+You can optionally include protocol message extension elements that are agreed to by both Azure AD B2C and your identity provider. The extension is presented in XML format. You include extension elements by adding XML data inside the CDATA element `<![CDATA[Your Custom XML]]>`. Check your identity providerΓÇÖs documentation to see if the extensions element is supported.

+ Title: 'Provisioning insights workbook'

+description: This article describes the Azure Monitor workbook for provisioning.

+# Provisioning insights workbook

+The Provisioning workbook provides a flexible canvas for data analysis. This workbook brings together all of the provisioning logs from various sources and allows you to gain insight, in a single area. The workbook allows you to create rich visual reports within the Azure portal. To learn more, see Azure Monitor Workbooks overview.

+This workbook is intended for Hybrid Identity Admins who use provisioning to sync users from various data sources to various data repositories. It allows admins to gain insights into sync status and details.

+This workbook:

+- Provides a synchronization summary of users and groups synchronized from all of you provisioning sources to targets

+- Provides and aggregated and detailed view of information captured by the provisioning logs.

+- Allows you to customize the data to tailor it to your specific needs

+## Enabling provisioning logs

+You should already be familiar with Azure monitoring and Log Analytics. If not, jump over to learn about them and then come back to learn about application provisioning logs. To learn more about Azure monitoring, see [Azure Monitor overview](../../azure-monitor/overview.md). To learn more about Azure Monitor logs and Log Analytics, see [Overview of log queries in Azure Monitor](../../azure-monitor/logs/log-query-overview.md) and [Provisioning Logs for troubleshooting cloud sync](../cloud-sync/how-to-troubleshoot.md).

+## Source and Target

+At the top of the workbook, using the drop-down, specify the source and target identities.

+Theses fields are the source and target of identities. The rest of the filters that appear are based on the selection of source and target.

+You can scope your search so that it is more granular using the additional fields. Use the table below as a reference for queries.

+For example, if you wanted to see data from your cloud sync workflow, your source would be Active Directory and your target would be Azure AD.

+>[!NOTE]

+>Source and target are required. If you do not select a source and target, you won't see any data.

+|Field|Description|

+|--|--|

+|Source|The provisioning source repository|

+|Target|The provisioning target repository|

+|Time Range|The range of provisioning information you want to view. This can be anywhere from 4 hours to 90 days. You can also set a custom value.|

+|Status|View the provisioning status such as Success or Skipped.|

+|Action|View the provisioning actions taken such as Create or Delete.|

+|App Name|Allows you to filter by the application name. In the case of Active Directory, you can filter by domains.|

+|Job Id|Allows you to target specific Job Ids.|

+|Sync type|Filter by type of synchronization such as object or password.|

+>[!NOTE]

+> All of the charts and grids in Sync Summary, Sync Details, and Sync Details by grid, change based on source,target and the parameter selections.

+## Sync Summary

+The sync summary section provides a summary of your organizations synchronization activities. These activities include:

+ - Total synced objects by type

+ - Provisioning events by action

+ - Provisioning events by status

+ - Unique sync count by status

+ - Provisioning success rate

+ - Top provisioning errors

+ :::image type="content" source="media/provisioning-workbook/sync-summary-1.png" alt-text="Screenshot of the synchronization summary." lightbox="media/provisioning-workbook/sync-summary-1.png":::

+## Sync details

+The sync details tab allows you to drill into the synchronization data and get more information. This information includes:

+ - Objects sync by status

+ - Objects synced by action

+ - Sync log details

+

+ >[!NOTE]

+ >The grid is filterable on any of the above filters but you can also click the tiles under under **Objects synced by Status** and **Action**.

+

+ :::image type="content" source="media/provisioning-workbook/sync-details-1.png" alt-text="Screenshot of the synchronization details." lightbox="media/provisioning-workbook/sync-details-1.png":::

+You can further drill in to the sync log details for additional information.

+>[!NOTE]

+>Clicking on the Source ID it will dive deeper and provide more information on the synchronized object.

+

+## Sync details by cycle

+The sync details by cycle tab allow you to get more granular with the synchronization data. This information includes:

+ - Objects sync by status

+ - Objects synced by action

+ - Sync log details

+

+ :::image type="content" source="media/provisioning-workbook/sync-details-2.png" alt-text="Screenshot of the synchronization details by cycle tab." lightbox="media/provisioning-workbook/sync-details-2.png":::

+You can further drill in to the sync log details for additional information.

+>[!NOTE]

+>The grid is filterable on any of the above filters but you can also click the tiles under under **Objects synced by Status** and **Action**.

+## Single user view

+The user provisioning view tab allows you to get synchronization data on individual users.

+>[!NOTE]

+>This section does not involve using source and target.

+In this section, you enter a time range and select a specific user to see which applications a user has been provisioned or deprovisioned in.

+Once you select a time range, it will filter for users that have events in that time range.

+To target a specific user, you can add one of the following parameters, for that user.

+ - UPN

+ - UserID

+

+

+## Details

+By clicking on the Source ID in the **Sync details** or the **Sync details by cycle** views, you can see additional information on the object synchronized.

+## Custom queries

+You can create custom queries and show the data on Azure dashboards. To learn how, see [Create and share dashboards of Log Analytics data](../../azure-monitor/logs/get-started-queries.md). Also, be sure to check out [Overview of log queries in Azure Monitor](../../azure-monitor/logs/log-query-overview.md).

+## Custom alerts

+Azure Monitor lets you configure custom alerts so that you can get notified about key events related to Provisioning. For example, you might want to receive an alert on spikes in failures. Or perhaps spikes in disables or deletes. Another example of where you might want to be alerted is a lack of any provisioning, which indicates something is wrong.

+To learn more about alerts, see [Azure Monitor Log Alerts](../../azure-monitor/alerts/alerts-log.md).

+## Next steps

+- [What is provisioning?](../cloud-sync/what-is-provisioning.md)

+- [Error codes](../cloud-sync/reference-error-codes.md)

+For detailed guidance on developing a SCIM endpoint to automate the provisioning and deprovisioning of users and groups to an application, see [Build a SCIM endpoint and configure user provisioning](use-scim-to-provision-users-and-groups.md). Many applications integrate directly with Azure Active Directory. Some examples include Slack, Azure Databricks, and Snowflake. For these apps, skip the developer documentation and use the tutorials provided in [Tutorials for integrating SaaS applications with Azure Active Directory](../../active-directory/saas-apps/tutorial-list.md).

+* **Manual** provisioning means there's no automatic Azure AD provisioning connector for the app yet. You must create them manually. Examples are adding users directly into the app's administrative portal or uploading a spreadsheet with user account detail. Consult the documentation provided by the app, or contact the app developer to determine what mechanisms are available.

+* **Automatic** means that an Azure AD provisioning connector is available this application. Follow the setup tutorial specific to setting up provisioning for the application. Find the app tutorials at [Tutorials for integrating SaaS applications with Azure Active Directory](../../active-directory/saas-apps/tutorial-list.md).

+The number of applications used in modern organizations continues to grow. IT admins must manage access management at scale. Admins use standards such as SAML or OIDC for single sign-on (SSO), but access also requires users to be provisioned into the app. To many admins, provisioning means manually creating every user account or uploading CSV files each week. These processes are time-consuming, expensive, and error prone. Solutions such as SAML just-in-time (JIT) have been adopted to automate provisioning. Enterprises also need a solution to deprovision users when they leave the organization or no longer require access to certain apps based on role change.

+For pre-integrated applications listed in the gallery, use existing step-by-step guidance to set up automatic provisioning, see [Tutorials for integrating SaaS applications with Azure Active Directory](../saas-apps/tutorial-list.md). The following video shows you how to set up automatic user provisioning for SalesForce.

+>[!IMPORTANT]

+> If a user supplies a username login hint (X509UserNameHint), the value provided **MUST** be in UPN Format.

+Federated deployments that use AD FS 2016 and AD FS 2019 can enable similar benefits using [AD FS Extranet Lockout and Extranet Smart Lockout](/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-smart-lockout-protection). It is recommended to move to [managed authentication](https://www.microsoft.com/security/business/identity-access/upgrade-adfs).

+* Lockout state across Azure AD data centers is synchronized. However, the total number of failed sign-in attempts allowed before an account is locked out will have slight variance from the configured lockout threshold. Once an account is locked out, it will be locked out everywhere across all Azure AD data centers.

+* Smart Lockout uses familiar location vs unfamiliar location to differentiate between a bad actor and the genuine user. Both unfamiliar and familiar locations have separate lockout counters.

+1. Sign in to the [Entra portal](https://entra.microsoft.com/#home).

+When you test smart lockout, your sign-in requests might be handled by different datacenters due to the geo-distributed and load-balanced nature of the Azure AD authentication service.

+- To customize the experience further, you can [configure custom banned passwords for Azure AD password protection](tutorial-configure-custom-password-protection.md).

+- To help users reset or change their password from a web browser, you can [configure Azure AD self-service password reset](tutorial-enable-sspr.md).

+ - For **Platform** choose *Windows 10 and later*

+ - For **Profile type**, choose Templates then select the Custom template below

+The **Autopilot** dashboard in Permissions Management provides a table of information about Autopilot rules for administrators. Creating Autopilot rules allows you to automate right-sizing policies so you can automatically remove unused roles and permissions assigned to identities in your authorization system.

+ - **State**: The status of the rule: idle (not in use) or active (in use).

+ - **Rule Type**: The type of rule that's applied.

+ - **Subscription**: Provides an **On** or **Off** subscription that allows you to receive email notifications when recommendations are generated, applied, or unapplied.

+ - **Notification Settings**: Displays the users subscribed to this rule. Only the user who created the selected rule can add other users to receive notifications.

+| Synchronize customer defined AD attributes (directory extensions) |ΓùÅ |ΓùÅ|

+> * Search and select **Azure Active Directory** > **Overview** > **Tenant ID** in the Azure portal.

+### Comparing External Identities Conditional Access policies

+The following table gives a detailed comparison of the security policy and compliance options in Azure AD External Identities. Security policy and compliance are managed by the host/inviting organization under Conditional Access policies.

+|**Policy** |**B2B collaboration users** |**B2B direct connect users**|

+| : | :-- | :-- |

+|**Grant controlsΓÇöBlock access** | Supported | Supported |

+|**Grant controls ΓÇö Require multifactor authentication** | Supported | Supported, requires configuring your [inbound trust settings](cross-tenant-access-settings-b2b-direct-connect.md#to-change-inbound-trust-settings-for-mfa-and-device-state) to accept MFA claims from the external organization |

+|**Grant controls ΓÇö Require compliant device** | Supported, requires configuring your [inbound trust settings](cross-tenant-access-settings-b2b-collaboration.md#to-change-inbound-trust-settings-for-mfa-and-device-claims) to accept compliant device claims from the external organization. | Supported, requires configuring your [inbound trust settings](cross-tenant-access-settings-b2b-direct-connect.md#to-change-inbound-trust-settings-for-mfa-and-device-state) to accept compliant device claims from the external organization. |

+|**Grant controls ΓÇö Require Hybrid Azure AD joined device** | Supported, requires configuring your [inbound trust settings](cross-tenant-access-settings-b2b-collaboration.md#to-change-inbound-trust-settings-for-mfa-and-device-claims) to accept hybrid Azure AD joined device claims from the external organization | Supported, requires configuring your [inbound trust settings](cross-tenant-access-settings-b2b-direct-connect.md#to-change-inbound-trust-settings-for-mfa-and-device-state) to accept hybrid Azure AD joined device claims from the external organization |

+|**Grant controls ΓÇö Require approved client app** | Not supported | Not supported |

+|**Grant controls ΓÇö Require app protection policy** | Not supported | Not supported |

+|**Grant controls ΓÇö Require password change** | Not supported | Not supported |

+|**Grant controls ΓÇö Terms of Use** | Supported | Not supported |

+|**Session controls ΓÇö Use app enforced restrictions** | Supported | Not supported |

+|**Session controls ΓÇö Use Conditional Access App control** | Supported | Not supported |

+|**Session controls ΓÇö Sign-in frequency** | Supported | Not supported |

+|**Session controls ΓÇö Persistent browser session** | Supported | Not supported |

+In this quickstart, you'll learn how to add a new guest user to your Azure AD directory in the Azure portal. You'll also send an invitation and see what the guest user's invitation redemption process looks like.

+In this quickstart, you created a guest user in the Azure portal and sent an invitation to share apps. Then you viewed the redemption process from the guest user's perspective, and verified that the guest user was able to access their My Apps page.

+To learn more about adding guest users for collaboration, see [Add Azure Active Directory B2B collaboration users in the Azure portal](add-users-administrator.md).

+To learn more about adding guest users with PowerShell, see [Add and invite guests with PowerShell](b2b-quickstart-invite-powershell.md).

+You can also bulk invite guest users [via the portal](tutorial-bulk-invite.md) or [via PowerShell](bulk-invite-powershell.md).

+| **Security policy and compliance** | Managed by the host/inviting organization (for example, with [Conditional Access policies](authentication-conditional-access.md) and cross-tenant access settings). | Managed by the host/inviting organization (for example, with [Conditional Access policies](authentication-conditional-access.md) and cross-tenant access settings). See also the [Teams documentation](/microsoftteams/security-compliance-overview). | Managed by the organization via [Conditional Access and Identity Protection](../../active-directory-b2c/conditional-access-identity-protection-overview.md). |

+| **Multi-factor Authentication (MFA)** | If inbound trust settings to accept MFA claims from the user's home tenant are configured, and MFA policies have already been met in the user's home tenant, the external user can sign in. If MFA trust isn't enabled, the user is presented with an MFA challenge from the resource organization. [Learn more](authentication-conditional-access.md#mfa-for-azure-ad-external-users) about MFA for Azure AD external users. | If inbound trust settings to accept MFA claims from the user's home tenant are configured, and MFA policies have already been met in the user's home tenant, the external user can sign in. If MFA trust isn't enabled, and Conditional Access policies require MFA, the user is blocked from accessing resources. You *must* configure your inbound trust settings to accept MFA claims from the organization. [Learn more](authentication-conditional-access.md#mfa-for-azure-ad-external-users) about MFA for Azure AD external users. | [Integrates directly](../../active-directory-b2c/multi-factor-authentication.md) with Azure AD Multi-Factor Authentication. |

+| **Microsoft cloud settings** | [Supported.](cross-cloud-settings.md) | [Not supported.](cross-cloud-settings.md) | Not applicable. |

+| **Entitlement management** | [Supported.](../governance/entitlement-management-overview.md) | Not supported. | Not applicable. |

+| **Line-of-business (LOB) apps** | Supported. | Not supported. Only B2B direct connect-enabled apps can be shared (currently, Teams Connect shared channels). | Works with [RESTful API](../../active-directory-b2c/technical-overview.md#add-your-own-business-logic-and-call-restful-apis). |

+| **Conditional Access** | Managed by the host/inviting organization. [Learn more](authentication-conditional-access.md) about Conditional Access policies. | Managed by the host/inviting organization. [Learn more](authentication-conditional-access.md) about Conditional Access policies. | Managed by the organization via [Conditional Access and Identity Protection](../../active-directory-b2c/conditional-access-identity-protection-overview.md). |

+To resolve this problem, you must take over the abandoned tenant. Refer to [Take over an unmanaged directory as administrator in Azure Active Directory](../enterprise-users/domains-admin-takeover.md). You must also access the internet-facing DNS for the domain suffix in question in order to provide direct evidence that you are in control of the namespace. After the tenant is returned to a managed state, discuss with the customer whether leaving the users and verified domain name is the best option for their organization.

+When you try to invite a B2B collaboration user, you might see this error message: "This invitation is blocked by cross-tenant access settings. Admins in both your organization and the invited user's organization must configure cross-tenant access settings to allow the invitation." This error message will appear, if B2B collaboration is supported, but is blocked by cross-tenant access settings. Check your cross-tenant access settings, and make sure that your settings allow B2B collaboration with the user.

+When you try to collaborate with another Azure AD organization in a separate Microsoft Azure cloud, you can use [Microsoft cloud settings](cross-cloud-settings.md) to enable Azure AD B2B collaboration.

+Rarely, you might see this message: ΓÇ£This action can't be completed because the Microsoft B2B Cross Cloud Worker application has been disabled in the invited userΓÇÖs tenant. Ask the invited userΓÇÖs admin to re-enable it, then try again.ΓÇ¥ This error means that the Microsoft B2B Cross Cloud Worker application has been disabled in the B2B collaboration userΓÇÖs home tenant. This app is typically enabled, but it might have been disabled by an admin in the userΓÇÖs home tenant, either through PowerShell or the portal (see [Disable how a user signs in](../manage-apps/disable-user-sign-in-portal.md)). An admin in the userΓÇÖs home tenant can re-enable the app through PowerShell or the Azure portal. In the portal, search for ΓÇ£Microsoft B2B Cross Cloud WorkerΓÇ¥ to find the app, select it, and then choose to re-enable it.

+## Limits

+|Category |Limit |

+1. Sign in to the [Entra admin center](https://entra.microsoft.com) with the Hybrid Identity Administrator credentials for your tenant.

+2. Select **Azure Active Directory**.

+ 

+ 

+1. To download the latest version of the Authentication Agent (version 1.5.193.0 or later), sign in to the [Entra admin center](https://entra.microsoft.com) with your tenant's Hybrid Identity Administrator credentials.

+2. Select **Azure Active Directory**.

+ [](./media/how-to-connect-pta-quick-start/download-agent.png#lightbox)

+You can combine Pass-through Authentication with the [Seamless single sign-on](how-to-connect-sso.md) feature. If you have Windows 10 or later machines, use [Hybrid Azure AD Join (AADJ)](../devices/howto-hybrid-azure-ad-join.md). This way, when your users are accessing applications on their corporate machines inside your corporate network, they don't need to type in their passwords to sign in.

+- [Migrate your apps to Azure AD](../manage-apps/migration-resources.md): Resources to help you migrate application access and authentication to Azure AD.

+Ensure that the Pass-through Authentication feature is still **Enabled** on your tenant and the status of Authentication Agents shows **Active**, and not **Inactive**. You can check status by going to the **Azure AD Connect** blade on the [Entra admin center](https://entra.microsoft.com/).

+

+

+If your tenant has an Azure AD Premium license associated with it, you can also look at the [sign-in activity report](../reports-monitoring/concept-sign-ins.md) on the [Entra admin center](https://entra.microsoft.com/).

+[](./media/tshoot-connect-pass-through-authentication/sign-in-report.png#lightbox)

+| [Deployment plan: Extending apps to Azure AD with Application Proxy](../app-proxy/application-proxy-deployment-plan.md)| Providing access from employee laptops and other devices to on-premises applications has traditionally involved virtual private networks (VPNs) or demilitarized zones (DMZs). Not only are these solutions complex and hard to make secure, but they are costly to set up and manage. Azure AD Application Proxy makes it easier to access on-premises applications. |

+Users with this role have access to all administrative features in Azure Active Directory, as well as services that use Azure Active Directory identities like the Microsoft 365 Defender portal, the Microsoft Purview compliance portal, Exchange Online, SharePoint Online, and Skype for Business Online. Furthermore, Global Administrators can [elevate their access](../../role-based-access-control/elevate-access-global-admin.md) to manage all Azure subscriptions and management groups. This allows Global Administrators to get full access to all Azure resources using the respective Azure AD Tenant. The person who signs up for the Azure AD organization becomes a Global Administrator. There can be more than one Global Administrator at your company. Global Administrators can reset the password for any user and all other administrators. A Global Administrator cannot remove their own Global Administrator assignment. This is to prevent a situation where an organization has zero Global Administrators.

+> This role can reset passwords and invalidate refresh tokens for only non-administrators. This role should not be used because it is deprecated.

+> This role can reset passwords and invalidate refresh tokens for all non-administrators and administrators (including Global Administrators). This role should not be used because it is deprecated.

+> [!IMPORTANT]

+> The [Partner Tier2 Support](#partner-tier2-support) role can reset passwords and invalidate refresh tokens for all non-administrators and administrators (including Global Administrators). The [Partner Tier1 Support](#partner-tier1-support) role can reset passwords and invalidate refresh tokens for only non-administrators. These roles should not be used because they are deprecated.

+The ability to reset a password includes the ability to update the following sensitive properties required for [self-service password reset](../authentication/concept-sspr-howitworks.md):

+- businessPhones

+- mobilePhone

+- otherMails

+1. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click the copy icon to copy the **App Federation Metadata URL** and save this to use in the Anaplan SSO configuration.

+ 

+## Configure Anaplan SSO

+1. Log in to Anaplan website as an administrator.

+1. In the Administration page, navigate to **Security > Single Sign-On**.

+1. Click **New**.

+1. Perform the following steps in the **Metadata** tab:

+ 

+ a. Enter a **Connection Name**, should match the name of your connection in the identity provider interface.

+ b. Select **Load from XML file** and paste the App Federation Metadata URL you copied from Azure portal into the **Metadata URL** textbox.

+ c. Click **Save** to create the connection.

+

+ d. Enable the connection by setting the **Enabled** toggle.

+1. From the **Config** tab, copy the following values to save them back to the Azure portal:

+ a. **Service Provider URL**.

+ b. **Assertion Consumer Service URL**.

+ c. **Entity ID**.

+

+### Complete the Azure AD SSO Configuration

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier (Entity ID)** text box, paste the Entity ID that you copied from above, in the format:

+ `https://sdp.anaplan.com/<optional extension>`

+ b. In the **Sign on URL** text box, paste the Service Provider URL that you copied from above, in the format:

+ `https://us1a.app.anaplan.com/samlsp/<connection name>`

+

+ c. In the **Reply URL (Assertion Consumer Service URL)** text box, paste the Assertion Consumer Service URL that you copied from above, in the format:

+ `https://us1a.app.anaplan.com/samlsp/login/callback?connection=<connection name>`

+### Complete the Anaplan SSO Configuration

+1. Perform the following steps in the **Advanced** tab:

+ 

+ a. Select **Name ID Format** as Email Address from the dropdown and keep the remaining values as default.

+ b. Click **Save**.

+1. In the **Workspaces** tab, specify the workspaces that will use the identity provider from the dropdown and Click **Save**.

+ 

+ > [!NOTE]

+ > Workspace connections are unique. If you have another connection already configured with a workspace, you cannot associate that workspace with a new connection.

+To access the original connection and update it, remove the workspace from the connection and then reassociate it with the new connection.

+In this section, you create a user called Britta Simon in Anaplan. Work with [Anaplan support team](mailto:support@anaplan.com) to add the users in the Anaplan platform. Users must be created and activated before you use single sign-on.

+Once you configure Anaplan you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

+ Title: 'Tutorial: Configure Atmos for automatic user provisioning with Azure Active Directory | Microsoft Docs'

+description: Learn how to automatically provision and de-provision user accounts from Azure AD to Atmos.

+writer: twimmers

+ms.assetid: 769b98d7-009f-44ed-8569-a5acc52d7552

+# Tutorial: Configure Atmos for automatic user provisioning

+This tutorial describes the steps you need to do in both Atmos and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Atmos](https://www.axissecurity.com/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).

+## Capabilities Supported

+> [!div class="checklist"]

+> * Create users in Atmos.

+> * Remove users in Atmos when they do not require access anymore.

+> * Keep user attributes synchronized between Azure AD and Atmos.

+> * Provision groups and group memberships in Atmos.

+## Prerequisites

+The scenario outlined in this tutorial assumes that you already have the following prerequisites:

+* [An Azure AD tenant](../develop/quickstart-create-new-tenant.md).

+* A user account in Azure AD with [permission](../roles/permissions-reference.md) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).

+* A user account in [Axis Security](https://www.axissecurity.com) with Admin permissions.

+## Step 1. Plan your provisioning deployment

+1. Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md).

+1. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+1. Determine what data to [map between Azure AD and Atmos](../app-provisioning/customize-application-attributes.md).

+## Step 2. Configure Atmos to support provisioning with Azure AD

+1. Log in to the [Management Console](https://auth.axissecurity.com/).

+1. Navigate to **Settings**-> **Identity Providers** screen.

+1. Hover over the **Azure Identity Provider** and select **edit**.

+1. Navigate to **Advanced Settings**.

+1. Navigate to **User Auto-Provisioning (SCIM)**.

+1. Click **Generate new token**.

+1. Copy the **SCIM Service Provider Endpoint** and **SCIM Provisioning Token** and paste them into a text editor. You need them for Step 5.

+## Step 3. Add Atmos from the Azure AD application gallery

+Add Atmos from the Azure AD application gallery to start managing provisioning to Atmos. If you have previously setup Atmos for SSO, you can use the same application. However the recommendation is to create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md).

+## Step 4. Define who will be in scope for provisioning

+The Azure AD provisioning service allows you to scope provisioning based on assignment to the application and or based on attributes of the user / group. If you choose to scope provisioning to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope provisioning based solely on attributes of the user or group, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+* If you need more roles, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add new roles.

+## Step 5. Configure automatic user provisioning to Atmos

+This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users and groups in Atmos based on user and/or group assignments in Azure AD.

+### To configure automatic user provisioning for Atmos in Azure AD:

+1. Sign in to the [Azure portal](https://portal.azure.com). Select **Enterprise Applications**, then select **All applications**.

+ 

+1. In the applications list, select **Atmos**.

+ 

+1. Select the **Provisioning** tab.

+ 

+1. Set the **Provisioning Mode** to **Automatic**.

+ 

+1. In the **Admin Credentials** section, paste the **SCIM Service Provider Endpoint** obtained from the Axis SCIM configuration (step 2) in Tenant URL, and paste the **SCIM Provisioning Token** obtained from the Axis SCIM configuration (step 2) in **Secret Token**. Click **Test Connection** to ensure Azure AD can connect to Atmos. If the connection fails, contact Axis to check your account setup.

+ 

+1. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box.

+ 

+1. Select **Save**.

+1. In the **Mappings** section, select **Synchronize Azure Active Directory Users to Atmos**.

+1. Review the synchronized user attributes from Azure AD to Atmos, in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Atmos for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you need to ensure that the Atmos API supports filtering users based on that attribute. Select the **Save** button to commit any changes.

+ |Attribute|Type|Supported for filtering|Required by Atmos|

+ |||||

+ |userName|String|&check;|&check;|

+ |active|Boolean|||

+ |displayName|String||&check;|

+ |emails[type eq "work"].value|String|||

+ |name.givenName|String|||

+ |name.familyName|String|||

+ |externalId|String|||

+ |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department|String|||

+ |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:division|String|||

+1. Under the **Mappings** section, select **Synchronize Azure Active Directory Groups to Atmos**.

+1. Review the synchronized group attributes from Azure AD to Atmos, in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the groups in Atmos for update operations. Select the **Save** button to commit any changes.

+ |Attribute|Type|Supported for filtering|Required by Atmos|

+ |||||

+ |displayName|String|&check;|&check;

+ |members|Reference||

+ |externalId|String||&check;

+1. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+1. To enable the Azure AD provisioning service for Atmos, change the **Provisioning Status** to **On** in the **Settings** section.

+ 

+1. Define the users and groups that you would like to provision to Atmos by choosing the appropriate values in **Scope** in the **Settings** section.

+ 

+1. When you're ready to provision, click **Save**.

+ 

+This operation starts the initial synchronization cycle of all users and groups defined in **Scope** in the **Settings** section. The initial cycle takes longer to execute than next cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running.

+## Step 6. Monitor your deployment

+Once you've configured provisioning, use the following resources to monitor your deployment:

+* Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users provisioned successfully or unsuccessfully

+* Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it's to completion

+* If the provisioning configuration seems to be in an unhealthy state, the application goes into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).

+## More resources

+* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)

+* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

+## Next steps

+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)

+ Title: Azure Active Directory SSO integration with courses.work

+description: Learn how to configure single sign-on between Azure Active Directory and courses.work.

+# Azure Active Directory SSO integration with courses.work

+In this article, you learn how to integrate courses.work with Azure Active Directory (Azure AD). courses.work is a product of Succeed Technologies®, a ISO 27001-2013 company with rich experience in developing engaging and interactive eLearning. When you integrate courses.work with Azure AD, you can:

+* Control in Azure AD who has access to courses.work.

+* Enable your users to be automatically signed-in to courses.work with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+You'll configure and test Azure AD single sign-on for courses.work in a test environment. courses.work supports **IDP** initiated single sign-on and **Just In Time** user provisioning.

+> [!NOTE]

+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.

+## Prerequisites

+To integrate Azure Active Directory with courses.work, you need:

+* An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* courses.work single sign-on (SSO) enabled subscription.

+## Add application and assign a test user

+Before you begin the process of configuring single sign-on, you need to add the courses.work application from the Azure AD gallery. You need a test user account to assign to the application and test the single sign-on configuration.

+### Add courses.work from the Azure AD gallery

+Add courses.work from the Azure AD application gallery to configure single sign-on with courses.work. For more information on how to add application from the gallery, see the [Quickstart: Add application from the gallery](../manage-apps/add-application-portal.md).

+### Create and assign Azure AD test user

+Follow the guidelines in the [create and assign a user account](../manage-apps/add-application-portal-assign-users.md) article to create a test user account in the Azure portal called B.Simon.

+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, and assign roles. The wizard also provides a link to the single sign-on configuration pane in the Azure portal. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides).

+## Configure Azure AD SSO

+Complete the following steps to enable Azure AD single sign-on in the Azure portal.

+1. In the Azure portal, on the **courses.work** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, the user does not have to perform any step as the app is already pre-integrated with Azure.

+1. courses.work application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.

+ 

+1. In addition to above, courses.work application expects few more attributes to be passed back in SAML response, which are shown below. These attributes are also pre populated but you can review them as per your requirements.

+ | Name | Source Attribute|

+ | | |

+ | email | user.mail |

+ | firstname | user.givenname |

+ | lastname | user.surname |

+ | username | user.userprincipalname |

+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.

+ 

+## Configure courses.work SSO

+To configure single sign-on on **courses.work** side, you need to send the **App Federation Metadata Url** to [courses.work support team](mailto:support@succeedtech.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create courses.work test user

+In this section, a user called B.Simon is created in courses.work. courses.work supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in courses.work, a new one is created after authentication.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on Test this application in Azure portal and you should be automatically signed in to the courses.work for which you set up the SSO.

+* You can use Microsoft My Apps. When you click the courses.work tile in the My Apps, you should be automatically signed in to the courses.work for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Additional resources

+* [What is single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

+* [Plan a single sign-on deployment](../manage-apps/plan-sso-deployment.md).

+## Next steps

+Once you configure courses.work you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+* Kallidus supports **SP** initiated SSO.

+4. On the **Basic SAML Configuration** section, enter the values for the following fields:

+ a. In the **Identifier** box, enter the URL:`https://login.kallidus-suite.com/core/saml`.

+ b. In the **Reply URL** box, type a URL using the following pattern: `https://login.kallidus-suite.com/core/<SCHEME>/acs`

+ c. In the **Sign on URL** box, type a URL using the following pattern: `https://login.kallidus-suite.com/core/<SCHEME>/acs`

+ > These values are not real. Update these values with the actual Sign on URL and Reply URL. Contact [Kallidus Client support team](https://kallidus.zendesk.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+* Click on **Test this application** in Azure portal. This will redirect to Kallidus Sign-on URL where you can initiate the login flow.

+* Go to Kallidus Sign-on URL directly and initiate the login flow from there.

+* You can use Microsoft My Apps. When you click the Kallidus tile in the My Apps, you should be automatically signed in to the Kallidus for which you set up the SSO. For more information about the My Apps, [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

+ Title: Azure Active Directory SSO integration with LeanDNA

+description: Learn how to configure single sign-on between Azure Active Directory and LeanDNA.

+# Azure Active Directory SSO integration with LeanDNA

+In this article, you learn how to integrate LeanDNA with Azure Active Directory (Azure AD). Connect to the LeanDNA app via SAML 2.0 SSO using Azure. When you integrate LeanDNA with Azure AD, you can:

+* Control in Azure AD who has access to LeanDNA.

+* Enable your users to be automatically signed-in to LeanDNA with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+You'll configure and test Azure AD single sign-on for LeanDNA in a test environment. LeanDNA supports only **SP** initiated single sign-on.

+## Prerequisites

+To integrate Azure Active Directory with LeanDNA, you need:

+* An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* LeanDNA single sign-on (SSO) enabled subscription.

+## Add application and assign a test user

+Before you begin the process of configuring single sign-on, you need to add the LeanDNA application from the Azure AD gallery. You need a test user account to assign to the application and test the single sign-on configuration.

+### Add LeanDNA from the Azure AD gallery

+Add LeanDNA from the Azure AD application gallery to configure single sign-on with LeanDNA. For more information on how to add application from the gallery, see the [Quickstart: Add application from the gallery](../manage-apps/add-application-portal.md).

+### Create and assign Azure AD test user

+Follow the guidelines in the [create and assign a user account](../manage-apps/add-application-portal-assign-users.md) article to create a test user account in the Azure portal called B.Simon.

+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, and assign roles. The wizard also provides a link to the single sign-on configuration pane in the Azure portal. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides).

+## Configure Azure AD SSO

+Complete the following steps to enable Azure AD single sign-on in the Azure portal.

+1. In the Azure portal, on the **LeanDNA** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** textbox, type a URL using one of the patterns:

+ | **Identifier** |

+ |-|

+ |`https://www.leandna.com/auth/1/saml2/metadata/customer/<ID>`|

+ | `https://app.leandna.com/auth/1/saml2/metadata/customer/<ID>` |

+ b. In the **Reply URL** textbox, type a URL using one of the patterns:

+ | **Reply URL** |

+ |-|

+ | `https://www.leandna.com/auth/1/saml2/login/customer/<ID>` |

+ | `https://app.leandna.com/auth/1/saml2/login/customer/<ID>` |

+ c. In the **Sign on URL** textbox, type the URL:

+ `https://www.leandna.com/application/sso.html`

+ > [!Note]

+ > These values are not real. Update these values with the actual Identifier and Reply URL. Contact [LeanDNA Client support team](mailto:it@leandna.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. On the **Set-up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up LeanDNA** section, copy the appropriate URL(s) based on your requirement.

+ 

+## Configure LeanDNA SSO

+To configure single sign-on on **LeanDNA** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [LeanDNA support team](mailto:it@leandna.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create LeanDNA test user

+In this section, you create a user called Britta Simon at LeanDNA. Work with [LeanDNA support team](mailto:it@leandna.com) to add the users in the LeanDNA platform. Users must be created and activated before you use single sign-on.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on **Test this application** in Azure portal. This will redirect to LeanDNA Sign-on URL where you can initiate the login flow.

+* Go to LeanDNA Sign-on URL directly and initiate the login flow from there.

+* You can use Microsoft My Apps. When you select the LeanDNA tile in the My Apps, this will redirect to LeanDNA Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Additional resources

+* [What is single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

+* [Plan a single sign-on deployment](../manage-apps/plan-sso-deployment.md).

+## Next steps

+Once you configure LeanDNA you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: Azure Active Directory SSO integration with Oracle IDCS for JD Edwards

+description: Learn how to configure single sign-on between Azure Active Directory and Oracle IDCS for JD Edwards.

+# Azure Active Directory SSO integration with Oracle IDCS for JD Edwards

+In this article, you'll learn how to integrate Oracle IDCS for JD Edwards with Azure Active Directory (Azure AD). When you integrate Oracle IDCS for JD Edwards with Azure AD, you can:

+* Control in Azure AD who has access to Oracle IDCS for JD Edwards.

+* Enable your users to be automatically signed-in to Oracle IDCS for JD Edwards with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+You'll configure and test Azure AD single sign-on for Oracle IDCS for JD Edwards in a test environment. Oracle IDCS for JD Edwards supports only **SP** initiated single sign-on.

+> [!NOTE]

+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.

+## Prerequisites

+To integrate Azure Active Directory with Oracle IDCS for JD Edwards, you need:

+* An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Oracle IDCS for JD Edwards single sign-on (SSO) enabled subscription.

+## Add application and assign a test user

+Before you begin the process of configuring single sign-on, you need to add the Oracle IDCS for JD Edwards application from the Azure AD gallery. You need a test user account to assign to the application and test the single sign-on configuration.

+### Add Oracle IDCS for JD Edwards from the Azure AD gallery

+Add Oracle IDCS for JD Edwards from the Azure AD application gallery to configure single sign-on with Oracle IDCS for JD Edwards. For more information on how to add application from the gallery, see the [Quickstart: Add application from the gallery](../manage-apps/add-application-portal.md).

+### Create and assign Azure AD test user

+Follow the guidelines in the [create and assign a user account](../manage-apps/add-application-portal-assign-users.md) article to create a test user account in the Azure portal called B.Simon.

+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, and assign roles. The wizard also provides a link to the single sign-on configuration pane in the Azure portal. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides).

+## Configure Azure AD SSO

+Complete the following steps to enable Azure AD single sign-on in the Azure portal.

+1. In the Azure portal, on the **Oracle IDCS for JD Edwards** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** textbox, type a URL using the following pattern: ` https://<SUBDOMAIN>.oraclecloud.com/`

+ b. In the **Reply URL** textbox, type a URL using the following pattern: `https://<SUBDOMAIN>.oraclecloud.com/v1/saml/<UNIQUEID>`

+ c. In the **Sign on URL** textbox, type a URL using the following pattern:

+ ` https://<SUBDOMAIN>.oraclecloud.com/`

+ >[!NOTE]

+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [Oracle IDCS for JD Edwards support team](https://www.oracle.com/support/advanced-customer-services/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. Your Oracle IDCS for JD Edwards application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows an example for this. The default value of **Unique User Identifier** is **user.userprincipalname** but Oracle IDCS for JD Edwards expects this to be mapped with the user's email address. For that you can use **user.mail** attribute from the list or use the appropriate attribute value based on your organization configuration.

+ 

+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.

+ 

+## Configure Oracle IDCS for JD Edwards SSO

+To configure single sign-on on Oracle IDCS for JD Edwards side, you need to send the downloaded Federation Metadata XML file from Azure portal to [Oracle IDCS for JD Edwards support team](https://www.oracle.com/support/advanced-customer-services/). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create Oracle IDCS for JD Edwards test user

+In this section, you create a user called Britta Simon at Oracle IDCS for JD Edwards. Work with [Oracle IDCS for JD Edwards support team](https://www.oracle.com/support/advanced-customer-services/) to add the users in the Oracle IDCS for JD Edwards platform. Users must be created and activated before you use single sign-on.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on **Test this application** in Azure portal. This will redirect to Oracle IDCS for JD Edwards Sign-on URL where you can initiate the login flow.

+* Go to Oracle IDCS for JD Edwards Sign-on URL directly and initiate the login flow from there.

+* You can use Microsoft My Apps. When you select the Oracle IDCS for JD Edwards tile in the My Apps, this will redirect to Oracle IDCS for JD Edwards Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Additional resources

+* [What is single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

+* [Plan a single sign-on deployment](../manage-apps/plan-sso-deployment.md).

+## Next steps

+Once you configure Oracle IDCS for JD Edwards you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: Azure Active Directory SSO integration with Tanium Cloud SSO

+description: Learn how to configure single sign-on between Azure Active Directory and Tanium Cloud SSO.

+# Azure Active Directory SSO integration with Tanium Cloud SSO

+In this article, you learn how to integrate Tanium Cloud SSO with Azure Active Directory (Azure AD). Tanium, the industryΓÇÖs only provider of converged endpoint management (XEM), leads the paradigm shift in legacy approaches to managing complex security and technology environments. When you integrate Tanium Cloud SSO with Azure AD, you can:

+* Control in Azure AD who has access to Tanium Cloud SSO.

+* Enable your users to be automatically signed-in to Tanium Cloud SSO with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+You'll configure and test Azure AD single sign-on for Tanium Cloud SSO in a test environment. Tanium Cloud SSO supports both **SP** and **IDP** initiated single sign-on and also **Just In Time** user provisioning.

+## Prerequisites

+To integrate Azure Active Directory with Tanium Cloud SSO, you need:

+* An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Tanium Cloud SSO single sign-on (SSO) enabled subscription.

+## Add application and assign a test user

+Before you begin the process of configuring single sign-on, you need to add the Tanium Cloud SSO application from the Azure AD gallery. You need a test user account to assign to the application and test the single sign-on configuration.

+### Add Tanium Cloud SSO from the Azure AD gallery

+Add Tanium Cloud SSO from the Azure AD application gallery to configure single sign-on with Tanium Cloud SSO. For more information on how to add application from the gallery, see the [Quickstart: Add application from the gallery](../manage-apps/add-application-portal.md).

+### Create and assign Azure AD test user

+Follow the guidelines in the [create and assign a user account](../manage-apps/add-application-portal-assign-users.md) article to create a test user account in the Azure portal called B.Simon.

+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, and assign roles. The wizard also provides a link to the single sign-on configuration pane in the Azure portal. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides).

+## Configure Azure AD SSO

+Complete the following steps to enable Azure AD single sign-on in the Azure portal.

+1. In the Azure portal, on the **Tanium Cloud SSO** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** textbox, type a URL using the following pattern:

+ `urn:amazon:cognito:sp:InstanceName`

+ b. In the **Reply URL** textbox, type a URL using the following pattern:

+ `https://InstanceName-tanium.auth.<SUBDOMAIN>.amazoncognito.com/saml2/idpresponse`

+1. If you wish to configure the application in **SP** initiated mode, then perform the following step:

+ In the **Sign on URL** textbox, type a URL using the following pattern:

+ https://InstanceName.cloud.tanium.com

+ > [!NOTE]

+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [Tanium Cloud SSO Client support team](mailto:integrations@tanium.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.

+ 

+## Configure Tanium Cloud SSO

+To configure single sign-on on **Tanium Cloud SSO** side, you need to send the **App Federation Metadata Url** to [Tanium Cloud SSO support team](mailto:integrations@tanium.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create Tanium Cloud SSO test user

+In this section, a user called B.Simon is created in Tanium Cloud SSO. Tanium Cloud SSO supports just-in-time user provisioning, which is enabled by default. There's no action item for you in this section. If a user doesn't already exist in Tanium Cloud SSO, a new one is created after authentication.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+#### SP initiated:

+* Click on **Test this application** in Azure portal. This will redirect to Tanium Cloud SSO Sign-on URL where you can initiate the login flow.

+* Go to Tanium Cloud SSO Sign-on URL directly and initiate the login flow from there.

+#### IDP initiated:

+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Tanium Cloud SSO for which you set up the SSO.

+You can also use Microsoft My Apps to test the application in any mode. When you click the Tanium Cloud SSO tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Tanium Cloud SSO for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Additional resources

+* [What is single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

+* [Plan a single sign-on deployment](../manage-apps/plan-sso-deployment.md).

+## Next steps

+Once you configure Tanium Cloud SSO you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: Azure Active Directory SSO integration with Udemy Business SAML

+description: Learn how to configure single sign-on between Azure Active Directory and Udemy Business SAML.

+# Azure Active Directory SSO integration with Udemy Business SAML

+In this article, you learn how to integrate Udemy Business SAML with Azure Active Directory (Azure AD). Udemy for Business helps employees do whatever comes next - whether thatΓÇÖs the next project to tackle, skill to learn or role to master. When you integrate Udemy Business SAML with Azure AD, you can:

+* Control in Azure AD who has access to Udemy Business SAML.

+* Enable your users to be automatically signed-in to Udemy Business SAML with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+You'll configure and test Azure AD single sign-on for Udemy Business SAML in a test environment. Udemy Business SAML supports **SP** initiated single sign-on and **Just In Time** user provisioning.

+> [!NOTE]

+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.

+## Prerequisites

+To integrate Azure Active Directory with Udemy Business SAML, you need:

+* An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Udemy Business SAML single sign-on (SSO) enabled subscription.

+## Add application and assign a test user

+Before you begin the process of configuring single sign-on, you need to add the Udemy Business SAML application from the Azure AD gallery. You need a test user account to assign to the application and test the single sign-on configuration.

+### Add Udemy Business SAML from the Azure AD gallery

+Add Udemy Business SAML from the Azure AD application gallery to configure single sign-on with Udemy Business SAML. For more information on how to add application from the gallery, see the [Quickstart: Add application from the gallery](../manage-apps/add-application-portal.md).

+### Create and assign Azure AD test user

+Follow the guidelines in the [create and assign a user account](../manage-apps/add-application-portal-assign-users.md) article to create a test user account in the Azure portal called B.Simon.

+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, and assign roles. The wizard also provides a link to the single sign-on configuration pane in the Azure portal. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides).

+## Configure Azure AD SSO

+Complete the following steps to enable Azure AD single sign-on in the Azure portal.

+1. In the Azure portal, on the **Udemy Business SAML** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** textbox, type the URL:

+ `https://www.udemy.com/sso/saml`

+ b. In the **Reply URL** textbox, type the URL:

+ `https://sso.connect.pingidentity.com/sso/sp/ACS.saml2`

+ c. In the **Sign on URL** textbox, type a URL using the following pattern:

+ `https://<SUBDOMAIN>.udemy.com`

+ > [!Note]

+ > This value is not real. Update this value with the actual Sign-on URL. Contact [Udemy Business SAML Client support team](mailto:ufbsupport@udemy.com) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. Udemy Business SAML application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.

+ 

+1. In addition to above, Udemy Business SAML application expects few more attributes to be passed back in SAML response, which are shown below. These attributes are also pre populated but you can review them as per your requirements.

+ | Name | Source Attribute|

+ | | |

+ | email | user.mail |

+ | firstName | user.givenname |

+ | lastName | user.surname |

+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.

+ 

+## Configure Udemy Business SAML SSO

+To configure single sign-on on **Udemy Business SAML** side, you need to send the **App Federation Metadata Url** to [Udemy Business SAML support team](mailto:ufbsupport@udemy.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create Udemy Business SAML test user

+In this section, a user called B.Simon is created in Udemy Business SAML. Udemy Business SAML supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Udemy Business SAML, a new one is created after authentication.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on **Test this application** in Azure portal. This will redirect to Udemy Business SAML Sign-on URL where you can initiate the login flow.

+* Go to Udemy Business SAML Sign-on URL directly and initiate the login flow from there.

+* You can use Microsoft My Apps. When you click the Udemy Business SAML tile in the My Apps, this will redirect to Udemy Business SAML Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Additional resources

+* [What is single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

+* [Plan a single sign-on deployment](../manage-apps/plan-sso-deployment.md).

+## Next steps

+Once you configure Udemy Business SAML you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+## Why use cluster auto-upgrade

+Cluster auto-upgrade provides a set once and forget mechanism that yields tangible time and operational cost benefits. By enabling auto-upgrade, you can ensure your clusters are up to date and don't miss the latest AKS features or patches from AKS and upstream Kubernetes.

+## Cluster auto-upgrade limitations

+If youΓÇÖre using cluster auto-upgrade, you can no longer upgrade the control plane first and then upgrade the individual node pools. Cluster auto-upgrade will always upgrade the control plane and the node pools together. There is no ability of upgrading the control plane only, and trying to run the command `az aks upgrade --control-plane-only` will raise the error: `NotAllAgentPoolOrchestratorVersionSpecifiedAndUnchanged: Using managed cluster api, all Agent pools' OrchestratorVersion must be all specified or all unspecified. If all specified, they must be stay unchanged or the same with control plane.`

+If using the `node-image` cluster auto-upgrade channel or the `NodeImage` node image auto-upgrade channel, Linux [unattended upgrades][unattended-upgrades] will be disabled by default.

+## Using cluster auto-upgrade

+| `node-image`| automatically upgrade the node image to the latest version available.| Microsoft provides patches and new images for image nodes frequently (usually weekly), but your running nodes won't get the new images unless you do a node image upgrade. Turning on the node-image channel will automatically update your node images whenever a new version is available. If you use this channel, Linux [unattended upgrades] will be disabled by default.|

+> [!NOTE]

+> If using the preview API `11-02-preview` or later, if you select the `node-image` cluster auto-upgrade channel the [node image auto-upgrade channel][node-image-auto-upgrade] will automatically be set to `NodeImage`.

+If youΓÇÖre using Planned Maintenance and cluster auto-upgrade, your upgrade will start during your specified maintenance window.

+## Best practices for cluster auto-upgrade

+- To automatically upgrade node images while using a different cluster upgrade channel, consider using the [node image auto-upgrade][node-image-auto-upgrade] `NodeImage` channel.

+[node-image-auto-upgrade]: auto-upgrade-node-image.md

+[k8s-deprecation]: https://kubernetes.io/blog/2022/11/18/upcoming-changes-in-kubernetes-1-26/#:~:text=A%20deprecated%20API%20is%20one%20that%20has%20been,point%20you%20must%20migrate%20to%20using%20the%20replacement

+[unattended-upgrades]: https://help.ubuntu.com/community/AutomaticSecurityUpdates

+ Title: Automatically upgrade Azure Kubernetes Service (AKS) cluster node operating system images

+description: Learn how to automatically upgrade Azure Kubernetes Service (AKS) cluster node operating system images.

+# Automatically upgrade Azure Kubernetes Service cluster node operating system images

+AKS supports upgrading the images on a node so your cluster is up to date with the newest operating system (OS) and runtime updates. AKS regularly provides new node OS images with the latest updates, so it's beneficial to upgrade your node's images regularly for the latest AKS features and to maintain security. Before learning about auto-upgrade, make sure you understand upgrade fundamentals by reading [Upgrade an AKS cluster][upgrade-aks-cluster].

+The latest AKS node image information can be found by visiting the [AKS release tracker][release-tracker].

+## Why use node OS auto-upgrade

+Node OS auto-upgrade provides a set once and forget mechanism that yields tangible time and operational cost benefits. By enabling auto-upgrade, you can ensure your clusters are up to date and don't miss the latest AKS features or patches from AKS.

+## Prerequisites

+- Must be using API version `11-02-preview` or later

+- If using Azure CLI, the `aks-preview` CLI extension version `0.5.127` or later must be installed

+- If using the `SecurityPatch` channel, the `NodeOsUpgradeChannelPreview` feature flag must be enabled on your subscription

+### Register the 'NodeOsUpgradeChannelPreview' feature flag

+Register the `NodeOsUpgradeChannelPreview` feature flag by using the [az feature register][az-feature-register] command, as shown in the following example:

+```azurecli-interactive

+az feature register --namespace "Microsoft.ContainerService" --name "NodeOsUpgradeChannelPreview"

+```

+It takes a few minutes for the status to show *Registered*. Verify the registration status by using the [az feature show][az-feature-show] command:

+```azurecli-interactive

+az feature show --namespace "Microsoft.ContainerService" --name "NodeOsUpgradeChannelPreview"

+```

+When the status reflects *Registered*, refresh the registration of the *Microsoft.ContainerService* resource provider by using the [az provider register][az-provider-register] command:

+```azurecli-interactive

+az provider register --namespace Microsoft.ContainerService

+```

+## Limitations

+If using the `node-image` cluster auto-upgrade channel or the `NodeImage` node image auto-upgrade channel, Linux [unattended upgrades][unattended-upgrades] will be disabled by default.

+## Using node OS auto-upgrade

+Automatically completed upgrades are functionally the same as manual upgrades. The timing of upgrades is determined by the selected channel. When making changes to auto-upgrade, allow 24 hours for the changes to take effect. By default, a cluster's node OS auto-upgrade channel is set to `Unmanaged`.

+> [!NOTE]

+> Node OS image auto-upgrade won't affect the cluster's Kubernetes version, but it still still requires the cluster to be in a supported version to function properly.

+The following upgrade channels are available:

+|Channel|Description|OS-specific behavior|

+|||

+| `None`| Your nodes won't have security updates applied automatically. This means you're solely responsible for your security updates|N/A|

+| `Unmanaged`|OS updates will be applied automatically through the OS built-in patching infrastructure. Newly allocated machines will be unpatched initially and will be patched at some point by the OS's infrastructure|Ubuntu applies security patches through unattended upgrade roughly once a day around 06:00 UTC. Windows and Mariner don't apply security patches automatically, so this option behaves equivalently to `None`|

+| `SecurityPatch`|AKS will update the node's virtual hard disk (VHD) with patches from the image maintainer labeled "security only" on a regular basis. Where possible, patches will also be applied without disruption to existing nodes. Some patches, such as kernel patches, can't be applied to existing nodes without disruption. For such patches, the VHD will be updated and existing machines will be upgraded to that VHD following maintenance windows and surge settings. This option incurs the extra cost of hosting the VHDs in your node resource group.|N/A|

+| `NodeImage`|AKS will update the nodes with a newly patched VHD containing security fixes and bug fixes on a weekly cadence. The update to the new VHD is disruptive, following maintenance windows and surge settings. No extra VHD cost is incurred when choosing this option. If you use this channel, Linux [unattended upgrades] will be disabled by default.|

+To set the node OS auto-upgrade channel when creating a cluster, use the *node-os-upgrade-channel* parameter, similar to the following example.

+```azurecli-interactive

+az aks create --resource-group myResourceGroup --name myAKSCluster --node-os-upgrade-channel SecurityPatch

+```

+To set the auto-upgrade channel on existing cluster, update the *node-os-upgrade-channel* parameter, similar to the following example.

+```azurecli-interactive

+az aks update --resource-group myResourceGroup --name myAKSCluster --node-os-upgrade-channel SecurityPatch

+```

+## Using node OS auto-upgrade with Planned Maintenance

+If youΓÇÖre using Planned Maintenance and node OS auto-upgrade, your upgrade will start during your specified maintenance window.

+> [!NOTE]

+> To ensure proper functionality, use a maintenance window of four hours or more.

+For more information on Planned Maintenance, see [Use Planned Maintenance to schedule maintenance windows for your Azure Kubernetes Service (AKS) cluster][planned-maintenance].

+<!-- LINKS -->

+[planned-maintenance]: planned-maintenance.md

+[release-tracker]: release-tracker.md

+[az-provider-register]: /cli/azure/provider#az-provider-register

+[az-feature-register]: /cli/azure/feature#az-feature-register

+[az-feature-show]: /cli/azure/feature#az-feature-show

+[upgrade-aks-cluster]: upgrade-cluster.md

+[unattended-upgrades]: https://help.ubuntu.com/community/AutomaticSecurityUpdates

+There are currently three available configuration types: `default`, `aksManagedAutoUpgradeSchedule`, `aksManagedNodeOSUpgradeSchedule`:

+- `default` corresponds to a basic configuration that will update your control plane and your kube-system pods on a Virtual Machine Scale Sets instance. It's a legacy configuration that is mostly suitable for basic scheduling of [weekly releases][release-tracker].

+- `aksManagedAutoUpgradeSchedule` controls when cluster upgrades scheduled by your designated auto-upgrade channel are performed. More finely controlled cadence and recurrence settings are possible than in a `default` configuration. For more information on cluster auto-upgrade, see [Automatically upgrade an Azure Kubernetes Service (AKS) cluster][aks-upgrade].

+- `aksManagedNodeOSUpgradeSchedule` controls when node operating system upgrades scheduled by your node OS auto-upgrade channel are performed. More finely controlled cadence and recurrence settings are possible than in a `default configuration. For more information on node OS auto-upgrade, see [Automatically patch and update AKS cluster node images][node-image-auto-upgrade]

+We recommend using `aksManagedAutoUpgradeSchedule` for all cluster upgrade scenarios and `aksManagedNodeOSUpgradeSchedule` for all node image upgrade scenarios, while `default` is meant exclusively for weekly releases. You can port `default` configurations to `aksManagedAutoUpgradeSchedule` configurations via the `az aks maintenanceconfiguration update` command.

+- Currently, performing maintenance operations are considered *best-effort only* and aren't guaranteed to occur within a specified window.

+- Updates can't be blocked for more than seven days.

+To create a maintenance window, you can use the `az aks maintenanceconfiguration add` command using the `--name` value `default`, `aksManagedAutoUpgradeSchedule`, or `aksManagedNodeOSUpgradeSchedule`. The name value should reflect the desired configuration type. Using any other name will cause your maintenance window not to run.

+|`notAllowedTime`|Specifies a range of dates that maintenance can't run, determined by `start` and `end` child properties. Only applicable when creating the maintenance window using a config file|N/A|

+An `aksManagedAutoUpgradeSchedule` or `aksManagedNodeOSUpgradeSchedule` maintenance window has the following properties:

+|`intervalDays`|The interval in days for maintenance runs. Only applicable to `aksManagedNodeOSUpgradeSchedule`|N/A|

+There are currently four available schedule types: `Daily`, `Weekly`, `AbsoluteMonthly`, and `RelativeMonthly`. These schedule types are only applicable to `aksManagedClusterAutoUpgradeSchedule` and `aksManagedNodeOSUpgradeSchedule` configurations. `Daily` schedules are only applicable to `aksManagedNodeOSUpgradeSchedule` types.

+#### Daily schedule

+> [!NOTE]

+> Daily schedules are only applicable to `aksManagedNodeOSUpgradeSchedule` configuration types.

+A `Daily` schedule may look like *"every three days"*:

+```json

+"schedule": {

+ "daily": {

+ "intervalDays": 2

+ }

+}

+```

+The above JSON file specifies maintenance windows every Tuesday at 1:00am - 3:00am and every Wednesday at 1:00am - 2:00am and at 6:00am - 7:00am in the `UTC` timezone. There's also an exception from *2021-05-26T03:00:00Z* to *2021-05-30T12:00:00Z* where maintenance isn't allowed even if it overlaps with a maintenance window.

+The above JSON file specifies maintenance windows every three months on the first of the month between 9:00 AM - 1:00 PM in the `UTC-08` timezone. There's also an exception from *2023-12-23* to *2024-01-05* where maintenance isn't allowed even if it overlaps with a maintenance window.

+az aks maintenanceconfiguration delete -g myResourceGroup --cluster-name myAKSCluster --name autoUpgradeSchedule

+[node-image-auto-upgrade]: auto-upgrade-node-image.md

+> Migration to V2 will disable management of the App Service Authentication/Authorization feature for your application through some clients, such as its existing experience in the Azure portal, Azure CLI, and Azure PowerShell. This cannot be reversed.

+The V2 API does not support creation or editing of Microsoft Account as a distinct provider as was done in V1. Rather, it leverages the converged [Microsoft identity platform](../active-directory/develop/v2-overview.md) to sign-in users with both Azure AD and personal Microsoft accounts. When switching to the V2 API, the V1 Azure Active Directory (Azure AD) configuration is used to configure the Microsoft identity platform provider. The V1 Microsoft Account provider will be carried forward in the migration process and continue to operate as normal, but it is recommended that you move to the newer Microsoft Identity Platform model. See [Support for Microsoft Account provider registrations](#support-for-microsoft-account-provider-registrations) to learn more.

+1. If the app is configured using the V1 model, you'll see an **Upgrade** button.

+1. Review the description in the confirmation prompt. If you're ready to perform the migration, click **Upgrade** in the prompt.

+ In the resulting JSON payload, make note of the secret value used for each provider you've configured:

+ * Azure AD: `clientSecret`

+1. Create slot-sticky application settings for each secret value. You may choose the name of each application setting. Its value should match what you obtained in the previous step or [reference a Key Vault secret](./app-service-key-vault-references.md?toc=/azure/azure-functions/toc.json) that you've created with that value.

+1. Create a new JSON file named `authsettings.json`. Take the output that you received previously and remove each secret value from it. Write the remaining output to the file, making sure that no secret is included. In some cases, the configuration may have arrays containing empty strings. Make sure that `microsoftAccountOAuthScopes` does not, and if it does, switch that value to `null`.

+ * Azure AD: `clientSecretSettingName`

+ An example file after this operation might look similar to the following, in this case only configured for Azure AD:

+You've now migrated the app to store identity provider secrets as application settings.

+If your existing configuration contains a Microsoft Account provider and does not contain an Azure AD provider, you can switch the configuration over to the Azure AD provider and then perform the migration. To do this:

+1. Configure the Azure AD provider using the "Advanced" management mode, supplying the client ID and client secret values you collected in the previous step. For the Issuer URL, use Use `<authentication-endpoint>/<tenant-id>/v2.0`, and replace *\<authentication-endpoint>* with the [authentication endpoint for your cloud environment](../active-directory/develop/authentication-national-cloud.md#azure-ad-authentication-endpoints) (e.g., "https://login.microsoftonline.com" for global Azure), also replacing *\<tenant-id>* with your **Directory (tenant) ID**.

+1. Once you've saved the configuration, test the login flow by navigating in your browser to the `/.auth/login/aad` endpoint on your site and complete the sign-in flow.

+1. At this point, you've successfully copied the configuration over, but the existing Microsoft Account provider configuration remains. Before you remove it, make sure that all parts of your app reference the Azure AD provider through login links, etc. Verify that all parts of your app work as expected.

+1. Once you've validated that things work against the Azure AD provider, you may remove the Microsoft Account provider configuration.

+> It is possible to converge the two registrations by modifying the [supported account types](../active-directory/develop/supported-accounts-validation.md) for the Azure AD app registration. However, this would force a new consent prompt for Microsoft Account users, and those users' identity claims may be different in structure, `sub` notably changing values since a new App ID is being used. This approach is not recommended unless thoroughly understood. You should instead wait for support for the two registrations in the V2 API surface.

+When you enable authentication/authorization, platform middleware is injected into your HTTP request pipeline as described in the [feature overview](overview-authentication-authorization.md#how-it-works). This platform middleware is periodically updated with new features and improvements as part of routine platform updates. By default, your web or function app will run on the latest version of this platform middleware. These automatic updates are always backwards compatible. However, in the rare event that this automatic update introduces a runtime issue for your web or function app, you can temporarily roll back to the previous middleware version. This article explains how to temporarily pin an app to a specific version of the authentication middleware.

+You'll see the `runtimeVersion` field in the CLI output. It will resemble the following example output, which has been truncated for clarity:

+At this time, the migration feature doesn't support migrations to App Service Environment v3 in the following regions:

+- Japan West

+- Jio India West

+- UAE Central

+- US DoD Central

+- US Gov Arizona

+### Azure China:

+- China East 2

+- China North 2

+| Brazil Southeast | ✅ | | ✅ |

+Repeat this step to add your second origin. Pay attention to the `--priority` parameter. For this origin, it's set to "2". This priority setting tells Azure Front Door to direct all traffic to the primary origin unless the primary goes down. If you set the priority for this origin to "1", Azure Front Door will treat both origins as active and direct traffic to both regions. Be sure to replace both instances of the placeholder for `<web-app-west-us>` with the name of that web app.

+> [Highly available zone-redundant web application](/azure/architecture/reference-architectures/app-service-web-app/zone-redundant)

+ --public-ip-address myAGPublicIPAddress \

+ --priority 100

+ --address-pool videoBackendPool \

+ --http-settings appGatewayBackendHttpSettings

+ --address-pool appGatewayBackendPool \

+ --priority 200

+**Hybrid Worker extension settings**

+```powershell-interactive

+$settings = @{

+ "AutomationAccountURL" = "<registrationurl>";

+};

+```

+| `--repository-url` | http[s]://server/repo[.git]

+For more information, see [Azure Arc resource bridge (preview) network requirements](network-requirements.md).

+* Review the [system requirements](system-requirements.md) for deploying and managing Arc resource bridge.

+ Title: Azure Arc resource bridge (preview) system requirements

+description: Learn about system requirements for Azure Arc resource bridge (preview).

+# Azure Arc resource bridge (preview) system requirements

+This article describes the system requirements for deploying Azure Arc resource bridge (preview).

+Arc resource bridge is used with other partner products, such as [Azure Stack HCI](/azure-stack/hci/manage/azure-arc-vm-management-overview), [Arc-enabled VMware vSphere](../vmware-vsphere/index.yml), and [Arc-enabled System Center Virtual Machine Manager (SCVMM)](../system-center-virtual-machine-manager/index.yml). These products may have additional requirements.

+## Management tool requirements

+[Azure CLI](/cli/azure/install-azure-cli) is required to deploy the Azure Arc resource bridge on supported private cloud environments.

+If you're deploying on VMware, a x64 Python environment is required. The [pip](https://pypi.org/project/pip/) package installer for Python is also required.

+If you're deploying on Azure Stack HCI, the x32 Azure CLI installer can be used to install Azure CLI.

+## Minimum resource requirements

+Arc resource bridge has the following minimum resource requirements:

+- 50 GB disk space

+- 4 vCPUs

+- 8 GB memory

+These minimum requirements enable most scenarios. However, a partner product may support a higher resource connection count to Arc resource bridge, which requires the bridge to have higher resource requirements. Failure to provide sufficient resources may cause errors during deployment, such as disk copy errors. Review the partner product's documentation for specific resource requirements.

+> [!NOTE]

+> To [use Arc resource bridge with Azure Kubernetes Service (AKS) on Azure Stack HCI](#aks-and-arc-resource-bridge-on-azure-stack-hci), the AKS clusters must be deployed prior to deploying Arc resource bridge. If Arc resource bridge has already been deployed, AKS clusters can't be installed unless you delete Arc resource bridge first. Once your AKS clusters are deployed to Azure Stack HCI, you can deploy Arc resource bridge again.

+## Management machine requirements

+The machine used to run the commands to deploy Arc resource bridge, and maintain it, is called the *management machine*. The management machine should be considered part of the Arc resource bridge ecosystem, as it has specific requirements and is necessary to manage the appliance VM.

+Because the management machine needs these specific requirements to manage Arc resource bridge, once the machine is set up, it should continue to be the primary machine used to maintain Arc resource bridge.

+The management machine has the following requirements:

+- [Azure CLI x64](/cli/azure/install-azure-cli-windows?tabs=azure-cli) installed.

+- Open communication to Control Plane IP (`controlplaneendpoint` parameter in `createconfig` command).

+- Open communication to Appliance VM IP (`k8snodeippoolstart` parameter in `createconfig` command).

+- Open communication to the reserved Appliance VM IP for upgrade (`k8snodeippoolend` parameter in `createconfig` command).

+- Internal and external DNS resolution. The DNS server must resolve internal names, such as the vCenter endpoint for vSphere or cloud agent service endpoint for Azure Stack HCI. The DNS server must also be able to resolve external addresses that are [required URLs](network-requirements.md#outbound-connectivity) for deployment.

+- If using a proxy, the proxy server configuration on the management machine must allow the machine to have internet access and to connect to [required URLs](network-requirements.md#outbound-connectivity) needed for deployment, such as the URL to download OS images.

+## Appliance VM requirements

+Arc resource bridge consists of an appliance VM that is deployed on-premises. The appliance VM has visibility into the on-premises infrastructure and can tag on-premises resources (guest management) for availability in Azure Resource Manager (ARM). The appliance VM is assigned an IP address from the `k8snodeippoolstart` parameter in the `createconfig` command.

+The appliance VM has the following requirements:

+- Open communication with the management machine, vCenter endpoint (for VMware), MOC cloud agent service endpoint (for Azure Stack HCI), or other control center for the on-premises environment.

+- The appliance VM needs to be able to resolve the management machine and vice versa.

+- Internet access.

+- Connectivity to [required URLs](network-requirements.md#outbound-connectivity) enabled in proxy and firewall.

+- Static IP assigned, used for the `k8snodeippoolstart` in configuration command. (If using DHCP, then the address must be reserved.)

+- Ability to reach a DNS server that can resolve internal names, such as the vCenter endpoint for vSphere or cloud agent service endpoint for Azure Stack HCI. The DNS server must also be able to resolve external addresses, such as Azure service addresses, container registry names, and other [required URLs](network-requirements.md#outbound-connectivity).

+- If using a proxy, the proxy server configuration is provided when running the `createconfig` command, which is used to create the configuration files of the appliance VM. The proxy should allow internet access on the appliance VM to connect to [required URLs](network-requirements.md#outbound-connectivity) needed for deployment, such as the URL to download OS images.

+## Reserved appliance VM IP requirements

+Arc resource bridge reserves an additional IP address to be used for the appliance VM upgrade. During upgrade, a new appliance VM is created with the reserved appliance VM IP. Once the new appliance VM is created, the old appliance VM is deleted, and its IP address becomes reserved for a future upgrade. The reserved appliance VM IP is assigned an IP address from the `k8snodeippoolend` parameter in the `az arcappliance createconfig` command.

+The reserved appliance VM IP has the following requirements:

+- Open communication with the management machine, vCenter endpoint (for VMware), MOC cloud agent service endpoint (for Azure Stack HCI), or other control center for the on-premises environment.

+- The appliance VM needs to be able to resolve the management machine and vice versa.

+- Internet access.

+- Connectivity to [required URLs](network-requirements.md#outbound-connectivity) enabled in proxy and firewall.

+- Static IP assigned, used for the `k8snodeippoolend` in configuration command. (If using DHCP, then the address must be reserved.)

+- Ability to reach a DNS server that can resolve internal names, such as the vCenter endpoint for vSphere or cloud agent service endpoint for Azure Stack HCI. The DNS server must also be able to resolve external addresses, such as Azure service addresses, container registry names, and other [required URLs](network-requirements.md#outbound-connectivity).

+## Control plane IP requirements

+The appliance VM hosts a management Kubernetes cluster with a control plane that should be given a static IP. This IP is assigned from the `controlplaneendpoint` parameter in the `createconfig` command.

+The control plane IP has the following requirements:

+- Open communication with the management machine.

+- The control plane needs to be able to resolve the management machine and vice versa.

+- Static IP address assigned; the IP should be outside the DHCP range but still available on the network segment. This IP address can't be assigned to any other machine on the network. If you're using Azure Kubernetes Service on Azure Stack HCI (AKS hybrid) and installing resource bridge, then the control plane IP for the resource bridge can't be used by the AKS hybrid cluster. For specific instructions on deploying Arc resource bridge with AKS on Azure Stack HCI, see [AKS on HCI (AKS hybrid) - Arc resource bridge deployment](/azure/aks/hybrid/deploy-arc-resource-bridge-windows-server).

+## User account and credentials

+Arc resource bridge may require a separate user account with the necessary roles to view and manage resources in the on-premises infrastructure (such as Arc-enabled VMware vSphere or Arc-enabled SCVMM). If so, during creation of the configuration files, the `username` and `password` parameters will be required. The account credentials are then stored in a configuration file locally within the appliance VM.

+If the user account is set to periodically change passwords, the credentials must be immediately updated on the resource bridge. This user account may also be set with a lockout policy to protect the on-premises infrastructure, in case the credentials aren't updated and the resource bridge makes multiple attempts to use expired credentials to access the on-premises control center.

+For example, with Arc-enabled VMware, Arc resource bridge needs a separate user account for vCenter with the necessary roles. If the [credentials for the user account change](troubleshoot-resource-bridge.md#insufficient-permissions), then the credentials stored in Arc resource bridge must be immediately updated by running `az arcappliance update-infracredentials` from the [management machine](#management-machine-requirements). Otherwise, the appliance will make repeated attempts to use the expired credentials to access vCenter, which will result in a lockout of the account.

+## Configuration files

+Arc resource bridge consists of an appliance VM that is deployed in the on-premises infrastructure. To maintain the appliance VM, the configuration files generated during deployment must be saved in a secure location and made available on the management machine.

+There are several different types of configuration files, based on the on-premises infrastructure.

+### Appliance configuration files

+Three configuration files are created when the `createconfig` command completes (or the equivalent commands used by Azure Stack HCI and AKS hybrid): resource.yaml, appliance.yaml and infra.yaml.

+By default, these files are generated in the current CLI directory when `createconfig` completes. These files should be saved in a secure location on the management machine, because they're required for maintaining the appliance VM. Because the configuration files reference each other, all three files must be stored in the same location. If the files are moved from their original location at deployment, open the files to check that the reference paths to the configuration files are accurate.

+### Kubeconfig

+The appliance VM hosts a management Kubernetes cluster. The kubeconfig is a low-privilege Kubernetes configuration file that is used to maintain the appliance VM. By default, it's generated in the current CLI directory when the `deploy` command completes. The kubeconfig should be saved in a secure location to the management machine, because it's required for maintaining the appliance VM.

+### HCI login configuration file (Azure Stack HCI only)

+Arc resource bridge uses a MOC login credential called [KVA token](/azure-stack/hci/manage/deploy-arc-resource-bridge-using-command-line#set-up-arc-vm-management) (kvatoken.tok) to interact with Azure Stack HCI. The KVA token is generated with the appliance configuration files when deploying Arc resource bridge. This token is also used when collecting logs for Arc resource bridge, so it should be saved in a secure location with the rest of the appliance configuration files. This file is saved in the directory provided during configuration file creation or the default CLI directory.

+## AKS and Arc Resource Bridge on Azure Stack HCI

+To use AKS and Arc resource bridge together on Azure Stack HCI, the AKS cluster must be deployed prior to deploying Arc resource bridge. If Arc resource bridge has already been deployed, AKS can't be deployed unless you delete Arc resource bridge first. Once your AKS cluster is deployed to Azure Stack HCI, you can deploy Arc resource bridge.

+The following example shows a network configuration setup for Arc resource bridge and AKS clusters when deployed on Azure Stack HCI. Key details are that Arc resource bridge and AKS share the same switch and `ipaddressprefix`, but require different IP addresses for `vippoolstart/end` and `k8snodeippoolstart/end`.

+### AKS hybrid

+```

+azurestackhciprovider:

+ virtualnetwork:

+   name: "mgmtvnet"

+   vswitchname: "Default Switch"

+   type: "Transparent"

+   macpoolname: 

+   vlanid: 0

+   ipaddressprefix: 172.16.0.0/16

+   gateway: 17.16.1.1 

+   dnsservers: 17.16.1.1

+   vippoolstart: 172.16.255.0

+   vippoolend: 172.16.255.254

+   k8snodeippoolstart: 172.16.10.0

+   k8snodeippoolend: 172.16.10.254 

+```

+### Arc resource bridge

+```

+azurestackhciprovider:

+ virtualnetwork:

+      name: "mgmtvnet"

+      vswitchname: "Default Switch"

+      type: "Transparent"

+      macpoolname: 

+      vlanid: 0

+      ipaddressprefix: 172.16.0.0/16

+      gateway: 17.16.1.1

+      dnsservers: 17.16.0.1

+      vippoolstart: 172.16.250.0

+      vippoolend: 172.16.250.254

+      k8snodeippoolstart: 172.16.30.0

+      k8snodeippoolend: 172.16.30.254

+```

+For instructions for how to deploy Arc resource bridge on Hybrid AKS, see [How to install Azure Arc Resource Bridge on Windows Server - AKS hybrid](/azure/aks/hybrid/deploy-arc-resource-bridge-windows-server).

+## Next steps

+- Review the [Azure Arc resource bridge (preview) overview](overview.md) to understand more about requirements and technical details.

+- Learn about [security configuration and considerations for Azure Arc resource bridge (preview)](security-overview.md).

+# Deployment options for Azure Monitor agent on Azure Arc-enabled servers

+* Monitor the operating system and any workloads running on the machine or server using [VM insights](../../azure-monitor/vm/vminsights-overview.md)

+* Analyze and alert using [Azure Monitor](../../azure-monitor/overview.md)

+* Perform security monitoring in Azure by using [Microsoft Defender for Cloud](../../defender-for-cloud/defender-for-cloud-introduction.md) or [Microsoft Sentinel](../../sentinel/overview.md)

+* Collect inventory and track changes by using [Azure Automation Change Tracking and Inventory](../../automation/change-tracking/overview.md)

+* Can be useful for testing purposes

+* Useful if you have a few machines to manage

+* Limited automation when using an Azure Resource Manager template

+* Can only focus on a single Arc-enabled server, and not multiple instances

+* Only supports specifying a single workspace to report to; requires using PowerShell or the Azure CLI to configure the Log Analytics Windows agent VM extension to report to up to four workspaces

+* Doesn't support deploying the Dependency agent from the portal; you can only use PowerShell, the Azure CLI, or ARM template

+* Reinstalls the VM extension if removed (after policy evaluation)

+* Identifies and installs the VM extension when a new Azure Arc-enabled server is registered with Azure

+* Can use a scripted method to automate its deployment and configuration using scripting languages you're familiar with

+* Runs on a schedule that you define and control

+* Authenticate securely to Arc-enabled servers from the Automation account using a managed identity

+* Requires an Azure Automation account

+* Experience authoring and managing runbooks in Azure Automation

+* Must create a runbook based on PowerShell or Python, depending on the target operating system

+### Use Azure portal

+The Azure Monitor agent VM extension can be installed using the Azure portal. See [Automatic extension upgrade for Azure Arc-enabled servers](manage-automatic-vm-extension-upgrade.md) for more information about installing extensions from the Azure portal.

+#### Advantages

+* Point and click directly from Azure portal

+* Useful for testing with small set of servers

+* Immediate deployment of extension

+#### Disadvantages

+* Not scalable to many servers

+* Limited automation

+# [Confluent (in-process)](#tab/confluent/in-process)

+# [Event Hubs (in-process)](#tab/event-hubs/in-process)

+# [Confluent (isolated process)](#tab/confluent/isolated-process)

+# [Event Hubs (isolated process)](#tab/event-hubs/isolated-process)

+[Avro schema]: http://avro.apache.org/docs/current/

+| **Monitoring** | [Azure Application Insights](../azure-monitor/app/app-insights-overview.md) | [Azure portal](../logic-apps/quickstart-create-first-logic-app-workflow.md), [Azure Monitor Logs](../logic-apps/monitor-workflows-collect-diagnostic-data.md), [Microsoft Defender for Cloud](../logic-apps/healthy-unhealthy-resource.md) |

+| **Network bandwidth** | You can incur costs for data transfer depending on the direction and scenario of the data movement. To learn more, see [Bandwidth pricing details](https://azure.microsoft.com/pricing/details/bandwidth/). |

+|South Africa West| 20 | 20 |

+|[Cloud Unity LLC](https://cloudunity.com)|

+## Next steps

+Learn more about Creator for indoor maps by reading:

+> [!div class="nextstepaction"]

+> [Creator for indoor maps](creator-indoor-maps.md)

+Learn more by reading:

+Learn more by reading:

+> [Creator for indoor maps](creator-indoor-maps.md)

+```

+## Next steps

+Learn more about Creator for indoor maps by reading:

+> [!div class="nextstepaction"]

+> [Creator for indoor maps](creator-indoor-maps.md)

+> [!NOTE]

+> If you want to use standalone ILogger provider, use [Microsoft.Extensions.Logging.ApplicationInsight](./ilogger.md).

+For more information, see [ILogger configuration](/dotnet/core/extensions/logging#configure-logging).

+In this article, you'll learn how to capture logs with Application Insights in .NET apps by using the [`Microsoft.Extensions.Logging.ApplicationInsights`][nuget-ai] provider package. If you use this provider, you can query and analyze your logs by using the Application Insights tools.

+> [!NOTE]

+> If you want to implement the full range of Application Insights telemetry along with logging, see [Configure Application Insights for your ASP.NET websites](./asp-net.md) or [Application Insights for ASP.NET Core applications](./asp-net-core.md).

+To add Application Insights logging to ASP.NET Core applications, use the `Microsoft.Extensions.Logging.ApplicationInsights` NuGet provider package.

+1. Install the [`Microsoft.Extensions.Logging.ApplicationInsights`][nuget-ai] NuGet package.

+1. Add `ApplicationInsightsLoggerProvider`:

+ using Microsoft.Extensions.Logging;

+ using Microsoft.Extensions.Logging.ApplicationInsights;

+ public class Program

+ public static void Main(string[] args)

+ var host = CreateHostBuilder(args).Build();

+

+ var logger = host.Services.GetRequiredService<ILogger<Program>>();

+ logger.LogInformation("From Program, running the host now.");

+

+ host.Run();

+

+ public static IHostBuilder CreateHostBuilder(string[] args) =>

+ Host.CreateDefaultBuilder(args)

+ .ConfigureWebHostDefaults(webBuilder =>

+ {

+ webBuilder.UseStartup<Startup>();

+ })

+ .ConfigureLogging((context, builder) =>

+ {

+ builder.AddApplicationInsights(

+ configureTelemetryConfiguration: (config) => config.ConnectionString = context.Configuration["APPLICATIONINSIGHTS_CONNECTION_STRING"],

+ configureApplicationInsightsLoggerOptions: (options) => { }

+ );

+

+ // Capture all log-level entries from Startup

+ builder.AddFilter<ApplicationInsightsLoggerProvider>(

+ typeof(Startup).FullName, LogLevel.Trace);

+ });

+To add Application Insights logging to console applications, first install the [`Microsoft.Extensions.Logging.ApplicationInsights`][nuget-ai] NuGet provider package.

+The following example uses the Microsoft.Extensions.Logging.ApplicationInsights package and demonstrates the default behavior for a console application. The Microsoft.Extensions.Logging.ApplicationInsights package should be used in a console application or whenever you want a bare minimum implementation of Application Insights without the full feature set such as metrics, distributed tracing, sampling, and telemetry initializers.

+ connection_string='InstrumentationKey=00000000-0000-0000-0000-000000000000',

+ export_interval=60, # Application Insights backend assumes aggregation on a 60s interval

+ )

+1. The exporter sends metric data to Azure Monitor at a fixed interval. You must set this value to 60s as Application Insights backend assumes aggregation of metrics points on a 60s time interval. We're tracking a single metric, so this metric data, with whatever value and time stamp it contains, is sent every interval. The data is cumulative, can only increase, and resets to 0 on restart.

+`export_interval`| Used to specify the frequency in seconds of exporting. Defaults to `15s`. For metrics you MUST set this to 60s or else your metric aggregations will not make sense in the metrics explorer.|

+- [Availability overview](availability-overview.md)

+- [Availability overview](availability-overview.md)

+- [Availability overview](availability-overview.md)

+* [Availability overview](availability-overview.md)

+Logs emitted via `ILogger` with the severity Warning or greater are automatically captured. To change this behavior, explicitly override the logging configuration for the provider `ApplicationInsights`, as shown in the following code. The following configuration allows Application Insights to capture all `Information` logs and more severe logs.

+```json

+{

+ "Logging": {

+ "LogLevel": {

+ "Default": "Warning"

+ },

+ "ApplicationInsights": {

+ "LogLevel": {

+ "Default": "Information"

+ }

+ }

+ }

+}

+```

+It's important to note that the following example doesn't cause the Application Insights provider to capture `Information` logs. It doesn't capture it because the SDK adds a default logging filter that instructs `ApplicationInsights` to capture only `Warning` logs and more severe logs. Application Insights requires an explicit override.

+```json

+{

+ "Logging": {

+ "LogLevel": {

+ "Default": "Information"

+ }

+ }

+}

+```

+For more information, follow [ILogger docs](/dotnet/core/extensions/logging#configure-logging) to customize which log levels are captured by Application Insights.

+This article will not cover how to create data or [upload it to an Azure Blob Storage account](../../storage/blobs/blob-upload-function-trigger.md). Rather, we pick the flow up as soon as a new file is uploaded to the blob. From here:

+1. A process will detect that new data has been uploaded. Our example uses an [logic app workflow](../../logic-apps/logic-apps-overview.md), which has available a trigger to detect new data being uploaded to a blob.

+2. A processor reads this new data and converts it to JSON, the format required by Azure Monitor In this example, we use an [Azure Function](../../azure-functions/functions-overview.md) as a lightweight, cost-efficient way of executing our processing code. The function is kicked off by the same logic app workflow that we used to detect the new data.

+3. Finally, once the JSON object is available, it is sent to Azure Monitor. The same logic app workflow sends the data to Azure Monitor using the built in Log Analytics Data Collector activity.

+While the detailed setup of the blob storage, logic app workflow, or Azure Function is not outlined in this article, detailed instructions are available on the specific productsΓÇÖ pages.

+To monitor this pipeline, we use Application Insights to [monitor our Azure Function](../../azure-functions/functions-monitoring.md), and Azure Monitor to [monitor our logic app workflow](../../logic-apps/monitor-workflows-collect-diagnostic-data.md).

+Ingesting JSON data is trivial with Azure Logic Apps, and since no transformation needs to take place, we can encase the entire pipeline in a single logic app workflow. Once both the blob container and the Log Analytics workspace have been configured, create a new logic app workflow and configure it as follows:

+Save your logic app workflow and proceed to test it.

+monitor-workflows-collect-diagnostic-data today does not have built-in capabilities to easily transform XML, CSV, or other types into JSON format. Therefore, we need to use another means to complete this transformation. For this article, we use the serverless compute capabilities of Azure Functions as a very lightweight and cost-friendly way of doing so.

+ string filePath = await req.Content.ReadAsStringAsync(); //get the CSV URI being passed from logic app workflow

+Now we need to go back and modify the logic app we started building earlier to include the data ingested and converted to JSON format. Using View Designer, configure as follows and then save your logic app:

+

+Now you can upload a new file to the blob configured earlier and have it monitored by your logic app workflow. Soon, you should see a new instance of the logic app workflow kick off, call out to your Azure Function, and then successfully send the data to Azure Monitor.

+* Add error handling and retry logic in your logic app workflow and Function.

+* Leverage source control to manage the code for your function and logic app workflow.

+* Ensure that a proper change management policy is followed, such that if the schema changes, the function and logic app are modified accordingly.

+For example, you can create a logic app workflow to use Azure Monitor log data in an email notification from Office 365, create a bug in Azure DevOps, or post a Slack message. You can trigger a workflow by a simple schedule or from some action in a connected service such as when a mail or a tweet is received.

+1. Select a **Subscription**, **Resource group**, and **Region** to store the new logic app and then give it a unique name. You can turn on the **Log Analytics** setting to collect information about runtime data and events as described in [Set up Azure Monitor logs and collect diagnostics data for Azure Logic Apps](../../logic-apps/monitor-workflows-collect-diagnostic-data.md). This setting isn't required for using the Azure Monitor Logs connector.

+ 

+### Create a trigger for the logic app workflow

+ This creates a logic app workflow that automatically runs at a regular interval.

+This tutorial shows how to create a logic app workflow that sends the results of an Azure Monitor log query by email.

+ 

+### Save and test your workflow

+1. Select **Save** and then **Run** to perform a test run of the workflow.

+ When the workflow completes, check the mail of the recipient that you specified. You should receive a mail with a body similar to the following:

+ > The workflow generates an email with a JPG file that depicts the query result set. If your query doesn't return results, the workflow won't create a JPG file.

+- Learn more about [Azure Logic Apps](../../logic-apps/index.yml)

+### Create a logic app workflow

+1. Go to **Logic Apps** in the Azure portal and select **Add**. Select a **Subscription**, **Resource group**, and **Region** to store the new logic app. Then give it a unique name. You can turn on the **Log Analytics** setting to collect information about runtime data and events as described in [Set up Azure Monitor Logs and collect diagnostics data for Azure Logic Apps](../../logic-apps/monitor-workflows-collect-diagnostic-data.md). This setting isn't required for using the Azure Monitor Logs connector.

+### Create a trigger for the workflow

+Under **Start with a common trigger**, select **Recurrence**. This setting creates a logic app workflow that automatically runs at a regular interval. In the **Frequency** box of the action, select **Day**. In the **Interval** box, enter **1** to run the workflow once per day.

+### Test the workflow

+* Korea Central

+* Norway West

+* Sweden Central

+* Switzerland North

+* US Gov Virginia

+Create your Azure VMware Solution and create Azure NetApp Files NFS volumes in the virtual network connected to it using an ExpressRoute. Ensure there's connectivity from the private cloud to the NFS volumes created. Use those volumes to create NFS datastores and attach the datastores to clusters of your choice in a private cloud. As a native integration, you need no other permissions configured via vSphere.

+ 1. If you're using [export policies](../azure-netapp-files/azure-netapp-files-configure-export-policy.md) to control, access to Azure NetApp Files volumes, enable the Azure VMware private cloud IP range, not individual host IPs. Faulty hosts in a private cloud could get replaced so if the IP isn't enabled, connectivity to datastore will be impacted.

+>Azure NetApp Files datastores for Azure VMware Solution are generally available. To use it, you must register Azure NetApp Files datastores for Azure VMware Solution.

+- Based on your performance requirements, select the correct service level needed for the Azure NetApp Files capacity pool. See [Service levels for Azure NetApp Files](../azure-netapp-files/azure-netapp-files-service-levels.md) to understand the throughput allowed per provisioned TiB for each service level.

+ >[!IMPORTANT]

+ > If you've changed the Azure NetApp Files volumes performance tier after creating the volume and datastore, see [Service level change for Azure NetApp files datastore](#service-level-change-for-azure-netapp-files-datastore) to ensure that volume/datastore metadata is in sync to avoid unexpected behavior in the portal or the API due to metadata mismatch.

+- Create one or more volumes based on the required throughput and capacity. See [Performance considerations](../azure-netapp-files/azure-netapp-files-performance-considerations.md) for Azure NetApp Files to understand how volume size, service level, and capacity pool QoS type will determine volume throughput. For assistance calculating workload capacity and performance requirements, contact your Azure VMware Solution or Azure NetApp Files field expert. The default maximum number of Azure NetApp Files datastores is 64, but it can be increased to a maximum of 256 by submitting a support ticket. To submit a support ticket, see [Create an Azure support request](../azure-portal/supportability/how-to-create-azure-support-request.md).

+- Ensure that the Azure VMware Solution private cloud and the Azure NetApp Files volumes are deployed within the same [availability zone](../availability-zones/az-overview.md#availability-zones) using the [the availability zone volume placement](../azure-netapp-files/manage-availability-zone-volume-placement.md) in the same subscription. Information regarding your AVS private cloud's availability zone can be viewed from the overview pane within the AVS private cloud.

+

+For performance benchmarks that Azure NetApp Files datastores deliver for virtual machines on Azure VMware Solution, see [Azure NetApp Files datastore performance benchmarks for Azure VMware Solution](../azure-netapp-files/performance-benchmarks-azure-vmware-solution.md).

+1. Verify the protocol is NFS. You need to verify the virtual network and subnet to ensure connectivity to the Azure VMware Solution private cloud.

+## Service level change for Azure NetApp Files datastore

+Based on the performance requirements of the datastore, you can change the service level of the Azure NetApp Files volume used for the datastore by following the instructions to [dynamically change the service level of a volume for Azure NetApp Files](../azure-netapp-files/dynamic-change-volume-service-level.md)

+This has no impact to the Datastore or private cloud as there is no downtime involved and the IP address/mount path remain unchanged. However, the volume Resource Id will be changed due to the capacity pool change. Therefore to avoid any metadata mismatch re-issue the datastore create command via Azure CLI as follows: `az vmware datastore netapp-volume create`.

+>[!IMPORTANT]

+> The input values for **cluster** name, datastore **name**, **private-cloud** (SDDC) name, and **resource-group** must be **exactly the same as the current one**, and the **volume-id** is the new Resource Id of the volume.

+ -**cluster**

+ -**name**

+ -**private-cloud**

+ -**resource-group**

+ -**volume-id**

+ Yes, you can select multiple clusters at the time of creating the datastore. Additional clusters may be added or removed after the initial creation as well.

+> [!NOTE]

+> If connecting more than four Azure VMware Solution private clouds in the same Azure region to the same Azure virtual network is a requirement, use [Azure VMware Solution Interconnect](connect-multiple-private-clouds-same-region.md) to aggregate private cloud connectivity within the Azure region.

+For a Recovery Services vault with private endpoint setup, the name resolution for the FQDNs (`privatelink.<geo>.backup.windowsazure.com`, `*.blob.core.windows.net`, `*.queue.core.windows.net`, `*.blob.storage.azure.net`) should return a private IP address. This can be achieved by using:

+If the private URL doesn't resolve, it tries the public URL `<azure_backup_svc>.<geo>.backup.windowsazure.com`. If the public network access for Recovery Services vault is configured to *Allow from all networks*, the Recovery Services vault allows the requests coming from the extension over public URLs. If the public network access for Recovery Services vault is configured to *Deny*, the recovery services vault denies the requests coming from the extension over public URLs.

+These private URLs are specific for the vault. Only extensions and agents registered to the vault can communicate with the Azure Backup service over these endpoints. If the public network access for Recovery Services vault is configured to *Deny*, this restricts the clients that aren't running in the VNet from requesting the backup and restore operations on the vault. We recommend that public network access is set to *Deny* along with private endpoint setup. As the extension and agent attempt the private URL first, the `*.privatelink.<geo>.backup.windowsazure.com` DNS resolution of the URL should return the corresponding private IP associated with the private endpoint.

+There are multiple solutions for DNS resolution:

+For the manual management of DNS records after the VM discovery for communication channel - blob or queue, see [DNS records for blobs and queues (only for custom DNS servers/host files) after the first registration](backup-azure-private-endpoints-configure-manage.md#dns-records-for-blobs-and-queues-only-for-custom-dns-servershost-files-after-the-first-registration). For the manual management of DNS records after the first backup for backup storage account blob, see [DNS records for blobs (only for custom DNS servers/host files) after the first backup](backup-azure-private-endpoints-configure-manage.md#dns-records-for-blobs-only-for-custom-dns-servershost-files-after-the-first-backup).

+The private IP addresses for the FQDNs can be found in **DNS configuration** pane for the private endpoint created for the Recovery Services vault.

+In addition to the Azure Backup cloud services, the workload extension and agent require connectivity to the Azure Storage accounts and Azure Active Directory (Azure AD).

+As a pre-requisite, Recovery Services vault requires permissions for creating additional private endpoints in the same Resource Group. We also recommend providing the Recovery Services vault the permissions to create DNS entries in the private DNS zones (`privatelink.blob.core.windows.net`, `privatelink.queue.core.windows.net`). Recovery Services vault searches for private DNS zones in the resource groups where VNet and private endpoint are created. If it has the permissions to add DNS entries in these zones, theyΓÇÖll be created by the vault; otherwise, you must create them manually.

+>[!Note]

+>Integration with private DNS zone present in different subscriptions is unsupported in this experience.

+The following diagram shows how the name resolution works for storage accounts using a private DNS zone.

+| Allow access to service FQDNs/IPs | No additional costs. <br><br> Works with all network security appliances and firewalls. <br><br> You can also use service endpoints for *Storage*. However, for *Azure Backup* and *Azure Active Directory*, you need to assign the access to the corresponding IPs/FQDNs. | A broad set of IPs or FQDNs may be required to be accessed. |

+| [Virtual Network Service Endpoint](../virtual-network/virtual-network-service-endpoints-overview.md) | Can be used for Azure Storage. <br><br> Provides large benefit to optimize performance of data plane traffic. | Can't be used for Azure AD, Azure Backup service. |

+For a Recovery Services vault with private endpoint setup, the name resolution for the FQDNs (`privatelink.<geo>.backup.windowsazure.com`, `*.blob.core.windows.net`, `*.queue.core.windows.net`, `*.blob.storage.azure.net`) should return a private IP address. This can be achieved by using:

+These private URLs are specific for the vault. Only extensions and agents registered to the vault can communicate with Azure Backup over these endpoints. If the public network access for Recovery Services vault is configured to *Deny*, this restricts the clients that aren't running in the VNet from requesting backup and restore on the vault. We recommend setting the public network access to *Deny*, along with private endpoint setup. As the extension and agent attempt the private URL initially, the `*.privatelink.<geo>.backup.windowsazure.com` DNS resolution of the URL should return the corresponding private IP associated with the private endpoint.

+For a private endpoint enabled vault, the Azure Backup service creates private endpoint for these storage accounts. This prevents any network traffic related to Azure Backup (control plane traffic to service and backup data to storage blob) from leaving the virtual network. In addition to Azure Backup cloud services, the workload extension and agent require connectivity to Azure Storage accounts and Azure Active Directory (Azure AD).

+NC2 on Azure supports the following regions using AN36:

+NC2 on Azure supports the following regions using AN36P:

+* Southeast Asia

+* Australia East

+|`diarization`|Indicates that diarization analysis should be carried out on the input, which is expected to be a mono channel that contains multiple voices. Specify the minimum and maximum number of people who might be speaking. You must also set the `diarizationEnabled` property to `true`. The [transcription file](batch-transcription-get.md#transcription-result-file) will contain a `speaker` entry for each transcribed phrase.<br/><br/>You need to use this property when you expect three or more speakers. For two speakers setting `diarizationEnabled` property to `true` is enough. See an example of the property usage in [Transcriptions_Create](https://eastus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-1/operations/Transcriptions_Create) operation description.<br/><br/>Diarization is the process of separating speakers in audio data. The batch pipeline can recognize and separate multiple speakers on mono channel recordings. The feature isn't available with stereo recordings.<br/><br/>When this property is selected, source audio length can't exceed 240 minutes per file.<br/><br/>**Note**: This property is only available with Speech-to-text REST API version 3.1.|

+|`diarizationEnabled`|Specifies that diarization analysis should be carried out on the input, which is expected to be a mono channel that contains two voices. The default value is `false`.<br/><br/>For three or more voices you also need to use property `diarization` (only with Speech-to-text REST API version 3.1).<br/><br/>When this property is selected, source audio length can't exceed 240 minutes per file.|

+ Title: Azure OpenAI Service content filtering

+description: Learn about the content filtering capabilities of Azure OpenAI in Azure Cognitive Services

+ Title: Azure OpenAI Service models

+# Azure OpenAI Service models

+ Title: Azure OpenAI Service embeddings

+# Understanding embeddings in Azure OpenAI Service

+ Title: Azure OpenAI Service encryption of data at rest

+# Azure OpenAI Service encryption of data at rest

+ Title: 'Business Continuity and Disaster Recovery (BCDR) with Azure OpenAI Service'

+# Business Continuity and Disaster Recovery (BCDR) considerations with Azure OpenAI Service

+Azure OpenAI is available in two regions. Since subscription keys are region bound, when a customer acquires a key, they select the region in which their deployments will reside and from then on, all operations stay associated with that Azure server region.

+ Title: 'How to generate text with Azure OpenAI Service'

+The best way to start exploring completions is through our playground in [Azure OpenAI Studio](https://oai.azure.com). It's a simple text box where you can submit a prompt to generate a completion. You can start with a simple example like the following:

+ Title: 'How-to - Create a resource and deploy a model using Azure OpenAI Service'

+ Title: 'How to generate embeddings with Azure OpenAI Service'

+ Title: 'How to customize a model with Azure OpenAI Service'

+Azure OpenAI Service lets you tailor our models to your personal datasets using a process known as *fine-tuning*. This customization step will let you get more out of the service by providing:

+ Title: 'How-to - Use Azure OpenAI Service with large datasets'

+Azure OpenAI can be used to solve a large number of natural language tasks through prompting the completion API. To make it easier to scale your prompting workflows from a few examples to large datasets of examples, we have integrated the Azure OpenAI service with the distributed machine learning library [SynapseML](https://www.microsoft.com/research/blog/synapseml-a-simple-multilingual-and-massively-parallel-machine-learning-library/). This integration makes it easy to use the [Apache Spark](https://spark.apache.org/) distributed computing framework to process millions of prompts with the OpenAI service. This tutorial shows how to apply large language models at a distributed scale using Azure Open AI and Azure Synapse Analytics.

+- Access granted to Azure OpenAI in the desired Azure subscription

+ Currently, access to this service is granted only by application. You can apply for access to Azure OpenAI by completing the form at <a href="https://aka.ms/oai/access" target="_blank">https://aka.ms/oai/access</a>. Open an issue on this repo to contact us if you have an issue.

+Next, edit the cell in the notebook to point to your service. In particular, set the `resource_name`, `deployment_name`, `location`, and `key` variables to the corresponding values for your Azure OpenAI resource.

+# Replace the following values with your Azure OpenAI resource information

+Azure OpenAI can solve many different natural language tasks through [prompt engineering](completions.md). Here, we show an example of prompting for language translation:

+ Title: Plan to manage costs for Azure OpenAI Service

+description: Learn how to plan for and manage costs for Azure OpenAI by using cost analysis in the Azure portal.

+## Estimate costs before using Azure OpenAI

+ Title: How to Configure Azure OpenAI Service with Managed Identities

+# How to Configure Azure OpenAI Service with Managed Identities

+ Currently, access to this service is granted only by application. You can apply for access to Azure OpenAI by completing the form at <a href="https://aka.ms/oai/access" target="_blank">https://aka.ms/oai/access</a>. Open an issue on this repo to contact us if you have an issue.

+* Learn more about the [underlying models that power Azure OpenAI Service](../concepts/models.md)

+description: Learn how to use the Codex models on Azure OpenAI to handle a variety of coding tasks

+# Codex models and Azure OpenAI Service

+Here are a few examples of using Codex that can be tested in [Azure OpenAI Studio's](https://oai.azure.com) playground with a deployment of a Codex series model, such as `code-davinci-002`.

+This article contains a quick reference and a detailed description of the quotas and limits for Azure OpenAI in Azure Cognitive Services.

+description: Learn how to use Azure OpenAI's REST API. In this article, you'll learn about authorization options, how to structure a request and receive a response.

+This article provides details on the REST API endpoints for Azure OpenAI, a service in the Azure Cognitive Services suite. The REST APIs are broken up into two categories:

+* **Service APIs**: Azure OpenAI provides you with a set of REST APIs for interacting with the resources & models you deploy via the Management APIs.

+Azure OpenAI is deployed as a part of the Azure Cognitive Services. All Cognitive Services rely on the same set of management APIs for creation, update and delete operations. The management APIs are also used for deploying models within an OpenAI resource.

+Azure OpenAI provides two methods for authentication. you can use either API Keys or Azure Active Directory.

+ Title: Azure OpenAI Service embeddings tutorial

+description: Learn how to use Azure OpenAI's embeddings API for document search with the BillSum dataset

+# Tutorial: Explore Azure OpenAI Service embeddings and document search

+* Access granted to Azure OpenAI in the desired Azure subscription

+ Currently, access to this service is granted only by application. You can apply for access to Azure OpenAI by completing the form at <a href="https://aka.ms/oai/access" target="_blank">https://aka.ms/oai/access</a>. Open an issue on this repo to contact us if you have an issue.

+* An Azure OpenAI resource with **text-search-curie-doc-001** and **text-search-curie-query-001** models deployed. These models are currently only available in [certain regions](../concepts/models.md#model-summary-table-and-region-availability). If you don't have a resource the process is documented in our [resource deployment guide](../how-to/create-resource.md).

+To successfully make a call against Azure OpenAI, you'll need an **endpoint** and a **key**.

+| `ENDPOINT` | This value can be found in the **Keys & Endpoint** section when examining your resource from the Azure portal. Alternatively, you can find the value in **Azure OpenAI Studio** > **Playground** > **Code View**. An example endpoint is: `https://docs-test-001.openai.azure.com/`.|

+* **Customer managed key (CMK) encryption.** CMK provides customers greater control over managing their data in Azure OpenAI by providing their own encryption keys used for storing training data and customized models. Customer-managed keys (CMK), also known as bring your own key (BYOK), offer greater flexibility to create, rotate, disable, and revoke access controls. You can also audit the encryption keys used to protect your data. [Learn more from our encryption at rest documentation](encrypt-data-at-rest.md).

+Cognitive Services can be categorized into five main areas:

+* Azure OpenAI Service

+## Azure OpenAI

+|Service Name | Service Description| Quickstart|

+|:|:-|--|

+|[Azure OpenAI](./openai/index.yml "Azure OpenAI") |Powerful language models including the GPT-3, Codex and Embeddings model series for content generation, summarization, semantic search, and natural language to code translation. | [Azure OpenAI quickstart](./openai/quickstart.md) |

+| Toll-Free and Local (Geographic) | Modern Customer Agreement (Field and Customer Led), Modern Partner Agreement (CSP), Enterprise Agreement*, Pay-As-You-Go |

+| Short-Codes | Modern Customer Agreement (Field Led), Enterprise Agreement**, Pay-As-You-Go |

+ Title: Manage Azure AD token-based users in Azure confidential ledger

+description: Learn how to manage Azure AD token-based users in Azure confidential ledger

+# Manage Azure AD token-based users in Azure confidential ledger

+Azure AD-based users are identified by their Azure AD object ID.

+Users with Administrator privileges can manage users of the confidential ledger. Available roles are Reader (read-only), Contributor (read and write), and Administrator (read, write, and manage users).

+The following client libraries are available to manage users:

+- [Python](#python-client-library)

+- [.NET](#net-client-library)

+- [Java](#java-client-library)

+- [TypeScript](#typescript-client-library)

+## Sign in to Azure

+Get the confidential ledger's name and the identity service URI from the Azure portal as it is needed to create a client to manage the users. This image shows the appropriate properties in the Azure portal.

+Replace instances of `contoso` and `https://contoso.confidential-ledger.azure.com` in the following code snippets with the respective values from the Azure portal.

+## Python Client Library

+### Install the packages

+```Python

+pip install azure-identity azure-confidentialledger

+```

+### Create a confidential ledger client

+```Python

+from azure.identity import DefaultAzureCredential

+from azure.confidentialledger import ConfidentialLedgerClient

+from azure.confidentialledger.identity_service import ConfidentialLedgerIdentityServiceClient

+from azure.confidentialledger import LedgerUserRole

+identity_client = ConfidentialLedgerCertificateClient()

+network_identity = identity_client.get_ledger_identity(

+ ledger_id="contoso"

+)

+ledger_tls_cert_file_name = "ledger_certificate.pem"

+with open(ledger_tls_cert_file_name, "w") as cert_file:

+ cert_file.write(network_identity["ledgerTlsCertificate"])

+# The DefaultAzureCredential will use the current Azure context to authenticate to Azure

+credential = DefaultAzureCredential()

+ledger_client = ConfidentialLedgerClient(

+ endpoint="https://contoso.confidential-ledger.azure.com",

+ credential=credential,

+ ledger_certificate_path=ledger_tls_cert_file_name

+)

+# Add a user with the contributor role

+# Other supported roles are Contributor and Administrator

+user_id = "Azure AD object id of the user"

+user = ledger_client.create_or_update_user(

+ user_id, {"assignedRole": "Contributor"}

+)

+# Get the user and check their properties

+user = ledger_client.get_user(user_id)

+assert user["userId"] == user_id

+assert user["assignedRole"] == "Contributor"

+# Delete the user

+ledger_client.delete_user(user_id)

+```

+## .NET Client Library

+### Install the packages

+```

+dotnet add package Azure.Security.ConfidentialLedger

+dotnet add package Azure.Identity

+dotnet add Azure.Security

+```

+### Create a client and manage the users

+```Dotnet

+using Azure.Core;

+using Azure.Identity;

+using Azure.Security.ConfidentialLedger;

+internal class ACLUserManagement

+{

+ static void Main(string[] args)

+ {

+ // Create a ConfidentialLedgerClient instance

+ // The DefaultAzureCredential will use the current Azure context to authenticate to Azure

+ var ledgerClient = new ConfidentialLedgerClient(new Uri("https://contoso.confidential-ledger.azure.com"), new DefaultAzureCredential());

+ string userId = "Azure AD object id of the user";

+ // Add the user with the Reader role

+ // Other supported roles are Contributor and Administrator

+ ledgerClient.CreateOrUpdateUser(

+ userId,

+ RequestContent.Create(new { assignedRole = "Reader" }));

+ // Get the user and print their properties

+ Azure.Response response = ledgerClient.GetUser(userId);

+ var aclUser = System.Text.Json.JsonDocument.Parse(response.Content.ToString());

+ Console.WriteLine($"Assigned Role is = {aclUser.RootElement.GetProperty("assignedRole").ToString()}");

+ Console.WriteLine($"User id is = {aclUser.RootElement.GetProperty("userId").ToString()}");

+ // Delete the user

+ ledgerClient.DeleteUser(userId);

+ }

+}

+```

+## Java Client Library

+### Install the packages

+```Java

+<!-- https://mvnrepository.com/artifact/com.azure/azure-security-confidentialledger -->

+<dependency>

+ <groupId>com.azure</groupId>

+ <artifactId>azure-security-confidentialledger</artifactId>

+ <version>1.0.6</version>

+</dependency>

+<!-- https://mvnrepository.com/artifact/com.azure/azure-identity -->

+<dependency>

+ <groupId>com.azure</groupId>

+ <artifactId>azure-identity</artifactId>

+ <version>1.8.0</version>

+</dependency>

+<!-- https://mvnrepository.com/artifact/com.azure/azure-core -->

+<dependency>

+ <groupId>com.azure</groupId>

+ <artifactId>azure-core</artifactId>

+ <version>1.36.0</version>

+</dependency>

+```

+### Create a client and manage the users

+```Java

+ import java.io.IOException;

+import com.azure.core.http.HttpClient;

+import java.io.ByteArrayInputStream;

+import java.nio.charset.StandardCharsets;

+import com.azure.security.confidentialledger.*;

+import com.azure.core.http.rest.RequestOptions;

+import com.azure.core.http.netty.NettyAsyncHttpClientBuilder;

+import com.azure.core.http.rest.Response;

+import com.azure.core.util.BinaryData;

+import com.azure.identity.DefaultAzureCredentialBuilder;

+import com.fasterxml.jackson.databind.JsonNode;

+import com.fasterxml.jackson.databind.ObjectMapper;

+import com.azure.security.confidentialledger.certificate.ConfidentialLedgerCertificateClient;

+import com.azure.security.confidentialledger.certificate.ConfidentialLedgerCertificateClientBuilder;

+import io.netty.handler.ssl.SslContext;

+import io.netty.handler.ssl.SslContextBuilder;

+public class CreateOrUpdateUserSample {

+ public static void main(String[] args) {

+ try {

+ // Download the service identity certificate of the ledger from the well-known identity service endpoint.

+ // Do not change the identity endpoint.

+ ConfidentialLedgerCertificateClientBuilder confidentialLedgerCertificateClientbuilder = new ConfidentialLedgerCertificateClientBuilder()

+ .certificateEndpoint("https://identity.confidential-ledger.core.azure.com")

+ .credential(new DefaultAzureCredentialBuilder().build()).httpClient(HttpClient.createDefault());

+ ConfidentialLedgerCertificateClient confidentialLedgerCertificateClient = confidentialLedgerCertificateClientbuilder

+ .buildClient();

+ String ledgerId = "contoso";

+ Response<BinaryData> ledgerCertificateWithResponse = confidentialLedgerCertificateClient

+ .getLedgerIdentityWithResponse(ledgerId, null);

+ BinaryData certificateResponse = ledgerCertificateWithResponse.getValue();

+ ObjectMapper mapper = new ObjectMapper();

+ JsonNode jsonNode = mapper.readTree(certificateResponse.toBytes());

+ String ledgerTlsCertificate = jsonNode.get("ledgerTlsCertificate").asText();

+ SslContext sslContext = SslContextBuilder.forClient()

+ .trustManager(new ByteArrayInputStream(ledgerTlsCertificate.getBytes(StandardCharsets.UTF_8)))

+ .build();

+ reactor.netty.http.client.HttpClient reactorClient = reactor.netty.http.client.HttpClient.create()

+ .secure(sslContextSpec -> sslContextSpec.sslContext(sslContext));

+ HttpClient httpClient = new NettyAsyncHttpClientBuilder(reactorClient).wiretap(true).build();

+ // The DefaultAzureCredentialBuilder will use the current Azure context to authenticate to Azure

+ ConfidentialLedgerClient confidentialLedgerClient = new ConfidentialLedgerClientBuilder()

+ .credential(new DefaultAzureCredentialBuilder().build()).httpClient(httpClient)

+ .ledgerEndpoint("https://contoso.confidential-ledger.azure.com").buildClient();

+ // Add a user

+ // Other supported roles are Contributor and Administrator

+ BinaryData userDetails = BinaryData.fromString("{\"assignedRole\":\"Reader\"}");

+ RequestOptions requestOptions = new RequestOptions();

+ String userId = "Azure AD object id of the user";

+ Response<BinaryData> response = confidentialLedgerClient.createOrUpdateUserWithResponse(userId,

+ userDetails, requestOptions);

+ BinaryData parsedResponse = response.getValue();

+ ObjectMapper objectMapper = new ObjectMapper();

+ JsonNode responseBodyJson = null;

+ try {

+ responseBodyJson = objectMapper.readTree(parsedResponse.toBytes());

+ } catch (IOException e) {

+ e.printStackTrace();

+ }

+ System.out.println("Assigned role for user is " + responseBodyJson.get("assignedRole"));

+ // Get the user and print the details

+ response = confidentialLedgerClient.getUserWithResponse(userId, requestOptions);

+ parsedResponse = response.getValue();

+ try {

+ responseBodyJson = objectMapper.readTree(parsedResponse.toBytes());

+ } catch (IOException e) {

+ e.printStackTrace();

+ }

+ System.out.println("Assigned role for user is " + responseBodyJson.get("assignedRole"));

+ // Delete the user

+ confidentialLedgerClient.deleteUserWithResponse(userId, requestOptions);

+ } catch (Exception ex) {

+ System.out.println("Caught exception" + ex);

+ }

+ }

+}

+```

+## TypeScript Client Library

+### Install the packages

+```

+ "dependencies": {

+ "@azure-rest/confidential-ledger": "^1.0.0",

+ "@azure/identity": "^3.1.3",

+ "typescript": "^4.9.5"

+ }

+```

+### Create a client and manage the users

+```TypeScript

+import ConfidentialLedger, { getLedgerIdentity } from "@azure-rest/confidential-ledger";

+import { DefaultAzureCredential } from "@azure/identity";

+export async function main() {

+ // Get the signing certificate from the confidential ledger Identity Service

+ const ledgerIdentity = await getLedgerIdentity("contoso");

+ // Create the confidential ledger Client

+ const confidentialLedger = ConfidentialLedger(

+ "https://contoso.confidential-ledger.azure.com",

+ ledgerIdentity.ledgerIdentityCertificate,

+ new DefaultAzureCredential()

+ );

+ // Azure AD object id of the user

+ const userId = "Azure AD Object id"

+ // Other supported roles are Reader and Contributor

+ const createUserParams: CreateOrUpdateUserParameters = {

+ contentType: "application/merge-patch+json",

+ body: {

+ assignedRole: "Contributor",

+ userId: `${userId}`

+ }

+ }

+ // Add the user

+ var response = await confidentialLedger.path("/app/users/{userId}", userId).patch(createUserParams)

+

+ // Check for a non-success response

+ if (response.status !== "200") {

+ throw response.body.error;

+ }

+ // Print the response

+ console.log(response.body);

+ // Get the user

+ response = await confidentialLedger.path("/app/users/{userId}", userId).get()

+ // Check for a non-success response

+ if (response.status !== "200") {

+ throw response.body.error;

+ }

+ // Print the response

+ console.log(response.body);

+ // Set the user role to Reader

+ const updateUserParams: CreateOrUpdateUserParameters = {

+ contentType: "application/merge-patch+json",

+ body: {

+ assignedRole: "Reader",

+ userId: `${userId}`

+ }

+ }

+ // Update the user

+ response = await confidentialLedger.path("/app/users/{userId}", userId).patch(updateUserParams)

+ // Check for a non-success response

+ if (response.status !== "200") {

+ throw response.body.error;

+ }

+ // Print the response

+ console.log(response.body);

+ // Delete the user

+ await confidentialLedger.path("/app/users/{userId}", userId).delete()

+ // Get the user to make sure it is deleted

+ response = await confidentialLedger.path("/app/users/{userId}", userId).get()

+ // Check for a non-success response

+ if (response.status !== "200") {

+ throw response.body.error;

+ }

+}

+main().catch((err) => {

+ console.error(err);

+});

+```

+## Next steps

+- [Register an ACL app with Azure AD](register-application.md)

+- [Manage certificate-based users](manage-certificate-based-users.md)

+ Title: Manage certificate-based users in Azure confidential ledger

+description: Learn how to manage certificate-based users in Azure confidential ledger

+# Manage certificate-based users in Azure confidential ledger

+For certificate based users, their user ID is the fingerprint of their PEM certificate. Users with Administrator privileges can manage users of the confidential ledger. Available roles are Reader (read-only), Contributor (read and write), and Administrator (read, write, and manage users).

+The following client libraries are available to manage users:

+- [Python](#python-client-library)

+- [.NET](#net-client-library)

+- [Java](#java-client-library)

+- [TypeScript](#typescript-client-library)

+## Sign in to Azure

+Get the confidential ledger's name and the identity service URI from the Azure portal; it will be needed to create a client to manage the users. The image shows the appropriate properties in the Azure portal.

+Replace instances of `contoso` and `https://contoso.confidential-ledger.azure.com` in the following code snippets with the respective values from the Azure portal.

+## Python Client Library

+### Install the packages

+```Python

+pip install azure-identity azure-confidentialledger

+```

+### Create a confidential ledger client and manage the users

+```Python

+from azure.identity import DefaultAzureCredential

+from azure.confidentialledger import ConfidentialLedgerClient

+from azure.confidentialledger.identity_service import ConfidentialLedgerIdentityServiceClient

+from azure.confidentialledger import LedgerUserRole

+identity_client = ConfidentialLedgerCertificateClient()

+network_identity = identity_client.get_ledger_identity(

+ ledger_id="contoso"

+ )

+ledger_tls_cert_file_name = "ledger_certificate.pem"

+with open(ledger_tls_cert_file_name, "w") as cert_file:

+ cert_file.write(network_identity["ledgerTlsCertificate"])

+credential = DefaultAzureCredential()

+ledger_client = ConfidentialLedgerClient(

+ endpoint="https://contoso.confidential-ledger.azure.com",

+ credential=credential,

+ ledger_certificate_path=ledger_tls_cert_file_name

+)

+# Add a user with the contributor role

+# Other possible roles are Contributor and Administrator

+user_id = "PEM certficate fingerprint"

+user = ledger_client.create_or_update_user(

+ user_id, {"assignedRole": "Contributor"}

+)

+# Get the user and check their properties

+user = ledger_client.get_user(user_id)

+assert user["userId"] == user_id

+assert user["assignedRole"] == "Contributor"

+# Delete the user

+ledger_client.delete_user(user_id)

+```

+## .NET Client Library

+### Install the packages

+```

+dotnet add package Azure.Security.ConfidentialLedger

+dotnet add package Azure.Identity

+dotnet add Azure.Security

+```

+### Create a client and manage the users

+```Dotnet

+using Azure.Core;

+using Azure.Identity;

+using Azure.Security.ConfidentialLedger;

+internal class ACLUserManagement

+{

+ static void Main(string[] args)

+ {

+ // The DefaultAzureCredential will use the current Azure context to authenticate to Azure

+ var ledgerClient = new ConfidentialLedgerClient(new Uri("https://contoso.confidential-ledger.azure.com"), new DefaultAzureCredential());

+ // User id is the fingerprint of the PEM certificate

+ string userId = "PEM certficate fingerprint";

+ // Add the user with the Reader role

+ // Other supported roles are Contributor and Administrator

+ ledgerClient.CreateOrUpdateUser(

+ userId,

+ RequestContent.Create(new { assignedRole = "Reader" }));

+ // Get the user and print their properties

+ Azure.Response response = ledgerClient.GetUser(userId);

+ var aclUser = System.Text.Json.JsonDocument.Parse(response.Content.ToString());

+ Console.WriteLine($"Assigned Role is = {aclUser.RootElement.GetProperty("assignedRole").ToString()}");

+ Console.WriteLine($"User id is = {aclUser.RootElement.GetProperty("userId").ToString()}");

+ // Delete the user

+ ledgerClient.DeleteUser(userId);

+ }

+}

+```

+## Java Client Library

+### Install the packages

+```Java

+<!-- https://mvnrepository.com/artifact/com.azure/azure-security-confidentialledger -->

+<dependency>

+ <groupId>com.azure</groupId>

+ <artifactId>azure-security-confidentialledger</artifactId>

+ <version>1.0.6</version>

+</dependency>

+<!-- https://mvnrepository.com/artifact/com.azure/azure-identity -->

+<dependency>

+ <groupId>com.azure</groupId>

+ <artifactId>azure-identity</artifactId>

+ <version>1.8.0</version>

+</dependency>

+<!-- https://mvnrepository.com/artifact/com.azure/azure-core -->

+<dependency>

+ <groupId>com.azure</groupId>

+ <artifactId>azure-core</artifactId>

+ <version>1.36.0</version>

+</dependency>

+```

+### Create a client and manage the users

+```Java

+import java.io.IOException;

+import com.azure.core.http.HttpClient;

+import java.io.ByteArrayInputStream;

+import java.nio.charset.StandardCharsets;

+import com.azure.security.confidentialledger.*;

+import com.azure.core.http.rest.RequestOptions;

+import com.azure.core.http.netty.NettyAsyncHttpClientBuilder;

+import com.azure.core.http.rest.Response;

+import com.azure.core.util.BinaryData;

+import com.azure.identity.DefaultAzureCredentialBuilder;

+import com.fasterxml.jackson.databind.JsonNode;

+import com.fasterxml.jackson.databind.ObjectMapper;

+import com.azure.security.confidentialledger.certificate.ConfidentialLedgerCertificateClient;

+import com.azure.security.confidentialledger.certificate.ConfidentialLedgerCertificateClientBuilder;

+import io.netty.handler.ssl.SslContext;

+import io.netty.handler.ssl.SslContextBuilder;

+public class CreateOrUpdateUserSample {

+ public static void main(String[] args) {

+ try {

+ // Download the service identity certificate of the ledger from the well-known identity service endpoint.

+ // Do not change the identity endpoint.

+ ConfidentialLedgerCertificateClientBuilder confidentialLedgerCertificateClientbuilder = new ConfidentialLedgerCertificateClientBuilder()

+ .certificateEndpoint("https://identity.confidential-ledger.core.azure.com")

+ .credential(new DefaultAzureCredentialBuilder().build()).httpClient(HttpClient.createDefault());

+ ConfidentialLedgerCertificateClient confidentialLedgerCertificateClient = confidentialLedgerCertificateClientbuilder

+ .buildClient();

+ String ledgerId = "contoso";

+ Response<BinaryData> ledgerCertificateWithResponse = confidentialLedgerCertificateClient

+ .getLedgerIdentityWithResponse(ledgerId, null);

+ BinaryData certificateResponse = ledgerCertificateWithResponse.getValue();

+ ObjectMapper mapper = new ObjectMapper();

+ JsonNode jsonNode = mapper.readTree(certificateResponse.toBytes());

+ String ledgerTlsCertificate = jsonNode.get("ledgerTlsCertificate").asText();

+ SslContext sslContext = SslContextBuilder.forClient()

+ .trustManager(new ByteArrayInputStream(ledgerTlsCertificate.getBytes(StandardCharsets.UTF_8)))

+ .build();

+ reactor.netty.http.client.HttpClient reactorClient = reactor.netty.http.client.HttpClient.create()

+ .secure(sslContextSpec -> sslContextSpec.sslContext(sslContext));

+ HttpClient httpClient = new NettyAsyncHttpClientBuilder(reactorClient).wiretap(true).build();

+ // The DefaultAzureCredentialBuilder will use the current Azure context to authenticate to Azure.

+ ConfidentialLedgerClient confidentialLedgerClient = new ConfidentialLedgerClientBuilder()

+ .credential(new DefaultAzureCredentialBuilder().build()).httpClient(httpClient)

+ .ledgerEndpoint("https://contoso.confidential-ledger.azure.com").buildClient();

+ // Add a user using their certificate fingerprint as the user id

+ // Other supported roles are Contributor and Administrator

+ BinaryData userDetails = BinaryData.fromString("{\"assignedRole\":\"Reader\"}");

+ RequestOptions requestOptions = new RequestOptions();

+ String userId = "PEM certificate fingerprint";

+ Response<BinaryData> response = confidentialLedgerClient.createOrUpdateUserWithResponse(userId,

+ userDetails, requestOptions);

+ BinaryData parsedResponse = response.getValue();

+ ObjectMapper objectMapper = new ObjectMapper();

+ JsonNode responseBodyJson = null;

+ try {

+ responseBodyJson = objectMapper.readTree(parsedResponse.toBytes());

+ } catch (IOException e) {

+ e.printStackTrace();

+ }

+ System.out.println("Assigned role for user is " + responseBodyJson.get("assignedRole"));

+ // Get the user and print the details

+ response = confidentialLedgerClient.getUserWithResponse(userId, requestOptions);

+ parsedResponse = response.getValue();

+ try {

+ responseBodyJson = objectMapper.readTree(parsedResponse.toBytes());

+ } catch (IOException e) {

+ e.printStackTrace();

+ }

+ System.out.println("Assigned role for user is " + responseBodyJson.get("assignedRole"));

+ // Delete the user

+ confidentialLedgerClient.deleteUserWithResponse(userId, requestOptions);

+ } catch (Exception ex) {

+ System.out.println("Caught exception" + ex);

+ }

+ }

+}

+```

+## TypeScript Client Library

+### Install the packages

+```

+ "dependencies": {

+ "@azure-rest/confidential-ledger": "^1.0.0",

+ "@azure/identity": "^3.1.3",

+ "typescript": "^4.9.5"

+ }

+```

+### Create a client and manage the users

+```TypeScript

+import ConfidentialLedger, { getLedgerIdentity } from "@azure-rest/confidential-ledger";

+import { DefaultAzureCredential } from "@azure/identity";

+export async function main() {

+ // Get the signing certificate from the confidential ledger Identity Service

+ const ledgerIdentity = await getLedgerIdentity("contoso");

+ // Create the confidential ledger Client

+ const confidentialLedger = ConfidentialLedger(

+ "https://contoso.confidential-ledger.azure.com",

+ ledgerIdentity.ledgerIdentityCertificate,

+ new DefaultAzureCredential()

+ );

+ // User id is the PEM certificate fingerprint

+ const userId = "PEM certificate fingerprint"

+ // Other supported roles are Reader and Contributor

+ const createUserParams: CreateOrUpdateUserParameters = {

+ contentType: "application/merge-patch+json",

+ body: {

+ assignedRole: "Contributor",

+ userId: `${userId}`

+ }

+ }

+ // Add the user

+ var response = await confidentialLedger.path("/app/users/{userId}", userId).patch(createUserParams)

+

+ // Check for a non-success response

+ if (response.status !== "200") {

+ throw response.body.error;

+ }

+ // Print the response

+ console.log(response.body);

+ // Get the user

+ response = await confidentialLedger.path("/app/users/{userId}", userId).get()

+ // Check for a non-success response

+ if (response.status !== "200") {

+ throw response.body.error;

+ }

+ // Print the response

+ console.log(response.body);

+ // Set the user role to Reader

+ const updateUserParams: CreateOrUpdateUserParameters = {

+ contentType: "application/merge-patch+json",

+ body: {

+ assignedRole: "Reader",

+ userId: `${userId}`

+ }

+ }

+ // Update the user

+ response = await confidentialLedger.path("/app/users/{userId}", userId).patch(updateUserParams)

+ // Check for a non-success response

+ if (response.status !== "200") {

+ throw response.body.error;

+ }

+ // Print the response

+ console.log(response.body);

+ // Delete the user

+ await confidentialLedger.path("/app/users/{userId}", userId).delete()

+ // Get the user to make sure it is deleted

+ response = await confidentialLedger.path("/app/users/{userId}", userId).get()

+ // Check for a non-success response

+ if (response.status !== "200") {

+ throw response.body.error;

+ }

+}

+main().catch((err) => {

+ console.error(err);

+});

+```

+## Next steps

+- [Create a client certificate](create-client-certificate.md)

+- [Manage Azure AD token-based users](manage-azure-ad-token-based-users.md)

+> The above table covers stable Dapr APIs. To learn more about using alpha APIs and features, [see limitations](#unsupported-dapr-capabilities).

+- **Alpha APIs and components**: Azure Container Apps does not guarantee the availability of Dapr alpha APIs and features. If available to use, they are on a self-service, opt-in basis. Alpha APIs and components are provided "as is" and "as available," and are continually evolving as they move toward stable status. Alpha APIs and components are not covered by customer support.

+| Environments | Region | Up to 15 | Yes | Limit up to 15 environments per subscription, per region.<br><br>For example, if you deploy to three regions you can get up to 45 environments for a single subscription. |

+| Container Apps | Environment | Unlimited | Yes | |

+* Move data from one Azure Cosmos DB account to another Azure Cosmos DB account (could be in the same region or a different region, same subscription or a different one).

+* **Online vs offline migration**: Many migration tools provide a path to do a one-time migration only. This means that the applications accessing the database might experience a period of downtime. Some migration solutions provide a way to do a live migration where there's a replication pipeline set up between the source and the target.

+* If you're migrating from a vCores- or server-based platform and you need guidance on estimating request units, consider reading our [guide to estimating RU/s based on vCores](estimate-ru-with-capacity-planner.md).

+|Online|[Azure Cosmos DB Spark connector + Change Feed sample](https://github.com/Azure/azure-sdk-for-java/tree/main/sdk/cosmos/azure-cosmos-spark_3_2-12/Samples/DatabricksLiveContainerMigration)|Azure Cosmos DB for NoSQL. <br/><br/>Uses Azure Cosmos DB Change Feed to stream all historic data as well as live updates.| Azure Cosmos DB for NoSQL. <br/><br/>You can use other targets with additional connectors from the Spark ecosystem.| &bull; Makes use of the Azure Cosmos DB bulk executor library. <br/>&bull; Suitable for large datasets. <br/>&bull; Needs a custom Spark setup. <br/>&bull; Spark is sensitive to schema inconsistencies and this can be a problem during migration. |

+|Online|[Azure Cosmos DB Functions + ChangeFeed API](change-feed-functions.md)| Azure Cosmos DB for NoSQL | Azure Cosmos DB for NoSQL| &bull; Easy to set up. <br/>&bull; Works only if the source is an Azure Cosmos DB container. <br/>&bull; Not suitable for large datasets. <br/>&bull; Doesn't capture deletes from the source container. |

+* If you're migrating from a vCores- or server-based platform and you need guidance on estimating request units, consider reading our [guide to estimating RU/s based on vCores](convert-vcore-to-request-unit.md).

+When you're ready to migrate, you can find detailed guidance on migration tools below

+Then, follow our [post-migration guide](mongodb/post-migration-optimization.md) to optimize your Azure Cosmos DB data estate once you've migrated.

+* Azure SQL Managed Instance

+* SQL Managed Instance

+3. Select the Set Variable activity on the canvas if it isn't already selected, and then select the **Settings** tab to edit its details.

+4. Select **Pipeline variable** for your **Variable type**.

+5. Select the variable for the Name property.

+6. Enter an expression to set the value for the variables. This expression can be a literal string expression, or any combination of dynamic [expressions, functions](control-flow-expression-language-functions.md), [system variables](control-flow-system-variables.md), or [outputs from other activities](how-to-expression-language-functions.md#examples-of-using-parameters-in-expressions).

+## Setting a pipeline return value with UI

+We have expanded Set Variable activity to include a special system variable, named _Pipeline Return Value_. This allows communication from the child pipeline to the calling pipeline, in the following scenario.

+You don't need to define the variable, before using it. For more information, see [Pipeline Return Value](tutorial-pipeline-return-value.md)

+A common scenario involving variable is to use a variable as an iterator within an **Until** or **ForEach** activity. In a **Set variable** activity, you can't reference the variable being set in the `value` field. To work around this limitation, set a temporary variable and then create a second **Set variable** activity. The second **Set variable** activity sets the value of the iterator to the temporary variable.

+Variables are currently scoped at the pipeline level. This means that they're not thread safe and can cause unexpected and undesired behavior if they're accessed from within a parallel iteration activity such as a ForEach loop, especially when the value is also being modified within that foreach activity.

+> [!NOTE]

+> This feature will now be generally available in the ADF studio.

+#### Simplified default monitoring view

+ Title: Set Pipeline Return Value

+description: Learn how to use the Set Variable activity to send information from child pipeline to main pipeline

+# Set Pipeline Return Value in Azure Data Factory and Azure Synapse Analytics

+In the calling pipeline-child pipeline paradigm, you can use the [Set Variable activity](control-flow-set-variable-activity.md) to return values from the child pipeline to the calling pipeline. In the following scenario, we have a child pipeline through [Execute Pipeline Activity](control-flow-execute-pipeline-activity.md). And we want to __retrieve information from the child pipeline__, to then be used in the calling pipeline.

+Introduce pipeline return value, a dictionary of key value pairs, that allows communications between child pipelines and parent pipeline.

+## Prerequisite - Calling a Child Pipeline

+The prerequisite of the use case, is that you've an [Execute Pipeline Activity](control-flow-execute-pipeline-activity.md), calling a child pipeline. It's important that we enabled _Wait on Completion_ for the activity

+## Configure Pipeline Return Value in Child Pipeline

+We've expanded the [Set Variable activity](control-flow-set-variable-activity.md) to include system variables _Pipeline Return Value_. You don't need to define them at pipeline level (as opposed to any other variables you use in the pipeline).

+1. Search for _Set Variable_ in the pipeline Activities pane, and drag a Set Variable activity to the pipeline canvas.

+1. Select the Set Variable activity on the canvas if it isn't already selected, and then its **Variables** tab, to edit its details.

+1. Choose _Pipeline return value_ for variable type.

+1. Select _New_ to add a new key value pair.

+1. You can add reasonable number of key value pairs, bounded by size limit of returning json.

+There are a few options for value types, including

+Type Name | Description

+-- | --

+String | The most straight forward of all. It expects a string value.

+Expression | It allows you to reference output from previous activities.

+Array | It expects an array of _string values_. Press "enter" key to separate values in the array

+Boolean | True or False

+Null | Signal place holder status; the value is constant _null_

+Int | It expects a numerical value of integer type

+Float | It expects a numerical value of float type

+Object | __Warning__ complicated use cases only. It allows you to embed a list of key value pairs type for the value

+Value of object type is defined as follows:

+``` json

+[{"key": "myKey1", "value": {"type": "String", "content": "hello world"}},

+ {"key": "myKey2", "value": {"type": "String", "content": "hi"}}

+]

+```

+## Retrieving Value in Calling Pipeline

+The pipeline return value of the child pipeline becomes the activity output of the Execute Pipeline Activity. You can retrieve the information with _@activity('Execute Pipeline1').output.pipelineReturnValue.keyName_. The use case is limitless. For instance, you may use

+* An _int_ value from child pipeline to define the wait period for a [wait activity](control-flow-wait-activity.md)

+* A _sting_ value to define the URL for the [Web activity](control-flow-web-activity.md)

+* An _expression_ value payload for a [script activity](transform-data-using-script.md) for logging purposes.

+There are two noticeable call outs in referencing the pipeline return values.

+1. With _Object_ type, you may further expand into the nested json object, such as _@activity('Execute Pipeline1').output.pipelineReturnValue.keyName.nextLevelKey_

+2. With _Array_ type, you can specify the index in the list, with _@activity('Execute Pipeline1').output.pipelineReturnValue.keyName[0]_. The number is zero indexed, meaning that it starts with 0.

+> [!NOTE]

+> Please make sure that the _keyName_ you are referencing exists in your child pipeline. ADF expression builder can _not_ confirm the referential check for you.

+> Pipeline will fail if the key referenced is missing in the payload

+## Special Considerations

+You may have multiple Set Pipeline Return value activities in a pipeline. However, please ensure that only one gets to run in a pipeline.

+To avoid missing key situation in the calling pipeline, described above, we encourage you to have the same list of keys for all branches in child pipeline. Consider using _null_ types for keys that don't have values, in a specific branch.

+## Next steps

+Learn about another related control flow activity:

+- [Set Variable Activity](control-flow-set-variable-activity.md)

+- [Append Variable Activity](control-flow-append-variable-activity.md)

+1. On the **Create Kubernetes service** dialog, select the Kubernetes **Node size** for the infrastructure VM. Select a VM node size that's appropriate for the workload size you're deploying. In this example, we've selected VM size **Standard_F16s_HPN ΓÇô 16 vCPUs, 32.77 GB memory**.

+az sig image-definition create --resource-group {resourceGroupName}

+--gallery-name {galleryName} --gallery-image-definition {definitionName}

+--publisher {publisherName} --offer {offerName} --sku {skuName}

+--os-type windows --os-state Generalized

+--hyper-v-generation v2

+--features SecurityType=TrustedLaunch

+az devcenter admin gallery create -g demo-rg

+--dev-center-name contoso-devcenter -n SharedGallery

+--gallery-resource-id "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/galleries/{computeGalleryName}"

+az devcenter admin devcenter create -g demo-rg

+-n contoso-devcenter --identity-type UserAssigned

+--user-assigned-identity "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{managedIdentityName}"

+--location {regionName}

+az devcenter admin project create -g demo-rg

+-n ContosoProject

+--description "project description"

+--devcenter-id /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DevCenter/devcenters/{devCenterName}

+az devcenter admin project delete

+-g {resourceGroupName}

+--project {projectName}

+az devcenter admin network-connection create --location "centralus"

+--domain-join-type "AzureADJoin"

+--subnet-id "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ExampleRG/providers/Microsoft.Network/virtualNetworks/ExampleVNet/subnets/default"

+--name "{networkConnectionName}" --resource-group "rg1"

+az devcenter admin network-connection create --location "centralus"

+--domain-join-type "HybridAzureADJoin" --domain-name "mydomaincontroller.local"

+--domain-password "Password value for user" --domain-username "testuser@mydomaincontroller.local"

+--subnet-id "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ExampleRG/providers/Microsoft.Network/virtualNetworks/ExampleVNet/subnets/default"

+--name "{networkConnectionName}" --resource-group "rg1"

+az devcenter admin attached-network create --attached-network-connection-name westus3network

+--dev-center-name contoso-devcenter -g demo-rg

+--network-connection-id /subscriptions/f141e9f2-4778-45a4-9aa0-8b31e6469454/resourceGroups/demo-rg/providers/Microsoft.DevCenter/networkConnections/netset99

+az devcenter admin devbox-definition list

+--dev-center-name "Contoso" --resource-group "rg1"

+az devcenter admin devbox-definition create -g demo-rg

+--dev-center-name contoso-devcenter -n BaseImageDefinition

+--image-reference id="/subscriptions/{subscriptionId}/resourceGroups/demo-rg/providers/Microsoft.DevCenter/devcenters/contoso-devcenter/galleries/Default/images/MicrosoftWindowsDesktop_windows-ent-cpc_win11-21h2-ent-cpc-m365"

+--sku name="general_a_8c32gb_v1"

+az devcenter admin devbox-definition create -g demo-rg

+--dev-center-name contoso-devcenter -n CustomDefinition

+--image-reference id="/subscriptions/{subscriptionId}/resourceGroups/demo-rg/providers/Microsoft.DevCenter/devcenters/contoso-devcenter/galleries/SharedGallery/images/CustomImageName"

+az devcenter admin pool create -g demo-rg

+--project-name ContosoProject -n MarketplacePool

+--devbox-definition-name Definition

+--network-connection-name westus3network

+--license-type Windows_Client --local-administrator Enabled

+az devcenter admin pool show --resource-group "{resourceGroupName}"

+--project-name {projectName} --name "{poolName}"

+az devcenter admin pool list --resource-group "{resourceGroupName}"

+--project-name {projectName}

+az devcenter admin pool update

+--resource-group "{resourceGroupName}"

+--project-name {projectName}

+--name "{poolName}"

+az devcenter admin pool update

+--resource-group "{resourceGroupName}"

+--project-name {projectName}

+--name "{poolName}"

+--devbox-definition-name {devBoxDefinitionName}

+az devcenter admin pool delete

+--resource-group "{resourceGroupName}"

+--project-name "{projectName}"

+--name "{poolName}"

+az devcenter dev project list

+az devcenter dev pool list

+--devcenter {devCenterName}

+--project-name {ProjectName}

+az devcenter dev dev-box create

+--devcenter {devCenterName}

+--project-name {projectName}

+--pool-name {poolName}

+-n {devBoxName}

+az devcenter dev dev-box show-remote-connection

+--devcenter {devCenterName}

+--project-name {projectName}

+-n {devBoxName}

+az devcenter dev dev-box list --devcenter {devCenterName}

+az devcenter dev dev-box show

+--devcenter {devCenterName}

+--project-name {projectName}

+az devcenter dev dev-box stop

+--devcenter {devCenterName}

+--project-name {projectName}

+--user-id "me"

+-n {devBoxName}

+az devcenter dev dev-box start

+--devcenter {devCenterName}

+--project-name {projectName}

+--user-id "me"

+-n {devBoxName}

+If you need help with GitHub sign in or setup, go to [GitHub Support](https://aka.ms/githubsupporteduhub).

+ requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: https://contoso.energy.azure.com/api/workflow/v1/workflow/Osdu_ingest/workflowRun/e9a815f2-84f5-4513-9825-4d37ab291264

+ [2023-02-05, 14:55:37 IST] {connectionpool.py:452} DEBUG - https://contoso.energy.azure.com:443 "GET /api/schema-service/v1/schema/osdu:wks:work-product-component--WellLog:2.2.0 HTTP/1.1" 404 None

+ [2023-02-05, 14:55:37 IST] {validate_schema.py:171} ERROR - 404 Client Error: Not Found for url: https://contoso.energy.azure.com/api/schema-service/v1/schema/osdu:wks:work-product-component--WellLog:2.2.0

+ [2023-02-05, 19:14:40 IST] {search_record_ids.py:75} DEBUG - Search query "contoso-dp1:work-product-component--WellLog:5ab388ae0e140838c297f0e6559" OR "contoso-dp1:work-product-component--WellLog:5ab388ae0e1b40838c297f0e6559" OR "contoso-dp1:work-product-component--WellLog:5ab388ae0e1b40838c297f0e6559758a"

+ [2023-02-05, 19:14:40 IST] {search_record_ids.py:141} DEBUG - response ids: ['contoso-dp1:work-product-component--WellLog:5ab388ae0e1b40838c297f0e6559758a:1675590506723615', 'contoso-dp1:work-product-component--WellLog:5ab388ae0e1b40838c297f0e6559758a ']

+ [2023-02-05, 16:57:05 IST] {authorization.py:137} ERROR - {"code":400,"reason":"Invalid legal tags","message":"Invalid legal tags: contoso-dp1-R3FullManifest-Legal-Tag-Test779759112"}

+ [2023-02-05, 16:58:46 IST] {authorization.py:137} ERROR - {"code":400,"reason":"Validation error.","message":"createOrUpdateRecords.records[0].acl: Invalid group name 'data1.default.viewers@contoso-dp1.dataservices.energy'"}

+Azure Event Hubs supports compacting event log to retain the latest events of a given event key. With compacted event hubs/Kafka topic, you can use key-based retention rather than using the coarser-grained time-based retention.

+When creating a namespace, you can either allow public only (from all networks) or private only (only via private endpoints) access to the namespace. Once the namespace is created, you can allow access from specific IP addresses or from specific virtual networks (using network service endpoints).

+### Configure public access when creating a namespace

+To enable public access, select **Public access** on the **Networking** page of the namespace creation wizard.

+After you create the namespace, select **Networking** on the left menu of the **Event Hubs Namespace** page. You see that **All Networks** option is selected. You can select **Selected Networks** option and allow access from specific IP addresses or specific virtual networks. The next section provides you details on configuring IP firewall to specify the IP addresses from which the access is allowed.

+### Configure IP firewall for an existing namespace

+## Use Azure CLI

+Use [`az eventhubs namespace network-rule`](/cli/azure/eventhubs/namespace/network-rule) add, list, update, and remove commands to manage IP firewall rules for an Event Hubs namespace.

+## Use Azure PowerShell

+Use the following Azure PowerShell commands to add, list, remove, update, and delete IP firewall rules.

+- [`Add-AzEventHubIPRule`](/powershell/module/az.eventhub/add-azeventhubiprule) to add an IP firewall rule.

+- [`New-AzEventHubIPRuleConfig`](/powershell/module/az.eventhub/new-azeventhubipruleconfig) and [`Set-AzEventHubNetworkRuleSet`](/powershell/module/az.eventhub/set-azeventhubnetworkruleset) together to add an IP firewall rule

+- [`Remove-AzEventHubIPRule`](/powershell/module/az.eventhub/remove-azeventhubiprule) to remove an IP firewall rule.

+When creating a namespace, you can either allow public only (from all networks) or private only (only via private endpoints) access to the namespace. Once the namespace is created, you can allow access from specific IP addresses or from specific virtual networks (using network service endpoints).

+### Configure public access when creating a namespace

+To enable public access, select **Public access** on the **Networking** page of the namespace creation wizard.

+After you create the namespace, select **Networking** on the left menu of the **Service Bus Namespace** page. You see that **All Networks** option is selected. You can select **Selected Networks** option and allow access from specific IP addresses or specific virtual networks. The next section provides you details on specifying the networks from which the access is allowed.

+### Configure selected networks for an existing namespace

+ - **Disabled**. This option disables any public access to the namespace. The namespace is accessible only through [private endpoints](private-link-service.md).

+3. Select the virtual network from the list of virtual networks, and then pick the **subnet**. You have to enable the service endpoint before adding the virtual network to the list. If the service endpoint isn't enabled, the portal prompts you to enable it.

+## Use Azure CLI

+Use [`az eventhubs namespace network-rule`](/cli/azure/eventhubs/namespace/network-rule) add, list, update, and remove commands to manage virtual network rules for a Service Bus namespace.

+## Use Azure PowerShell

+Use the following Azure PowerShell commands to add, list, remove, update, and delete network rules for a Service Bus namespace.

+- [`Add-AzEventHubVirtualNetworkRule`](/powershell/module/az.eventhub/add-azeventhubvirtualnetworkrule) to add a virtual network rule.

+- [`New-AzEventHubVirtualNetworkRuleConfig`](/powershell/module/az.eventhub/new-azeventhubipruleconfig) and [`Set-AzEventHubNetworkRuleSet`](/powershell/module/az.eventhub/set-azeventhubnetworkruleset) together to add a virtual network rule.

+- [`Remove-AzEventHubVirtualNetworkRule`](/powershell/module/az.eventhub/remove-azeventhubvirtualnetworkrule) to remove s virtual network rule.

+### Configure private access when creating a namespace

+When creating a namespace, you can either allow public only (from all networks) or private only (only via private endpoints) access to the namespace.

+If you select the **Private access** option on the **Networking** page of the namespace creation wizard, you can add a private endpoint on the page by selecting **+ Private endpoint** button. See the next section for the detailed steps for adding a private endpoint.

+### Configure private access for an existing namespace

+| **Busan** | [LG CNS](https://www.lgcns.com/business/cloud/datacenter/) | 2 | Korea South | n/a | LG CNS |

+| **[CloudXpress](https://www2.telenet.be/business/nl/sme-le/aanbod/verbinden/bedrijfsnetwerk/cloudxpress.html)** | Equinix | Amsterdam |

+Additionally, for an improved method to work with firewall logs, see [Azure Structured Firewall Logs (preview)](firewall-structured-logs.md).

+|2.4|July 8, 2019|End of Life Announced (EOLA)| Feb10,2023| Aug 10,2023|Feb 10,2024|

+1. Create the file `client-ssl-auth.properties` on client machine (hn1). It should have the following lines:

+> [!Note]

+> Below commands will work if you are either using Kafka user or a custom user which have access to do CRUD operation.

+Using Command Line Tool

+1. Create a topic if it doesn't exist already.

+ ```bash

+ sudo su kafka ΓÇôc "/usr/hdp/current/kafka-broker/bin/kafka-topics.sh --zookeeper <ZOOKEEPER_NODE>:2181 --create --topic topic1 --partitions 2 --replication-factor 2"

+ ```

+ To use a keytab, create a JAAS file with the following content. Be sure to point the keyTab property to your keytab file and reference the principal used inside the keytab. Following is a sample JAAS file created and placed in the location in VM: **/home/hdiuser/kafka_client_jaas_keytab.conf**

+

+ ```

+ KafkaClient {

+ com.sun.security.auth.module.Krb5LoginModule required

+ useKeyTab=true

+ storeKey=true

+ keyTab="/home/hdiuser/espkafkauser.keytab"

+ principal="espkafkauser@TEST.COM";

+ };

+ ```

+

+1. Start console producer and provide the path to `client-ssl-auth.properties` as a configuration file for the producer.

+ ```bash

+ export KAFKA_OPTS="-Djava.security.auth.login.config=/home/hdiuser/kafka_client_jaas_keytab.conf"

+

+ /usr/hdp/current/kafka-broker/bin/kafka-console-producer.sh --broker-list <FQDN_WORKER_NODE>:9093 --topic topic1 --producer.config ~/ssl/client-ssl-auth.properties

+ ```

+

+ ```bash

+ export KAFKA_OPTS="-Djava.security.auth.login.config=/home/hdiuser/kafka_client_jaas_keytab.conf"

+

+ /usr/hdp/current/kafka-broker/bin/kafka-console-consumer.sh --bootstrap-server <FQDN_WORKER_NODE>:9093 --topic topic1 --consumer.config ~/ssl/client-ssl-auth.properties --from-beginning

+ ```

+

+If you want to use Java client to do CRUD operations, then use following GitHub repository.

+https://github.com/Azure-Samples/hdinsight-kafka-java-get-started/tree/main/DomainJoined-Producer-Consumer-With-TLS

+Kafka REST Proxy enables you to interact with your Kafka cluster via a REST API over HTTPS. This action means that your Kafka clients can be outside of your virtual network. Clients can make simple, secure HTTPS calls to the Kafka cluster, instead of relying on Kafka libraries. This article shows you how to create a REST proxy enabled Kafka cluster. Also provides a sample code that shows how to make calls to REST proxy.

+Access to the Kafka REST proxy managed with Azure Active Directory security groups. When creating the Kafka cluster, provide the Azure AD security group with REST endpoint access. Kafka clients that need access to the REST proxy should be registered to this group by the group owner. The group owner can register via the Portal or via PowerShell.

+For REST proxy endpoint requests, client applications should get an OAuth token. The token uses to verify security group membership. Find a [Client application sample](#client-application-sample) shows how to get an OAuth token. The client application passes the OAuth token in the HTTPS request to the REST proxy.

+If you bring your own VNet and control network traffic with network security groups, allow **inbound** traffic on port **9400** in addition to port 443. This ensures that Kafka REST proxy server is reachable.

+1. Register an application with Azure AD. The client applications that you write to interact with the Kafka REST proxy uses this application's ID and secret to authenticate to Azure.

+1. Create an Azure AD security group. Add the application that you've registered with Azure AD to the security group as a **member** of the group. This security group will be used to control which applications allow to interact with the REST proxy. For more information on creating Azure AD groups, see [Create a basic group and add members using Azure Active Directory](../../active-directory/fundamentals/active-directory-groups-create-azure-portal.md).

+The steps use the Azure portal. For an example using Azure CLI, see [Create Apache Kafka REST proxy cluster using Azure CLI](tutorial-cli-rest-proxy.md).

+You can use the Python code to interact with the REST proxy on your Kafka cluster. To use the code sample, follow these steps:

+For more information about getting OAuth tokens in Python, see [Python AuthenticationContext class](/python/api/adal/adal.authentication_context.authenticationcontext). You might see a delay while `topics` that isn't created or deleted through the Kafka REST proxy are reflected there. This delay is because of cache refresh. The **value** field of the Producer API has been enhanced. Now, it accepts JSON objects and any serialized form.

+partitions_api_format = 'metadata/topics/{topic_name}/partitions'

+partition_api_format = 'metadata/topics/{topic_name}/partitions/{partition_id}'

+To store profiles in Azure API for FHIR, you can `PUT` the `StructureDefinition` with the profile content in the body of the request. An update or a conditional update are both good methods to store profiles on the FHIR service. Use the conditional update if you're unsure which to use.

+### Bindings in Profiles

+A terminology service is a set of functions that can perform operations on medical ΓÇ£terminologies,ΓÇ¥ such as validating codes, translating codes, expanding value sets, etc. The Azure API for FHIR service doesn't support terminology service. Information for supported operations ($), resource types and interactions can be found in the service's CapabilityStatement. Resource types ValueSet, StructureDefinition and CodeSystem are supported with basic CRUD operations and Search (as defined in the CapabilityStatement) as well as being leveraged by the system for use in $validate.

+ValueSets can contain a complex set of rules and external references. Today, the service will only consider the pre-expanded inline codes. Customers need to upload supported ValueSets to the FHIR server prior to utilizing the $validate operation. The ValueSet resources must be uploaded to the FHIR server, using PUT or conditional update as mentioned under Storing Profiles section above.

+IoT Edge devices send HTTPS requests to communicate with IoT Hub. If you connected your device to a network that uses a proxy server, you need to configure the IoT Edge runtime to communicate through the server. Proxy servers can also affect individual IoT Edge modules if they make HTTP or HTTPS requests that you haven't routed through the IoT Edge hub.

+ This step is a one-time process to configure the IoT Edge device when you first set it up. You also need these same connections when you update the IoT Edge runtime.

+ The IoT Edge daemon starts the edgeAgent module initially. Then, the edgeAgent module retrieves the deployment manifest from IoT Hub and starts all the other modules. Configure the edgeAgent module environment variables manually on the device itself, so that the IoT Edge agent can make the initial connection to IoT Hub. After the initial connection, you can configure the edgeAgent module remotely.

+ Once you set up and connect an IoT Edge device to IoT Hub through the proxy server, you need to maintain the connection in all future module deployments.

+If you're installing the IoT Edge runtime on a Linux device, configure the package manager to go through your proxy server to access the installation package. For example, [Set up apt-get to use a http-proxy](https://help.ubuntu.com/community/AptGet/Howto/#Setting_up_apt-get_to_use_a_http-proxy). Once you configure your package manager, follow the instructions in [Install Azure IoT Edge runtime](how-to-provision-single-device-linux-symmetric.md) as usual.

+If you're installing the IoT Edge runtime using IoT Edge for Linux on Windows, IoT Edge is installed by default on your Linux virtual machine. You're not required to install or update any other steps.

+If you have complicated credentials for the proxy server that you can't include in the URL, use the `-ProxyCredential` parameter within `-InvokeWebRequestParameters`. For example,

+You must configure both the Moby and the IoT Edge daemons to use the proxy server for ongoing device functionality. This step takes place on the IoT Edge device during initial device setup.

+The IoT Edge daemon is similar to the Moby daemon. Use the following steps to set an environment variable for the service, based on your operating system.

+Verify that your environment variables and the new configuration are present.

+Sign in to your IoT Edge for Linux on Windows virtual machine:

+Follow the same steps as the Linux section of this article to configure the IoT Edge daemon.

+The IoT Edge agent is the first module to start on any IoT Edge device. This module starts for the first time based on information in the IoT Edge config file. The IoT Edge agent then connects to IoT Hub to retrieve deployment manifests. The manifest declares which other modules the device should deploy.

+1. Open the config file on your IoT Edge device: `/etc/aziot/config.toml`. You need administrative privileges to access the configuration file. On Linux systems, use the `sudo` command before opening the file in your preferred text editor.

+2. In the config file, find the `[agent]` section, which contains all the configuration information for the edgeAgent module to use on startup. Check to make sure the `[agent]` section is without comments. If the `[agent]` section is missing, add it to the `config.toml`. The IoT Edge agent definition includes an `[agent.env]` subsection where you can add environment variables.

+6. Verify that your proxy settings are propagated using `docker inspect edgeAgent` in the `Env` section. If not, you must recreate the container.

+7. The IoT Edge runtime should recreate `edgeAgent` within a minute. Once the `edgeAgent` container is running again, use the `docker inspect edgeAgent` command to verify that the proxy settings match the configuration file.

+Once you configure your IoT Edge device to work with your proxy server, declare the HTTPS_PROXY environment variable in future deployment manifests. You can edit deployment manifests either using the Azure portal wizard or by editing a deployment manifest JSON file.

+All other modules that you add to a deployment manifest follow the same pattern. Select **Apply** to save your changes.

+If you create deployments for IoT Edge devices using the templates in Visual Studio Code or by manually creating JSON files, you can add the environment variables directly to each module definition. If you didn't add them in the Azure portal, add them here to your JSON manifest file. Replace `<proxy URL>` with your own value.

+ "image": "mcr.microsoft.com/azureiotedge-hub:1.4",

+Some proxies like [Zscaler](https://www.zscaler.com) can inspect TLS-encrypted traffic. During TLS traffic inspection, the certificate returned by the proxy isn't the certificate from the target server, but instead is the certificate signed by the proxy's own root certificate. By default, IoT Edge modules (including *edgeAgent* and *edgeHub*) don't trust this proxy's certificate and the TLS handshake fails.

+To resolve the failed handshake, configure both the operating system and IoT Edge modules to trust the proxy's root certificate with the following steps.

+If your proxy's firewall requires you to add all FQDNs to your allowlist for internet connectivity, review the list from [Allow connections from IoT Edge devices](production-checklist.md#allow-connections-from-iot-edge-devices) to determine which FQDNs to add.

+1. Download a disk image file to use for your VM and save it locally. For example, [Ubuntu Server 22.04](http://releases.ubuntu.com/22.04/). For information about supported operating systems for IoT Edge devices, see [Azure IoT Edge supported systems](./support.md).

+modules/*&lt;your module name&gt;*/**ModuleBackgroundService.cs**

+Open the file `ModuleBackgroundService.cs` and add a breakpoint.

+1. Open your module file (`ModuleBackgroundService.cs`, `app.js`, `App.java`, or `<your module name>.cs`) and add a breakpoint.

+Add your breakpoint to the file `ModuleBackgroundService.cs`.

+| Ubuntu Server 22.04 |  | |  |

+| [Ubuntu 22.04 ²](https://wiki.ubuntu.com/JammyJellyfish/ReleaseNotes) | |  | |

+ Title: Set up a lab with Adobe Creative Cloud

+description: Learn how to set up a lab in Azure Lab Services for digital arts and media classes that use Adobe Creative Cloud.

+# Set up a lab for Adobe Creative Cloud in Azure Lab Services

+In this article, you learn how to set up a class that uses Adobe Creative Cloud. [Adobe Creative Cloud](https://www.adobe.com/creativecloud.html) is a collection of desktop applications and web services used for photography, design, video, web, user experience (UX), and more. Universities and K-12 schools use Creative Cloud in digital arts and media classes. Some of Creative CloudΓÇÖs media processes might require more computational and visualization (GPU) power than a typical tablet, laptop, or workstation support. With Azure Lab Services, you have flexibility to choose from various virtual machine (VM) sizes, including GPU sizes.

+## Create Cloud licensing in a lab VM

+To use Creative Cloud on a lab VM, you must use [Named User Licensing](https://helpx.adobe.com/enterprise/kb/technical-support-boundaries-virtualized-server-based.html#main_Licensing_considerations), which is the only type of licensing that supports deployment on a virtual machine.

+Each lab VM has internet access so that lab users can activate Creative Cloud apps by signing into the software. When a user signs in, their authentication token is cached in the user profile so that they donΓÇÖt have to sign in again on their VM.

+Read [AdobeΓÇÖs article on licensing](https://helpx.adobe.com/enterprise/using/licensing.html) for more details.

+This lab uses a Windows 10 Azure Marketplace images as the base VM image. You first need to enable this image in your lab plan. This lets lab creators then select the image as a base image for their lab.

+Follow these steps to [enable these Azure Marketplace images available to lab creators](specify-marketplace-images.md). Select one of the **Windows 10** Azure Marketplace images.

+1. Create a lab for your lab plan:

+ [!INCLUDE [create lab](./includes/lab-services-class-type-lab.md)] Specify the following lab settings:

+ | Lab settings | Value/instructions |

+ | | |

+ |Virtual Machine Size| **Small GPU (Visualization)**. This VM is best suited for remote visualization, streaming, gaming, encoding using frameworks such as OpenGL and DirectX.|

+ |Virtual Machine Image| Windows 10 |

+ The size of VM that you need to use for your lab depends on the types of projects that users create. Most [Creative Cloud apps](https://helpx.adobe.com/creative-cloud/system-requirements.html) support GPU-based acceleration and require a GPU for features to work properly. To ensure that you select the appropriate VM size, we recommend that you test the projects that users create, to ensure adequate performance. Learn more about [which VM size is recommended](./administrator-guide.md#vm-sizing) for using Creative Cloud.

+1. When you create a lab with the **Small GPU (Visualization)** size, follow these steps to [set up a lab with GPUs](./how-to-setup-lab-gpu.md).

+ > [!WARNING]

+ > The **Small GPU (Visualization)** virtual machine size is configured to enable a high-performing graphics experience and meets [AdobeΓÇÖs system requirements for each application](https://helpx.adobe.com/creative-cloud/system-requirements.html). Make sure to choose Small GPU (Visualization) not Small GPU (Compute).

+When you create the lab, we recommend that you install the GPU drivers by selecting the **Install GPU drivers** option in the lab creation wizard. You should also validate that the correct installation of the GPU drivers. For more information, read the following sections:

+Installing Creative Cloud requires the use of a deployment package. Typically, your IT department creates the deployment package department using AdobeΓÇÖs Admin Console. When IT creates the deployment package, they can also enable self-service. There are a few ways to enable self-service for the deployment package:

+With self-service enabled, you donΓÇÖt install the entire Creative Cloud collection of apps. Instead, users can install apps themselves using the Creative Cloud desktop app. Here are some key benefits with this approach:

+- The entire Creative Cloud install is about 25 GB. If users install only the apps they need on-demand, this helps optimize disk space. Lab VMs have a maximum disk size of 128 GB.

+- You can choose to install a subset of the apps on the template VM before publishing. This way the lab VMs have some apps installed by default and users can add more apps on their own as needed.

+- You can avoid republishing the template VM because users can install more apps on their VM at any point during the lifetime of the lab. Otherwise, either IT or the lab creator needs to install more apps on the template VM and republish. Republishing causes the usersΓÇÖ VMs to be reset and any work that isnΓÇÖt saved externally is lost.

+If you use a managed deployment package with self-service disabled, users donΓÇÖt have the ability to install their own apps. In this case, IT must specify the Creative Cloud apps that are installed.

+After the creation of the lab template machine completes, follow the steps below to set up your labΓÇÖs template virtual machine (VM) with Creative Cloud.

+1. Run the deployment package file. Depending on whether self-service is enabled or disabled, this installs Creative Cloud desktop app and\or the specified Creative Cloud apps.

+1. Once the template VM is set up, [publish the template VM](how-to-create-manage-template.md). All lab VMs use this template as their base image.

+Lab virtual machines have a maximum disk size of 128 GB. If users need extra storage for saving large media assets or they need to access shared media assets, you should consider using external file storage. For more information, read the following articles:

+- [Using external file storage in Azure Lab Services](how-to-attach-external-storage.md)

+- When self-service is *enabled*, the template VMΓÇÖs image has Creative Cloud desktop installed. Lab creators can then reuse this image to create labs and to choose which Creative Cloud apps to install. This helps reduce IT overhead since teachers can independently set up labs and have full control over installing the Creative Cloud apps required for their classes.

+- When self-service is *disabled*, the template VMΓÇÖs image will already have the specified Creative Cloud apps installed. Lab creators can reuse this image to create labs; however, they wonΓÇÖt be able to install additional Creative Cloud apps.

+Adobe Creative Cloud may show the following error: *Your graphics processor is incompatible* when the GPU drivers or the GPU isn't configured correctly.

+- Ensure that you selected the Small GPU *(Visualization)* VM size when you created your lab. You can see the VM size used by the lab on the lab's [Template page](../lab-services/how-to-create-manage-template.md).

+This section provides a cost estimate for running this class for 25 users. There are 20 hours of scheduled class time. Also, each user gets 10 hours quota for homework or assignments outside scheduled class time. The virtual machine size we chose was **Small GPU (Visualization)**, which is 160 lab units.

+> This cost estimate is for example purposes only. For current details on pricing, see [Azure Lab Services Pricing](https://azure.microsoft.com/pricing/details/lab-services/).

+ Title: Set up a data science lab with Python and Jupyter Notebooks

+description: Learn how to set up a lab VM in Azure Lab Services to teach data science using Python and Jupyter Notebooks.

+This article outlines how to set up a [template virtual machine (VM)](./classroom-labs-concepts.md#template-virtual-machine) in Azure Lab Services with the tools for teaching students to use Jupyter Notebooks. You also learn how to lab users can connect to notebooks on their virtual machines.

+[Jupyter Notebooks](https://jupyter-notebook.readthedocs.io/) is an open-source project that enables you to easily combine rich text and executable Python source code on a single canvas, known as a notebook. Running a notebook results in a linear record of inputs and outputs. Those outputs can include text, tables of information, scatter plots, and more.

+This lab uses one of the Data Science Virtual Machine Azure Marketplace images as the base VM image. You first need to enable these images in your lab plan. This lets lab creators then select the image as a base image for their lab.

+1. Follow these steps to [enable these Azure Marketplace images available to lab creators](specify-marketplace-images.md). Select one of the following Azure Marketplace images, depending on your OS requirements:

+ - **Data Science Virtual Machine ΓÇô Windows Server 2019**

+ - **Data Science Virtual Machine ΓÇô Ubuntu 18.04**

+

+1. Alternately, create a custom VM image:

+ The Data Science VMs images in the Azure Marketplace are already configured with Jupyter Notebooks. These images, however, also include many other development and modeling tools for data science. If you don't want those extra tools and want a lightweight setup with only Jupyter notebooks, create a custom VM image. For an example, [Installing JupyterHub on Azure](http://tljh.jupyter.org/en/latest/install/azure.html).

+ After you create the custom image, upload the image to a compute gallery to use it with Azure Lab Services. Learn more about [using compute gallery in Azure Lab Services](how-to-attach-detach-shared-image-gallery.md).

+1. Create a lab for your lab plan:

+ [!INCLUDE [create lab](./includes/lab-services-class-type-lab.md)] Specify the following lab settings:

+ | Lab settings | Value |

+ | | |

+ | Virtual machine size | Select **Small** or **Medium** for a basic setup accessing Jupyter Notebooks. Select **Small GPU (Compute)** for compute-intensive and network-intensive applications used in Artificial Intelligence and Deep Learning classes. |

+ | Virtual machine image | Choose **[Data Science Virtual Machine ΓÇô Windows Server 2019](https://azuremarketplace.microsoft.com/marketplace/apps/microsoft-dsvm.dsvm-win-2019)** or **[Data Science Virtual Machine ΓÇô Ubuntu](https://azuremarketplace.microsoft.com/marketplace/apps?search=Data%20science%20Virtual%20machine&page=1&filters=microsoft%3Blinux)** depending on your OS needs. |

+ | Template virtual machine settings | Select **Use virtual machine without customization.**.

+1. When you create a lab with the **Small GPU (Compute)** size, follow these steps to [install GPU drivers](./how-to-setup-lab-gpu.md#ensure-that-the-appropriate-gpu-drivers-are-installed).

+ These process installs recent NVIDIA drivers and the Compute Unified Device Architecture (CUDA) toolkit, which you need to enable high-performance computing with the GPU. For more information, see [Set up a lab with GPU virtual machines](./how-to-setup-lab-gpu.md).

+- [Jupyter Notebooks](http://jupyter-notebook.readthedocs.io/): A web application that allows data scientists to take raw data, run computations, and see the results all in the same environment. It runs locally in the template VM.

+The **Data Science Virtual Machine ΓÇô Ubuntu** image is already provisioned with X2GO server to enable lab users to use a graphical desktop experience.

+If you're using the **Small GPU (Compute)** size, we recommend that you verify that the Data Science frameworks and libraries are properly set up to use GPUs. You might need to install a different version of the NVIDIA drivers and CUDA toolkit. To configure the GPUs, you should consult the framework's or library's documentation.

+For example, to validate that TensorFlow uses the GPU, connect to the template VM and run the following Python-TensorFlow code in Jupyter Notebooks:

+If the output from the above code looks like the following, TensorFlow isn't using the GPU:

+The next task is to provide lab users with notebooks that you want them to use. You can save notebooks locally on the template VM so each lab user has their own copy.

+If you want to use sample notebooks from Azure Machine Learning, see [how to configure an environment with Jupyter Notebooks](/azure/machine-learning/how-to-configure-environment#jupyter-notebooks).

+You make the lab VM available for lab users, you have to [publish the template](how-to-create-manage-template.md#publish-the-template-vm). The lab VM has all the local tools and notebooks that you configured previously.

+## Connect to Jupyter Notebooks

+The following sections show different ways for lab users to connect to Jupyter Notebooks on the lab VM.

+### Use Jupyter Notebooks on the lab VM

+Lab users can connect from their local machine to the lab VM and then use Jupyter Notebooks inside the lab VM.

+If you use a Windows-based lab VM, lab users can connect to their lab VMs through remote desktop (RDP). For more information, see how to [connect to a Windows lab VM](connect-virtual-machine.md#connect-to-a-windows-lab-vm).

+If you use a Linux-based lab VM, lab users can connect to their lab VMs through SSH or by using X2Go. For more information, see how to [connect to a Linux lab VM](connect-virtual-machine.md#connect-to-a-linux-lab-vm).

+### SSH tunnel to Jupyter server on the VM

+For Linux-based labs, you can also connect directly from your local computer to the Jupyter server inside the lab VM. The SSH protocol enables port forwarding between the local computer and a remote server (in our case, the user's lab VM). An application that is running on a certain port on the server is **tunneled** to the mapping port on the local computer.

+Follow these steps to configure an SSH tunnel between a user's local machine and the Jupyter server on the lab VM:

+1. Go to the [Azure Lab Services website](https://labs.azure.com)

+1. Verify that the Linux-based [lab VM is running](how-to-use-lab.md#start-or-stop-the-vm).

+1. Select the **Connect** icon > **Connect via SSH** to get the SSH connection command.

+ The SSH connection command looks like the following:

+ Learn more about [how to connect to a Linux VM](connect-virtual-machine.md#connect-to-a-linux-lab-vm-using-ssh).

+1. On your local computer, launch a terminal or command prompt, and copy the SSH connection string to it. Then, add `-L 8888:localhost:8888` to the command string, which creates the **tunnel** between the ports.

+ The final command should look as follows:

+1. Press **ENTER** to run the command.

+1. When prompted, provide the lab VM password to connect to the lab VM.

+1. When youΓÇÖre connected to the VM, start the Jupyter server using this command:

+ The command outputs a URL for the Jupyter server in the terminal. The URL should look like:

+ ```output

+1. Paste this URL into a browser on your local computer to connect and work on your Jupyter Notebook.

+This section provides a cost estimate for running this class for 25 users. There are 20 hours of scheduled class time. Also, each user gets 10 hours quota for homework or assignments outside scheduled class time. The VM size we chose was small GPU (compute), which is 139 lab units. If you want to use the Small (20 lab units) or Medium size (42 lab units), you can replace the lab unit part in the equation below with the correct number.

+Here's an example of a possible cost estimate for this class:

+>This cost estimate is for example purposes only. For current details on pricing, see [Azure Lab Services Pricing](https://azure.microsoft.com/pricing/details/lab-services/).

+In this article, you learned how to create a lab for a Jupyter Notebooks class and how user can connect to their notebooks on the lab VM. You can use a similar setup for other machine learning classes.

+description: Learn how to connect using remote desktop (RDP) from a Mac to a virtual machine in Azure Lab Services.

+In this article, you learn how to connect to a lab VM in Azure Lab Services from a Mac by using Remote Desktop Protocol (RDP).

+To connect to the lab VM via RDP, you can use the Microsoft Remote Desktop app.

+To install the Microsoft Remote Desktop app:

+1. Select **Install** to install the latest version of Microsoft Remote Desktop.

+Next, you connect to the lab VM by using the remote desktop application. You can retrieve the connection information for the lab VM from the Azure Lab Services website.

+1. Navigate to the Azure Lab Services website (https://labs.azure.com), and sign in with your credentials.

+1. If youΓÇÖre connecting to a Linux VM, you'll see two options to connect to the VM: SSH and RDP. Select the **Connect via RDP** option. If you're connecting to a Windows VM, you don't need to choose a connection option. The RDP file will automatically start downloading.

+1. Open the **RDP** file that's downloaded on your computer with **Microsoft Remote Desktop** installed. It should start connecting to the VM.

+1. When prompted, enter your username and password.

+1. If you receive a certificate warning, you can select **Continue**.

+1. After the connection is established, you see the desktop of your lab VM.

+ The following example is for a CentOS Linux VM:

+ :::image type="content" source="./media/how-to-use-classroom-lab/vm-ui.png" alt-text="Screenshot of the desktop for a CentOS Linux VM.":::

+ Title: Connect to Azure Lab Services VMs from Windows

+description: Learn how to connect using remote desktop (RDP) from Windows to a virtual machine in Azure Lab Services.

+In this article, you learn how to connect to a lab VM in Azure Lab Services from Windows by using Remote Desktop Protocol (RDP).

+You can use RDP to connect to your lab VMs in Azure Lab Services. If the lab VM is a Linux VM, the lab creator must [enable RDP for the lab](how-to-enable-remote-desktop-linux.md) and install GUI packages for a Linux graphical desktop. For Windows-based lab VMs, no additional configuration is needed.

+Typically, the [Remote Desktop client software](/windows-server/remote/remote-desktop-services/clients/remote-desktop-clients) is already present on Windows. To connect to the lab VM, you open the RDP connection file to start the remote session.

+To connect to a lab VM in Azure Lab

+1. Navigate to the Azure Lab Services website (https://labs.azure.com), and sign in with your credentials.

+1. On the tile for your VM, select the **Connect** icon.

+ To connect to a lab VM, the vm must be running. Learn how you can [start a VM](how-to-use-lab.md#start-or-stop-the-vm).

+ :::image type="content" source="./media/connect-virtual-machine-windows-rdp/connect-vm.png" alt-text="Screenshot of My virtual machines page for Azure Lab Services, highlighting the connect button on the VM tile.":::

+1. If youΓÇÖre connecting to a Linux VM, select the **Connect via RDP** option.

+ :::image type="content" source="./media/connect-virtual-machine-windows-rdp/student-vm-connect-options.png" alt-text="Screenshot that shows VM tile for student, highlighting the connect button and showing the SSH and RDP connection options.":::

+1. After the RDP connection file download finishes, open the RDP file to launch the RDP client.

+1. Optionally, adjust the RDP connection settings, and then select **Connect** to start the remote session.

+The RDP client software has various settings for optimizing your connection experience. The default settings optimize your experience based on your network connection. Typically, you don't need to change the default settings.

+Learn more about the [RDP client's **Experience** settings](/windows-server/administration/performance-tuning/role/remote-desktop/session-hosts#client-experience-settings).

+If the lab creator configured the GNOME graphical desktop on a Linux lab VM with the RDP client, we recommend the following settings to optimize performance:

+- On the **Display** tab, set the color depth to **High Color (15 bit)**.

+ :::image type="content" source="./media/connect-virtual-machine-windows-rdp/rdp-display-settings.png" alt-text="Screenshot of display tab of the Windows R D P client, highlighting the color depth setting.":::

+- On the **Experience** tab, set the connection speed to **Modem (56 kbps)**.

+ :::image type="content" source="./media/connect-virtual-machine-windows-rdp/rdp-experience-settings.png" alt-text="Screenshot of experience tab of the Windows R D P client, highlighting the connection speed setting.":::

+ Title: How to connect to a lab VM

+description: Learn how to connect to a lab VM in Azure Lab Services.

+In this article, you learn how to connect to a lab virtual machine (VM) in Azure Lab Services. Depending on the operating system (OS) and your local machine, you can use different mechanisms, such as secure shell (SSH) or remote desktop (RDP), to connect to your VM.

+To connect to a lab VM, the VM must be running. Learn more about [how to start and stop a lab VM](how-to-use-lab.md#start-or-stop-the-vm).

+Follow these instructions to connect to a Windows-based lab VM. Choose the instructions that match your local machine's operating system.

+To connect to a Linux-based lab VM, you can use the secure shell protocol (SSH), remote desktop protocol (RDP), or X2Go.

+Azure Lab Services automatically configures SSH for Linux VMs. Both lab users and lab creators can SSH into Linux VMs without additional setup. If you want to connect to a VM with a Linux GUI, the lab creator might need to do extra setup on the template VM.

+> If you need to use [GNOME](https://www.gnome.org/) or [MATE](https://mate-desktop.org/) you should coordinate with the lab creator to ensure that your lab VM has the correct configuration. For details, see [Using GNOME or MATE graphical desktops](how-to-enable-remote-desktop-linux.md#using-gnome-or-mate-graphical-desktops).

+### Connect to a Linux lab VM using RDP

+Before you can connect to a Linux VM using RDP, the lab creator first needs to [enable remote desktop connection for Linux VMs](how-to-enable-remote-desktop-linux.md#rdp-setup).

+To connect to a Linux VM using RDP, follow the instructions based on the type of OS you're using.

+For instructions to connect to a Linux VM using X2Go, see [Connect to a VM using X2Go](connect-virtual-machine-linux-x2go.md).

+By default Linux VMs have SSH installed. To connect to a Linux VM using SSH:

+1. If you're using a Windows machine to connect to the lab VM, ensure you have SSH client software on your machine.

+ The latest version of Windows 10 and Windows 11 include a built-in SSH client. Learn how you can use the [access the built-in SSH client](/windows/terminal/tutorials/ssh).

+ Alternately, you can download an SSH client, such as [PuTTY](https://www.putty.org/) or enable [OpenSSH in Windows](/windows-server/administration/openssh/openssh_install_firstuse).

+1. If the lab VM is not running, go to the [Azure Lab Services website](https://labs.azure.com), and then [start the lab VM](how-to-use-lab.md#start-or-stop-the-vm).

+1. Once the VM is running, select the **Connect** icon > **Connect via SSH**, to get the SSH command string

+ The connection command looks like the following sample:

+ Title: How to access and manage a lab VM

+# Access a lab in Azure Lab Services

+Before you can access a lab in Azure Lab Services, you need to first register to the lab. In this article, you learn how to register for a lab, connect to a lab virtual machine (VM), start and stop the lab VM, and how to monitor your quota hours.

+## Prerequisites

+- To register for a lab, you need a lab registration link.

+- To view, start, stop, and connect to a lab VM, you need to register for the lab and have an assigned lab VM.

+To get access to a lab and connect to the lab VM from the Azure Lab Services website, you first need to register for the lab by using a lab registration link. The lab creator can [provide the registration link for the lab](./how-to-configure-student-usage.md#send-invitations-to-users).

+To register for a lab by using the registration link:

+1. Open the lab registration URL in a browser.

+ After you complete the lab registration, you no longer need the registration link. Instead, you can navigate to the Azure Lab Services website (https://labs.azure.com) to access your labs.

+1. Sign in to the service using your organizational or school account to complete the registration.

+ > You need a Microsoft account to use Azure Lab Services, unless you're using Canvas. If you try to use your non-Microsoft account, such as Yahoo or Google accounts, to sign in to the portal, follow the instructions to create a Microsoft account that's linked to your non-Microsoft account. Then, follow the steps to complete the lab registration process.

+1. After the registration finishes, confirm that you see the lab virtual machine in **My virtual machines**.

+## View your lab virtual machines

+You can view all your assigned lab virtual machines to you in the Azure Lab Services website. Alternately, if your organization uses Azure Lab Services with Microsoft Teams or Canvas, learn how you can [access your lab VMs in Microsoft Teams](./how-to-access-vm-for-students-within-teams.md) or [access your lab VMs in Canvas](./how-to-access-vm-for-students-within-canvas.md).

+1. Go to the [Azure Lab Services website](https://labs.azure.com).

+1. The page has a tile for each lab VM that you have access to. The VM tile shows the VM details and provides access to functionality for controlling the lab VM:

+ - In the top-left, notice the name of the lab. The lab creator specifies the lab name when creating the lab.

+ - In the top-right, you can see an icon that represents the operating system (OS) of the VM.

+ - In the center, you can see a progress bar that shows your [quota hours consumption](#view-quota-hours).

+ - In the bottom-left, you can see the status of the lab VM and a control to [start or stop the VM](#start-or-stop-the-vm).

+ - In the bottom-right, you have the control to [connect to the lab VM](./connect-virtual-machine.md) with remote desktop (RDP) or secure shell (SSH).

+ - Also in the bottom-right, you can [reset or troubleshoot the lab VM](./how-to-reset-and-redeploy-vm.md), if you experience problems with the VM.

+ :::image type="content" source="./media/how-to-use-lab/lab-services-virtual-machine-tile.png" alt-text="Screenshot of My virtual machines page for Azure Lab Services, highlighting the VM tile sections.":::

+As a lab user, you can start or stop a lab VM from the Azure Lab Services website. Alternately, you can also stop a lab VM by using the operating system shutdown command from within the lab VM. The preferred method to stop a lab VM is to use the [Azure Lab Services website](https://labs.azure.com) to avoid incurring additional costs.

+> [!TIP]

+> With the [April 2022 Updates](lab-services-whats-new.md), Azure Lab Services will detect when a lab user shuts down their VM using the OS shutdown command. After a long delay to ensure the VM wasn't being restarted, the lab VM will be marked as stopped and billing will discontinue.

+To start or stop a lab VM in the Azure Lab Services website:

+1. Go to the [Azure Lab Services website](https://labs.azure.com).

+1. Use the toggle control in the bottom-left of the VM tile to start or stop the lab VM.

+ Depending on the current status of the lab VM, the toggle control starts or stops the VM. When the VM is in progress of starting or stopping, the control is inactive.

+ Starting or stopping the lab VM might take some time to complete.

+ :::image type="content" source="./media/tutorial-connect-vm-in-classroom-lab/start-vm.png" alt-text="Screenshot of My virtual machines page for Azure Lab Services, highlighting the status toggle and status label on the VM tile.":::

+1. After the operation finishes, confirm that the lab VM status is correct.

+ :::image type="content" source="./media/tutorial-connect-vm-in-classroom-lab/vm-running.png" alt-text="Screenshot of My virtual machines page for Azure Lab Services, highlighting the status label on the VM tile.":::

+Depending on the lab VM operating system configuration, you can use remote desktop (RDP) or secure shell (SSH) to connect to your lab VM. Learn more about how to [connect to a lab VM](connect-virtual-machine.md).

+## View quota hours

+On the lab VM tile in the [Azure Lab Services website](https://labs.azure.com), you can view your consumption of [quota hours](how-to-configure-student-usage.md#set-quotas-for-users) in the progress bar. Quota hours are the extra time allotted to you outside of the [scheduled time](./classroom-labs-concepts.md#schedules) for the lab. For example, the time outside of classroom time, to complete homework.

+The color of the progress bar and the text under the progress bar changes depending on the scenario:

+- A class is in progress, according to the lab schedules: the progress bar is grayed out to represent that you didn't use quota hours.

+ :::image type="content" source="./media/tutorial-connect-vm-in-classroom-lab/progress-bar-class-in-progress.png" alt-text="Screenshot of lab VM tile in Azure Lab Services when a schedule started the VM.":::

+- The lab has no quota (zero hours): the text **Available during classes only** shows in place of the progress bar.

+ :::image type="content" source="./media/tutorial-connect-vm-in-classroom-lab/available-during-class.png" alt-text="Screenshot of lab VM tile in Azure Lab Services when there's no quota.":::

+- You ran out of quota: the color of the progress bar is **red**.

+ :::image type="content" source="./media/tutorial-connect-vm-in-classroom-lab/progress-bar-red-color.png" alt-text="Screenshot of lab VM tile in Azure Lab Services when there's quota usage.":::

+- No class is in progress, according to the lab schedules: the color of the progress bar is **blue** to indicate that it's outside the scheduled time for the lab, and some of the quota time was used.

+ :::image type="content" source="./media/tutorial-connect-vm-in-classroom-lab/progress-bar-blue-color.png" alt-text="Screenshot of lab VM tile in Azure Lab Services when quota has been partially used.":::

+ Title: 'Tutorial: Access a lab in Azure Lab Services'

+description: In this tutorial, learn how you can register for a lab in Azure Lab Services and connect to the lab virtual machine.

+# Tutorial: Access a lab in Azure Lab Services from the Lab Services website

+In this tutorial, learn how you can register for a lab as a lab user, and then start and connect to lab virtual machine (VM) by using the Azure Lab Services website.

+If you're using Microsoft Teams or Canvas with Azure Lab Services, learn how you can [access your lab from Microsoft Teams](./how-to-access-vm-for-students-within-teams.md) or how you can [access your lab from Canvas](./how-to-access-vm-for-students-within-canvas.md).

+Before you can use the lab from the Azure Lab Services website, you need to first register for the lab by using a registration link.

+To register for a lab by using the registration link:

+1. Navigate to the registration URL that you received from the lab creator.

+ You have to register for each lab that you want to access. After you complete registration for a lab, you no longer need the registration link for that lab.

+ :::image type="content" source="./media/tutorial-connect-vm-in-classroom-lab/register-lab.png" alt-text="Screenshot of browser with example registration link for Azure Lab Services, highlighting the registration link.":::

+1. Sign in to the service using your organizational or school account to complete the registration.

+ > You need a Microsoft account to use Azure Lab Services, unless you're using Canvas. If you try to use your non-Microsoft account, such as Yahoo or Google accounts, to sign in to the portal, follow the instructions to create a Microsoft account that's linked to your non-Microsoft account. Then, follow the steps to complete the lab registration process.

+1. After the registration finishes, confirm that you see the lab virtual machine in **My virtual machines**.

+ After you complete the registration, you can directly access your lab VMs by using the Azure Lab Services website (https://labs.azure.com).

+1. On the **My virtual machines** page, you can see a tile for your lab VM. Confirm that the VM is in the **Stopped** state.

+ The VM tile shows the lab VM details, such as the lab name, operating system, and status. The VM tile also enables you to perform specific actions on the lab VM, such starting and stopping it.

+ :::image type="content" source="./media/tutorial-connect-vm-in-classroom-lab/vm-in-stopped-state.png" alt-text="Screenshot of My virtual machines page in Azure Lab Services website, highlighting the stopped state.":::

+Before you can connect to a lab VM, the VM must be running.

+To start the lab VM from the Azure Lab Services website:

+1. Go to the [Azure Lab Services website](https://labs.azure.com).

+1. Start the VM by selecting the status toggle control.

+ Starting the lab VM might take some time.

+ :::image type="content" source="./media/tutorial-connect-vm-in-classroom-lab/start-vm.png" alt-text="Screenshot of My virtual machines page in the Azure Lab Services website, highlighting the VM state toggle.":::

+1. Confirm that the status of the VM is now **Running**.

+ :::image type="content" source="./media/tutorial-connect-vm-in-classroom-lab/vm-running.png" alt-text="Screenshot of My virtual machines page in the Azure Lab Services website, highlighting the VM is running.":::

+You can now connect to the lab VM. You can retrieve the connection information from the Azure Lab Services website.

+1. Go to the [Azure Lab Services website](https://labs.azure.com).

+1. Select the connect button in the lower right of the VM tile to retrieve the connection information.

+ :::image type="content" source="./media/tutorial-connect-vm-in-classroom-lab/connect-vm.png" alt-text="Screenshot of My virtual machines page in Azure Lab Services website, highlighting the Connect button.":::

+1. Connect to the lab VM in either of two ways:

+ - For Windows virtual machines, open the RDP connection file once it has finished downloading. Use the credentials that the lab creator provided to sign in to the virtual machine. For more information, see [Connect to a Windows lab VM](connect-virtual-machine.md#connect-to-a-windows-lab-vm).

+ - For Linux virtual machines, you can use either SSH or RDP (if RDP is enabled for the lab) to connect to the VM. For more information, see [Connect to a Linux lab VM](connect-virtual-machine.md#connect-to-a-linux-lab-vm).

+In this tutorial, you accessed a lab using the registration link you got from the lab creator. When done with the VM, you stop the lab VM from the Azure Lab Services website.

+Some application scenarios prefer or require the use of the same port by multiple application instances on a single VM in the backend pool. Common examples of port reuse include:

+When you enable Floating IP, Azure changes the IP address mapping to the Frontend IP address of the Load Balancer frontend instead of backend instance's IP. Without Floating IP, Azure exposes the VM instances' IP. Enabling Floating IP changes the IP address mapping to the Frontend IP of the load Balancer to allow for more flexibility. Learn more [here](load-balancer-multivip-overview.md).

+In the diagrams, you see how IP address mapping works before and after enabling Floating IP:

+You configure Floating IP on a Load Balancer rule via the Azure portal, REST API, CLI, PowerShell, or other client. In addition to the rule configuration, you must also configure your virtual machine's Guest OS in order to use Floating IP.

+In order to function, you configure the Guest OS for the virtual machine to receive all traffic bound for the frontend IP and port of the load balancer. Configuring the VM requires:

+* adding a loopback network interface

+* ensuring the system can send/receive packets on interfaces that don't have the IP address assigned to that interface.Windows systems require setting interfaces to use the "weak host" model. For Linux systems, this model is normally used by default.

+* configuring the host firewall to allow traffic on the frontend IP port.

+netsh interface ipv4 set interface "interfacename" weakhostreceive=enabled

+(replace **"interfacename"** with the name of this interface)

+For each loopback interface you added, repeat these commands:

+netsh interface ipv4 add addr floatingipaddress floatingip floatingipnetmask

+netsh interface ipv4 set interface floatingipaddress weakhostreceive=enabled weakhostsend=enabled

+(replace **loopbackinterface** with the name of this loopback interface and **floatingip** and **floatingipnetmask** with the appropriate values that correspond to the load balancer frontend IP)

+Finally, if the guest host uses a firewall, ensure a rule set up so the traffic can reach the VM on the appropriate ports.

+This example configuration assumes a load balancer frontend IP configuration of 1.2.3.4 and a load balancing rule for port 80:

+(replace **floatingip** and **floatingipnetmask** with the appropriate values that correspond to the load balancer frontend IP)

+Finally, if the guest host uses a firewall, ensure a rule set up so the traffic can reach the VM on the appropriate ports.

+This example configuration assumes a load balancer frontend IP configuration of 1.2.3.4 and a load balancing rule for port 80. This example also assumes the use of [UFW (Uncomplicated Firewall)](https://www.wikipedia.org/wiki/Uncomplicated_Firewall) in Ubuntu.

+- You can't use Floating IP on secondary IP configurations for Load Balancing scenarios. This limitation doesn't apply to Public load balancers with dual-stack configurations or to architectures that utilize a NAT Gateway for outbound connectivity.

+ - For Consumption logic app workflows, you can install the Logic Apps Management Solution (Preview) in the Azure portal and set up Azure Monitor logs to collect diagnostic data. After you set up your logic app to send that data to an Azure Log Analytics workspace, telemetry flows to where the Logic Apps Management Solution can provide health visualizations. For more information, see [Set up Azure Monitor logs and collect diagnostics data for Azure Logic Apps](./monitor-workflows-collect-diagnostic-data.md). With diagnostics enabled, you can also use Azure Monitor to send alerts based on different signal types such as when a trigger or a run fails. For more information, see [Monitor run status, review trigger history, and set up alerts for Azure Logic Apps](./monitor-logic-apps.md?tabs=consumption#set-up-monitoring-alerts).

+* If you want to use this data with Azure Log Analytics, you can make the data available for both the primary and secondary locations by setting up your logic app's **Diagnostic settings** and sending the data to multiple Log Analytics workspaces. For more information, see [Set up Azure Monitor logs and collect diagnostics data for Azure Logic Apps](../logic-apps/monitor-workflows-collect-diagnostic-data.md).

+ | **Running** | The run was triggered and is in progress, but this status can also appear for a run that is throttled due to [action limits](logic-apps-limits-and-config.md) or the [current pricing plan](https://azure.microsoft.com/pricing/details/logic-apps/). <p><p>**Tip**: If you set up [diagnostics logging](monitor-workflows-collect-diagnostic-data.md), you can get information about any throttle events that happen. |

+ | **Running** | The run was triggered and is in progress, but this status can also appear for a run that is throttled due to [action limits](logic-apps-limits-and-config.md) or the [current pricing plan](https://azure.microsoft.com/pricing/details/logic-apps/). <p><p>**Tip**: If you set up [diagnostics logging](monitor-workflows-collect-diagnostic-data.md), you can get information about any throttle events that happen. |

+Before you can view the resource health status for your logic apps, you must first [set up diagnostic logging](monitor-workflows-collect-diagnostic-data.md). If you already have a Log Analytics workspace, you can enable logging either when you create your logic app or on existing logic apps.

+ | **Enable log analytics** | **No** (default) or **Yes** | To set up [diagnostic logging](monitor-workflows-collect-diagnostic-data.md) for your logic app resource by using [Azure Monitor logs](../azure-monitor/logs/log-query-overview.md), select **Yes**. This selection requires that you already have a Log Analytics workspace. |

+* [Set up Azure Monitor logs and collect diagnostics data for Azure Logic Apps](../logic-apps/monitor-workflows-collect-diagnostic-data.md)

+For more information, review [Set up Azure Monitor logs and collect diagnostics data for Azure Logic Apps](monitor-workflows-collect-diagnostic-data.md).

+* When you obscure the inputs or outputs on a trigger or action, Azure Logic Apps doesn't send the secured data to Azure Log Analytics. Also, you can't add [tracked properties](monitor-workflows-collect-diagnostic-data.md#other-destinations) to that trigger or action for monitoring.

+* [Monitor logic apps](monitor-workflows-collect-diagnostic-data.md)

+Azure Monitor lets you create [log queries](../azure-monitor/logs/log-query-overview.md) to help you find and review this information. You can also [use this diagnostics data with other Azure services](monitor-workflows-collect-diagnostic-data.md#other-destinations), such as Azure Storage and Azure Event Hubs.

+For real-time event monitoring and richer debugging, set up diagnostics logging for your logic app by using [Azure Monitor logs](../azure-monitor/overview.md). This Azure service helps you monitor your cloud and on-premises environments so that you can more easily maintain their availability and performance. You can then find and view events, such as trigger events, run events, and action events. By storing this information in [Azure Monitor logs](../azure-monitor/logs/data-platform-logs.md), you can create [log queries](../azure-monitor/logs/log-query-overview.md) that help you find and analyze this information. You can also use this diagnostic data with other Azure services, such as Azure Storage and Azure Event Hubs. For more information, see [Monitor logic apps by using Azure Monitor](monitor-workflows-collect-diagnostic-data.md).

+ | **Running** | The run was triggered and is in progress. However, this status can also appear for a run that's throttled due to [action limits](logic-apps-limits-and-config.md) or the [current pricing plan](https://azure.microsoft.com/pricing/details/logic-apps/). <br><br>**Tip**: If you set up [diagnostics logging](monitor-workflows-collect-diagnostic-data.md), you can get information about any throttle events that happen. |

+ | **Running** | The run was triggered and is in progress. However, this status can also appear for a run that's throttled due to [action limits](logic-apps-limits-and-config.md) or the [current pricing plan](https://azure.microsoft.com/pricing/details/logic-apps/). <br><br>**Tip**: If you set up [diagnostics logging](monitor-workflows-collect-diagnostic-data.md), you can get information about any throttle events that happen. |

+* [Monitor logic apps with Azure Monitor](monitor-workflows-collect-diagnostic-data.md)

+ Title: Collect diagnostic data for workflows

+description: Record diagnostic data for workflows in Azure Logic Apps with Azure Monitor Logs.

+ms.suite: integration

+# As a developer, I want to collect and send diagnostics data for my logic app workflows to specific destinations, such as a Log Analytics workspace, storage account, or event hub, for further review.

+# Monitor and collect diagnostic data for workflows in Azure Logic Apps

+To get richer data for debugging and diagnosing your workflows in Azure Logic Apps, you can log workflow runtime data and events, such as trigger events, run events, and action events, that you can send to a [Log Analytics workspace](../azure-monitor/essentials/resource-logs.md#send-to-log-analytics-workspace), Azure [storage account](../storage/common/storage-account-overview.md), Azure [event hub](../event-hubs/event-hubs-features.md#namespace), another partner destination, or all these destinations when you set up and use [Azure Monitor Logs](../azure-monitor/logs/data-platform-logs.md).

+This how-to guide shows how to complete the following tasks, based on whether you have a Consumption or Standard logic app resource.

+### [Consumption](#tab/consumption)

+1. At Consumption logic app creation, [enable Log Analytics and specify your Log Analytics workspace](#enable-for-new-logic-apps).

+ -or-

+ For an existing Consumption logic app, [install the Logic Apps Management solution in your Log Analytics workspace](#install-management-solution). This solution provides aggregated information for your logic app runs and includes specific details such as status, execution time, resubmission status, and correlation IDs.

+1. [Add a diagnostic setting to enable data collection](#add-diagnostic-setting).

+1. [View workflow run status](#view-workflow-run-status).

+1. [Send diagnostic data to Azure Storage and Azure Event Hubs](#other-destinations).

+1. [Include custom properties in telemetry](#custom-tracking-properties).

+### [Standard (preview)](#tab/standard)

+1. [Add a diagnostic setting to enable data collection](#add-diagnostic-setting).

+1. [View workflow run status](#view-workflow-run-status).

+1. [Send diagnostic data to Azure Storage and Azure Event Hubs](#other-destinations).

+1. [Include custom properties in telemetry](#custom-tracking-properties).

+## Prerequisites

+* An Azure account and subscription. If you don't have a subscription, [sign up for a free Azure account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+ For a Consumption logic app resource, you need Azure subscription Owner or Contributor permissions so you can install the Logic Apps Management solution from the Azure Marketplace. For more information, see the following documentation:

+ * [Permission to purchase - Azure Marketplace purchasing](/marketplace/azure-purchasing-invoicing#permission-to-purchase)

+ * [Azure roles - Classic subscription administrator roles, Azure roles, and Azure AD roles](../role-based-access-control/rbac-and-directory-admin-roles.md#azure-roles)

+* The destination resource for where you want to send diagnostic data:

+ * A [Log Analytics workspace](../azure-monitor/logs/quick-create-workspace.md)

+ * An [Azure storage account](../storage/common/storage-account-create.md)

+ * An [Azure event hub](../event-hubs/event-hubs-create.md)

+* Your logic app resource and workflow

+## Enable Log Analytics

+### [Consumption](#tab/consumption)

+For a Consumption logic app, you need to first enable Log Analytics.

+<a name="enable-for-new-logic-apps"></a>

+#### Enable Log Analytics at logic app creation

+1. In the [Azure portal](https://portal.azure.com), on the **Create Logic App** pane, follow these steps:

+ 1. Under **Plan**, make sure to select **Consumption** so that only the options for Consumption workflows appear.

+ 1. For **Enable log analytics**, select **Yes**.

+ 1. From the **Log Analytics workspace** list, select the workspace where you want to send the data from your workflow run.

+ :::image type="content" source="./media/monitor-workflows-collect-diagnostic-data/consumption/create-logic-app-details.png" alt-text="Screenshot showing the Azure portal and Consumption logic app creation page.":::

+ 1. Finish creating your logic app resource.

+

+ When you're done, your logic app is associated with your Log Analytics workspace. This step also automatically installs the Logic Apps Management solution in your workspace.

+1. After you run your workflow, [view your workflow run status](#view-workflow-run-status).

+<a name="install-management-solution"></a>

+#### Install Logic Apps Management solution

+If you turned on Log Analytics when you created your logic app resource, skip this section. You already have the Logic Apps Management solution installed in your Log Analytics workspace. Otherwise, continue with the following steps for an existing Consumption logic app:

+1. In the [Azure portal](https://portal.azure.com) search box, enter **log analytics workspaces**, and select **Log Analytics workspaces** from the results.

+ :::image type="content" source="./media/monitor-workflows-collect-diagnostic-data/consumption/find-select-log-analytics-workspaces.png" alt-text="Screenshot showing the Azure portal search box with log analytics workspaces selected.":::

+1. Under **Log Analytics workspaces**, select your workspace.

+ :::image type="content" source="./media/monitor-workflows-collect-diagnostic-data/consumption/select-log-analytics-workspace.png" alt-text="Screenshot showing the Azure portal, the Log Analytics workspaces list, and a specific workspace selected.":::

+1. On the **Overview** pane, under **Get started with Log Analytics** > **Configure monitoring solutions**, select **View solutions**.

+ :::image type="content" source="./media/monitor-workflows-collect-diagnostic-data/consumption/log-analytics-workspace.png" alt-text="Screenshot showing the Azure portal, the workspace's overview page, and View solutions selected.":::

+1. Under **Overview**, select **Add**, which adds a new solution to your workspace.

+1. After the **Marketplace** page opens, in the search box, enter **logic apps management**, and select **Logic Apps Management**.

+ :::image type="content" source="./media/monitor-workflows-collect-diagnostic-data/consumption/select-logic-apps-management.png" alt-text="Screenshot showing the Azure portal, the Marketplace page search box with 'logic apps management' entered and 'Logic Apps Management' selected.":::

+1. On the **Logic Apps Management** tile, from the **Create** list, select **Logic Apps Management**.

+ :::image type="content" source="./media/monitor-workflows-collect-diagnostic-data/consumption/create-logic-apps-management-solution.png" alt-text="Screenshot showing the Azure portal, the Marketplace page, the 'Logic Apps Management' tile, with the Create list open, and Logic Apps Management (Preview) selected.":::

+1. On the **Create Logic Apps Management (Preview) Solution** pane, select the Log Analytics workspace where you want to install the solution. Select **Review + create**, review your information, and select **Create**.

+ :::image type="content" source="./media/monitor-workflows-collect-diagnostic-data/consumption/confirm-log-analytics-workspace.png" alt-text="Screenshot showing the Azure portal, the Create Logic Apps Management (Preview) Solution page, and workspace information.":::

+ After Azure deploys the solution to the Azure resource group that contains your Log Analytics workspace, the solution appears on your workspace summary pane under **Overview**.

+ :::image type="content" source="./media/monitor-workflows-collect-diagnostic-data/consumption/workspace-summary-pane-logic-apps-management.png" alt-text="Screenshot showing the Azure portal, the workspace summary pane with Logic Apps Management solution.":::

+### [Standard (preview)](#tab/standard)

+For a Standard logic app, you can continue with [Add a diagnostic setting](#add-diagnostic-setting). No other prerequisite steps are necessary to enable Log Analytics, nor does the Logic Apps Management solution apply to Standard logic apps.

+<a name="add-diagnostic-setting"></a>

+## Add a diagnostic setting

+### [Consumption](#tab/consumption)

+1. In the [Azure portal](https://portal.azure.com), open your Consumption logic app resource.

+1. On the logic app resource menu, under **Monitoring**, select **Diagnostic settings**. On the **Diagnostic settings** page, select **Add diagnostic setting**.

+ :::image type="content" source="media/monitor-workflows-collect-diagnostic-data/consumption/add-diagnostic-setting.png" alt-text="Screenshot showing Azure portal, Consumption logic app resource menu with 'Diagnostic settings' selected and then 'Add diagnostic setting' selected.":::

+1. For **Diagnostic setting name**, provide the name that you want for the setting.

+1. Under **Logs** > **Categories**, select **Workflow runtime diagnostic events**. Under **Metrics**, select **AllMetrics**.

+1. Under **Destination details**, select one or more destinations, based on where you want to send the logs.

+ | Destination | Directions |

+ |-||

+ | **Send to Log Analytics workspace** | Select the Azure subscription for your Log Analytics workspace and the workspace. |

+ | **Archive to a storage account** | Select the Azure subscription for your Azure storage account and the storage account. For more information, see [Send diagnostic data to Azure Storage and Azure Event Hubs](#other-destinations). |

+ | **Stream to an event hub** | Select the Azure subscription for your event hub namespace, event hub, and event hub policy name. For more information, see [Send diagnostic data to Azure Storage and Azure Event Hubs](#other-destinations) and [Azure Monitor partner integrations](../azure-monitor/partners.md). |

+ | **Send to partner solution** | Select your Azure subscription and the destination. For more information, see [Azure Native ISV Services overview](../partner-solutions/overview.md). |

+ The following example selects a Log Analytics workspace as the destination:

+ :::image type="content" source="media/monitor-workflows-collect-diagnostic-data/consumption/send-diagnostics-data-log-analytics-workspace.png" alt-text="Screenshot showing Azure portal, Log Analytics workspace, and data to collect.":::

+1. To finish adding your diagnostic setting, select **Save**.

+### [Standard (preview)](#tab/standard)

+1. In the [Azure portal](https://portal.azure.com), open your Standard logic app resource.

+1. On the logic app resource menu, under **Monitoring**, select **Diagnostic settings**. On the **Diagnostic settings** page, select **Add diagnostic setting**.

+ :::image type="content" source="media/monitor-workflows-collect-diagnostic-data/standard/add-diagnostic-setting.png" alt-text="Screenshot showing Azure portal, Standard logic app resource menu with 'Diagnostic settings' selected and then 'Add diagnostic setting' selected.":::

+1. For **Diagnostic setting name**, provide the name that you want for the setting.

+1. Under **Logs** > **Categories**, select **Workflow Runtime Logs**. Under **Metrics**, select **AllMetrics**.

+1. Under **Destination details**, select one or more destinations, based on where you want to send the logs.

+ | Destination | Directions |

+ |-||

+ | **Send to Log Analytics workspace** | Select the Azure subscription for your Log Analytics workspace and the workspace. |

+ | **Archive to a storage account** | Select the Azure subscription for your Azure storage account and the storage account. For more information, see [Send diagnostic data to Azure Storage and Azure Event Hubs](#other-destinations). |

+ | **Stream to an event hub** | Select the Azure subscription for your event hub namespace, event hub, and event hub policy name. For more information, see [Send diagnostic data to Azure Storage and Azure Event Hubs](#other-destinations) and [Azure Monitor partner integrations](../azure-monitor/partners.md). |

+ | **Send to partner solution** | Select your Azure subscription and the destination. For more information, see [Azure Native ISV Services overview](../partner-solutions/overview.md). |

+ The following example selects a Log Analytics workspace as the destination:

+ :::image type="content" source="media/monitor-workflows-collect-diagnostic-data/standard/send-to-log-analytics-workspace.png" alt-text="Screenshot showing Azure portal, Standard logic app resource menu with log analytics options selected.":::

+1. Optionally, to include telemetry for events such as **Host.Startup**, **Host.Bindings**, and **Host.LanguageWorkerConfig**, select **Function Application Logs**. For more information, see [Monitor Azure Functions with Azure Monitor Logs](../azure-functions/functions-monitor-log-analytics.md).

+1. To finish adding your diagnostic setting, select **Save**.

+Azure Logic Apps now sends telemetry about your workflow runs to your Log Analytics workspace.

+> [!NOTE]

+>

+> After you enable diagnostics settings, diagnostics data might not flow for up to 30 minutes to the logs

+> at the specified destination, such as Log Analytics, storage account, or event hub. This delay means that

+> diagnostics data from this time period might not exist for you to review. Completed events and

+> [tracked properties](#custom-tracking-properties) might not appear in your Log Analytics workspace for 10-15 minutes.

+<a name="view-workflow-run-status"></a>

+## View workflow run status

+### [Consumption](#tab/consumption)

+After your workflow runs, you can view the data about those runs in your Log Analytics workspace.

+1. In the [Azure portal](https://portal.azure.com), open your Log Analytics workspace.

+1. On your workspace menu, under **Classic**, select **Workspace summary**. On the **Overview** page, select **Logic Apps Management**.

+ > [!NOTE]

+ >

+ > If the Logic Apps Management tile doesn't immediately show results after a run,

+ > try selecting **Refresh** or wait for a short time before trying again.

+ :::image type="content" source="./media/monitor-workflows-collect-diagnostic-data/consumption/logic-app-runs-summary.png" alt-text="Screenshot showing Azure portal, Log Analytics workspace with Consumption logic app workflow run status and count.":::

+ The summary page shows workflows grouped by name or by execution status. The page also shows details about failures in the actions or triggers for the workflow runs.

+ :::image type="content" source="./media/monitor-workflows-collect-diagnostic-data/consumption/logic-app-runs-summary-details.png" alt-text="Screenshot showing status summary for Consumption logic app workflow runs.":::

+1. To view all the runs for a specific workflow or status, select the row for that workflow or status.

+ This example shows all the runs for a specific workflow:

+ :::image type="content" source="./media/monitor-workflows-collect-diagnostic-data/consumption/logic-app-run-details.png" alt-text="Screenshot showing runs and status for a specific Consumption logic app workflow.":::

+ For actions where you added [tracked properties](#custom-tracking-properties), you can search for the tracked properties using the column filter. To view the properties, in the **Tracked Properties** column, select **View**.

+ :::image type="content" source="./media/monitor-workflows-collect-diagnostic-data/consumption/logic-app-tracked-properties.png" alt-text="Screenshot showing tracked properties for a specific Consumption logic app workflow.":::

+1. To filter your results, you can perform both client-side and server-side filtering.

+ * **Client-side filter**: For each column, select the filters that you want, for example:

+ :::image type="content" source="./media/monitor-workflows-collect-diagnostic-data/consumption/filters.png" alt-text="Screenshot showing example client-side filter using column filters.":::

+ * **Server-side filter**: To select a specific time window or to limit the number of runs that appear, use the scope control at the top of the page. By default, only 1,000 records appear at a time.

+ :::image type="content" source="./media/monitor-workflows-collect-diagnostic-data/consumption/change-interval.png" alt-text="Screenshot showing example server-side filter that changes the time window.":::

+1. To view all the actions and their details for a specific run, select the row for a logic app workflow run.

+ The following example shows all the actions and triggers for a specific logic app workflow run:

+ :::image type="content" source="./media/monitor-workflows-collect-diagnostic-data/consumption/logic-app-action-details.png" alt-text="Screenshot showing all operations and details for a specific logic app workflow run.":::

+### [Standard (preview)](#tab/standard)

+1. In the [Azure portal](https://portal.azure.com), open your Log Analytics workspace.

+1. On the workspace navigation menu, select **Logs**.

+1. On the new query tab, in the left column, under **Tables**, expand **LogManagement**, and select **LogicAppWorkflowRuntime**.

+ In the right pane, under **Results**, the table shows records related to the following events:

+ * WorkflowRunStarted

+ * WorkflowRunCompleted

+ * WorkflowTriggerStarted

+ * WorkflowTriggerEnded

+ * WorkflowActionStarted

+ * WorkflowActionCompleted

+ * WorkflowBatchMessageSend

+ * WorkflowBatchMessageRelease

+ For completed events, the **EndTime** column publishes the timestamp for when those finished. This value helps you determine the duration between the start event and the completed event.

+ :::image type="content" source="media/monitor-workflows-collect-diagnostic-data/standard/log-analytics-workspace-results.png" alt-text="Screenshot showing Azure portal, Log Analytics workspace, and captured telemetry for Standard logic app workflow run.":::

+## Sample queries

+In your Log Analytics workspace's query pane, you can enter your own queries to find specific data, for example:

+* Select all events for a specific workflow run ID:

+ ```

+ LogicAppWorkflowRuntime

+ | where RunId == "08585258189921908774209033046CU00"

+ ```

+* List all exceptions:

+ ```

+ LogicAppWorkflowRuntime

+ | where Error != ""

+ | sort by StartTime desc

+ ```

+* Identify actions that have experienced retries:

+ ```

+ LogicAppWorkflowRuntime

+ | where RetryHistory != ""

+ | sort by StartTime desc

+ ```

+<a name="other-destinations"></a>

+## Send diagnostic data to Azure Storage and Azure Event Hubs

+Along with Azure Monitor Logs, you can send the collected data to other destinations, for example:

+* [Archive Azure resource logs to storage account](../azure-monitor/essentials/resource-logs.md#send-to-azure-storage)

+* [Stream Azure platform logs to Azure Event Hubs](../azure-monitor/essentials/resource-logs.md#send-to-azure-event-hubs)

+You can then get real-time monitoring by using telemetry and analytics from other services, such as [Azure Stream Analytics](../stream-analytics/stream-analytics-introduction.md) and [Power BI](../azure-monitor/logs/log-powerbi.md), for example:

+* [Stream data from Event Hubs to Stream Analytics](../stream-analytics/stream-analytics-define-inputs.md)

+* [Analyze streaming data with Stream Analytics and create a real-time analytics dashboard in Power BI](../stream-analytics/stream-analytics-power-bi-dashboard.md)

+> [!NOTE]

+>

+> Retention periods apply only when you use a storage account.

+<a name="custom-tracking-properties"></a>

+## Include custom properties in telemetry

+In your workflow, triggers and actions have the capability for you to add the following custom properties so that their values appear along with the emitted telemetry in your Log Analytics workspace.

+### Custom tracking ID

+Most triggers have a **Custom Tracking Id** property where you can specify a tracking ID using an expression. You can use this expression to get data from the received message payload or to generate unique values, for example:

+If you don't specify this custom tracking ID, Azure automatically generates this ID and correlates events across a workflow run, including any nested workflows that are called from the parent workflow. You can manually specify this ID in a trigger by passing a `x-ms-client-tracking-id` header with your custom ID value in the trigger request. You can use a Request trigger, HTTP trigger, or webhook-based trigger.

+### [Consumption](#tab/consumption)

+### [Standard (preview)](#tab/standard)

+### Tracked properties

+Actions have a **Tracked Properties** section where you can specify a custom property name and value by entering an expression or hardcoded value to track specific inputs or outputs, for example:

+### [Consumption](#tab/consumption)

+### [Standard (preview)](#tab/standard)

+Tracked properties can track only a single action's inputs and outputs, but you can use the `correlation` properties of events to correlate across actions in a workflow run.

+The following examples shows where custom properties appear in your Log Analytics workspace:

+### [Consumption](#tab/consumption)

+1. On your Log Analytics workspace menu, under **Classic**, select **Workspace summary**. On the **Overview** page, select **Logic Apps Management**.

+1. Select the row for the workflow that you want to review.

+1. On the **Runs** page, in the **Logic App Runs** table, find the **Tracking ID** column and the **Tracked Properties** column.

+ :::image type="content" source="./media/monitor-workflows-collect-diagnostic-data/consumption/logic-app-run-details.png" alt-text="Screenshot showing runs and status for a specific Consumption workflow.":::

+1. To search the tracked properties, use the column filter. To view the properties, select **View**.

+ :::image type="content" source="./media/monitor-workflows-collect-diagnostic-data/consumption/example-tracked-properties.png" alt-text="Screenshot showing example tracked properties for a specific Consumption workflow.":::

+### [Standard (preview)](#tab/standard)

+The custom tracking ID appears in the **ClientTrackingId** column and tracked properties appear in the **TrackedProperties** column, for example:

+## Next steps

+* [Create monitoring and tracking queries](create-monitoring-tracking-queries.md)

+* [Monitor B2B messages with Azure Monitor Logs](monitor-b2b-messages-log-analytics.md)

+In this article, learn how to deploy your [MLflow](https://www.mlflow.org) model to an [online endpoint](concept-endpoints.md) for real-time inference. When you deploy your MLflow model to an online endpoint, you don't need to indicate a scoring script or an environment. This characteristic is referred as __no-code deployment__.

+* Dynamically installs Python packages provided in the `conda.yaml` file. Hence, dependencies are installed during container runtime.

+This example shows how you can deploy an MLflow model to an online endpoint to perform predictions. This example uses an MLflow model based on the [Diabetes dataset](https://www4.stat.ncsu.edu/~boos/var.select/diabetes.html). This dataset contains ten baseline variables, age, sex, body mass index, average blood pressure, and six blood serum measurements obtained from n = 442 diabetes patients. It also contains the response of interest, a quantitative measure of disease progression one year after baseline (regression).

+The model was trained using an `scikit-learn` regressor and all the required preprocessing has been packaged as a pipeline, making this model an end-to-end pipeline that goes from raw data to predictions.

+The information in this article is based on code samples contained in the [azureml-examples](https://github.com/azure/azureml-examples) repository. To run the commands locally without having to copy/paste YAML and other files, clone the repo, and then change directories to the `cli/endpoints/online` if you are using the Azure CLI or `sdk/endpoints/online` if you are using our SDK for Python.

+- You must have a MLflow model registered in your workspace. Particularly, this example registers a model trained for the [Diabetes dataset](https://www4.stat.ncsu.edu/~boos/var.select/diabetes.html).

+Additionally, you need to:

+There are no more prerequisites when working in Azure Machine Learning studio.

+The workspace is the top-level resource for Azure Machine Learning, providing a centralized place to work with all the artifacts you create when you use Azure Machine Learning. In this section, we connect to the workspace in which you perform deployment tasks.

+ data = infer_and_parse_json_input(serving_input, input_schema)

+ Title: Plan for network isolation

+description: Demystify Azure Machine Learning network isolation with recommendations and automation templates

+# Plan for network isolation

+In this article, you learn how to plan your network isolation for Azure Machine Learning and our recommendations. This is a document for IT administrators who want to design network architecture.

+## Key considerations

+### Azure Machine Learning has both IaaS and PaaS resources

+Azure Machine Learning's network isolation involves both Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) components. PaaS services, such as the Azure Machine Learning workspace, storage, key vault, container registry, and monitor, can be isolated using Private Link. IaaS computing services, such as compute instances/clusters for AI model training, and Azure Kubernetes Service (AKS) or managed online endpoints for AI model scoring, can be injected into your virtual network and communicate with PaaS services using Private Link. The following diagram is an example of this architecture.

+In this diagram, the compute instances, compute clusters, and AKS Clusters are located within your virtual network. They can access the Azure Machine Learning workspace or storage using a private endpoint. Instead of a private endpoint, you can use a service endpoint for Azure Storage and Azure Key Vault. The other services don't support service endpoint.

+### Required inbound and outbound configurations

+Azure Machine Learning has [several required inbound and outbound configurations](how-to-access-azureml-behind-firewall.md) with your virtual network. If you have a standalone virtual network, the configuration is straightforward using network security group. However, you may have a hub-spoke or mesh network architecture, firewall, network virtual appliance, proxy, and user defined routing. In either case, make sure to allow inbound and outbound with your network security components.

+In this diagram, you have a hub and spoke network architecture. The spoke VNet has resources for Azure Machine Learning. The hub VNet has a firewall that control internet outbound from your virtual networks. In this case, your firewall must allow outbound to required resources and your compute resources in spoke VNet must be able to reach your firewall.

+> [!TIP]

+> In the diagram, the compute instance and compute cluster are configured for no public IP. If you instead use a compute instance or cluster __with public IP__, you need to allow inbound from the Azure Machine Learning service tag using a Network Security Group (NSG) and user defined routing to skip your firewall. This inbound traffic would be from a Microsoft service (Azure Machine Learning). However, we recommend using the no public IP option to remove this inbound requirement.

+### DNS resolution of private link resources and application on compute instance

+If you have your own DNS server hosted in Azure or on-premises, you need to create a conditional forwarder in your DNS server. The conditional forwarder sends DNS requests to the Azure DNS for all private link enabled PaaS services. For more information, see the [DNS configuration scenarios](/azure/private-link/private-endpoint-dns#dns-configuration-scenarios) and [Azure Machine Learning specific DNS configuration](how-to-custom-dns.md) articles.

+### Data exfiltration protection

+We have two types of outbound; read only and read/write. Read only outbound can't be exploited by malicious actors but read/write outbound can be. Azure Storage and Azure Frontdoor (the `frontdoor.frontend` service tag) are read/write outbound in our case.

+You can mitigate this data exfiltration risk using [our data exfiltration prevention solution](how-to-prevent-data-loss-exfiltration.md). We use a service endpoint policy with an Azure Machine Learning alias to allow outbound to only Azure Machine Learning managed storage accounts. You don't need to open outbound to Storage on your firewall.

+In this diagram, the compute instance and cluster need to access Azure Machine Learning managed storage accounts to get set-up scripts. Instead of opening the outbound to storage, you can use service endpoint policy with Azure Machine Learning alias to allow the storage access only to Azure Machine Learning storage accounts.

+The following tables list the required outbound [Azure Service Tags](/azure/virtual-network/service-tags-overview) and fully qualified domain names (FQDN) with data exfiltration protection setting:

+| Outbound service tag | Protocol | Port |

+| - | - | - |

+| `AzureActiveDirectory` | TCP | 80, 443 |

+| `AzureResourceManager` | TCP | 443 |

+| `AzureMachineLearning` | UDP | 5831 |

+| `BatchNodeManagement` | TCP | 443 |

+| Outbound FQDN | Protocol | Port |

+| - | - | - |

+| `mcr.microsoft.com` | TCP | 443 |

+| `*.data.mcr.microsoft.com` | TCP | 443 |

+| `ml.azure.com` | TCP | 443 |

+| `automlresources-prod.azureedge.net` | TCP | 443 |

+### Managed online endpoint

+Azure Machine Learning managed online endpoint uses Azure Machine Learning managed VNet, instead of using your VNet. If you want to disallow public access to your endpoint, set the `public_network_access` flag to disabled. When this flag is disabled, your endpoint can be accessed via the private endpoint of your workspace, and it can't be reached from public networks. If you want to use a private storage account for your deployment, set the `egress_public_network_access` flag disabled. It automatically creates private endpoints to access your private resources.

+> [!TIP]

+> The workspace default storage account is the only private storage account supported by managed online endpoint.

+For more information, see the [Network isolation of managed online endpoints](how-to-secure-online-endpoint.md) article.

+### Private IP address shortage in your main network

+Azure Machine Learning requires private IPs; one IP per compute instance, compute cluster node, and private endpoint. You also need many IPs if you use AKS. Your hub-spoke network connected with your on-premises network might not have a large enough private IP address space. In this scenario, you can use isolated, not-peered VNets for your Azure Machine Learning resources.

+In this diagram, your main VNet requires the IPs for private endpoints. You can have hub-spoke VNets for multiple Azure Machine Learning workspaces with large address spaces. A downside of this architecture is to double the number of private endpoints.

+### Network policy enforcement

+You can use [built-in policies](/how-to-integrate-azure-policy.md) if you want to control network isolation parameters with self-service workspace and computing resources creation.

+### Other considerations

+#### Image build compute setting for ACR behind VNet

+If you put your Azure container registry (ACR) behind your private endpoint, your ACR can't build your docker images. You need to use compute instance or compute cluster to build images. For more information, see the [how to set image build compute](how-to-secure-workspace-vnet.md#enable-azure-container-registry-acr) article.

+#### Enablement of studio UI with private link enabled workspace

+If you plan on using the Azure Machine Learning studio, there are extra configuration steps that are needed. These steps are to preventing any data exfiltration scenarios. For more information, see the [how to use Azure Machine Learning studio in an Azure virtual network](how-to-enable-studio-virtual-network.md) article.

+<!-- ### Registry -->

+## Recommended architecture

+The following diagram is our recommended architecture to make all resources private but allow outbound internet access from your VNet. This diagram describes the following architecture:

+* Put all resources in the same region.

+* A hub VNet, which contains your firewall.

+* A spoke VNet, which contains the following resources:

+ * A training subnet contains compute instances and clusters used for training ML models. These resources are configured for no public IP.

+ * A scoring subnet contains an AKS cluster.

+ * A 'pe' subnet contains private endpoints that connect to the workspace and private resources used by the workspace (storage, key vault, container registry, etc.)

+* Managed online endpoints use the private endpoint of the workspace to process incoming requests. A private endpoint is also used to allow managed online endpoint deployments to access private storage.

+This architecture balances your network security and your ML engineers' productivity.

+You can automate this environments creation using [a template](tutorial-create-secure-workspace-template.md) without managed online endpoint or AKS. Managed online endpoint is the solution if you don't have an existing AKS cluster for your AI model scoring. See [how to secure online endpoint](how-to-secure-online-endpoint.md) documentation for more info. AKS with Azure Machine Learning extension is the solution if you have an existing AKS cluster for your AI model scoring. See [how to attach kubernetes](how-to-attach-kubernetes-anywhere.md) documentation for more info.

+### Removing firewall requirement

+If you want to remove the firewall requirement, you can use network security groups and [Azure virtual network NAT](/azure/virtual-network/nat-gateway/nat-overview) to allow internet outbound from your private computing resources.

+### Using public workspace

+You can use a public workspace if you're OK with Azure AD authentication and authorization with conditional access. A public workspace has some features to show data in your private storage account and we recommend using private workspace.

+## Recommended architecture with data exfiltration prevention

+This diagram shows the recommended architecture to make all resources private and control outbound destinations to prevent data exfiltration. We recommend this architecture when using Azure Machine Learning with your sensitive data in production. This diagram describes the following architecture:

+* Put all resources in the same region.

+* A hub VNet, which contains your firewall.

+ * In addition to service tags, the firewall uses FQDNs to prevent data exfiltration.

+* A spoke VNet, which contains the following resources:

+ * A training subnet contains compute instances and clusters used for training ML models. These resources are configured for no public IP. Additionally, a service endpoint and service endpoint policy are in place to prevent data exfiltration.

+ * A scoring subnet contains an AKS cluster.

+ * A 'pe' subnet contains private endpoints that connect to the workspace and private resources used by the workspace (storage, key vault, container registry, etc.)

+* Managed online endpoints use the private endpoint of the workspace to process incoming requests. A private endpoint is also used to allow managed online endpoint deployments to access private storage.

+The following tables list the required outbound [Azure Service Tags](/azure/virtual-network/service-tags-overview) and fully qualified domain names (FQDN) with data exfiltration protection setting:

+| Outbound service tag | Protocol | Port |

+| - | -- | - |

+| `AzureActiveDirectory` | TCP | 80, 443 |

+| `AzureResourceManager` | TCP | 443 |

+| `AzureMachineLearning` | UDP | 5831 |

+| `BatchNodeManagement` | TCP | 443 |

+| Outbound FQDN | Protocol | Port |

+| - | - | - |

+| `mcr.microsoft.com` | TCP | 443 |

+| `*.data.mcr.microsoft.com` | TCP | 443 |

+| `ml.azure.com` | TCP | 443 |

+| `automlresources-prod.azureedge.net` | TCP | 443 |

+### Using public workspace

+You can use the public workspace if you're OK with Azure AD authentication and authorization with conditional access. A public workspace has some features to show data in your private storage account and we recommend using private workspace.

+## Next steps

+* [Virtual network overview](how-to-network-security-overview.md)

+* [Secure the workspace resources](how-to-secure-workspace-vnet.md)

+* [Secure the training environment](how-to-secure-training-vnet.md)

+* [Secure the inference environment](how-to-secure-inferencing-vnet.md)

+* [Enable studio functionality](how-to-enable-studio-virtual-network.md)

+* [Configure inbound and outbound network traffic](how-to-access-azureml-behind-firewall.md)

+* [Use custom DNS](how-to-custom-dns.md)

+ Title: Deploy a registered R model to an online (real time) endpoint

+description: 'Learn how to deploy your R model to an online (real-time) managed endpoint'

+ms.devlang: r

+# How to deploy a registered R model to an online (real time) endpoint

+In this article, you'll learn how to deploy an R model to a managed endpoint (Web API) so that your application can score new data against the model in near real-time.

+## Prerequisites

+- An [Azure Machine Learning workspace](quickstart-create-resources.md).

+- Azure [CLI and ml extension installed](how-to-configure-cli.md). Or use a [compute instance in your workspace](quickstart-create-resources.md), which has the CLI pre-installed.

+- At least one custom environment associated with your workspace. Create [an R environment](how-to-r-modify-script-for-production.md#create-an-environment), or any other custom environment if you don't have one.

+- An understanding of the [R `plumber` package](https://www.rplumber.io/https://docsupdatetracker.net/index.html)

+- A model that you've trained and [packaged with `crate`](how-to-r-modify-script-for-production.md#crate-your-models-with-the-carrier-package), and [registered into your workspace](how-to-r-train-model.md#register-model)

+## Create a folder with this structure

+Create this folder structure for your project:

+```

+📂 r-deploy-azureml

+ ├─📂 docker-context

+ Γöé Γö£ΓöÇ Dockerfile

+ Γöé Γö£ΓöÇ start_plumber.R

+ ├─📂 src

+ Γöé Γö£ΓöÇ plumber.R

+ Γö£ΓöÇ deployment.yml

+ Γö£ΓöÇ endpoint.yml

+```

+The contents of each of these files is shown and explained in this article.

+### Dockerfile

+This is the file that defines the container environment. You'll also define the installation of any additional R packages here.

+A sample **Dockerfile** will look like this:

+```dockerfile

+# REQUIRED: Begin with the latest R container with plumber

+FROM rstudio/plumber:latest

+# REQUIRED: Install carrier package to be able to use the crated model (whether from a training job

+# or uploaded)

+RUN R -e "install.packages('carrier', dependencies = TRUE, repos = 'https://cloud.r-project.org/')"

+# OPTIONAL: Install any additional R packages you may need for your model crate to run

+RUN R -e "install.packages('<PACKAGE-NAME>', dependencies = TRUE, repos = 'https://cloud.r-project.org/')"

+RUN R -e "install.packages('<PACKAGE-NAME>', dependencies = TRUE, repos = 'https://cloud.r-project.org/')"

+# REQUIRED

+ENTRYPOINT []

+COPY ./start_plumber.R /tmp/start_plumber.R

+CMD ["Rscript", "/tmp/start_plumber.R"]

+```

+Modify the file to add the packages you need for your scoring script.

+### plumber.R

+> [!IMPORTANT]

+> This section shows how to structure the **plumber.R** script. For detailed information about the `plumber` package, see [`plumber` documentation](https://www.rplumber.io/https://docsupdatetracker.net/index.html) .

+The file **plumber.R** is the R script where you'll define the function for scoring. This script also performs tasks that are necessary to make your endpoint work. The script:

+- Gets the path where the model is mounted from the `AZUREML_MODEL_DIR` environment variable in the container.

+- Loads a model object created with the `crate` function from the `carrier` package, which was saved as **crate.bin** when it was packaged.

+- _Unserializes_ the model object

+- Defines the scoring function

+> [!TIP]

+> Make sure that whatever your scoring function produces can be converted back to JSON. Some R objects are not easily converted.

+```r

+# plumber.R

+# This script will be deployed to a managed endpoint to do the model scoring

+# REQUIRED

+# When you deploy a model as an online endpoint, AzureML mounts your model

+# to your endpoint. Model mounting enables you to deploy new versions of the model without

+# having to create a new Docker image.

+model_dir <- Sys.getenv("AZUREML_MODEL_DIR")

+# REQUIRED

+# This reads the serialized model with its respecive predict/score method you

+# registered. The loaded load_model object is a raw binary object.

+load_model <- readRDS(paste0(model_dir, "/models/crate.bin"))

+# REQUIRED

+# You have to unserialize the load_model object to make it its function

+scoring_function <- unserialize(load_model)

+# REQUIRED

+# << Readiness route vs. liveness route >>

+# An HTTP server defines paths for both liveness and readiness. A liveness route is used to

+# check whether the server is running. A readiness route is used to check whether the

+# server's ready to do work. In machine learning inference, a server could respond 200 OK

+# to a liveness request before loading a model. The server could respond 200 OK to a

+# readiness request only after the model has been loaded into memory.

+#* Liveness check

+#* @get /live

+function() {

+ "alive"

+}

+#* Readiness check

+#* @get /ready

+function() {

+ "ready"

+}

+# << The scoring function >>

+# This is the function that is deployed as a web API that will score the model

+# Make sure that whatever you are producing as a score can be converted

+# to JSON to be sent back as the API response

+# in the example here, forecast_horizon (the number of time units to forecast) is the input to scoring_function.

+# the output is a tibble

+# we are converting some of the output types so they work in JSON

+#* @param forecast_horizon

+#* @post /score

+function(forecast_horizon) {

+ scoring_function(as.numeric(forecast_horizon)) |>

+ tibble::as_tibble() |>

+ dplyr::transmute(period = as.character(yr_wk),

+ dist = as.character(logmove),

+ forecast = .mean) |>

+ jsonlite::toJSON()

+}

+```

+### start_plumber.R

+The file **start_plumber.R** is the R script that gets run when the container starts, and it calls your **plumber.R** script. Use the following script as-is.

+```r

+entry_script_path <- paste0(Sys.getenv('AML_APP_ROOT'),'/', Sys.getenv('AZUREML_ENTRY_SCRIPT'))

+pr <- plumber::plumb(entry_script_path)

+args <- list(host = '0.0.0.0', port = 8000);

+if (packageVersion('plumber') >= '1.0.0') {

+ pr$setDocs(TRUE)

+} else {

+ args$swagger <- TRUE

+}

+do.call(pr$run, args)

+```

+## Build container

+These steps assume you have an Azure Container Registry associated with your workspace, which is created when you create your first custom environment. To see if you have a custom environment:

+1. Sign in to [Azure Machine Learning studio](https://ml.azure.com).

+1. Select your workspace if necessary.

+1. On the left navigation, select **Environments**.

+1. On the top, select **Custom environments**.

+1. If you see custom environments, nothing more is needed.

+1. If you don't see any custom environments, create [an R environment](how-to-r-modify-script-for-production.md#create-an-environment), or any other custom environment. (You *won't* use this environment for deployment, but you *will* use the container registry that is also created for you.)

+Once you have verified that you have at least one custom environment, use the following steps to build a container.

+1. Open a terminal window and sign in to Azure. If you're doing this from an [Azure Machine Learning compute instance](quickstart-create-resources.md#create-compute-instance), use:

+ ```azurecli

+ az login --identity

+ ```

+ If you're not on the compute instance, omit `--identity` and follow the prompt to open a browser window to authenticate.

+1. Make sure you have the most recent versions of the CLI and the `ml` extension:

+

+ ```azurecli

+ az upgrade

+ ```

+1. If you have multiple Azure subscriptions, set the active subscription to the one you're using for your workspace. (You can skip this step if you only have access to a single subscription.) Replace `<SUBSCRIPTION-NAME>` with your subscription name. Also remove the brackets `<>`.

+ ```azurecli

+ az account set --subscription "<SUBSCRIPTION-NAME>"

+ ```

+1. Set the default workspace. If you're doing this from a compute instance, you can use the following command as is. If you're on any other computer, substitute your resource group and workspace name instead. (You can find these values in [Azure Machine Learning studio](how-to-r-train-model.md#submit-the-job).)

+ ```azurecli

+ az configure --defaults group=$CI_RESOURCE_GROUP workspace=$CI_WORKSPACE

+ ```

+1. Make sure you are in your project directory.

+ ```bash

+ cd r-deploy-azureml

+ ```

+1. To build the image in the cloud, execute the following bash commands in your terminal. Replace `<IMAGE-NAME>` with the name you want to give the image.

+ If your workspace is in a virtual network, see [Enable Azure Container Registry (ACR)](how-to-secure-workspace-vnet.md#enable-azure-container-registry-acr) for additional steps to add `--image-build-compute` to the `az acr build` command in the last line of this code.

+ ```azurecli

+ WORKSPACE=$(az config get --query "defaults[?name == 'workspace'].value" -o tsv)

+ ACR_NAME=$(az ml workspace show -n $WORKSPACE --query container_registry -o tsv | cut -d'/' -f9-)

+ IMAGE_TAG=${ACR_NAME}.azurecr.io/<IMAGE-NAME>

+

+ az acr build ./docker-context -t $IMAGE_TAG -r $ACR_NAME

+ ```

+> [!IMPORTANT]

+> It will take a few minutes for the image to be built. Wait until the build process is complete before proceeding to the next section. Don't close this terminal, you'll use it next to create the deployment.

+The `az acr` command will automatically upload your docker-context folder - that contains the artifacts to build the image - to the cloud where the image will be built and hosted in an Azure Container Registry.

+## Deploy model

+In this section of the article, you'll define and create an [endpoint and deployment](concept-endpoints.md) to deploy the model and image built in the previous steps to a managed online endpoint.

+An *endpoint* is an HTTPS endpoint that clients - such as an application - can call to receive the scoring output of a trained model. It provides:

+> [!div class="checklist"]

+> - Authentication using "key & token" based auth

+> - SSL termination

+> - A stable scoring URI (endpoint-name.region.inference.ml.Azure.com)

+A *deployment* is a set of resources required for hosting the model that does the actual scoring. A **single** *endpoint* can contain **multiple** *deployments*. The load balancing capabilities of Azure Machine Learning managed endpoints allows you to give any percentage of traffic to each deployment. Traffic allocation can be used to do safe rollout blue/green deployments by balancing requests between different instances.

+### Create managed online endpoint

+1. In your project directory, add the **endpoint.yml** file with the following code. Replace `<ENDPOINT-NAME>` with the name you want to give your managed endpoint.

+ ```yml

+ $schema: https://azuremlschemas.azureedge.net/latest/managedOnlineEndpoint.schema.json

+ name: <ENDPOINT-NAME>

+ auth_mode: aml_token

+ ```

+1. Using the same terminal where you built the image, execute the following CLI command to create an endpoint:

+ ```azurecli

+ az ml online-endpoint create -f endpoint.yml

+ ```

+1. Leave the terminal open to continue using it in the next section.

+### Create deployment

+1. To create your deployment, add the following code to the **deployment.yml** file.

+ * Replace `<ENDPOINT-NAME>` with the endpoint name you defined in the **endpoint.yml** file

+ * Replace `<DEPLOYMENT-NAME>` with the name you want to give the deployment

+ * Replace `<MODEL-URI>` with the registered model's URI in the form of `azureml:modelname@latest`

+ * Replace `<IMAGE-TAG>` with the value from:

+

+ ```bash

+ echo $IMAGE_TAG

+ ```

+

+ ```yml

+ $schema: https://azuremlschemas.azureedge.net/latest/managedOnlineDeployment.schema.json

+ name: <DEPLOYMENT-NAME>

+ endpoint_name: <ENDPOINT-NAME>

+ code_configuration:

+ code: ./src

+ scoring_script: plumber.R

+ model: <MODEL-URI>

+ environment:

+ image: <IMAGE-TAG>

+ inference_config:

+ liveness_route:

+ port: 8000

+ path: /live

+ readiness_route:

+ port: 8000

+ path: /ready

+ scoring_route:

+ port: 8000

+ path: /score

+ instance_type: Standard_DS2_v2

+ instance_count: 1

+ ```

+1. Next, in your terminal execute the following CLI command to create the deployment (notice that you're setting 100% of the traffic to this model):

+ ```azurecli

+ az ml online-deployment create -f r-deployment.yml --all-traffic --skip-script-validation

+ ```

+> [!NOTE]

+> It may take several minutes for the service to be deployed. Wait until deployment is finished before proceeding to the next section.

+## Test

+Once your deployment has been successfully created, you can test the endpoint using studio or the CLI:

+# [Studio](#tab/azure-studio)

+Navigate to the [Azure Machine Learning studio](https://ml.azure.com) and select from the left-hand menu **Endpoints**. Next, select the **r-endpoint-iris** you created earlier.

+Enter the following json into the **Input data to rest real-time endpoint** textbox:

+```json

+{

+ "forecast_horizon" : [2]

+}

+```

+Select **Test**. You should see the following output:

+# [Azure CLI](#tab/cli)

+### Create a sample request

+In your project parent folder, create a file called **sample_request.json** and populate it with:

+```json

+{

+ "forecast_horizon" : [2]

+}

+```

+### Invoke the endpoint

+Invoke the request. This example uses the name r-endpoint-forecast:

+```azurecli

+az ml online-endpoint invoke --name r-endpoint-forecast --request-file sample_request.json

+```

+## Clean-up resources

+Now that you've successfully scored with your endpoint, you can delete it so you don't incur ongoing cost:

+```azurecli

+az ml online-endpoint delete --name r-endpoint-forecast

+```

+## Next steps

+For more information about using R with Azure Machine Learning, see [Overview of R capabilities in Azure Machine Learning](how-to-r-overview-r-capabilities.md)

+ Title: Use R interactively on Azure Machine Learning

+description: 'Learn how to work with R interactively on Azure Machine Learning'

+ms.devlang: r

+# Interactive R development

+This article will show you how to use R on a compute instance in Azure Machine Learning studio, running an R kernel in a Jupyter notebook.

+Many R users also use RStudio, a popular IDE. You can install RStudio or Posit Workbench in a custom container on a compute instance. However, there are limitations with the container in reading and writing to your Azure Machine Learning workspace.

+> [!IMPORTANT]

+> The code shown in this article works on an Azure Machine Learning compute instance. The compute instance has environment and configuration file necessary for the code to run successfully.

+## Prerequisites

+- If you don't have an Azure subscription, create a free account before you begin. Try the [free or paid version of Azure Machine Learning](https://azure.microsoft.com/free/) today

+- An [Azure Machine Learning workspace and a compute instance](quickstart-create-resources.md)

+- A basic understand of using Jupyter notebooks in Azure Machine Learning studio. For more information, see [Quickstart: Run Jupyter notebooks in studio](quickstart-run-notebooks.md)

+## Run R in a notebook in studio

+You'll use a notebook in your Azure Machine Learning workspace, on a compute instance.

+1. Sign in to [Azure Machine Learning studio](https://ml.azure.com)

+1. Open your workspace if it isn't already open

+1. On the left navigation, select **Notebooks**

+1. Create a new notebook, named **RunR.ipynb**

+ > [!TIP]

+ > If you're not sure how to create and work with notebooks in studio, review [Quickstart: Run Jupyter notebooks in studio](quickstart-run-notebooks.md).

+1. Select the notebook.

+1. On the notebook toolbar, make sure your compute instance is running. If not, start it now.

+1. On the notebook toolbar, switch the kernel to **R**.

+ :::image type="content" source="media/how-to-r-interactive-development/r-kernel.png" alt-text="Screenshot: Switch the notebook kernel to use R." lightbox="media/how-to-r-interactive-development/r-kernel.png":::

+Your notebook is now ready for you to run R commands.

+## Access data

+You can upload files to your workspace file storage and access them in R. But for files stored in Azure [_data assets_ or data from _datastores_](concept-data.md), you first need to install a few packages.

+This section describes how to use Python and the `reticulate` package to load your data assets and datastores into R from an interactive session. You'll read tabular data as Pandas DataFrames using the [`azureml-fsspec`](/python/api/azureml-fsspec/?view=azure-ml-py&preserve-view=true) Python package and the `reticulate` R package.

+To install these packages:

+1. Create a new file on the compute instance, called **setup.sh**.

+1. Copy this code into the file:

+ :::code language="bash" source="~/azureml-examples-mavaisma-r-azureml/tutorials/using-r-with-azureml/01-setup-compute-instance-for-interactive-r/setup-ci-for-interactive-data-reads.sh":::

+1. Select **Save and run script in terminal** to run the script

+The install script performs the following steps:

+* `pip` installs `azureml-fsspec` in the default conda environment for the compute instance

+* Installs the R `reticulate` package if necessary (version must be 1.26 or greater)

+### Read tabular data from registered data assets or datastores

+When your data is stored in a data asset [created in Azure Machine Learning](how-to-create-data-assets.md?tabs=cli#create-a-file-asset), use these steps to read that tabular file into an R `data.frame`:

+> [!NOTE]

+> Reading a file with `reticulate` only works with tabular data.

+1. Ensure you have the correct version of `reticulate`. If the version is less than 1.26, try to use a newer compute instance.

+ ```r

+ packageVersion("reticulate")

+ ```

+1. Load `reticulate` and set the conda environment where `azureml-fsspec` was installed

+ [!Notebook-r[](~/azureml-examples-mavaisma-r-azureml/tutorials/using-r-with-azureml/02-develop-in-interactive-r/work-with-data-assets.ipynb?name=reticulate)]

+1. Find the URI path to the data file.

+ 1. First, get a handle to your workspace

+ [!Notebook-r[](~/azureml-examples-mavaisma-r-azureml/tutorials/using-r-with-azureml/02-develop-in-interactive-r/work-with-data-assets.ipynb?name=configure-ml_client)]

+

+ 1. Use this code to retrieve the asset. Make sure to replace `<DATA_NAME>` and `<VERSION_NUMBER>` with the name and number of your data asset.

+ > [!TIP]

+ > In studio, select **Data** in the left navigation to find your data asset's name and version number.

+

+ [!Notebook-r[](~/azureml-examples-mavaisma-r-azureml/tutorials/using-r-with-azureml/02-develop-in-interactive-r/work-with-data-assets.ipynb?name=get-uri)]

+

+ 1. Run the code to retrieve the URI.

+ [!Notebook-r[](~/azureml-examples-mavaisma-r-azureml/tutorials/using-r-with-azureml/02-develop-in-interactive-r/work-with-data-assets.ipynb?name=py_run_string)]

+

+1. Use Pandas read functions to read the file(s) into the R environment

+ [!Notebook-r[](~/azureml-examples-mavaisma-r-azureml/tutorials/using-r-with-azureml/02-develop-in-interactive-r/work-with-data-assets.ipynb?name=read-uri)]

+## Install R packages

+There are many R packages pre-installed on the compute instance.

+When you want to install other packages, you'll need to explicitly state the location and dependencies.

+> [!TIP]

+> When you create or use a different compute instance, you'll need to again install any packages you've installed.

+For example, to install the `tsibble` package:

+```r

+install.packages("tsibble",

+ dependencies = TRUE,

+ lib = "/home/azureuser")

+```

+> [!NOTE]

+> Since you are installing packages within an R session running in a Jupyter notebook, `dependencies = TRUE` is required. Otherwise, dependent packages will not be automatically installed. The lib location is also required to install in the correct compute instance location.

+## Load R libraries

+Add `/home/azureuser` to the R library path.

+```r

+.libPaths("/home/azureuser")

+```

+> [!TIP]

+> You need to update the `.libPaths` in each interactive R script to access user installed libraries. Add this code to the top of each interactive R script or notebook.

+Once the libPath is updated, load libraries as usual

+```r

+library('tsibble')

+```

+## Use R in the notebook

+Other than the above issues, use R as you would in any other environment, such as your local workstation. In your notebook or script, you can read and write to the path where the notebook/script is stored.

+> [!NOTE]

+> - From an interactive R session, you can only write to the workspace file system.

+> - From an interactive R session, you can't interact with MLflow (such as, log model or query registry).

+## Next steps

+* [Adapt your R script to run in production](how-to-r-modify-script-for-production.md)

+ Title: Adapt your R script to run in production

+description: 'Learn how to modify your existing R scripts to run in production on Azure Machine Learning'

+ms.devlang: r

+# Adapt your R script to run in production

+This article explains how to take an existing R script and make the appropriate changes to run it as a job in Azure Machine Learning.

+You'll have to make most of, if not all, of the changes described in detail in this article.

+## Remove user interaction

+Your R script must be designed to run unattended and will be executed via the `Rscript` command within the container. Make sure you remove any interactive inputs or outputs from the script.

+## Add parsing

+If your script requires any sort of input parameter (most scripts do), pass the inputs into the script via the `Rscript` call.

+```bash

+Rscript <name-of-r-script>.R

+--data_file ${{inputs.<name-of-yaml-input-1>}}

+--brand ${{inputs.<name-of-yaml-input-2>}}

+```

+In your R script, parse the inputs and make the proper type conversions. We recommend that you use the `optparse` package.

+The following snippet shows how to:

+* initiate the parser

+* add all your inputs as options

+* parse the inputs with the appropriate data types

+You can also add defaults, which are handy for testing. We recommend that you add an `--output` parameter with a default value of `./outputs` so that any output of the script will be stored.

+```r

+library(optparse)

+parser <- OptionParser()

+parser <- add_option(

+ parser,

+ "--output",

+ type = "character",

+ action = "store",

+ default = "./outputs"

+)

+parser <- add_option(

+ parser,

+ "--data_file",

+ type = "character",

+ action = "store",

+ default = "data/myfile.csv"

+)

+parser <- add_option(

+ parser,

+ "--brand",

+ type = "double",

+ action = "store",

+ default = 1

+)

+args <- parse_args(parser)

+```

+`args` is a named list. You can use any of these parameters later in your script.

+## Source the `azureml_utils.R` helper script

+You must source a helper script called `azureml_utils.R` script in the same working directory of the R script that will be run. The helper script is required for the running R script to be able to communicate with the MLflow server. The helper script provides a method to continuously retrieve the authentication token, since the token changes quickly in a running job. The helper script also allows you to use the logging functions provided in the [R MLflow API](https://MLflow.org/docs/latest/R-api.html) to log models, parameters, tags and general artifacts.

+1. Create your file, `azureml_utils.R`, with this code:

+ ::: code language="r" source="~/azureml-examples-mavaisma-r-azureml/tutorials/using-r-with-azureml/03-train-model-job/src/azureml_utils.R" :::

+1. Start your R script with the following line:

+```r

+source("azureml_utils.R")

+```

+## Read data files as local files

+When you run an R script as a job, Azure Machine Learning takes the data you specify in the job submission and mounts it on the running container. Therefore you'll be able to read the data file(s) as if they were local files on the running container.

+* Make sure your source data is registered as a data asset

+* Pass the data asset by name in the job submission parameters

+* Read the files as you normally would read a local file

+Define the input parameter as shown in the [parameters section](#add-parsing). Use the parameter, `data-file`, to specify a whole path, so that you can use `read_csv(args$data_file)` to read the data asset.

+## Save job artifacts (images, data, etc.)

+> [!IMPORTANT]

+> This section does not apply to models. See the following two sections for model specific saving and logging instructions.

+You can store arbitrary script outputs like data files, images, serialized R objects, etc. that are generated by the R script in Azure Machine Learning. Create a `./outputs` directory to store any generated artifacts (images, models, data, etc.) Any files saved to `./outputs` will be automatically included in the run and uploaded to the experiment at the end of the run. Since you added a default value for the `--output` parameter in the [input parameters](#add-parsing) section, include the following code snippet in your R script to create the `output` directory.

+```r

+if (!dir.exists(args$output)) {

+ dir.create(args$output)

+}

+```

+After you create the directory, save your artifacts to that directory. For example:

+```r

+# create and save a plot

+library(ggplot2)

+myplot <- ggplot(...)

+ggsave(myplot,

+ filename = "./outputs/myplot.png")

+# save an rds serialized object

+saveRDS(myobject, file = "./outputs/myobject.rds")

+```

+## `crate` your models with the `carrier` package

+The [R MLflow API documentation](https://MLflow.org/docs/latest/models.html#r-function-crate) specifies that your R models need to be of the `crate` _model flavor_.

+* If your R script trains a model and you produce a model object, you'll need to `crate` it to be able to deploy it at a later time with Azure Machine Learning.

+* When using the `crate` function, use explicit namespaces when calling any package function you need.

+Let's say you have a timeseries model object called `my_ts_model` created with the `fable` package. In order to make this model callable when it's deployed, create a `crate` where you'll pass in the model object and a forecasting horizon in number of periods:

+```r

+library(carrier)

+crated_model <- crate(function(x)

+{

+ fabletools::forecast(!!my_ts_model, h = x)

+})

+```

+The `crated_model` object is the one you'll log.

+## Log models, parameters, tags, or other artifacts with the R MLflow API

+In addition to [saving any generated artifacts](#save-job-artifacts-images-data-etc), you can also log models, tags, and parameters for each run. Use the R MLflow API to do so.

+When you log a model, you log the _crated model_ you created as described in the [previous section](#crate-your-models-with-the-carrier-package).

+> [!NOTE]

+> When you log a model, the model is also saved and added to the run artifacts. There is no need to explicitly save a model unless you did not log it.

+To log a model, and/or parameter:

+1. Start the run with `mlflow_start_run()`

+1. Log artifacts with `mlflow_log_model`, `mlflow_log_param`, or `mlflow_log_batch`

+1. Do **not** end the run with `mlflow_end_run()`. Skip this call, as it currently causes an error.

+For example, to log the `crated_model` object as created in the [previous section](#crate-your-models-with-the-carrier-package), you would include the following code in your R script:

+> [!TIP]

+> Use `models` as value for `artifact_path` when logging a model, this is a best practice (even though you can name it something else.)

+```r

+mlflow_start_run()

+mlflow_log_model(

+ model = crated_model, # the crate model object

+ artifact_path = "models" # a path to save the model object to

+ )

+mlflow_log_param(<key-name>, <value>)

+# mlflow_end_run() - causes an error, do not include mlflow_end_run()

+```

+## Script structure and example

+Use these code snippets as a guide to structure your R script, following all the changes outlined in this article.

+```r

+# BEGIN R SCRIPT

+# source the azureml_utils.R script which is needed to use the MLflow back end

+# with R

+source("azureml_utils.R")

+# load your packages here. Make sure that they are installed in the container.

+library(...)

+# parse the command line arguments.

+library(optparse)

+parser <- OptionParser()

+parser <- add_option(

+ parser,

+ "--output",

+ type = "character",

+ action = "store",

+ default = "./outputs"

+)

+parser <- add_option(

+ parser,

+ "--data_file",

+ type = "character",

+ action = "store",

+ default = "data/myfile.csv"

+)

+parser <- add_option(

+ parser,

+ "--brand",

+ type = "double",

+ action = "store",

+ default = 1

+)

+args <- parse_args(parser)

+# your own R code goes here

+# - model building/training

+# - visualizations

+# - etc.

+# create the ./outputs directory

+if (!dir.exists(args$output)) {

+ dir.create(args$output)

+}

+# log models and parameters to MLflow

+mlflow_start_run()

+mlflow_log_model(

+ model = crated_model, # the crate model object

+ artifact_path = "models" # a path to save the model object to

+ )

+mlflow_log_param(<key-name>, <value>)

+# mlflow_end_run() - causes an error, do not include mlflow_end_run()

+## END OF R SCRIPT

+```

+## Create an environment

+To run your R script, you'll use the `ml` extension for Azure CLI, also referred to as CLI v2. The `ml` command uses a YAML job definitions file. For more information about submitting jobs with `az ml`, see [Train models with Azure Machine Learning CLI](how-to-train-model.md?tabs=azurecli#4-submit-the-training-job).

+The YAML job file specifies an [environment](concept-environments.md). You'll need to create this environment in your workspace before you can run the job.

+

+You can create the environment in [Azure Machine Learning studio](how-to-manage-environments-in-studio.md#create-an-environment) or with [the Azure CLI](how-to-manage-environments-v2.md#create-an-environment-from-a-docker-image).

+Whatever method you use, you'll use a Dockerfile. All Docker context files for R environments must have the following specification in order to work on Azure Machine Learning:

+```dockerfile

+FROM rocker/tidyverse:latest

+# Install python

+RUN apt-get update -qq && \

+ apt-get install -y python3-pip tcl tk libz-dev libpng-dev

+RUN ln -f /usr/bin/python3 /usr/bin/python

+RUN ln -f /usr/bin/pip3 /usr/bin/pip

+RUN pip install -U pip

+# Install azureml-MLflow

+RUN pip install azureml-MLflow

+RUN pip install MLflow

+# Create link for python

+RUN ln -f /usr/bin/python3 /usr/bin/python

+# Install R packages required for logging with MLflow (these are necessary)

+RUN R -e "install.packages('MLflow', dependencies = TRUE, repos = 'https://cloud.r-project.org/')"

+RUN R -e "install.packages('carrier', dependencies = TRUE, repos = 'https://cloud.r-project.org/')"

+RUN R -e "install.packages('optparse', dependencies = TRUE, repos = 'https://cloud.r-project.org/')"

+RUN R -e "install.packages('tcltk2', dependencies = TRUE, repos = 'https://cloud.r-project.org/')"

+```

+The base image is `rocker/tidyverse:latest`, which has many R packages and their dependencies already installed.

+> [!IMPORTANT]

+> You must install any R packages your script will need to run in advance. Add more lines to the Docker context file as needed.

+```dockerfile

+RUN R -e "install.packages('<package-to-install>', dependencies = TRUE, repos = 'https://cloud.r-project.org/')"

+```

+## Additional suggestions

+Some additional suggestions you may want to consider:

+- Use R's `tryCatch` function for exception and error handling

+- Add explicit logging for troubleshooting and debugging

+## Next steps

+* [How to train R models in Azure Machine Learning](how-to-r-train-model.md)

+ Title: Bring R workloads into Azure Machine Learning

+description: 'Learn how to bring your R workloads into Azure Machine Learning'

+ms.devlang: r

+# Bring your R workloads

+There's no Azure Machine Learning SDK for R. Instead, you'll use either the CLI or a Python control script to run your R scripts.

+This article outlines the key scenarios for R that are supported in Azure Machine Learning and known limitations.

+## Typical R workflow

+A typical workflow for using R with Azure Machine Learning:

+- [Develop R scripts interactively](how-to-r-interactive-development.md) using Jupyter Notebooks on a compute instance. (While you can also add Posit or RStudio to a compute instance, you can't currently access data assets in the workspace from these applications on the compute instance. So for now, interactive work is best done in a Jupyter notebook.)

+ - Read tabular data from a registered data asset or datastore

+ - Install additional R libraries

+ - Save artifacts to the workspace file storage

+- [Adapt your script](how-to-r-modify-script-for-production.md) to run as a production job in Azure Machine Learning

+ - Remove any code that may require user interaction

+ - Add command line input parameters to the script as necessary

+ - Include and source the `azureml_utils.R` script in the same working directory of the R script to be executed

+ - Use `crate` to package the model

+ - Include the R/MLflow functions in the script to **log** artifacts, models, parameters, and/or tags to the job on MLflow

+- [Submit remote asynchronous R jobs](how-to-r-train-model.md) (you submit jobs via the CLI or Python SDK, not R)

+ - Build an environment

+ - Log job artifacts, parameters, tags and models

+- [Register your model](how-to-r-train-model.md#register-model) using Azure Machine Learning studio

+- [Deploy registered R models](how-to-r-deploy-r-model.md) to managed online endpoints

+ - Use the deployed endpoints for real-time inferencing/scoring

+## Known limitations

+ 

+| Limitation | Do this instead |

+|||

+| There's no R _control-plane_ SDK. | Use the Azure CLI or Python control script to submit jobs. |

+| RStudio running as a custom application (such as Posit or RStudio) within a container on the compute instance can't access workspace assets or MLflow. | Use Jupyter Notebooks with the R kernel on the compute instance. |

+| Interactive querying of workspace MLflow registry from R isn't supported. | |

+| Nested MLflow runs in R are not supported. | |

+| Parallel job step isn't supported. | Run a script in parallel `n` times using different input parameters. But you'll have to meta-program to generate `n` YAML or CLI calls to do it. |

+| Programmatic model registering/recording from a running job with R isn't supported. | |

+| Zero code deployment (that is, automatic deployment) of an R MLflow model is currently not supported. | Create a custom container with `plumber` for deployment. |

+| Scoring an R model with batch endpoints isn't supported. | |

+| AzureML online deployment yml can only use image URIs directly from the registry for the environment specification; not pre-built environments from the same Dockerfile. | Follow the steps in [How to deploy a registered R model to an online (real time) endpoint](how-to-r-deploy-r-model.md) for the correct way to deploy. |

+## Next steps

+Learn more about R in Azure Machine Learning:

+* [Interactive R development](how-to-r-interactive-development.md)

+* [Adapt your R script to run in production](how-to-r-modify-script-for-production.md)

+* [How to train R models in Azure Machine Learning](how-to-r-train-model.md)

+* [How to deploy an R model to an online (real time) endpoint](how-to-r-deploy-r-model.md)

+ Title: Train R models

+description: 'Learn how to train your machine learning model with R for use in Azure Machine Learning.'

+ms.devlang: r

+# Run an R job to train a model

+This article explains how to take the R script that you [adapted to run in production](how-to-r-modify-script-for-production.md) and set it up to run as an R job using the AzureML CLI V2.

+> [!NOTE]

+> Although the title of this article refers to _training_ a model, you can actually run any kind of R script as long as it meets the requirements listed in the adapting article.

+## Prerequisites

+- An [Azure Machine Learning workspace](quickstart-create-resources.md).

+- [A registered data asset](how-to-create-data-assets.md) that your training job will use.

+- Azure [CLI and ml extension installed](how-to-configure-cli.md). Or use a [compute instance in your workspace](quickstart-create-resources.md), which has the CLI pre-installed.

+- [A compute cluster](how-to-create-attach-compute-cluster.md) or [compute instance](quickstart-create-resources.md#create-compute-instance) to run your training job.

+- [An R environment](how-to-r-modify-script-for-production.md#create-an-environment) for the compute cluster to use to run the job.

+## Create a folder with this structure

+Create this folder structure for your project:

+```

+📁 r-job-azureml

+Γö£ΓöÇ src

+Γöé Γö£ΓöÇ azureml_utils.R

+Γöé Γö£ΓöÇ r-source.R

+Γö£ΓöÇ job.yml

+```

+> [!IMPORTANT]

+> All source code goes in the `src` directory.

+* The **r-source.R** file is the R script that you adapted to run in production

+* The **azureml_utils.R** file is necessary. The source code is shown [here](how-to-r-modify-script-for-production.md#source-the-azureml_utilsr-helper-script)

+## Prepare the job YAML

+AzureML CLI v2 has different [different YAML schemas](reference-yaml-overview.md) for different operations. You'll use the [job YAML schema](reference-yaml-job-command.md) to submit a job. This is the **job.yml** file that is a part of this project.

+You'll need to gather specific pieces of information to put into the YAML:

+- The name of the registered data asset you'll use as the data input (with version): `azureml:<REGISTERED-DATA-ASSET>:<VERSION>`

+- The name of the environment you created (with version): `azureml:<R-ENVIRONMENT-NAME>:<VERSION>`

+- The name of the compute cluster: `azureml:<COMPUTE-CLUSTER-NAME>`

+> [!TIP]

+> For AzureML artifacts that require versions (data assets, environments), you can use the shortcut URI `azureml:<AZUREML-ASSET>@latest` to get the latest version of that artifact if you don't need to set a specific version.

+### Sample YAML schema to submit a job

+Edit your **job.yml** file to contain the following. Make sure to replace values shown `<IN-BRACKETS-AND-CAPS>` and remove the brackets.

+```yml

+$schema: https://azuremlschemas.azureedge.net/latest/commandJob.schema.json

+# the Rscript command goes in the command key below. Here you also specify

+# which parameters are passed into the R script and can reference the input

+# keys and values further below

+# Modify any value shown below <IN-BRACKETS-AND-CAPS> (remove the brackets)

+command: >

+Rscript <NAME-OF-R-SCRIPT>.R

+--data_file ${{inputs.datafile}}

+--other_input_parameter ${{inputs.other}}

+code: src # this is the code directory

+inputs:

+ datafile: # this is a registered data asset

+ type: uri_file

+ path: azureml:<REGISTERED-DATA-ASSET>@latest

+ other: 1 # this is a sample parameter, which is the number 1 (as text)

+environment: azureml:<R-ENVIRONMENT-NAME>@latest

+compute: azureml:<COMPUTE-CLUSTER-OR-INSTANCE-NAME>

+experiment_name: <NAME-OF-EXPERIMENT>

+description: <DESCRIPTION>

+```

+## Submit the job

+In the following commands in this section, you may need to know:

+- The AzureML workspace name

+- The resource group name where the workspace is

+- The subscription where the workspace is

+Find these values from [Azure Machine Learning studio](https://ml.azure.com):

+1. Sign in and open your workspace.

+1. In the upper right Azure Machine Learning studio toolbar, select your workspace name.

+1. You can copy the values from the section that appears.

+To submit the job, run the following commands in a terminal window:

+1. Change directories into the `r-job-azureml`.

+ ```bash

+ cd r-job-azureml

+ ```

+1. Sign in to Azure. If you're doing this from an [Azure Machine Learning compute instance](quickstart-create-resources.md#create-compute-instance), use:

+ ```azurecli

+ az login --identity

+ ```

+ If you're not on the compute instance, omit `--identity` and follow the prompt to open a browser window to authenticate.

+1. Make sure you have the most recent versions of the CLI and the `ml` extension:

+

+ ```azurecli

+ az upgrade

+ ```

+1. If you have multiple Azure subscriptions, set the active subscription to the one you're using for your workspace. (You can skip this step if you only have access to a single subscription.) Replace `<SUBSCRIPTION-NAME>` with your subscription name. Also remove the brackets `<>`.

+ ```azurecli

+ az account set --subscription "<SUBSCRIPTION-NAME>"

+ ```

+1. Now use CLI to submit the job. If you are doing this on a compute instance in your workspace, you can use environment variables for the workspace name and resource group as show in the following code. If you are not on a compute instance, replace these values with your workspace name and resource group.

+ ```azurecli

+ az ml job create -f job.yml --workspace-name $CI_WORKSPACE --resource-group $CI_RESOURCE_GROUP

+ ```

+Once you've submitted the job, you can check the status and results in studio:

+1. Sign in to [Azure Machine Learning studio](https://ml.azure.com).

+1. Select your workspace if it isn't already loaded.

+1. On the left navigation, select **Jobs**.

+1. Select the **Experiment name** that you used to train your model.

+1. Select the **Display name** of the job to view details and artifacts of the job, including metrics, images, child jobs, outputs, logs, and code used in the job.

+## Register model

+Finally, once the training job is complete, register your model if you want to deploy it. Start in the studio from the page showing your job details.

+1. On the toolbar at the top, select **+ Register model**.

+1. Select **MLflow** for the **Model type**.

+1. Select the folder which contains the model.

+1. Select **Next**.

+1. Supply the name you wish to use for your model. Add **Description**, **Version**, and **Tags** if you wish.

+1. Select **Next**.

+1. Review the information.

+1. Select **Register**.

+You'll see a confirmation that the model is registered.

+## Next steps

+

+Now that you have a registered model, learn [How to deploy an R model to an online (real time) endpoint](how-to-r-deploy-r-model.md).

+ Title: How to set up private access (preview) in Azure Managed Grafana

+description: How to disable public access to your Azure Managed Grafana instance and configure private endpoints.

+# Set up private access (preview) in Azure Managed Grafana

+In this guide, you'll learn how to disable public access to your Azure Managed Grafana instance and set up private endpoints. Setting up private endpoints in Azure Managed Grafana increases security by limiting incoming traffic only to specific network.

+> [!IMPORTANT]

+> Private access is currently in PREVIEW.

+> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+## Prerequisites

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free).

+- An existing Managed Grafana workspace. [Create one if you haven't already](quickstart-managed-grafana-portal.md).

+## Disable public access to a workspace

+Public access is enabled by default when you create an Azure Grafana workspace. Disabling public access prevents all traffic from accessing the resource unless you go through a private endpoint.

+> [!NOTE]

+> When private access (preview) is enabled, pinging charts using the [*Pin to Grafana*](/azure/azure-monitor/visualize/grafana-plugin#pin-charts-from-the-azure-portal-to-azure-managed-grafana) feature will no longer work as the Azure portal canΓÇÖt access Azure Managed Grafana instances using a private IP address.

+To disable access to an Azure Managed Grafana instance from public network, follow these steps:

+### [Portal](#tab/azure-portal)

+1. Navigate to your Azure Managed Grafana workspace in the Azure portal.

+1. In the left-hand menu, under **Settings**, select **Networking (Preview)**.

+1. Under **Public Access**, select **Disabled** to disable public access to the Azure Managed Grafana instance and only allow access through private endpoints. If you already had public access disabled and instead wanted to enable public access to your Azure Managed Grafana instance, you would select **Enabled**.

+1. Select **Save**.

+ :::image type="content" source="media/private-endpoints/disable-public-access.png" alt-text="Screenshot of the Azure portal disabling public access.":::

+### [Azure CLI](#tab/azure-cli)

+In the CLI, run the [az grafana update](/cli/azure/grafana#az-grafana-update) command and replace the placeholders `<grafana-workspace>` and `<resource-group>` with your own information:

+```azurecli-interactive

+az grafana update --name <grafana-workspace> resource-group <resource-group> --public-network-access disabled

+```

+## Create a private endpoint

+Once you have disabled public access, set up a [private endpoint](../private-link/private-endpoint-overview.md) with Azure Private Link. Private endpoints allow access to your Azure Managed Grafana instance using a private IP address from a virtual network.

+### [Portal](#tab/azure-portal)

+1. In **Networking (Preview)**, select the **Private Access** tab and then **Add** to start setting up a new private endpoint.

+ :::image type="content" source="media/private-endpoints/add-private-endpoint.png" alt-text="Screenshot of the Azure portal selecting Add button.":::

+1. Fill out the **Basics** tab with the following information:

+ | Parameter | Description | Example |

+ ||--|-|

+ | Subscription | Select an Azure subscription. Your private endpoint must be in the same subscription as your virtual network. You'll select a virtual network later in this how-to guide. | *MyAzureSubscription* |

+ | Resource group | Select a resource group or create a new one. | *MyResourceGroup* |

+ | Name | Enter a name for the new private endpoint for your Azure Managed Grafana instance. | *MyPrivateEndpoint* |

+ | Network Interface Name | This field is completed automatically. Optionally edit the name of the network interface. | *MyPrivateEndpoint-nic* |

+ | Region | Select a region. Your private endpoint must be in the same region as your virtual network. | *(US) West Central US* |

+ :::image type="content" source="media/private-endpoints/create-endpoint-basics.png" alt-text="Screenshot of the Azure portal filling out Basics tab.":::

+1. Select **Next : Resource >**. Private Link offers options to create private endpoints for different types of Azure resources. The current Azure Managed Grafana instance is automatically filled in the **Resource** field.

+ 1. The resource type **Microsoft.Dashboard/grafana** and the target sub-resource **grafana** indicate that you're creating an endpoint for an Azure Managed Grafana workspace.

+ 1. The name of your instance is listed under **Resource**.

+ :::image type="content" source="media/private-endpoints/create-endpoint-resource.png" alt-text="Screenshot of the Azure portal filling out Resource tab.":::

+1. Select **Next : Virtual Network >**.

+ 1. Select an existing **Virtual network** to deploy the private endpoint to. If you don't have a virtual network, [create a virtual network](../private-link/create-private-endpoint-portal.md#create-a-virtual-network-and-bastion-host).

+ 1. Select a **Subnet** from the list.

+ 1. **Network policy for private endpoints** is disabled by default. Optionally, select **edit** to add a network security group or a route table policy. This change would affect all private endpoints associated to the selected subnet.

+ 1. Under **Private IP configuration**, select the option to allocate IP addresses dynamically. For more information, refer to [Private IP addresses](../virtual-network/ip-services/private-ip-addresses.md#allocation-method).

+ 1. Optionally, you can select or create an **Application security group**. Application security groups allow you to group virtual machines and define network security policies based on those groups.

+ :::image type="content" source="media/private-endpoints/create-endpoint-vnet.png" alt-text="Screenshot of the Azure portal filling out virtual network tab.":::

+1. Select **Next : DNS >** to configure a DNS record. If you don't want to make changes to the default settings, you can move forward to the next tab.

+ 1. For **Integrate with private DNS zone**, select **Yes** to integrate your private endpoint with a private DNS zone. You may also use your own DNS servers or create DNS records using the host files on your virtual machines.

+ 1. A subscription and resource group for your private DNS zone are preselected. You can change them optionally.

+ To learn more about DNS configuration, go to [Name resolution for resources in Azure virtual networks](../virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances.md#name-resolution-that-uses-your-own-dns-server) and [DNS configuration for Private Endpoints](../private-link/private-endpoint-overview.md#dns-configuration).

+ :::image type="content" source="media/private-endpoints/create-endpoint-dns.png" alt-text="Screenshot of the Azure portal filling out DNS tab.":::

+1. Select **Next : Tags >** and optionally create tags. Tags are name/value pairs that enable you to categorize resources and view consolidated billing by applying the same tag to multiple resources and resource groups.

+1. Select **Next : Review + create >** to review information about your Azure Managed Grafana instance, private endpoint, virtual network and DNS. You can also select **Download a template for automation** to reuse JSON data from this form later.

+1. Select **Create**.

+Once deployment is complete, you'll get a notification that your endpoint has been created. If it's auto-approved, you can start accessing your instance privately. Otherwise, you will have to wait for approval.

+### [Azure CLI](#tab/azure-cli)

+1. To set up your private endpoint (preview), you need a virtual network. If you don't have one yet, create a virtual network with [az network vnet create](/cli/azure/network/vnet#az-network-vnet-create). Replace the placeholder texts `<vnet>`, `<resource-group>`, `<subnet>`, and `<vnet-location>` with the name of your new virtual network, resource group, and name, and vnet location.

+ ```azurecli-interactive

+ az network vnet create --name <vnet> --resource-group <resource-group> --subnet-name <subnet> --location <vnet-location>

+ ```

+ > [!div class="mx-tdBreakAll"]

+ > | Placeholder | Description | Example |

+ > ||-|-|

+ > | `<vnet>` | Enter a name for your new virtual network. A virtual network enables Azure resources to communicate privately with each other, and with the internet. | `MyVNet` |

+ > | `<resource-group>` | Enter the name of an existing resource group for your virtual network. | `MyResourceGroup` |

+ > | `<subnet>` | Enter a name for your new subnet. A subnet is a network inside a network. This is where the private IP address is assigned. | `MySubnet` |

+ > | `<vnet-location>`| Enter an Azure region. Your virtual network must be in the same region as your private endpoint. | `centralus` |

+1. Run the command [az grafana show](/cli/azure/grafana#az-grafana-show) to retrieve the properties of the Azure Managed Grafana workspace, for which you want to set up private access. Replace the placeholder `<grafana-workspace` with the name of your workspace.

+ ```azurecli-interactive

+ az grafana show --name <grafana-workspace>

+ ```

+ This command generates an output with information about your Azure Managed Grafana workspace. Note down the `id` value. For instance: `/subscriptions/123/resourceGroups/MyResourceGroup/providers/Microsoft.Dashboard/grafana/my-azure-managed-grafana`.

+1. Run the command [az network private-endpoint create](/cli/azure/network/private-endpoint#az-network-private-endpoint-create) to create a private endpoint for your Azure Managed Grafana instance. Replace the placeholder texts `<resource-group>`, `<private-endpoint>`, `<vnet>`, `<private-connection-resource-id>`, `<connection-name>`, and `<location>` with your own information.

+ ```azurecli-interactive

+ az network private-endpoint create --resource-group <resource-group> --name <private-endpoint> --vnet-name <vnet> --subnet Default --private-connection-resource-id <private-connection-resource-id> --connection-name <connection-name> --location <location> --group-id grafana

+ ```

+ > [!div class="mx-tdBreakAll"]

+ > | Placeholder | Description | Example |

+ > ||-|-|

+ > | `<resource-group>` | Enter the name of an existing resource group for your private endpoint. | `MyResourceGroup` |

+ > | `<private-endpoint>` | Enter a name for your new private endpoint. | `MyPrivateEndpoint` |

+ > | `<vnet>` | Enter the name of an existing vnet. | `Myvnet` |

+ > | `<private-connection-resource-id>` | Enter your Azure Managed Grafana workspace's private connection resource ID. This is the ID you saved from the output of the previous step. | `/subscriptions/123/resourceGroups/MyResourceGroup/providers/Microsoft.Dashboard/grafana/my-azure-managed-grafana`|

+ > | `<connection-name>` | Enter a connection name. |`MyConnection` |

+ > | `<location>` | Enter an Azure region. Your private endpoint must be in the same region as your virtual network. |`centralus` |

+## Manage private link connection

+### [Portal](#tab/azure-portal)

+Go to **Networking (Preview)** > **Private Access** in your Azure Managed Grafana workspace to access the private endpoints linked to your instance.

+1. Check the connection state of your private link connection. When you create a private endpoint, the connection must be approved. If the resource for which you're creating a private endpoint is in your directory and you have [sufficient permissions](../private-link/rbac-permissions.md), the connection request will be auto-approved. Otherwise, you must wait for the owner of that resource to approve your connection request. For more information about the connection approval models, go to [Manage Azure Private Endpoints](../private-link/manage-private-endpoint.md#private-endpoint-connections).

+1. To manually approve, reject or remove a connection, select the checkbox next to the endpoint you want to edit and select an action item from the top menu.

+1. Select the name of the private endpoint to open the private endpoint resource and access more information or to edit the private endpoint.

+ :::image type="content" source="media/private-endpoints/create-endpoint-approval.png" alt-text="Screenshot of the Azure portal, manage private endpoint.":::

+### [Azure CLI](#tab/azure-cli)

+#### Review private endpoint connection details

+Run the [az network private-endpoint-connection list](/cli/azure/network/private-endpoint-connection#az-network-private-endpoint-connection-list) command to review all private endpoint connections linked to your Azure Managed Grafana workspace and check their connection state. Replace the placeholders `<resource-group>` and `<grafana-workspace>` with the name of the resource group and Azure Managed Grafana workspace.

+```azurecli-interactive

+az network private-endpoint-connection list --resource-group <resource-group> --name <grafana-workspace> --type Microsoft.Dashboard/grafana

+```

+Optionally, to get the details of a specific private endpoint, use the [az network private-endpoint-connection show](/cli/azure/network/private-endpoint-connection#az-network-private-endpoint-connection-show) command. Replace the placeholder texts `<resource-group>` and `<grafana-workspace>` with the name of the resource group and the name of the Azure Managed Grafana workspace.

+```azurecli-interactive

+az network private-endpoint-connection show --resource-group <resource-group> --name <grafana-workspace> --type Microsoft.Dashboard/grafana

+```

+#### Get connection approval

+When you create a private endpoint, the connection must be approved. If the resource for which you're creating a private endpoint is in your directory and you have [sufficient permissions](../private-link/rbac-permissions.md), the connection request will be auto-approved. Otherwise, you must wait for the owner of that resource to approve your connection request.

+To approve a private endpoint connection, use the [az network private-endpoint-connection approve](/cli/azure/network/private-endpoint-connection#az-network-private-endpoint-connection-approve) command. Replace the placeholder texts `<resource-group>`, `<private-endpoint>`, and `<grafana-workspace>` with the name of the resource group, the name of the private endpoint and the name of the Azure Managed Grafana resource.

+```azurecli-interactive

+az network private-endpoint-connection approve --resource-group <resource-group> --name <private-endpoint> --type Microsoft.Dashboard/grafana --resource-name <grafana-workspace>

+```

+For more information about the connection approval models, go to [Manage Azure Private Endpoints](../private-link/manage-private-endpoint.md#private-endpoint-connections).

+#### Delete a private endpoint connection

+To delete a private endpoint connection, use the [az network private-endpoint-connection delete](/cli/azure/network/private-endpoint-connection#az-network-private-endpoint-connection-delete) command. Replace the placeholder texts `<resource-group>` and `<private-endpoint>` with the name of the resource group and the name of the private endpoint.

+```azurecli-interactive

+az network private-endpoint-connection delete --resource-group <resource-group> --name <private-endpoint>

+```

+For more CLI commands, go to [az network private-endpoint-connection](/cli/azure/network/private-endpoint-connection#az-network-private-endpoint-connection)

+If you have issues with a private endpoint, check the following guide: [Troubleshoot Azure Private Endpoint connectivity problems](../private-link/troubleshoot-private-endpoint-connectivity.md).

+## Next steps

+> [!div class="nextstepaction"]

+> [Share an Azure Managed Grafana instance](./how-to-share-grafana-workspace.md)

+ :::image type="content" source="media/domain-transition/grafana-domain-view-endpoint.png" alt-text="Screenshot of the Azure platform showing the Grafana endpoint URL.":::

+Azure Managed Grafana has the following known limitations:

+1. Ensure that the fields mappings are set up correctly. Here's the list of fields that the connector needs to be entered on the form.

+ :::image type="content" source="./media/commercial-marketplace-lead-management-instructions-marketo/marketo-6.png" alt-text="Screenshot showing the Marketo Embed Code screen.":::

+ The following method is another way to figure out these values:

+ - Get your subscription's Munchkin ID by going to your **Admin** > **Munchkin** menu in the **Munchkin Account ID** field, or from the first part of your Marketo REST API host subdomain (`https://{Munchkin ID}.mktorest.com`).

+## Obtain API access from your Marketo Admin

+1. Ensure that the **Custom service created** indicates Partner Center.

+ :::image type="content" source="./media/commercial-marketplace-lead-management-instructions-marketo/customer-leads.png" alt-text="Screenshot showing the Partner Center Customer leads page.":::

+ :::image type="content" source="./media/commercial-marketplace-lead-management-instructions-marketo/choose-lead-destination.png" alt-text="Screenshot showing the lead destination page.":::

+

+This article provides the necessary details that allow you to secure outbound traffic from your Azure Red Hat OpenShift cluster (ARO). With the release of the [Egress Lockdown Feature](./concepts-egress-lockdown.md), all of the required connections for a private cluster are proxied through the service. There are additional destinations that you may want to allow to use features such as Operator Hub, or Red Hat telemetry. An [example](#private-aro-cluster-setup) is be provided at the end showing how to configure these requirements with Azure Firewall. Keep in mind, you can apply this information to Azure Firewall or to any outbound restriction method or appliance.

+The following FQDNs are proxied through the service, and won't need additional firewall rules. They're here for informational purposes.

+| **`arosvc.azurecr.io`** | **HTTPS:443** | Global Internal Private registry for ARO Operators. Required if you don't allow the service-endpoints Microsoft.ContainerRegistry on your subnets. |

+| **`arosvc.$REGION.data.azurecr.io`** | **HTTPS:443** | Regional Internal Private registry for ARO Operators. Required if you don't allow the service-endpoints Microsoft.ContainerRegistry on your subnets. |

+| **`management.azure.com`** | **HTTPS:443** | Used by the cluster to access Azure APIs. |

+| **`login.microsoftonline.com`** | **HTTPS:443** | Used by the cluster for authentication to Azure. |

+| **`*.monitor.core.windows.net`** | **HTTPS:443** | Used for Microsoft Geneva Monitoring so that the ARO team can monitor the customer's cluster(s). |

+| **`*.monitoring.core.windows.net`** | **HTTPS:443** | Used for Microsoft Geneva Monitoring so that the ARO team can monitor the customer's cluster(s). |

+| **`*.blob.core.windows.net`** | **HTTPS:443** | Used for Microsoft Geneva Monitoring so that the ARO team can monitor the customer's cluster(s). |

+| **`*.servicebus.windows.net`** | **HTTPS:443** | Used for Microsoft Geneva Monitoring so that the ARO team can monitor the customer's cluster(s). |

+| **`*.table.core.windows.net`** | **HTTPS:443** | Used for Microsoft Geneva Monitoring so that the ARO team can monitor the customer's cluster(s). |

+- **`*.quay.io`**: May be used to download images from the Red Hat managed Quay registry. Also a possible fall-back target for ARO required system images. If your firewall can't use wildcards, you can find the [full list of subdomains in the Red Hat documentation.](https://docs.openshift.com/container-platform/latest/installing/install_config/configuring-firewall.html)

+You can opt out of telemetry, but make sure you understand this feature before doing so: https://docs.openshift.com/container-platform/4.6/support/remote_health_monitoring/about-remote-health-monitoring.html

+- **`access.redhat.com`**: Used in conjunction with `registry.access.redhat.com` when pulling images. Failure to add this access could result in an error message.

+If you're copying your pull secret or referencing it in other scripts, format your pull secret as a valid JSON string.

+Example rule for telemetry to work. Additional possibilities are listed [here](https://docs.openshift.com/container-platform/4.3/installing/install_config/configuring-firewall.html#configuring-firewall_configuring-firewall):

+ | **Resource group** |Specify whether you want to create a new resource group or use an existing one. A [resource group](/azure/azure-resource-manager/management/overview) is a container that holds related resources for an Azure solution.|

+ These logs provide insight into the operations on your resources at the [control plane](/azure/azure-resource-manager/management/control-plane-and-data-plane). These logs also include updates on service-health events.

+1. To send Azure resource logs to New Relic, select **Azure resource logs** for all supported resource types. The types of Azure resource logs are listed in [Azure Monitor Resource Log categories](/azure/azure-monitor/essentials/resource-logs-categories).

+ These logs provide insight into operations that were taken on an Azure resource at the [data plane](/azure/azure-resource-manager/management/control-plane-and-data-plane). For example, getting a secret from a key vault is a data plane operation. Making a request to a database is also a data plane operation. The content of resource logs varies by the Azure service and resource type.

+ Azure charges for logs sent to New Relic. For more information, see the [pricing of platform logs](https://azure.microsoft.com/pricing/details/monitor/) to Azure Marketplace partners.

+ | **Resource group** | Specify whether you want to create a new resource group or use an existing one. A [resource group](/azure/azure-resource-manager/management/overview) is a container that holds related resources for an Azure solution.|

+- **Send subscription activity logs**: These logs provide insight into the operations on your resources at the [control plane](/azure/azure-resource-manager/management/control-plane-and-data-plane). The logs also include updates on service-health events.

+- **Azure resource logs**: These logs provide insight into operations that were taken on an Azure resource at the [data plane](/azure/azure-resource-manager/management/control-plane-and-data-plane). For example, getting a secret from a key vault is a data plane operation. Making a request to a database is also a data plane operation. The content of resource logs varies by the Azure service and resource type.

+1. To send Azure resource logs to New Relic, select **Send Azure resource logs for all defined resources**. The types of Azure resource logs are listed in [Azure Monitor resource log categories](/azure/azure-monitor/essentials/resource-logs-categories).

+- MVU is currently not supported for PgBouncer,AAD,CMK enabled servers. We are going to support this during GA.

+The current minor release is **14.6**. Refer to the [PostgreSQL documentation](https://www.postgresql.org/docs/release/14.5/) to learn more about improvements and fixes in this release. New servers will be created with this minor version.

+The current minor release is **13.9**. Refer to the [PostgreSQL documentation](https://www.postgresql.org/docs/release/13.8/) to learn more about improvements and fixes in this release. New servers will be created with this minor version.

+The current minor release is **12.13**. Refer to the [PostgreSQL documentation](https://www.postgresql.org/docs/release/12.12/) to learn more about improvements and fixes in this release. New servers will be created with this minor version. Your existing servers will be automatically upgraded to the latest supported minor version in your future scheduled maintenance window.

+The current minor release is **11.18**. Refer to the [PostgreSQL documentation](https://www.postgresql.org/docs/release/11.17/) to learn more about improvements and fixes in this release. New servers will be created with this minor version. Your existing servers will be automatically upgraded to the latest supported minor version in your future scheduled maintenance window.

+* Support for [extension](concepts-extensions.md) semver with new servers^$

+* Public Preview of [Major Version Upgrade](concepts-major-version-upgrade.md) for Azure Database for PostgreSQL ΓÇô Flexible Server.

+* Support for [Geo-redundant backup feature](./concepts-backup-restore.md#geo-redundant-backup-and-restore) when using [Disk Encryption with Customer Managed Key (CMK)](./concepts-data-encryption.md#how-data-encryption-with-a-customer-managed-key-work) feature.

+* Support for [minor versions](./concepts-supported-versions.md) 14.6, 13.9, 12.13, 11.18. ^$

+ Title: "Tutorial: Migrate Azure Database for PostgreSQL - Single Server to Flexible Server using the Azure CLI"

+description: "Learn about migrating your Single Server databases to Azure Database for PostgreSQL Flexible Server by using the Azure CLI."

+# Tutorial: Migrate Azure Database for PostgreSQL - Single Server to Flexible Server by using the Azure CLI

+You can migrate an instance of Azure Database for PostgreSQL ΓÇô Single Server to Azure Database for PostgreSQL ΓÇô Flexible Server by using the Azure Command Line Interface (CLI). In this tutorial, we perform migration of a sample database from an Azure Database for PostgreSQL single server to a PostgreSQL flexible server using the Azure CLI.

+In this tutorial, you learn about:

+> [!div class="checklist"]

+>

+> * Prerequisites

+> * Getting started

+> * Migration CLI commands

+> * Monitor the migration

+> * Cancel the migration

+> * Migration best practices

+## Prerequisites

+To complete this tutorial, you need to:

+* Use an existing instance of Azure Database for PostgreSQL ΓÇô Single Server (the source server)

+* All extensions used on the Single Server (source) must be [allow-listed on the Flexible Server (target)](./concepts-single-to-flexible.md#allow-list-required-extensions)

+> [!IMPORTANT]

+> To provide the best migration experience, performing migration using a burstable instance of Flexible server is not supported. Please use a general purpose or a memory optimized instance (4 VCore or higher) as your Target Flexible server to perform the migration. Once the migration is complete, you can downscale back to a burstable instance if necessary.

+* Create the target flexible server. For guided steps, refer to the quickstart [Create an Azure Database for PostgreSQL flexible server using the Portal](../flexible-server/quickstart-create-server-portal.md) or [Create an Azure Database for PostgreSQL flexible server using the CLI](../flexible-server/quickstart-create-server-cli.md)

+ If the Azure CLI is already installed, check the version by using the `az version` command. The version should be **2.45.0** or later to use the migration CLI commands. If not, [update your Azure CLI version](/cli/azure/update-azure-cli).

+ A browser window opens with the Azure sign-in page. Provide your Azure credentials to do a successful authentication. For other ways to sign with the Azure CLI, refer [this article](/cli/azure/authenticate-azure-cli).

+Allow-list all required extensions as shown in [Migrate from Azure Database for PostgreSQL Single Server to Flexible Server](./concepts-single-to-flexible.md#allow-list-required-extensions). It is important to allow-list the extensions before you initiate a migration using this tool.

+The above command gives you the following output:

+### Create a migration using the Azure CLI

+The above command gives you the following result:

+It lists the expected arguments and has an example syntax for successfully creating a migration from the source server to the target server. Here's the CLI command to create a new migration:

+ [--properties]

+The `migration-name` argument used in the `create` command will be used in other CLI commands, such as `update`, `delete`, and `show.` In all those commands, it uniquely identifies the migration attempt in the corresponding actions.

+Finally, the `create` command needs a JSON file to be passed as part of its `properties` argument.

+ }

+"OverwriteDBsInTarget":"true"

+The `create` parameters that go into the json file format are as shown below:

+| `SourceDBServerResourceId` | Required | This parameter is the resource ID of the Single Server source and is mandatory. |

+| `OverwriteDBsinTarget` | Required | When set to true (default), if the target server happens to have an existing database with the same name as the one you're trying to migrate, migration tool automatically overwrites the database. |

+| `SourceDBServerFullyQualifiedDomainName` | Optional | Use it when a custom DNS server is used for name resolution for a virtual network. Provide the FQDN of the Single Server source according to the custom DNS server for this property. |

+| `TargetDBServerFullyQualifiedDomainName` | Optional | Use it when a custom DNS server is used for name resolution inside a virtual network. Provide the FQDN of the Flexible Server target according to the custom DNS server. <br> `SourceDBServerFullyQualifiedDomainName` and `TargetDBServerFullyQualifiedDomainName` are included as a part of the JSON only in the rare scenario that a custom DNS server is used for name resolution instead of Azure-provided DNS. Otherwise, don't include these parameters as a part of the JSON file. |

+Note these important points for the command response:

+- As soon as the `create` command is triggered, the migration moves to the `InProgress` state and the `PerformingPreRequisiteSteps` substate. The migration workflow takes a couple of minutes to deploy the migration infrastructure and setup connections between the source and target.

+- After the `PerformingPreRequisiteSteps` substate is completed, the migration moves to the substate of `Migrating Data`, where the Cloning/Copying of the databases take place.

+- Each database migrated has its own section with all migration details, such as table count, incremental inserts, deletions, and pending bytes.

+- The time that the `Migrating Data` substate takes to finish depends on the size of databases that are migrated.

+- The migration moves to the `Succeeded` state as soon as the `Migrating Data` substate finishes successfully. If there's a problem at the `Migrating Data` substate, the migration moves into a `Failed` state.

+>[!NOTE]

+> Gentle reminder to [allow-list the extensions](./concepts-single-to-flexible.md#allow-list-required-extensions) before you execute **Create** in case it is not yet done. It is important to allow-list the extensions before you initiate a migration using this tool.

+### List the migration(s)

+The `list` command lists all the migration attempts made to a Flexible Server target:

+The `filter` parameter has two options:

+- `Active`: Lists the current active migration attempts (in progress) into the target server. It does not include the migrations that have reached a failed, canceled, or succeeded state.

+- `All`: Lists all the migration attempts into the target server. This includes both the active and past migrations, regardless of the state.

+For more information about this command, use the `help` parameter:

+## Monitor the migration

+The `show` command helps you monitor ongoing migrations and gives the current state and substate of the migration.

+These details include information on the current state and substate of the migration.

+az postgres flexible-server migration show [--subscription]

+The `migration_name` parameter is the name you have assigned to the migration during the `create` command. Here's a snapshot of the sample response from the CLI command for showing details:

+The following tables describe the migration states and substates.

+| Migration state | Description |

+| - | - |

+| `InProgress` | The migration infrastructure is set up, or the actual data migration is in progress. |

+| `Canceled` | The migration is canceled or deleted. |

+| `Failed` | The migration has failed. |

+| `Succeeded` | The migration has succeeded and is complete. |

+| Migration substate | Description |

+| - | - |

+| `PerformingPreRequisiteSteps` | Infrastructure is set up and is prepped for data migration. |

+| `MigratingData` | Data migration is in progress. |

+| `CompletingMigration` | Migration cutover is in progress. |

+| `Completed` | Cutover was successful, and migration is complete. |

+## Cancel the migration

+You can cancel any ongoing migration attempts by using the `cancel` command. This command stops the particular migration attempt, but it doesn't drop or roll back any changes on your target server. Here's the CLI command to delete a migration:

+az postgres flexible-server migration update cancel [--subscription]

+az postgres flexible-server migration update cancel --subscription 11111111-1111-1111-1111-111111111111 --resource-group my-learning-rg --name myflexibleserver --migration-name migration1"

+ az postgres flexible-server migration update cancel -- help

+The command gives you the following output:

+## Migration best practices

+- For a successful end-to-end migration, follow the post-migration steps in [Migrate from Azure Database for PostgreSQL Single Server to Flexible Server](./concepts-single-to-flexible.md#best-practices).

+You can scale up your pricing tier, compute, and storage easily using the following command. You can see all the server operation you can perform [az postgres server overview](/cli/azure/postgres/server)

+> | [Reader and Data Access](#reader-and-data-access) | Lets you view everything but

+. It will also allow read/write access to all data contained in a storage account via access to storage account keys. | c12c1c16-33a1-487b-954d-41c89c60f349 |

+Lets you view everything but will not let you delete or create a storage account. It will also allow read/write/delete access to all data contained in a storage account via access to storage account keys.

+ "description": "Lets you view everything but will not let you delete or create a storage account. It will also allow read/write/delete access to all data contained in a storage account via access to storage account keys.",

+- February 17, 2023: Add support and Sentinel sections, few other minor updates in [RISE with SAP integration](rise-integration.md)

+For customers with SAP solutions such as RISE with SAP Enterprise Cloud Services (ECS) and SAP S/4HANA Cloud, private edition (PCE) deployed in Azure, integrating the SAP managed environment with their own Azure ecosystem and third party applications is of particular importance. The following article explains the concepts and best practices to follow for a secure and performant solution.

+## Azure support aspects

+RISE with SAP S/4HANA Cloud, private edition and SAP Enterprise Cloud Services are SAP managed services of your SAP landscape, in an Azure subscription owned by SAP. This means all Azure resources of your SAP environment are visible and managed only by SAP. In turn, the customer's own Azure environment contains applications that interact with the SAP systems. Elements such as virtual networks, network security groups, firewalls, routing, Azure services such as Azure Data Factory and others running inside the customer subscription accessing the SAP managed applications. When engaging with Azure support on Azure topics, only resources owned in your own customer subscriptions are in scope. Contact SAP for issues with any resources operated in SAP's Azure subscriptions for your RISE workload.

+As part of your RISE project, document the interface points between on-premises, your own Azure environment and SAP workload managed by SAP. This needs to include any network information such as address space, firewall(s) and routing, network file shares, Azure services, DNS and others. Document ownership of any interface partner and where any resource is running, so this information you can access quickly in a support situation and determine your best way to obtain support. Contact SAP's support organization for services running in SAP's Azure subscriptions.

+A vnet peering is the most performant way to connect securely and privately two standalone vnets, utilizing the Microsoft private backbone network. The peered networks appear as one for connectivity purposes, allowing applications to talk to each other. Applications running in different vnets, subscriptions, Azure tenants or regions can communicate directly. Like network traffic on a single vnet, vnet peering traffic remains on MicrosoftΓÇÖs private network and doesn't traverse the internet.

+SAP managed workload should run in the same [Azure region](https://azure.microsoft.com/global-infrastructure/geographies/) as customerΓÇÖs central infrastructure and applications accessing it. Virtual network peering can be set up within the same region as your SAP managed environment, but also through [global virtual network peering](../../virtual-network/virtual-network-peering-overview.md) between any two Azure regions. With SAP RISE/ECS available in many Azure regions, the region should match with workload running in customer vnets due to latency and vnet peering cost considerations. However, some of the scenarios (for example, central S/4HANA deployment for a multi-national, globally presented company) also require to peer networks globally.

+Since SAP RISE/ECS runs in SAPΓÇÖs Azure tenant and subscriptions, set up the virtual network peering between [different tenants](../../virtual-network/create-peering-different-subscriptions.md). You accomplish this by setting up the peering with the SAP provided networkΓÇÖs Azure resource ID and have SAP approve the peering. Add a user from the opposite Azure AD tenant as a guest user, accept the guest user invitation and follow process documented at [Create a vnet peering - different subscriptions](../../virtual-network/create-peering-different-subscriptions.md). Contact your SAP representative for the exact steps required. Engage the respective team(s) within your organization that deal with network, user administration and architecture to enable this process to be completed swiftly.

+Migration of your SAP landscape to ECS/RISE is done in several phases over several months or longer. Some of your SAP environments are migrated already and in use productively, while other SAP systems are prepared for migration. In most customer projects the biggest and most critical systems are migrated in the middle or at end of the project. You need to consider having ample bandwidth for data migration or database replication, and not impact the network path of your users to the already productive ECS/RISE environments. Already migrated SAP systems also might need to communicate with the SAP landscape still on-premises or at existing service provider.

+During your migration planning to ECS/RISE, plan how in each phase SAP systems are reachable for your user base and how data transfer to ECS/RISE vnet is routed. Often multiple locations and parties are involved, such as existing service provider and data centers with own connection to your corporate network. Make sure no temporary solutions with VPN connections are created without considering how in later phases SAP data gets migrated for the business critical and largest systems.