization| User provisioning |

-| - | - | - |

-| [Directory synchronization](sync-directory.md)| | |

-| [LDAP Synchronization](sync-ldap.md)| | |

-| [SCIM synchronization](sync-scim.md)| |  |

-| Permissions | Apply the principle of least permission:<li>Don't assign permissions to built-in groups, such as administrators<li>Remove local machine permissions, where feasible<li>Tailor access, and use AD delegation for directory access<li>Use granular access permissions<li>Set account expiration and location restrictions on user-based service accounts |

-| Monitor and audit use| <li>Monitor sign-in data, and ensure it matches the intended usage <li>Set alerts for anomalous usage |

-* Account expiration - set the service account to automatically expire, after its review period, unless the account can continue

-* LogonWorkstations - restrict service account sign-in permissions

-* Can't change password - set the parameter to **true** to prevent the service account from changing its own password

-* Sign in to the [LogonWorkstation](/powershell/module/activedirectory/set-aduser)

-* [Password policy](../../active-directory-domain-services/password-policy.md) requirements

-* Create accounts in an [organizational unit location](/windows-server/identity/ad-ds/plan/delegating-administration-of-account-ous-and-resource-ous) that ensures only some users will manage it

-* Set up and collect auditing that detects [service account changes](/windows/security/threat-protection/auditing/audit-directory-service-changes), and [service account usage](https://www.manageengine.com/products/active-directory-audit/how-to/audit-kerberos-authentication-events.html)

- * MSAs - see, [Uninstall the account](/powershell/module/activedirectory/uninstall-adserviceaccount?view=winserver2012-ps&preserve-view=true). Use PowerShell, or delete it manually from the managed service account container.

- * Computer or user accounts - manually delete the account from Active Directory

-## Assess gSMA security posture

-| gMSA is a member of privileged groups | <li>Review your group memberships. Create a PowerShell script to enumerate group memberships. Filter the resultant CSV file by gMSA file names.<li>Remove the gMSA from privileged groups.<li>Grant the gMSA rights and permissions it requires to run its service. See your service vendor.

-| gMSA has read/write access to sensitive resources | <li>Audit access to sensitive resources.<li>Archive audit logs to a SIEM, such as Azure Log Analytics or Microsoft Sentinel, for analysis.<li>Remove unnecessary resource permissions if there's an unnecessary access level. |

-1. Ensure the [Key Distribution Service (KDS) root key](/windows-server/security/group-managed-service-accounts/create-the-key-distribution-services-kds-root-key) is deployed in the forest. This is a one-time operation.

-2. [Create a new gMSA](/windows-server/security/group-managed-service-accounts/getting-started-with-group-managed-service-accounts).

-

- > [!NOTE]

- > Before configuring your service to use the gMSA, see [Get started with group managed service accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj128431(v=ws.11)).

-* [What is Azure RBAC?](../../role-based-access-control/overview.md)

-### Tenant-service principal relationships

-To learn more, see [Application and service principal relationship](../develop/app-objects-and-service-principals.md)

-* Azure command-line interface (CLI)

- ### Challenges and mitigations

-See, [Conditional Access for workload identities](../conditional-access/workload-identity.md#create-a-location-based-conditional-access-policy)

- > For Privileged Access Groups (Preview), you must select **Group owner(s)**. It is mandatory to assign at least one fallback reviewer to the review. The review will only assign active owner(s) as the reviewer(s). Eligible owners are not included. If there are no active owners when the review begins, the fallback reviewer(s) will be assigned to the review.

-Allows users to be added to Microsoft 365 and cloud-only security groups. Mail-enabled, distribution, dynamic and privileged access groups are not supported. To control access to on-premises applications and resources, you need to enable group writeback. For more information, see [Azure AD Connect group writeback](../hybrid/how-to-connect-group-writeback-v2.md).

-Allows users to be removed from Microsoft 365 and cloud-only security groups. Mail-enabled, distribution, dynamic and privileged access groups are not supported. To control access to on-premises applications and resources, you need to enable group writeback. For more information, see [Azure AD Connect group writeback](../hybrid/how-to-connect-group-writeback-v2.md).

-Allows users to be removed from every Microsoft 365 and cloud-only security group they're a member of. Mail-enabled, distribution, dynamic and privileged access groups are not supported. To control access to on-premises applications and resources, you need to enable group writeback. For more information, see [Azure AD Connect group writeback](../hybrid/how-to-connect-group-writeback-v2.md).

-The first time you enable the password hash synchronization feature, it performs an initial synchronization of the passwords of all in-scope users. You cannot explicitly define a subset of user passwords that you want to synchronize. However, if there are multiple connectors, it is possible to disable password hash sync for some connectors but not others using the [Set-ADSyncAADPasswordSyncConfiguration](../../active-directory-domain-services/tutorial-configure-password-hash-sync.md) cmdlet.

-A user must enter their corporate credentials a second time to authenticate to Azure AD, regardless of whether they're signed in to their corporate network. This pattern can be minimized, however, if the user selects the Keep me signed in (KMSI) check box at sign-in. This selection sets a session cookie that bypasses authentication for 180 days. KMSI behavior can be enabled or disabled by the Azure AD administrator. In addition, you can reduce password prompts by turning on [Seamless SSO](how-to-connect-sso.md), which automatically signs users in when they are on their corporate devices connected to your corporate network.

-It is recommended to enable *EnforceCloudPasswordPolicyForPasswordSyncedUsers* prior to enabling password hash sync, so that the initial sync of password hashes does not add the `DisablePasswordExpiration` value to the PasswordPolicies attribute for the users.

->If you are migrating from AD FS (or other federation technologies) to Password Hash Synchronization, we highly recommend that you follow our detailed deployment guide published [here](https://aka.ms/adfstophsdpdownload).

-* [Get a step-by-step deployment plan for migrating from ADFS to Password Hash Synchronization](https://aka.ms/authenticationDeploymentPlan)

->If you are migrating from AD FS (or other federation technologies) to Pass-through Authentication, we highly recommend that you follow our detailed deployment guide published [here](https://aka.ms/adfstoPTADPDownload).

-### In the Azure Active Directory admin center

-2. Install the [latest version of Azure AD Connect](https://www.microsoft.com/download/details.aspx?id=47594) on the server identified in the preceding step. If you already have Azure AD Connect running, ensure that the version is 1.1.750.0 or later.

->Pass-through Authentication is a tenant-level feature. Turning it on affects the sign-in for users across _all_ the managed domains in your tenant. If you're switching from Active Directory Federation Services (AD FS) to Pass-through Authentication, you should wait at least 12 hours before shutting down your AD FS infrastructure. This wait time is to ensure that users can keep signing in to Exchange ActiveSync during the transition. For more help on migrating from AD FS to Pass-through Authentication, check out our detailed deployment plan published [here](https://aka.ms/adfstoptadpdownload).

-1. Sign in to the [Azure Active Directory admin center](https://aad.portal.azure.com) with the Hybrid Identity Administrator credentials for your tenant.

-1. To download the latest version of the Authentication Agent (version 1.5.193.0 or later), sign in to the [Azure Active Directory admin center](https://aad.portal.azure.com) with your tenant's Hybrid Identity Administrator credentials.

-1. Azure AD first requests that a Hybrid Identity Administratoristrator sign in to Azure AD with their credentials. During sign-in, the Authentication Agent acquires an access token that it can use on behalf of the

-> Selective password hash synchronization is supported in 1.6.2.4 or later. If you are using a version lower than that, please upgrade to the latest version.

->[!Note]

-> For groups used for elevating into Azure AD roles, we recommend that you require an approval process for eligible member assignments. Assignments that can be activated without approval can leave you vulnerable to a security risk from less-privileged administrators. For example, the Helpdesk Administrator has permission to reset an eligible user's passwords.

->Every user who is eligible for membership in or ownership of a privileged access group must have an Azure AD Premium P2 license. For more information, see [License requirements to use Privileged Identity Management](subscription-requirements.md).

-1. If the assignment should be permanent (permanently eligible or permanently assigned), select the **Permanently** checkbox. Depending on the group's settings, the check box might not appear or might not be editable. For more information, check out the [Configure privileged access group settings (preview) in Privileged Identity Management](groups-role-settings.md#assignment-duration) article.

-Privileged Identity Management sends email notifications to administrators and affected users of privileged access group assignments that are expiring:

-In Privileged Identity Management (PIM) for groups in Azure Active Directory (Azure AD), part of Microsoft Entra, role settings define membership/ownership assignment properties: MFA and approval requirements for activation, assignment maximum duration, notification settings, etc. Use the following steps to configure role settings ΓÇô i.e., setup the approval workflow to specify who can approve or deny requests to elevate privilege.

-You need to have Global Administrator, Privileged Role Administrator, or group Owner permissions to manage settings for membership/ownership assignments of the group. Role settings are defined per role per group: all assignments for the same role (member/owner) for the same group follow same role settings. Role settings of one group are independent from role settings of another group. Role settings for one role (member) are independent from role settings for another role (owner).

-### Require multi-factor authentication (MFA) on activation

-To learn more about approvals, see [Approve activation requests for privileged access group members and owners (preview)](groups-approval-workflow.md).

-User may not be prompted for multi-factor authentication if they authenticated with strong credential or provided multi-factor authentication earlier in this session.

-In the current iteration, there is no API support for PIM alerts and privileged access groups.

-Once you set up Privileged Identity Management, you'll see **Tasks**, **Manage**, and **Activity** options in the left navigation menu. As an administrator, you'll choose between options such as managing **Azure AD roles**, managing **Azure resource** roles, or privileged access groups. When you choose what you want to manage, you see the appropriate set of options for that option.

-For more information, check out the following articles: [Assign Azure AD roles](pim-how-to-add-role-to-user.md), [Assign Azure resource roles](pim-resource-roles-assign-roles.md), and [Assign eligibility for a privileged access group](groups-assign-member-owner.md)

-For more information, check out the following articles: [Activate Azure AD roles](pim-how-to-activate-role.md), [Activate my Azure resource roles](pim-resource-roles-activate-your-roles.md), and [Activate my privileged access group roles](groups-activate-roles.md)

-For more information, check out the following articles: [Approve or deny requests for Azure AD roles](azure-ad-pim-approval-workflow.md), [Approve or deny requests for Azure resource roles](pim-resource-roles-approval-workflow.md), and [Approve activation requests for privileged access group](groups-approval-workflow.md)

-For more information, check out the following articles: [Extend or renew Azure AD role assignments](pim-how-to-renew-extend.md), [Extend or renew Azure resource role assignments](pim-resource-roles-renew-extend.md), and [Extend or renew privileged access group assignments](groups-renew-extend.md)

-In Privileged Identity Management (PIM), you can now assign eligibility for membership or ownership of privileged access groups. Starting with this preview, you can assign Azure Active Directory (Azure AD) built-in roles to cloud groups and use PIM to manage group member and owner eligibility and activation. For more information about role-assignable groups in Azure AD, see [Use Azure AD groups to manage role assignments](../roles/groups-concept.md).

-> To assign a privileged access group to a role for administrative access to Exchange, Security & Compliance Center, or SharePoint, use the Azure AD portal **Roles and Administrators** experience and not in the Privileged Access Groups experience to make the user or group eligible for activation into the group.

-Some organizations use tools like Azure AD business-to-business (B2B) collaboration to invite their partners as guests to their Azure AD organization. Instead of a single just-in-time policy for all assignments to a privileged role, you can create two different privileged access groups with their own policies. You can enforce less strict requirements for your trusted employees, and stricter requirements like approval workflow for your partners when they request activation into their assigned group.

-With the privileged access groups preview, you can give workload-specific administrators quick access to multiple roles with a single just-in-time request. For example, your Tier 3 Office Admins might need just-in-time access to the Exchange Admin, Office Apps Admin, Teams Admin, and Search Admin roles to thoroughly investigate incidents daily. Before today it would require four consecutive requests, which are a process that takes some time. Instead, you can create a role assignable group called ΓÇ£Tier 3 Office AdminsΓÇ¥, assign it to each of the four roles previously mentioned (or any Azure AD built-in roles) and enable it for Privileged Access in the groupΓÇÖs Activity section. Once enabled for privileged access, you can configure the just-in-time settings for members of the group and assign your admins and owners as eligible. When the admins elevate into the group, theyΓÇÖll become members of all four Azure AD roles.

-* Assign **eligibility for membership or ownership** of privileged access groups

-* **Privileged Access Groups** ΓÇô To set up just-in-time access to member and owner role of an Azure AD security group. Privileged Access Groups not only gives you an alternative way to set up PIM for Azure AD roles and Azure roles, but also allows you to set up PIM for other permissions across Microsoft online services like Intune, Azure Key Vaults, and Azure Information Protection.

-* **Users**- To get just-in-time access to Azure AD roles, Azure roles, and Privileged Access Groups.

-* **Groups**- Anyone in a group to get just-in-time access to Azure AD roles and Azure roles. For Azure AD roles, the group must be a newly created cloud group thatΓÇÖs marked as assignable to a role while for Azure roles, the group can be any Azure AD security group. We do not recommend assigning/nesting a group to a Privileged Access Groups.

->You cannot assign service principals as eligible to Azure AD roles, Azure roles, and Privileged Access groups but you can grant a time limited active assignment to all three.

-* Verify whether all the configuration you set up for the roles or privileged access groups are working correctly.

-| Roles| Azure AD roles| Azure Resource roles| Privileged Access Groups |

-| Privileged access group owner| | | x |

-## Plan and implement PIM for privileged access groups

-Follow these tasks to prepare PIM to manage privileged access groups.

-### Discover privileged access groups

-In this case, you should use privileged access groups. Create a privileged access group and grant it permanent active access to multiple roles. See [Privileged Identity Management (PIM) for Groups (preview)](concept-pim-for-groups.md).

-To manage an Azure AD role-assignable group as a privileged access group, you must [bring it under management in PIM](groups-discover-groups.md).

-### Configure PIM settings for privileged access groups

-[Draft and configure settings](groups-role-settings.md) for the privileged access groups that youΓÇÖve planned to protect with PIM.

-### Assign eligibility for privileged access groups

-You can [assign eligibility to members or owners of the privileged access groups.](groups-assign-member-owner.md) With just one activation, they will have access to all the linked resources.

->You can assign the privileged group to one or more Azure AD and Azure resource roles in the same way as you assign roles to users. A maximum of 400 role-assignable groups can be created in a single Azure AD organization (tenant).

-

-When privileged group assignment nears its expiration, use [PIM to extend or renew the group assignment](groups-renew-extend.md). YouΓÇÖll require an approval from the group owner.

-Configure privileged access group members and owners to require approval for activation and choose users or groups from your Azure AD organization as delegated approvers. We recommend selecting two or more approvers for each group to reduce workload for the privileged role administrator.

-[Approve or deny role activation requests for Privileged Access groups](groups-approval-workflow.md). As a delegated approver, you'll receive an email notification when a request is pending for your approval.

-### View audit history for privileged access groups

-[View audit history for all assignments and activations](groups-audit.md) within past 30 days for privileged access groups.

-## Notifications for Privileged Access groups

-Privileged Identity Management sends emails to Owners only when the following events occur for Privileged Access group assignments:

-Privileged Identity Management sends emails to end users when the following events occur for Privileged Access group role assignments:

-A privileged role administrator can customize Privileged Identity Management (PIM) in their Azure Active Directory (Azure AD) organization, including changing the experience for a user who is activating an eligible role assignment. For information on the PIM events that trigger notifications and which administrators receive them, see [Email notifications in Privileged Identity Management](pim-email-notifications.md#notifications-for-azure-ad-roles)

-1. Sign in to [Azure portal](https://portal.azure.com/) with a user in the [Privileged Role Administrator](../roles/permissions-reference.md#privileged-role-administrator) role.

-1. Open **Azure AD Privileged Identity Management** &gt; **Azure AD roles** &gt; **Role settings**.

- 

- 

-1. Select **Edit** to open the Role settings page.

- 

- On the Role setting pane for each role, there are several settings you can configure.

-## Assignment duration

-You can choose from two assignment duration options for each assignment type (eligible and active) when you configure settings for a role. These options become the default maximum duration when a user is assigned to the role in Privileged Identity Management.

-You can choose one of these **eligible** assignment duration options:

-| Setting | Description |

-| | |

-| Allow permanent eligible assignment | Global admins and Privileged role admins can assign permanent eligible assignment. |

-| Expire eligible assignment after | Global admins and Privileged role admins can require that all eligible assignments have a specified start and end date. |

-And, you can choose one of these **active** assignment duration options:

-| Setting | Description |

-| | |

-| Allow permanent active assignment | Global admins and Privileged role admins can assign permanent active assignment. |

-| Expire active assignment after | Global admins and Privileged role admins can require that all active assignments have a specified start and end date. |

-> [!NOTE]

-> All assignments that have a specified end date can be renewed by Global admins and Privileged role admins. Also, users can initiate self-service requests to [extend or renew role assignments](pim-resource-roles-renew-extend.md).

-## Require multifactor authentication

-Privileged Identity Management provides enforcement of Azure AD Multi-Factor Authentication on activation and on active assignment.

-### On activation

-You can require users who are eligible for a role to prove who they are using Azure AD Multi-Factor Authentication before they can activate. Multifactor authentication ensures that the user is who they say they are with reasonable certainty. Enforcing this option protects critical resources in situations when the user account might have been compromised.

-To require multifactor authentication to activate the role assignment, select the **On activation, require Azure MFA** option in the Activation tab of **Edit role setting**.

-### On active assignment

-This option requires admins must complete a multifactor authentication before creating an active (as opposed to eligible) role assignment. Privileged Identity Management can't enforce multifactor authentication when the user uses their role assignment because they are already active in the role from the time that it is assigned.

-To require multifactor authentication when creating an active role assignment, select the **Require Azure Multi-Factor Authentication on active assignment** option in the Assignment tab of **Edit role setting**.

-For more information, see [Multifactor authentication and Privileged Identity Management](pim-how-to-require-mfa.md).

-## Activation maximum duration

-Use the **Activation maximum duration** slider to set the maximum time, in hours, that an activation request for a role assignment remains active before it expires. This value can be from one to 24 hours.

-## Require justification

-You can require that users enter a business justification when they activate. To require justification, check the **Require justification on active assignment** box or the **Require justification on activation** box.

-## Require ticket information on activation

-If your organization uses a ticketing system to track help desk items or change requests for your environment, you can select the **Require ticket information on activation** box to require the elevation request to contain the name of the ticketing system (optional, if your organization uses multiple systems) and the ticket number that prompted the need for role activation.

-## Require approval to activate

-If setting multiple approvers, approval completes as soon as one of them approves or denies. You can't force approval from a second or subsequent approver. To require approval to activate a role, follow these steps.

-1. Check the **Require approval to activate** check box.

-1. Select **Select approvers**.

- 

-1. Select at least one user and then click **Select**. Select at least one approver. If no specific approvers are selected, Privileged Role Administrators and Global Administrators become the default approvers.

- > [!Note]

- > An approver does not have to have an Azure AD administrative role themselves. They can be a regular user, such as an IT executive.

-1. Select **Update** to save your changes.

-When you configure Azure resource role settings, you define the default settings that are applied to Azure role assignments in Privileged Identity Management (PIM) in Azure Active Directory (Azure AD), part of Microsoft Entra. Use the following procedures to configure the approval workflow and specify who can approve or deny requests.

-## Open role settings

-Follow these steps to open the settings for an Azure resource role.

-1. Sign in to [Azure portal](https://portal.azure.com/) with a user in the [Privileged Role Administrator](../roles/permissions-reference.md#privileged-role-administrator) role.

-1. Open **Azure AD Privileged Identity Management**.

-1. Select **Azure resources**.

- >[!NOTE]

- > Approver doesn't have to have any Azure or Azure AD role assigned.

-1. Select the resource you want to manage, such as a subscription or management group.

- 

-1. Select **Settings**.

- 

-1. Select the role whose settings you want to configure.

- 

-1. Select **Edit** to open the **Edit role setting** pane. The first tab allows you to update the configuration for role activation in Privileged Identity Management.

- 

-1. Select the **Assignment** tab or the **Next: Assignment** button at the bottom of the page to open the assignment setting tab. These settings control role assignments made inside the Privileged Identity Management interface.

- 

-1. Use the **Notification** tab or the **Next: Activation** button at the bottom of the page to get to the notification setting tab for this role. These settings control all the email notifications related to this role.

- 

- In the **Notifications** tab on the role settings page, Privileged Identity Management enables granular control over who receives notifications and which notifications they receive.

- - **Turning off an email**<br>You can turn off specific emails by clearing the default recipient check box and deleting any additional recipients.

- - **Limit emails to specified email addresses**<br>You can turn off emails sent to default recipients by clearing the default recipient checkbox. You can then add additional email addresses as additional recipients. If you want to add more than one email address, separate them using a semicolon (;).

- - **Send emails to both default recipients and additional recipients**<br>You can send emails to both default recipient and additional recipient by selecting the default recipient checkbox and adding email addresses for additional recipients.

- - **Critical emails only**<br>For each type of email, you can select the checkbox to receive critical emails only. What this means is that Privileged Identity Management will continue to send emails to the configured recipients only when the email requires an immediate action. For example, emails asking users to extend their role assignment will not be triggered while an emails requiring admins to approve an extension request will be triggered.

-1. Select the **Update** button at any time to update the role settings.

-## Assignment duration

-You can choose from two assignment duration options for each assignment type (eligible and active) when you configure settings for a role. These options become the default maximum duration when a user is assigned to the role in Privileged Identity Management.

-You can choose one of these **eligible** assignment duration options:

-| | Description |

-| | |

-| **Allow permanent eligible assignment** | Resource administrators can assign permanent eligible assignment. |

-| **Expire eligible assignment after** | Resource administrators can require that all eligible assignments have a specified start and end date. |

-And, you can choose one of these **active** assignment duration options:

-| | Description |

-| | |

-| **Allow permanent active assignment** | Resource administrators can assign permanent active assignment. |

-| **Expire active assignment after** | Resource administrators can require that all active assignments have a specified start and end date. |

-> [!NOTE]

-> All assignments that have a specified end date can be renewed by resource administrators. Also, users can initiate self-service requests to [extend or renew role assignments](pim-resource-roles-renew-extend.md).

-## Require multifactor authentication

-Privileged Identity Management provides optional enforcement of Azure AD Multi-Factor Authentication for two distinct scenarios.

-### On active assignment

-This option requires admins must complete a multifactor authentication before creating an active (as opposed to eligible) role assignment. Privileged Identity Management can't enforce multifactor authentication when the user activates their role assignment because the user is already active in the role from the time that it is assigned.

-To require multifactor authentication when creating an active role assignment, you can enforce multifactor authentication on active assignment by checking the **Require Multi-Factor Authentication on active assignment** box.

-### On activation

-You can require users who are eligible for a role to prove who they are using Azure AD Multi-Factor Authentication before they can activate. Multifactor authentication ensures that the user is who they say they are with reasonable certainty. Enforcing this option protects critical resources in situations when the user account might have been compromised.

-To require multifactor authentication before activation, check the **Require Multi-Factor Authentication on activation** box.

-For more information, see [Multifactor authentication and Privileged Identity Management](pim-how-to-require-mfa.md).

-## Activation maximum duration

-Use the **Activation maximum duration** slider to set the maximum time, in hours, that an activation request for a role assignment remains active before it expires. This value can be from one to 24 hours.

-## Require justification

-You can require that users enter a business justification when they activate. To require justification, check the **Require justification on active assignment** box or the **Require justification on activation** box.

-## Require approval to activate

-If you want to require approval to activate a role, follow these steps.

-1. Check the **Require approval to activate** check box.

-1. Select **Select approvers** to open the **Select a member or group** page.

- 

-1. Select at least one user or group and then click **Select**. You can add any combination of users and groups. You must select at least one approver. There are no default approvers.

- Your selections will appear in the list of selected approvers.

-1. Once you have specified your all your role settings, select **Update** to save your changes.

-## 7. Activate multiple roles at once using privileged access groups

-In this case, you should use [Privileged Identity Management (PIM) for Groups (preview)](../privileged-identity-management/concept-pim-for-groups.md). Create a privileged access group and grant it permanent access to multiple roles (Azure AD and/or Azure). Make that user an eligible member or owner of this group. With just one activation, they will have access to all the linked resources.

-

-> [!NOTE]

-> For privileged access groups that are used to elevate into Azure AD roles, we recommend that you require an approval process for eligible member assignments. Assignments that can be activated without approval might create a security risk from administrators who have a lower level of permissions. For example, the Helpdesk Administrator has permissions to reset an eligible user's password.

-Users in this role can add, remove, and update license assignments on users, groups (using group-based licensing), and manage the usage location on users. The role does not grant the ability to purchase or manage subscriptions, create or manage groups, or create or manage users beyond the usage location. This role has no access to view, create, or manage support tickets.

-| Assign licenses for all users, including all administrators | |

-| AC.L2-3.1.5<br><br>**Practice statement:** Employ the principle of least privilege, including specific security functions and privileged accounts.<br><br>**Objectives:**<br>Determine if:<br>[a.] privileged accounts are identified;<br>[b.] access to privileged accounts is authorized in accordance with the principle of least privilege;<br>[c.] security functions are identified; and<br>[d.] access to security functions is authorized in accordance with the principle of least privilege. | You're responsible for implementing and enforcing the rule of least privilege. This action can be accomplished with Privileged Identity Management for configuring enforcement, monitoring, and alerting. Set requirements and conditions for role membership.<br><br>Once privileged accounts are identified and managed, use [Entitlement Lifecycle Management](../governance/entitlement-management-overview.md) and [Access reviews](../governance/access-reviews-overview.md) to set, maintain and audit adequate access. Use the [MS Graph API](/graph/api/directoryrole-list-members?view=graph-rest-1.0&tabs=http&preserve-view=true) to discover and monitor directory roles.<br><br>**Assign roles**<br>[Assign Azure AD roles in PIM](../privileged-identity-management/pim-how-to-add-role-to-user.md)<br>[Assign Azure resource roles in Privileged Identity Management](../privileged-identity-management/pim-resource-roles-assign-roles.md)<br>[Assign eligible owners and members for privileged access groups](../privileged-identity-management/groups-assign-member-owner.md)<br><br>**Set role settings** <br>[Configure Azure AD role settings in PIM](../privileged-identity-management/pim-how-to-change-default-settings.md)<br>[Configure Azure resource role settings in PIM](../privileged-identity-management/pim-resource-roles-configure-role-settings.md)<br>[Configure privileged access groups settings in PIM](../privileged-identity-management/groups-role-settings.md)<br><br>**Set up alerts**<br>[Security alerts for Azure AD roles in PIM](../privileged-identity-management/pim-how-to-configure-security-alerts.md)<br>[Configure security alerts for Azure resource roles in Privileged Identity Management](../privileged-identity-management/pim-resource-roles-configure-alerts.md) |

- az aks create -n myAKSCluster -g myResourceGroup --enable-addons azure-keyvault-secrets-provider --enable-managed-identity

-|<a id="ref-imessagebody"></a>`IMessageBody`|`As<T>(preserveContent: bool = false): Where T: string, byte[],JObject, JToken, JArray, XNode, XElement, XDocument`<br /><br /> The `context.Request.Body.As<T>` and `context.Response.Body.As<T>` methods are used to read either a request and response message body in specified type `T`. By default, the method:<br /><ul><li>Uses the original message body stream.</li><li>Renders it unavailable after it returns.</li></ul> <br />To avoid that and have the method operate on a copy of the body stream, set the `preserveContent` parameter to `true`, as in [this example](api-management-transformation-policies.md#SetBody).|

-# Use Form Recognizer containers in disconnected environments

-* The Docker `pull` command you'll use to download the container.

-Now that you've downloaded your container, you'll need to execute the `docker run` command with the following parameter:

-* **`DownloadLicense=True`**. This parameter will download a license file that will enable your Docker container to run when it isn't connected to the internet. It also contains an expiration date, after which the license file will be invalid to run the container. You can only use the license file in corresponding approved container.

-The following example shows the formatting for the `docker run` command you'll use, with placeholder values. Replace these placeholder values with your own values.

-| `{LICENSE_MOUNT}` | The path where the license will be downloaded, and mounted. | `/host/license:/path/to/license/directory` |

-| `{LICENSE_MOUNT}` | The path where the license will be located and mounted. | `/host/license:/path/to/license/directory` |

-When run in a disconnected environment, an output mount must be available to the container to store usage logs. For example, you would include `-v /host/output:{OUTPUT_PATH}` and `Mounts:Output={OUTPUT_PATH}` in the following example, replacing `{OUTPUT_PATH}` with the path where the logs will be stored:

-The following endpoint will provide a report summarizing all of the usage collected in the mounted billing record directory.

-The usage-log endpoint will return a JSON response similar to the following example:

-The following endpoint will provide a report summarizing usage over a specific month and year.

-This usage-logs endpoint will return a JSON response similar to the following example:

-Commitment plans for disconnected containers have a calendar year commitment period. When you purchase a plan, you'll be charged the full price immediately. During the commitment period, you can't change your commitment plan, however you can purchase more unit(s) at a pro-rated price for the remaining days in the year. You have until midnight (UTC) on the last day of your commitment, to end a commitment plan.

-If you decide that you don't want to continue purchasing a commitment plan, you can set your resource's auto-renewal to **Do not auto-renew**. Your commitment plan will expire on the displayed commitment end date. After this date, you won't be charged for the commitment plan. You'll be able to continue using the Azure resource to make API calls, charged at pay-as-you-go pricing. You have until midnight (UTC) on the last day of the year to end a commitment plan for disconnected containers. If you cancel at or before that time, you won't be charged for the following year.

-Run the container with an output mount and logging enabled. These settings will enable the container generates log files that are helpful for troubleshooting issues that occur while starting or running the container.

-To get started, you'll need:

-* An [**Azure blob storage account**](https://portal.azure.com/#create/Microsoft.StorageAccount-ARM) in the same region as your Form Recognizer resource. You'll create containers to store and organize your blob data within your storage account.

-* The system-assigned managed identity is tied to your resource throughout its lifecycle. If you delete your resource, the managed identity will be deleted as well.

-In the following steps, we'll enable a system-assigned managed identity and grant Form Recognizer limited access to your Azure blob storage account.

-1. An Azure role assignments page will open. Choose your subscription from the drop-down menu then select **&plus; Add role assignment**.

-> Start/Stop VM during off-hours, version 1 is going to retire soon by CY23 and is unavailable in the marketplace now. We recommend that you start using [version 2](/articles/azure-functions/start-stop-vms/overview.md), which is now generally available. The new version offers all existing capabilities and provides new features, such as multi-subscription support from a single Start/Stop instance. If you have the version 1 solution already deployed, you can still use the feature, and we will provide support until retirement in CY23. The details on announcement will be shared soon.

-* To handle problems during VM management, see [Troubleshoot Start/Stop VMs during off-hours issues](troubleshoot/start-stop-vm.md).

-> Start/Stop VM during off-hours, version 1 is going to retire soon by CY23 and is unavailable in the marketplace now. We recommend that you start using [version 2](/articles/azure-functions/start-stop-vms/overview.md), which is now generally available. The new version offers all existing capabilities and provides new features, such as multi-subscription support from a single Start/Stop instance. If you have the version 1 solution already deployed, you can still use the feature, and we will provide support until retirement in CY23. The details on announcement will be shared soon.

-To re-enable this feature, see [Enable Start/Stop during off-hours](automation-solution-vm-management-enable.md).

-> Start/Stop VM during off-hours, version 1 is going to retire soon by CY23 and is unavailable in the marketplace now. We recommend that you start using [version 2](https://learn.microsoft.com/azure/azure-functions/start-stop-vms/overview), which is now generally available. The new version offers all existing capabilities and provides new features, such as multi-subscription support from a single Start/Stop instance. If you have the version 1 solution already deployed, you can still use the feature, and we will provide support until retirement in CY23. The details on announcement will be shared soon.

-> Start/Stop VM during off-hours, version 1 is going to retire soon by CY23 and is unavailable in the marketplace now. We recommend that you start using [version 2](/articles/azure-functions/start-stop-vms/overview.md), which is now generally available. The new version offers all existing capabilities and provides new features, such as multi-subscription support from a single Start/Stop instance. If you have the version 1 solution already deployed, you can still use the feature, and we will provide support until retirement in CY23. The details on announcement will be shared soon.

-You can use the Bicep template to create a new Hybrid Worker group, create a new Azure Windows VM and add it to an existing Hybrid Worker Group. Learn more about [Bicep](/articles/azure-resource-manager/bicep/overview.md)

-### [Indirectly connected mode](#tab/indirectly)

-az sql mi-arc create -n <instanceName> --storage-class-backups <RWX capable storageclass> --k8s-namespace <namespace> --use-k8s

-az sql mi-arc create -n sqldemo --storage-class-backups mybackups --k8s-namespace my-namespace --use-k8s

-### [Directly connected mode](#tab/directly)

-az sql mi-arc create --name <name> --resource-group <group> -ΓÇôsubscription <subscription> --custom-location <custom-location> --storage-class-backups <RWX capable storageclass>

-az sql mi-arc create --name sqldemo --resource-group rg -ΓÇôsubscription xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx --custom-location private-location --storage-class-backups mybackups

-* A new optional parameter was added to `azdata arc postgres server create` called `--volume-claim mounts`. The value is a comma-separated list of volume claim mounts. A volume claim mount is a pair of volume type and PVC name. The only volume type currently supported is `backup`. In PostgreSQL, when volume type is `backup`, the PVC is mounted to `/mnt/db-backups`. This enables sharing backups between PostgresSQL instances so that the backup of one PostgresSQL instance can be restored in another instance.

-* New short names for PostgresSQL custom resource definitions:

-+ [Node.js](https://nodejs.org/) version 12. Node.js version 10 is also supported.

-az functionapp create --resource-group MyResourceGroup --name <APP_NAME> --custom-location <CUSTOM_LOCATION_ID> --storage-account <STORAGE_NAME> --functions-version 4 --runtime node --runtime-version 12

-The following Azure Bot Service **features aren't currently available** in Azure Government (updated 16 August 2021):

- - Teams Channel

-Usage | where DataType !in (freeTables) | where TimeGenerated > ago(30d) | summarize MonthlyGB=sum(Quantity)/1000

-The following examples show how to use the filter function.

-The following example shows how to use the map function.

-The following examples show how to use the reduce function.

-The following example shows how to use the sort function.

- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",

- "contentVersion": "1.0.0.0",

- "parameters": {

- "demoParam1":{

- "type": "string",

- "defaultValue": "[[test value]"

- }

- },

- "resources": [],

- "outputs": {

- "exampleOutput": {

- "type": "string",

- "value": "[parameters('demoParam1')]"

- }

- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",

- "contentVersion": "1.0.0.0",

- "parameters": {

- "demoParam1": {

- "value": "[test value]"

- }

- }

-This article describes the lambda functions to use in ARM templates. [Lambda expressions (or lambda functions)](/dotnet/csharp/language-reference/operators/lambda-expressions) are essentially blocks of code that can be passed as an argument. They can take multiple parameters, but are restricted to a single line of code.

-`filter(inputArray, lambda expression)`

-| lambda expression |Yes |expression |The lambda expression applied to each input array element. If false, the item will be filtered out of the output array.|

-The following examples show how to use the filter function.

-`map(inputArray, lambda expression)`

-| lambda expression |Yes |expression |The lambda expression applied to each input array element, in order to generate the output array.|

-The following example shows how to use the map function.

-`reduce(inputArray, initialValue, lambda expression)`

-| lambda expression |Yes |expression |The lambda expression used to aggregate the current value and the next value.|

-The following examples show how to use the reduce function.

-`sort(inputArray, lambda expression)`

-| lambda expression |Yes |expression |The lambda expression used to compare two array elements for ordering. If true, the second element will be ordered after the first in the output array.|

-The following example shows how to use the sort function.

-The Web PubSub service supports two reliable subprotocols `json.reliable.webpubsub.azure.v1` and `protobuf.reliable.webpubsub.azure.v1`. Clients must follow the publisher, subscriber, and reconnection parts of the subprotocol to achieve reliability. Failing to properly implement the subprotocol may result in the message delivery not working as expected or the service terminating the client due to protocol violations.

-## Initialization

-## Reconnection

-Reconnection is the basis of achieving reliability and must be implemented when using the `json.reliable.webpubsub.azure.v1` and `protobuf.reliable.webpubsub.azure.v1` protocols.

-Websocket connections rely on TCP. When the connection doesn't drop, messages are lossless and delivered in order. To prevent message loss over dropped connections, the Web PubSub service retains the connection status information, including group and message information. This information is used to restore the client on reconnection

-Once the WebSocket connection drops, the client should try to reconnect with the same `connectionId` to restore the same session. Clients don't need to negotiate with the server and obtain the `access_token`. Instead, on reconnection the client should make a WebSocket connect request directly to the service with the service host name, `connection_id`, and `reconnection_token`:

-Reconnection may fail if the network issue hasn't been recovered yet. The client should keep retrying to reconnect until:

-2. A reconnection failure continues to occur for more than 1 minute.

-## Publisher

-If the service's ack response is lost because the WebSocket connection dropped, the publisher should resend the message with the same `ackId` after reconnection. When the message was previously processed by the service, it will send an ack containing a `Duplicate` error. The publisher should stop resending this message.

-## Subscriber

-Find more details in [Reconnection](./howto-develop-reliable-clients.md#reconnection)

-When using `json.reliable.webpubsub.azure.v1` subprotocol, the client must follow the [How to create reliable clients](./howto-develop-reliable-clients.md) to implement reconnection, publisher and subscriber.

-* `sequence_id` is a incremental uint64 number from the message received.

-Find more details in [Reconnection](./howto-develop-reliable-clients.md#reconnection)

-* To grant access to an Azure resource, you'll assign an Azure role to a managed identity using [Azure role-based access control (`Azure RBAC`)](../../../../role-based-access-control/overview.md).

-To get started, you'll need:

-* An [**Azure blob storage account**](https://portal.azure.com/#create/Microsoft.StorageAccount-ARM) in the same region as your Translator resource. You'll create containers to store and organize your blob data within your storage account.

-* The system-assigned managed identity is tied to your resource throughout its lifecycle. If you delete your resource, the managed identity will be deleted as well.

-In the following steps, we'll enable a system-assigned managed identity and grant your Translator resource limited access to your Azure blob storage account.

-1. An Azure role assignments page will open. Choose your subscription from the drop-down menu then select **&plus; Add role assignment**.

-* With managed identity and `Azure RBAC`, you'll no longer need to include SAS URLs.

-* The translated documents will appear in your target container.

-\*Models available by request only. Please open a support request.

-\*Models available for Fine-tuning by request only. Please open a support request.

-| Fine-tuning | Ada <br> Babbage <br> Curie <br> Cushman* <br> Davinci* <br> \* available by request. Please open a support request|

-* **New models**: Addition of the latest text model, text-davinci-003

-| | Redirect (forward) a call to one or more endpoints | ✔️ | ✔️ |

-| | Blind Transfer* a call to another endpoint | ✔️ | ✔️ |

-*Transfer of VoIP call to a phone number is currently not supported.

-description: Cross Platform development solutions using the UI library to enable Xamarin and React Native developers build communication applications

-zone_pivot_groups: acs-xamarin-react

-Azure Communication Services introduces Cross Platform development using **Xamarin and React Native** solutions. This sample demonstrates how Azure Communication Services Calling integrates the UI Library for mobile platforms and create the bindings to allow developers to begin building with the calling capabilities.

-## Encryption between Microsoft Teams and Azure Communications Gateway

-All traffic between Azure Communications Gateway and Microsoft Teams is encrypted. SIP traffic is encrypted using TLS. Media traffic is encrypted using SRTP.

-Azure Communications Gateway doesn't store content data, but it does store customer data and provide statistics based on it. This data is stored for a maximum of 30 days. After this period, it's no longer accessible to perform diagnostics or analysis of individual calls. Anonymized statistics and logs produced based on customer data will continue to be available beyond the 30 days limit.

-If you want to see the request unit usage by collection, select **Apply splitting** and choose the collection name as a filter. You will see a chat like the following with a choice of collections within the dashboard. You can then select a specific collection name to view more details:

-| Vulnerability Assessment | View vulnerabilities for running images | AKS | GA | GA | Defender profile | Defender for Containers | Commercial clouds |

-When publishing events to custom topics, create subjects for your events that make it easy for subscribers to know whether they're interested in the event. Subscribers use the subject property to filter and route events. Consider adding the path for where the event happened, so subscribers can filter by segments of that path. The path enables subscribers to narrowly or broadly filter events. If you provide a three segment path like `/A/B/C` in the subject, subscribers can filter by the first segment `/A` to get a broad set of events. Those subscribers get events with subjects like `/A/B/C` or `/A/D/E`. Other subscribers can filter by `/A/B` to get a narrower set of events.

-The JSON syntax for filtering by subject is:

-```json

-"filter": {

- "subjectBeginsWith": "/blobServices/default/containers/mycontainer/blobs/log",

- "subjectEndsWith": ".jpg"

-}

-> Event Hubs Premium supports TLS 1.2 or greater.

-## Standard and Premium policies

-Azure Firewall supports Standard and Premium policies. The following table summarizes the difference between the two:

-Network rule collections inherited from a parent policy are always prioritized above network rule collections defined as part of a new policy. The same logic also applies to application rule collections. However, network rule collections are always processed before application rule collections regardless of inheritance.

-Like Threat Intelligence mode, the Threat Intelligence allowlist is inherited from the parent policy. The child policy can add additional IP addresses to the allowlist.

-You may need to filter traffic from clients either on premises or in Azure destined to services exposed via private endpoints in a Virtual WAN connected virtual network. This article walks you through this task using [secured virtual hub](../firewall-manager/secured-virtual-hub.md) with [Azure Firewall](../firewall/overview.md) as the security provider.

-Use application rules over network rules to inspect traffic destined to private endpoints.

-## Filter traffic using FQDN in network and application rules

-The following steps enable Azure Firewall to filter traffic using FQDN in network and application rules:

-2. Configure [custom DNS settings](../firewall/dns-settings.md#configure-custom-dns-serversazure-portal) to point to the DNS forwarder virtual machine IP address and enable DNS proxy in the firewall policy associated with the Azure Firewall deployed in the secured virtual hub.

-3. Configure [custom DNS servers](../virtual-network/manage-virtual-network.md#change-dns-servers) for the virtual networks connected to the secured virtual hub to point to the private IP address associated with the Azure Firewall deployed in the secured virtual hub.

-4. Configure on premises DNS servers to forward DNS queries for the private endpoints public DNS zones to the private IP address associated with the Azure Firewall deployed in the secured virtual hub.

-5. Configure an [application rule](../firewall/tutorial-firewall-deploy-portal.md#configure-an-application-rule) or [network rule](../firewall/tutorial-firewall-deploy-portal.md#configure-a-network-rule) as necessary in the firewall policy associated with the Azure Firewall deployed in the secured virtual hub with *Destination Type* FQDN and the private link resource public FQDN as *Destination*.

-6. Navigate to *Secured virtual hubs* in the firewall policy associated with the Azure Firewall deployed in the secured virtual hub and select the secured virtual hub where traffic filtering destined to private endpoints will be configured.

-7. Navigate to **Security configuration**, select **Send via Azure Firewall** under **Private traffic**.

-8. Select **Private traffic prefixes** to edit the CIDR prefixes that will be inspected via Azure Firewall in secured virtual hub and add one /32 prefix for each private endpoint as follows:

- > [!IMPORTANT]

- > If these /32 prefixes are not configured, traffic destined to private endpoints will bypass Azure Firewall.

-These steps only work when the clients and private endpoints are deployed in different virtual networks connected to the same secured virtual hub and for on premises clients. If the clients and private endpoints are deployed in the same virtual network, a UDR with /32 routes for the private endpoints must be created. Configure these routes with **Next hop type** set to **Virtual appliance** and **Next hop address** set to the private IP address of the Azure Firewall deployed in the secured virtual hub. **Propagate gateway routes** must be set to **Yes**.

-2. Verify **Security configuration** in the firewall policy associated with the Azure Firewall deployed in the secured virtual hub. Make sure there's a /32 entry for each private endpoint private IP address you want to filter traffic for under **Private traffic prefixes**.

-3. In the secured virtual hub under virtual WAN, inspect effective routes for the route tables associated with the virtual networks and branches connections you want to filter traffic for. Make sure there are /32 entries for each private endpoint private IP address you want to filter traffic for.

-4. Inspect the effective routes on the NICs attached to the virtual machines deployed in the virtual networks you want to filter traffic for. Make sure there are /32 entries for each private endpoint private IP address you want to filter traffic for.

-5. Inspect the routing tables of your on premises routing devices. Make sure you're learning the address spaces of the virtual networks where the private endpoints are deployed.

- Azure virtual WAN doesn't advertise the prefixes configured under **Private traffic prefixes** in firewall policy **Security configuration** to on premises. It's expected that the /32 entries won't show in the routing tables of your on premises routing devices.

-|[CalculatedContentTemplate](how-to-use-calculatedcontenttemplate-mappings.md)|A template that supports writing expressions using one of several expression languages. Supports data transformation via the use of JMESPath functions.|

-|Latency|Average Group Stage Latency|The average latency of the group stage. The [group stage](understand-service.md#group) performs buffering, aggregating, and grouping on normalized messages.|

-|Latency|**Average Group Stage Latency**|The average latency of the group stage. The [group stage](understand-service.md#group) performs buffering, aggregating, and grouping on normalized messages.|

-description: This article will provide you with an understanding of the MedTech service device messaging data transformation to FHIR Observation resources. The MedTech service ingests, normalizes, groups, transforms, and persists device message data into the FHIR service.

-This article provides an overview of the device message data processing stages within the [MedTech service](overview.md). The MedTech service transforms device message data into Fast Healthcare Interoperability Resources (FHIR&#174;) [Observation](https://www.hl7.org/fhir/observation.html) resources for persistence on the [FHIR service](../fhir/overview.md).

-> - Group

-## Group

-If no Device resource for a given device identifier exists in the FHIR service, the outcome depends upon the value of [Resolution Type](deploy-new-config.md#configure-the-destination-tab) set at the time of the MedTech service deployment. When set to `Lookup`, the specific message is ignored, and the pipeline will continue to process other incoming device messages. If set to `Create`, the MedTech service will create minimal Device and Patient resources on the FHIR service.

-Persist is the final stage where the FHIR Observation resources from the transform stage are persisted in the [FHIR service](../fhir/overview.md). If the FHIR Observation resource is new, it will be created in the FHIR service. If the FHIR Observation resource already existed, it will get updated in the FHIR service.

-### MedTech service

-**Qatar Central region is Generally Available (GA)**

-Customers in Qatar Central can now access the MedTech service.

-#### Azure Health Data Services

-**Azure Health Data services General Available (GA) in new regions**

-General availability (GA) of Azure Health Data services in France Central, North Central US and Qatar Central Regions.

-

-See [Use Device mappings](./../healthcare-apis/iot/how-to-use-device-mappings.md) and [Calculated Content Templates](./../healthcare-apis/iot/how-to-use-calculatedcontenttemplate-mappings.md)

-You can now modify your device code to implement the telemetry, properties, and commands defined in your model. To see an example implementation of the thermostat device using the Mosquitto library, see [Using MQTT PnP with Azure IoTHub without the IoT SDK on Windows](https://github.com/Azure-Samples/IoTMQTTSample/tree/master/src/Windows/PnPMQTTWin32) on GitHub.

-> [Communicate with your IoT hub using the MQTT protocol](../iot-hub/iot-hub-mqtt-support.md)

-Azure Machine Learning integration with Azure Synapse Analytics (preview) provides easy access to distributed computing through the Apache Spark framework. This integration offers these Apache Spark computing experiences:

-Azure Machine Learning Managed (Automatic) Spark compute is the easiest way to accomplish distributed computing tasks in the Azure Machine Learning environment by using the Apache Spark framework. Azure Machine Learning users can use a fully managed, serverless, on-demand Apache Spark compute cluster. Those users can avoid the need to create an Azure Synapse workspace and a Synapse Spark pool.

-Managed (Automatic) Spark compute works well for most user scenarios that require quick access to distributed computing through Apache Spark. But to make an informed decision, users should consider the advantages and disadvantages of this approach.

-As of January 2023, creating a Managed (Automatic) Spark compute inside a virtual network and creating a private endpoint to Azure Synapse are not supported.

-A Managed (Automatic) Spark compute (*cold start*) resource might need three to five minutes to start the Spark session when it's first launched. The automated Managed (Automatic) Spark compute provisioning, backed by Azure Synapse, causes this delay. After the Managed (Automatic) Spark compute is provisioned and an Apache Spark session starts, subsequent code executions (*warm start*) won't experience this delay.

-The Spark session configuration offers an option that defines a session timeout (in minutes). The Spark session will end after an inactivity period that exceeds the user-defined timeout. If another Spark session doesn't start in the following 10 minutes, resources provisioned for the Managed (Automatic) Spark compute will be torn down.

-An attached Synapse Spark pool provides access to native Azure Synapse features. The user is responsible for provisioning, attaching, configuring, and managing the Synapse Spark pool.

-You can define Spark cluster size by using three parameter values in Azure Machine Learning Spark jobs:

-You should consider an Azure Machine Learning Apache Spark executor as an equivalent of Azure Spark worker nodes. An example can explain these parameters. Let's say that you defined the number of executors as 6 (equivalent to six worker nodes), executor cores as 4, and executor memory as 28 GB. Your Spark job will then have access to a cluster with 24 cores and 168 GB of memory.

-> To ensure successful Spark job execution, assign **Contributor** and **Storage Blob Data Contributor** roles (on the Azure storage account that's used for data input and output) to the identity that's used for submitting the Spark job.

->

-> If an [attached Synapse Spark pool](./how-to-manage-synapse-spark-pool.md) points to a Synapse Spark pool in an Azure Synapse workspace, and that workspace has an associated managed virtual network, [configure a managed private endpoint to a storage account](../synapse-analytics/security/connect-to-a-secure-storage-account.md). This configuration will help ensure data access.

-[This quickstart](./quickstart-spark-jobs.md) describes how to start using Managed (Automatic) Spark compute to submit your Spark jobs in Azure Machine Learning.

- <!-- :::code language="yaml" source="~/azureml-examples-main/cli/endpoints/online/mlflow/create-endpoint.yaml"::: -->

- <!-- :::code language="azurecli" source="~/azureml-examples-main/cli/deploy-managed-online-endpoint-mlflow.sh" ID="create_endpoint"::: -->

- <!-- :::code language="yaml" source="~/azureml-examples-main/cli/endpoints/online/mlflow/sklearn-deployment.yaml"::: -->

- <!-- :::code language="azurecli" source="~/azureml-examples-main/cli/deploy-managed-online-endpoint-mlflow.sh" ID="create_sklearn_deployment"::: -->

-<!-- :::code language="json" source="~/azureml-examples-main/cli/endpoints/online/mlflow/sample-request-sklearn.json"::: -->

-<!-- :::code language="azurecli" source="~/azureml-examples-main/cli/deploy-managed-online-endpoint-mlflow.sh" ID="test_sklearn_deployment"::: -->

- <!-- :::code language="json" source="~/azureml-examples-main/cli/endpoints/online/mlflow/sample-request-sklearn.json"::: -->

-<!-- :::code language="azurecli" source="~/azureml-examples-main/cli/deploy-managed-online-endpoint-mlflow.sh" ID="delete_endpoint"::: -->

-In Azure Machine Learning, you can export or delete your workspace data using either the portal's graphical interface or the Python SDK. This article describes both options.

-In-product data stored by Azure Machine Learning is available for export and deletion. You can export and delete using Azure Machine Learning studio, CLI, and SDK. Telemetry data can be accessed through the Azure Privacy portal.

-In Azure Machine Learning, personal data consists of user information in job history documents.

-These resources can be deleted by selecting them from the list and choosing **Delete**:

-> If the resource is configured for soft delete, the data won't be deleted unless you optionally select to delete the resource permanently. For more information, see the following articles:

-Job history documents, which may contain personal user information, are stored in the storage account in blob storage, in subfolders of `/azureml`. You can download and delete the data from the portal.

-Azure Machine Learning studio provides a unified view of your machine learning resources, such as notebooks, data assets, models, and jobs. Azure Machine Learning studio emphasizes preserving a record of your data and experiments. Computational resources such as pipelines and compute resources can be deleted using the browser. For these resources, navigate to the resource in question and choose **Delete**.

-Data assets can be unregistered and jobs can be archived, but these operations don't delete the data. To entirely remove the data, data assets and job data must be deleted at the storage level. Deleting at the storage level is done using the portal, as described previously. An individual Job can be deleted directly in studio. Deleting a Job deletes the Job's data.

-You can download training artifacts from experimental jobs using the Studio. Choose the **Job** in which you're interested. Choose **Output + logs** and navigate to the specific artifacts you wish to download. Choose **...** and **Download** or select **Download all**.

-You can download a registered model by navigating to the **Model** and choosing **Download**.

-To control who can access your Azure Machine Learning workspace, use Azure Active Directory [Conditional Access](../active-directory/conditional-access/overview.md).

-Azure AD Conditional Access can be used to further control or restrict access to the workspace for each authentication workflow. For example, an admin can allow workspace access from managed devices only.

-As an administrator, you can enforce [Azure AD Conditional Access policies](../active-directory/conditional-access/overview.md) for users signing in to the workspace. For example, you

-can require two-factor authentication, or allow sign in only from managed devices. To use Conditional Access for Azure Machine Learning workspaces specifically, [assign the Conditional Access policy](../active-directory/conditional-access/concept-conditional-access-cloud-apps.md) to Machine Learning Cloud app.

-* [OutOfCapacity](#error-outofcapacity)

-This issue happens when the size of the model is larger than the available disk space and the model is not able to be downloaded. Try a SKU with more disk space.

-* Try a [Managed online endpoints SKU list](reference-managed-online-endpoints-vm-sku-list.md) with more disk space.

-* Try reducing image and model size.

-This issue happens when the memory footprint of the model is larger than the available memory. Try a [Managed online endpoints SKU list](reference-managed-online-endpoints-vm-sku-list.md) with more memory.<br>

-#### Endpoint quota

-Try to delete some unused endpoints in this subscription.

-When you are creating a managed online endpoint, role assignment is required for the [managed identity](../active-directory/managed-identities-azure-resources/overview.md) to access workspace resources. If you've reached the [role assignment limit](../azure-resource-manager/management/azure-subscription-service-limits.md#azure-rbac-limits), try to delete some unused role assignments in this subscription. You can check all role assignments in the Azure portal by going to the Access Control menu.

-#### Kubernetes quota

-This issue happens when the requested CPU or memory couldn't be satisfied, such as nodes are cordoned or nodes are unavailable, which means all nodes are unschedulable.

-Try to delete some unused endpoints in this subscription. Alternatively, follow [How to manage quotas](how-to-manage-quotas.md#endpoint-quota-increases) to request endpoint quota increase.

-Adjust your request in the cluster, you can directly [adjust resource request of the instance type](how-to-manage-kubernetes-instance-types.md).

-##### Container can't be scheduled

-When you are deploying a model to a Kubernetes compute target, Azure Machine Learning will attempt to schedule the service with the requested amount of resources. If there are no nodes available in the cluster with the appropriate amount of resources after 5 minutes, the deployment will fail. The failure message is `Couldn't Schedule because the kubernetes cluster didn't have available resources after trying for 00:05:00`. You can address this error by either adding more nodes, changing the SKU of your nodes, or changing the resource requirements of your service.

-The error message will typically indicate which resource you need more of - for instance, if you see an error message indicating `0/3 nodes are available: 3 Insufficient nvidia.com/gpu` that means that the service requires GPUs and there are three nodes in the cluster that don't have available GPUs. This could be addressed by adding more nodes if you're using a GPU SKU, switching to a GPU enabled SKU if you aren't or changing your environment to not require GPUs.

-### ERROR: OutOfCapacity

-For managed online endpoint, the specified VM Size failed to provision due to a lack of Azure Machine Learning capacity. Retry later or try deploying to a different region.

-> [!NOTE]

-* SDK v2: Below is a sample AutoML classification task. For the entire code, check out our [examples repo](https://github.com/Azure/azureml-examples/blob/main/sdk/python/jobs/automl-standalone-jobs/automl-classification-task-bankmarketing/automl-classification-task-bankmarketing-mlflow.ipynb).

-1. In the Microsoft Azure portal, navigate to the Azure Data Lake Storage (ADLS) Gen 2 storage account page

-> Data wrangling with a Managed (Automatic) Spark compute, and user identity passthrough for data access in a Azure Data Lake Storage (ADLS) Gen 2 storage account, both require the lowest number of configuration steps.

-The data wrangling code shown here uses the `titanic.csv` file, available [here](https://github.com/Azure/azureml-examples/blob/main/sdk/python/jobs/spark/data/titanic.csv). Upload this file to a container created in the Azure Data Lake Storage (ADLS) Gen 2 storage account. This Python code snippet shows interactive data wrangling with an Azure Machine Learning Managed (Automatic) Spark compute, user identity passthrough, and an input/output data URI, in format `abfss://<FILE_SYSTEM_NAME>@<STORAGE_ACCOUNT_NAME>.dfs.core.windows.net/<PATH_TO_DATA>`:

-In this quickstart guide, you'll learn how to submit a Spark job using Azure Machine Learning Managed (Automatic) Spark compute, Azure Data Lake Storage (ADLS) Gen 2 storage account, and user identity passthrough in a few simple steps.

-See [this resource](./apache-spark-azure-ml-concepts.md) for more information about **Apache Spark in Azure Machine Learning** concepts.

-1. Navigate to the Azure Data Lake Storage (ADLS) Gen 2 storage account page in the Microsoft Azure portal.

-> - Please ensure that `titanic.py` file is uploaded to a folder named `src`. The `src` folder should be located in the same directory where you have created the Python script/notebook or the YAML specification file defining the standalone Spark job.

-The above script takes two arguments `--titanic_data` and `--wrangled_data`, which pass the path of input data and output folder respectively. The script uses `titanic.csv` file, which can be [found here](https://github.com/Azure/azureml-examples/blob/main/sdk/python/jobs/spark/data/titanic.csv). This file should be uploaded to the Azure Data Lake Storage (ADLS) Gen 2 storage account.

-This example YAML specification shows a standalone Spark job. It uses an Azure Machine Learning Managed (Automatic) Spark compute, user identity passthrough, and input/output data URI in format `abfss://<FILE_SYSTEM_NAME>@<STORAGE_ACCOUNT_NAME>.dfs.core.windows.net/<PATH_TO_DATA>`:

-This Python code snippet shows the creation of a standalone Spark job, with an Azure Machine Learning Managed (Automatic) Spark compute, user identity passthrough, and input/output data URI in format `abfss://<FILE_SYSTEM_NAME>@<STORAGE_ACCOUNT_NAME>.dfs.core.windows.net/<PATH_TO_DATA>`:

- :::image type="content" source="media/quickstart-spark-jobs/create-standalone-spark-job-compute.png" lightbox="media/quickstart-spark-jobs/create-standalone-spark-job-compute.png" alt-text="Expandable screenshot showing compute selection screen for a new Spark job in Azure Machine Learning studio UI.":::

- 5. Enter an Azure Data Lake Storage (ADLS) Gen 2 data URI for `titanic.csv` file in format `abfss://<FILE_SYSTEM_NAME>@<STORAGE_ACCOUNT_NAME>.dfs.core.windows.net/<PATH_TO_DATA>`.

- 3. For **Output URI destination**, enter an Azure Data Lake Storage (ADLS) Gen 2 folder URI in format `abfss://<FILE_SYSTEM_NAME>@<STORAGE_ACCOUNT_NAME>.dfs.core.windows.net/<PATH_TO_DATA>`.

-> You may have an existing Synapse Spark pool in your Azure Synapse workspace. If you want to use an existing Synapse Spark pool, please follow the instructions to [attach a Synapse Spark pool in Azure Machine Learning workspace](./how-to-manage-synapse-spark-pool.md).

-Azure AD Conditional Access can be used to further control or restrict access to the workspace for each authentication workflow. For example, an admin can allow workspace access from managed devices only.

-As an administrator, you can enforce [Azure AD Conditional Access policies](../../active-directory/conditional-access/overview.md) for users signing in to the workspace. For example, you

-can require two-factor authentication, or allow sign in only from managed devices. To use Conditional Access for Azure Machine Learning workspaces specifically, [assign the Conditional Access policy](../../active-directory/conditional-access/concept-conditional-access-cloud-apps.md) to Machine Learning Cloud app.

-tags: azure-resource-manager

-# Customer intent: I need to diagnose virtual machine (VM) network routing problem that prevents communication to different destinations.

-When you deploy a virtual machine (VM), Azure creates several default routes for it. You may create custom routes to override Azure's default routes. Sometimes, a custom route can result in a VM not being able to communicate with other resources. In this tutorial, you learn how to:

-> * Create a VM

-> * Test communication to a URL using the next hop capability of Network Watcher

-> * Test communication to an IP address

-> * Diagnose a routing problem, and learn how you can resolve it

-If you prefer, you can diagnose a virtual machine network routing problem using the [Azure CLI](diagnose-vm-network-routing-problem-cli.md) or [Azure PowerShell](diagnose-vm-network-routing-problem-powershell.md).

-## Log in to Azure

-Log in to the Azure portal at https://portal.azure.com.

-## Create a VM

-1. Select **+ Create a resource** found on the upper-left corner of the Azure portal.

-2. Select **Compute** and then select **Windows Server 2016 Datacenter** or **Ubuntu Server 17.10 VM**.

-3. Enter, or select, the following information, accept the defaults for the remaining settings, and then select **OK**:

- |Setting|Value|

- |||

- |Name|myVm|

- |User name| Enter a user name of your choosing.|

- |Password| Enter a password of your choosing. The password must be at least 12 characters long and meet the [defined complexity requirements](../virtual-machines/windows/faq.yml?toc=%2fazure%2fnetwork-watcher%2ftoc.json#what-are-the-password-requirements-when-creating-a-vm-).|

- |Subscription| Select your subscription.|

- |Resource group| Select **Create new** and enter **myResourceGroup**.|

- |Location| Select **East US**|

-4. Select a size for the VM and then select **Select**.

-5. Under **Settings**, accept all the defaults, and select **OK**.

-6. Under **Create** of the **Summary**, select **Create** to start VM deployment. The VM takes a few minutes to deploy. Wait for the VM to finish deploying before continuing with the remaining steps.

-## Test network communication

-To test network communication with Network Watcher, you must first enable a network watcher in at least one Azure region and then use Network Watcher's next hop capability to test communication.

-### Enable network watcher

-If you already have a network watcher enabled in at least one region, skip to [Use next hop](#use-next-hop).

-1. In the portal, select **All services**. In the **Filter box**, enter *Network Watcher*. When **Network Watcher** appears in the results, select it.

-2. Select **Regions**, to expand it, and then select **...** to the right of **East US**, as shown in the following picture:

- 

-3. Select **Enable Network Watcher**.

-### Use next hop

-Azure automatically creates routes to default destinations. You may create custom routes that override the default routes. Sometimes, custom routes can cause communication to fail. Use the next hop capability of Network Watcher to determine which route Azure is using to route traffic.

-1. In the Azure portal, select **Next hop** under **Network Watcher**.

-2. Select your subscription, enter or select the following values, and then select **Next hop**, as shown in the picture that follows:

- |Setting |Value |

- | | |

- | Resource group | Select myResourceGroup |

- | Virtual machine | Select myVm |

- | Network interface | myvm - Your network interface name may be different. |

- | Source IP address | 10.0.0.4 |

- | Destination IP address | 13.107.21.200 - One of the addresses for <www.bing.com>. |

- 

- After a few seconds, the result informs you that the next hop type is **Internet** and that the **Route table ID** is **System Route**. This result lets you know that there is a valid system route to the destination.

-3. Change the **Destination IP address** to *172.31.0.100* and select **Next hop** again. The result returned informs you that **None** is the **Next hop type** and that the **Route table ID** is also **System Route**. This result lets you know that, while there is a valid system route to the destination, there is no next hop to route the traffic to the destination.

-1. To analyze routing further, review the effective routes for the network interface. In the search box at the top of the portal, enter *myvm* (or whatever the name was of the network interface you checked). When **myvm** appears in the search results, select it.

-2. Select **Effective routes** under **SUPPORT + TROUBLESHOOTING**, as shown in the following picture:

- 

- When you ran the test using 13.107.21.200 in [Use next hop](#use-next-hop), the route with the address prefix 0.0.0.0/0 was used to route traffic to the address since no other route includes the address. By default, all addresses not specified within the address prefix of another route are routed to the internet.

- However, when you ran the test using 172.31.0.100, the result informed you that there was no next hop type. As you can see in the previous picture, though there is a default route to the 172.16.0.0/12 prefix, which includes the 172.31.0.100 address, the **NEXT HOP TYPE** is **None**. Azure creates a default route to 172.16.0.0/12 but doesn't specify a next hop type until there is a reason to. If, for example, you added the 172.16.0.0/12 address range to the address space of the virtual network, Azure changes the **NEXT HOP TYPE** to **Virtual network** for the route. A check would then show **Virtual network** as the **NEXT HOP TYPE**.

-1. Enter *myResourceGroup* in the **Search** box at the top of the portal. When you see **myResourceGroup** in the search results, select it.

-In this tutorial, you created a VM and diagnosed network routing from the VM. You learned that Azure creates several default routes and tested routing to two different destinations. Learn more about [routing in Azure](../virtual-network/virtual-networks-udr-overview.md?toc=%2fazure%2fnetwork-watcher%2ftoc.json) and how to [create custom routes](../virtual-network/manage-route-table.md?toc=%2fazure%2fnetwork-watcher%2ftoc.json#create-a-route).

-For outbound VM connections, you can also determine the latency, allowed and denied network traffic between the VM and an endpoint, and the route used to an endpoint, using Network Watcher's [connection troubleshoot](network-watcher-connectivity-portal.md) capability. Learn how you can monitor communication between a VM and an endpoint, such as an IP address or URL, over time using the Network Watcher connection monitor capability.

-To install TimescaleDB, you need to include it in the server's shared preload libraries. A change to Postgres's `shared_preload_libraries` parameter requires a **server restart** to take effect. You can change parameters using the [Azure portal](howto-configure-server-parameters-using-portal.md) or the [Azure CLI](howto-configure-server-parameters-using-cli.md).

-1. Create a storage account for diagnostics.

- 1. [Create a storage account](../storage/common/storage-account-create.md) with the following additional configuration:

- 1. In the **Advanced** tab, select **Enable storage account key access**. This will allow your support representative to download traces stored in this account using the URLs you share with them.

- 1. In the **Data protection** tab, under **Access control**, select **Enable version-level immutability support**. This will allow you to specify a time-based retention policy for the account in the next step.

- > Make sure same User-assigned identity is used during site creation.

-1. Enter the **Storage account blob URL** that was configured for diagnostics storage. For example:

- `https://storageaccount.blob.core.windows.net/diags/diagsPackage_1.zip`

- - If an invalid storage account blob URL was passed, the request will be rejected and report **400 Bad Request**. Repeat the process with the correct storage account blob URL.

-description: Step-by-step guide on provisioning access to Azure Arc-enabled SQL Server through Microsoft Purview DevOps policies

-# Provision access to system metadata in Azure Arc-enabled SQL Server

-[DevOps policies](concept-policies-devops.md) are a type of Microsoft Purview access policies. They allow you to manage access to system metadata on data sources that have been registered for *Data use management* in Microsoft Purview. These policies are configured directly in the Microsoft Purview governance portal, and after being saved they get automatically published and then get enforced by the data source.

-This how-to guide covers how to provision access from Microsoft Purview to Azure Arc-enabled SQL Server system metadata (DMVs and DMFs) *SQL Performance Monitoring* or *SQL Security Auditing* actions. Microsoft Purview access policies apply to Azure AD Accounts only.

-description: Step-by-step guide on provisioning access through Microsoft Purview DevOps policies

-[DevOps policies](concept-policies-devops.md) are a type of Microsoft Purview access policies. They allow you to manage access to system metadata on data sources that have been registered for *Data use management* in Microsoft Purview. These policies are configured directly in the Microsoft Purview governance portal, and after being saved they get automatically published and then get enforced by the data source.

-This how-to guide covers how to provision access from Microsoft Purview to SQL-type data sources via *SQL Performance Monitoring* or *SQL Security Auditing* actions. Microsoft Purview access policies apply to Azure AD Accounts only.

-description: Step-by-step guide on provisioning access to Azure SQL Database through Microsoft Purview DevOps policies

-[DevOps policies](concept-policies-devops.md) are a type of Microsoft Purview access policies. They allow you to manage access to system metadata on data sources that have been registered for *Data use management* in Microsoft Purview. These policies are configured directly in the Microsoft Purview governance portal, and after being saved they get automatically published and then get enforced by the data source.

-This how-to guide covers how to provision access from Microsoft Purview to Azure SQL Database system metadata (DMVs and DMFs) via *SQL Performance Monitoring* or *SQL Security Auditing* actions. Microsoft Purview access policies apply to Azure AD Accounts only.

-description: Step-by-step guide showing how to provision access to entire resource groups and subscriptions through Microsoft Purview DevOps policies

-[DevOps policies](concept-policies-devops.md) are a type of Microsoft Purview access policies. They allow you to manage access to system metadata (DMVs and DMFs) via *SQL Performance Monitoring* or *SQL Security Auditing* actions. They can be created only on data sources that have been registered for *Data use management* in Microsoft Purview. These policies are configured directly in the Microsoft Purview governance portal, and after being saved they get automatically published and then get enforced by the data source. Microsoft Purview access policies apply to Azure AD Accounts only.

-In this guide we cover how to register an entire resource group or subscription and then create a single policy that will manage access to **all** data sources in that resource group or subscription. That single policy will cover all existing data sources and any data sources that are created afterwards.

->[!NOTE]

->Supported version for SAP HANA is 15.

-Azure is a cloud computing platform and infrastructure for building, deploying, and managing applications and services through a network of datacenters. Microsoft manages these datacenters. Based on the number of resources you specify, Azure creates virtual machines (VMs) based on resource need. These VMs run on an Azure hypervisor, which is designed for use in the cloud and is not accessible to the public.

-On each Azure physical server node, there is a hypervisor that runs directly over the hardware. The hypervisor divides a node into a variable number of guest VMs. Each node also has one root VM, which runs the host operating system. Windows Firewall is enabled on each VM. You define which ports are addressable by configuring the service definition file. These ports are the only ones open and addressable, internally or externally. All traffic and access to the disk and network is mediated by the hypervisor and root operating system.

-At the host layer, Azure VMs run a customized and hardened version of the latest Windows Server. Azure uses a version of Windows Server that includes only those components necessary to host VMs. This improves performance and reduces attack surface. Machine boundaries are enforced by the hypervisor, which doesnΓÇÖt depend on the operating system security.

-The host and native FC-managed operating systems are designed for use in the cloud, and are not publicly accessible.

-Various engineering groups, known as service teams, manage the support of the Azure service. Each service team is responsible for an area of support for Azure. Each service team must make an engineer available 24x7 to investigate and resolve failures in the service. Service teams do not, by default, have physical access to the hardware operating in Azure.

-| Azure datacenter engineer | Internal | No access to customer data | Manage the physical security of the premises. Conduct patrols in and out of the datacenter, and monitor all entry points. Escort into and out of the datacenter certain non-cleared personnel who provide general services (such as dining or cleaning) or IT work within the datacenter. Conduct routine monitoring and maintenance of network hardware. Perform incident management and break-fix work by using a variety of tools. Conduct routine monitoring and maintenance of the physical hardware in the datacenters. Access to environment on demand from property owners. Capable to perform forensic investigations, log incident reports, and require mandatory security training and policy requirements. Operational ownership and maintenance of critical security tools, such as scanners and log collection. | Persistent access to the environment. |

-Microsoft uses encryption based on the FCΓÇÖs master identity public key. This occurs at FC setup and FC reconfiguration times, to transfer the credentials used to access networking hardware devices. When the FC needs the credentials, the FC retrieves and decrypts them.

-Web applications are increasingly targets of malicious attacks that exploit common known vulnerabilities. Common among these exploits are SQL injection attacks, cross site scripting attacks to name a few. Preventing such attacks in application code can be challenging and may require rigorous maintenance, patching and monitoring at many layers of the application topology. A centralized web application firewall helps make security management much simpler and gives better assurance to application administrators against threats or intrusions. A WAF solution can also react to a security threat faster by patching a known vulnerability at a central location versus securing each of individual web applications. Existing application gateways can be converted to a web application firewall enabled application gateway easily.

-[Web application firewall (WAF)](../../web-application-firewall/afds/afds-overview.md) is a feature of Application Gateway that provides centralized protection of your web applications from common exploits and vulnerabilities. WAF is based on rules from the [Open Web Application Security Project (OWASP) core rule sets](https://owasp.org/www-project-modsecurity-core-rule-set/) 3.0 or 2.2.9.

-[Rollup 61](https://support.microsoft.com/topic/update-rollup-61-for-azure-site-recovery-kb5012960-a1cc029b-03ad-446f-9365-a00b41025d39) | 9.48.6349.1 | 5.1.7387.0 | 9.48.6349.1 | 5.1.7387.0 | 2.0.9245.0

-**VMware VM/physical disaster recovery to Azure** | Added support for Debian 11 and SUSE Linux Enterprise Server 15 SP 4 Linux distro.<br/><br/> Added Modernized VMware to Azure DR support for government clouds. [Learn more](deploy-vmware-azure-replication-appliance-modernized.md#allow-urls-for-government-clouds).

-An authorized `BlobServiceClient` object allows your app to interact with resources at the storage account level.

-A common scenario is to instantiate a single service client, then create container clients and blob clients from the service client, as needed. `BlobServiceClient` provides methods to retrieve and configure account properties, as well as list, create, and delete containers within the storage account. This client object is the starting point for interacting with resources in the storage account.

-To work with a specific container or blob, you can use the `BlobServiceClient` object to create a [container client](#create-a-blobcontainerclient-object) or [blob client](#create-a-blobclient-object). Clients created from a `BlobServiceClient` will inherit its client configuration, including client options and credentials.

-To connect to Blob Storage, create an instance of the [BlobServiceClient](/dotnet/api/azure.storage.blobs.blobserviceclient) class. This object is your starting point. You can use it to operate on the blob service instance and its containers. You can authorize access and create a [BlobServiceClient](/dotnet/api/azure.storage.blobs.blobserviceclient) object by using an Azure Active Directory (Azure AD) authorization token, an account access key, or a shared access signature (SAS).

-| Local machine (developing and testing) | User identity | In this method, a developer must be signed-in to Azure from either Visual Studio, the Azure Tools extension for VS Code, the Azure CLI, or Azure PowerShell on their local workstation. The application then can access the developer's credentials from the credential store and use those credentials to access Azure resources from the app.<br><br>This method has the advantage of easier setup since a developer only needs to sign in to their Azure account from Visual Studio, VS Code or the Azure CLI. The disadvantage of this approach is that the developer's account likely has more permissions than required by the application, therefore not properly replicating the permissions the app will run with in production.<br><br>[Authorize access using developer credentials](/dotnet/azure/sdk/authentication-local-development-dev-accounts?toc=/azure/storage/blobs/toc.json&bc=/azure/storage/blobs/breadcrumb/toc.json) |

-The easiest way to authorize access and connect to Blob Storage is to obtain an OAuth token by creating a [DefaultAzureCredential](/dotnet/api/azure.identity.defaultazurecredential) instance. You can then use that credential to create a [BlobServiceClient](/dotnet/api/azure.storage.blobs.blobserviceclient) object.

-## [SAS token](#tab/sas-token)

-Create a [Uri](/dotnet/api/system.uri) by using the blob service endpoint and SAS token. Then, create a [BlobServiceClient](/dotnet/api/azure.storage.blobs.blobserviceclient) by using the [Uri](/dotnet/api/system.uri).

-```csharp

-public static void GetBlobServiceClientSAS(ref BlobServiceClient blobServiceClient,

- string accountName, string sasToken)

-{

- string blobUri = "https://" + accountName + ".blob.core.windows.net";

- blobServiceClient = new BlobServiceClient

- (new Uri($"{blobUri}?{sasToken}"), null);

-}

-```

-To generate and manage SAS tokens, see any of these articles:

-To connect to Blob Storage, create an instance of the [BlobServiceClient](/java/api/com.azure.storage.blob.blobserviceclient) class. This object is your starting point. You can use it to operate on the blob service instance and its containers. You can create a `BlobServiceClient` object by using an Azure Active Directory (Azure AD) authorization token, an account access key, or a shared access signature (SAS).

-To learn more about each of these authorization mechanisms, see [Authorize access to data in Azure Storage](../common/authorize-data-access.md).

-| Local machine (developing and testing) | User identity | In this method, a developer must be signed-in to Azure from either the Azure Tools extension for VS Code, the Azure CLI, or Azure PowerShell on their local workstation. The application then can access the developer's credentials from the credential store and use those credentials to access Azure resources from the app.<br><br>This method has the advantage of easier setup since a developer only needs to sign in to their Azure account from VS Code or the Azure CLI. The disadvantage of this approach is that the developer's account likely has more permissions than required by the application, therefore not properly replicating the permissions the app will run with in production.<br><br>To learn how to set up an Azure AD group, assign roles, and sign in to Azure, see [Authorize access using developer credentials](/dotnet/azure/sdk/authentication-local-development-dev-accounts?toc=/azure/storage/blobs/toc.json&bc=/azure/storage/blobs/breadcrumb/toc.json). To authorize access and connect to Blob Storage using `DefaultAzureCredential`, see the code example in the [next section](#authorize-access-using-defaultazurecredential). |

-The easiest way to authorize access and connect to Blob Storage is to obtain an OAuth token by creating a [DefaultAzureCredential](/java/api/com.azure.identity.defaultazurecredential) instance. You can then use that credential to create a [BlobServiceClient](/java/api/com.azure.storage.blob.blobserviceclient) object.

-The following example uses [BlobServiceClientBuilder](/java/api/com.azure.storage.blob.blobserviceclientbuilder) to build a [BlobServiceClient](/java/api/com.azure.storage.blob.blobserviceclient) object using `DefaultAzureCredential`:

-| [Manage properties and metadata (blobs)](storage-blob-properties-metadata-java.md) | Get and set properties and metadata for blobs. |

-To connect to Blob Storage, create an instance of the [BlobServiceClient](/python/api/azure-storage-blob/azure.storage.blob.blobserviceclient) class. This object is your starting point. You can use it to operate on the blob service instance and its containers. You can create a `BlobServiceClient` object by using an Azure Active Directory (Azure AD) authorization token, an account access key, or a shared access signature (SAS).

-To learn more about each of these authorization mechanisms, see [Authorize access to data in Azure Storage](../common/authorize-data-access.md).

-The easiest way to authorize access and connect to Blob Storage is to obtain an OAuth token by creating a [DefaultAzureCredential](/python/api/azure-identity/azure.identity.defaultazurecredential) instance. You can then use that credential to create a [BlobServiceClient](/python/api/azure-storage-blob/azure.storage.blob.blobserviceclient) object.

-## [SAS token](#tab/sas-token)

-To use a shared access signature (SAS) token, provide the token as a string and initialize a [BlobServiceClient](/python/api/azure-storage-blob/azure.storage.blob.blobserviceclient) object. If your account URL includes the SAS token, omit the credential parameter.

-To generate and manage SAS tokens, see [Grant limited access to Azure Storage resources using shared access signatures (SAS)](../common/storage-sas-overview.md?toc=/azure/storage/blobs/toc.json).

-Disallowing Shared Key access for a storage account does not affect SMB connections to Azure Files.

-# What is Delta Lake

-| **ACID Transactions** | Data lakes are typically populated via multiple processes and pipelines, some of which are writing data concurrently with reads. Prior to Delta Lake and the addition of transactions, data engineers had to go through a manual error prone process to ensure data integrity. Delta Lake brings familiar ACID transactions to data lakes. It provides serializability, the strongest level of isolation level. Learn more at [Diving into Delta Lake: Unpacking the Transaction Log](https://databricks.com/blog/2019/08/21/diving-into-delta-lake-unpacking-the-transaction-log.html).|

-| **Scalable Metadata Handling** | In big data, even the metadata itself can be "big data". Delta Lake treats metadata just like data, leveraging Spark's distributed processing power to handle all its metadata. As a result, Delta Lake can handle petabyte-scale tables with billions of partitions and files at ease. |

-| **100% Compatible with Apache Spark API** | Developers can use Delta Lake with their existing data pipelines with minimal change as it is fully compatible with existing Spark implementations. |

-### Manually set a device-wide Internet Explorer proxy

-You can set a device-wide proxy or Proxy Auto Configuration (.PAC) file that applies to all interactive, LocalSystem, and NetworkService users with the [Network Proxy CSP](/windows/client-management/mdm/networkproxy-csp).

-You can also configure the proxy server for the local system account by running the following **bitsadmin** command, as shown in the following example:

-bitsadmin /util /setieproxy LOCALSYSTEM AUTOSCRIPT http://server/proxy.pac

-1. If the client has a direct connection to the session host, the client establishes a secure TLS connection.

-1. After the initial packet exchange, the client and session host may establish one or many data flows. From these data flows, RDP chooses the fastest network path. The client then establishes a secure TLS connection with the session host and initiates RDP Shortpath transport.

-| STUN/TURN UDP | VM subnet | Any | 20.202.0.0/16 | 3478-3481 | UDP | Allow |

-| STUN/TURN UDP | Client network | Any | 20.202.0.0/16 | 3478-3481 | UDP | Allow |

-RDP Shortpath uses a TLS connection between the client and the session host using the session host's certificates. By default, the certificate used for RDP encryption is self-generated by the operating system during the deployment. RDP Shortpath uses a TLS connection between the client and the session host using the session host's certificates. By default, the certificate used for RDP encryption is self-generated by the operating system during the deployment. You can also deploy centrally managed certificates issued by an enterprise certification authority. For more information about certificate configurations, see [Remote Desktop listener certificate configurations](/troubleshoot/windows-server/remote/remote-desktop-listener-certificate-configurations).

-> The security offered by RDP Shortpath is the same as that offered by reverse connect transport.

-After you've signed in, make sure everything works by testing a few Azure Virtual Desktop PowerShell cmdlets with the service principal.

-# Convert Azure managed disks storage from Standard to Premium or Premium to Standard

-# Update the storage type of a managed disk

-tags:

-> This is a simple deployment of a VPN Gateway. For advanced configuration and setup, see [Tutorial: Create and manage a VPN gateway using Azure portal](../../vpn-gateway/tutorial-create-gateway-portal.md).

-> For more information on Azure VPN Gateway, see [What is VPN Gateway?](../../vpn-gateway/vpn-gateway-about-vpngateways.md).

-VPN gateway doesn't support changing the public IP address after creation.

-In this article, you learned how to create a VPN Gateway using an existing public IP address.

-2. In the search box at the top of the portal, enter **NAT gateway**. Select **NAT gateways** in the search results.

-3. Select **+ Create**.

-4. In **Create network address translation (NAT) gateway**, enter or select this information in the **Basics** tab:

- | Idle timeout (minutes) | Enter **10**. |

-5. Select the **Outbound IP** tab, or select the **Next: Outbound IP** button at the bottom of the page.

-6. In the **Outbound IP** tab, enter or select the following information:

-7. Select the **Review + create** tab, or select the blue **Review + create** button at the bottom of the page.

-8. Select **Create**.

-2. Select **Create**.

-3. In **Create virtual network**, enter or select this information in the **Basics** tab:

-4. Select the **IP Addresses** tab or select the **Next: IP Addresses** button at the bottom of the page.

-5. Accept the default IPv4 address space of **10.1.0.0/16**.

-6. In the subnet section in **Subnet name**, select the **default** subnet.

-7. In **Edit subnet**, enter this information:

- | Subnet name | Enter **mySubnet** |

- | Subnet address range | Enter **10.1.0.0/24** |

- | **NAT GATEWAY** |

-8. Select **Save**.

-9. Select the **Security** tab.

-10. Under **BastionHost**, select **Enable**. Enter this information:

- | Bastion name | Enter **myBastionHost** |

- | AzureBastionSubnet address space | Enter **10.1.1.0/26** |

- | Public IP Address | Select **Create new**. </br> For **Name**, enter **myBastionIP**. </br> Select **OK**. |

-11. Select the **Review + create** tab or select the **Review + create** button.

-12. Select **Create**.

-2. Select **+ Create** > **Azure virtual machine**.

-2. In the **Create a virtual machine** page in the **Basics** tab, enter, or select the following information:

-3. Select the **Disks** tab, or select the **Next: Disks** button at the bottom of the page.

-4. Leave the default in the **Disks** tab.

-5. Select the **Networking** tab, or select the **Next: Networking** button at the bottom of the page.

-6. In the **Networking** tab, enter or select the following information:

-7. Select the **Review + create** tab, or select the blue **Review + create** button at the bottom of the page.

-8. Select **Create**.

-2. Select **myPublicIP**.

-3. Make note of the public IP address:

-4. In the search box at the top of the portal, enter **Virtual machine**. Select **Virtual machines** in the search results.

-5. Select **myVM**.

-4. On the **Overview** page, select **Connect**, then **Bastion**.

-6. Enter the username and password entered during VM creation. Select **Connect**.

-7. Open **Microsoft Edge** on **myTestVM**.

-8. Enter **https://whatsmyip.com** in the address bar.

-9. Verify the IP address displayed matches the NAT gateway address you noted in the previous step:

-2. Select the **myResourceGroupNAT** resource group.

-3. Select **Delete resource group**.

-4. Enter **myResourceGroupNAT** and select **Delete**.

-tags:

-tags:

-tags:

-# Configure IPv6 frontend in virtual network script sample with Standard Load Balancer(preview)