-|`SIGN_UP_SIGN_IN_POLICY_AUTHORITY`|The **Sign in and sign up** user flow authority such as `https://<your-tenant-name>.b2clogin.com/<your-tenant-name>.onmicrosoft.com/<sign-in-sign-up-user-flow-name>`. Replace `<your-tenant-name>` with the name of your tenant and `<sign-in-sign-up-user-flow-name>` with the name of your Sign in and Sign up user flow such as `B2C_1_susi`. Learn how to [Get your tenant name](tenant-management.md#get-your-tenant-name). |

-1. Replace `<TENANT_NAME>` with the first part of your Azure AD B2C [tenant name](tenant-management.md#get-your-tenant-name) (for example, `https://contoso.b2clogin.com/contoso.onmicrosoft.com`).

-1. Replace `<TENANT_NAME>` with the first part of your Azure AD B2C [tenant name](tenant-management.md#get-your-tenant-name) (for example, `https://contoso.b2clogin.com/contoso.onmicrosoft.com`).

- 1. Replace `<TENANT_NAME>` with the first part of your Azure AD B2C [tenant name](tenant-management.md#get-your-tenant-name) (for example, `https://contoso.b2clogin.com/contoso.onmicrosoft.com`). If you have a [custom domains](custom-domain.md) configure, you can use that custom domain. Replace your B2C tenant name, contoso.onmicrosoft.com, in the authentication request URL with your tenant ID GUID. For example, you can change `https://fabrikamb2c.b2clogin.com/contoso.onmicrosoft.com/` to `https://account.contosobank.co.uk/<tenant ID GUID>/`.

-|`SIGN_UP_SIGN_IN_POLICY_AUTHORITY`|The **Sign in and sign up** user flow authority for the user flow you created in [step 1](#step-1-configure-your-user-flow) such as `https://<your-tenant-name>.b2clogin.com/<your-tenant-name>.onmicrosoft.com/<sign-in-sign-up-user-flow-name>`. Replace `<your-tenant-name>` with the name of your tenant and `<sign-in-sign-up-user-flow-name>` with the name of your Sign in and Sign up user flow such as `B2C_1_susi`. Learn how to [Get your tenant name](tenant-management.md#get-your-tenant-name). |

- - For `tenantName`, use the [name of your tenant name](tenant-management.md#get-your-tenant-name) such as `fabrikamb2c`.

-| [authorities](../active-directory/develop/msal-client-application-configuration.md#authority)| The authority is a URL that indicates a directory that the MSAL can request tokens from. Use the following format: `https://<your-tenant-name>.b2clogin.com/<your-tenant-name>.onmicrosoft.com/<your-sign-in-sign-up-policy>`. Replace `<your-tenant-name>` with your Azure AD B2C [tenant name](tenant-management.md#get-your-tenant-name). Then, replace `<your-sign-in-sign-up-policy>` with the user flows or custom policy that you created in [step 1](#step-1-configure-your-user-flow). |

-| azureAdB2CHostName| The first part of your Azure AD B2C [tenant name](tenant-management.md#get-your-tenant-name) (for example, `https://contoso.b2clogin.com`).|

-| tenantName| Your Azure AD B2C tenant full [tenant name](tenant-management.md#get-your-tenant-name) (for example, `contoso.onmicrosoft.com`).|

-| b2cPolicies | authorities | Replace `your-tenant-name` with your Azure AD B2C [tenant name](tenant-management.md#get-your-tenant-name). For example, use `contoso.onmicrosoft.com`. Then, replace the policy name with the user flow or custom policy that you created in [step 1](#step-1-configure-your-user-flow). For example: `https://<your-tenant-name>.b2clogin.com/<your-tenant-name>.onmicrosoft.com/<your-sign-in-sign-up-policy>`. |

-| b2cPolicies | authorityDomain|Your Azure AD B2C [tenant name](tenant-management.md#get-your-tenant-name). For example: `contoso.onmicrosoft.com`. |

-|credentials|tenantName| The first part of your Azure AD B2C [tenant name](tenant-management.md#get-your-tenant-name). For example: `contoso`.|

-|credentials| issuer| (Optional) The token issuer `iss` claim value. Azure AD B2C by default returns the token in the following format: `https://<your-tenant-name>.b2clogin.com/<your-tenant-ID>/v2.0/`. Replace `<your-tenant-name>` with the first part of your Azure AD B2C [tenant name](tenant-management.md#get-your-tenant-name). Replace `<your-tenant-ID>` with your [Azure AD B2C tenant ID](tenant-management.md#get-your-tenant-id). |

-|kTenantName| Your Azure AD B2C tenant full [tenant name](tenant-management.md#get-your-tenant-name) (for example, `contoso.onmicrosoft.com`).|

-|kAuthorityHostName|The first part of your Azure AD B2C [tenant name](tenant-management.md#get-your-tenant-name) (for example, `contoso.b2clogin.com`).|

-|`b2c_tenant`| The first part of your Azure AD B2C [tenant name](tenant-management.md#get-your-tenant-name) (for example, `contoso`).|

-| b2cPolicies | authorities | Replace `your-tenant-name` with your Azure AD B2C [tenant name](tenant-management.md#get-your-tenant-name). For example, use `contoso.onmicrosoft.com`. Then, replace the policy name with the user flow or custom policy that you created in [step 1](#step-1-configure-your-user-flow). For example: `https://<your-tenant-name>.b2clogin.com/<your-tenant-name>.onmicrosoft.com/<your-sign-in-sign-up-policy>`. |

-| b2cPolicies | authorityDomain|Your Azure AD B2C [tenant name](tenant-management.md#get-your-tenant-name). For example: `contoso.onmicrosoft.com`. |

-|credentials|tenantName| Your Azure AD B2C [domain/tenant name](tenant-management.md#get-your-tenant-name). For example: `contoso.ommicrosoft.com`.|

-|AzureAdB2C|Instance| The first part of your Azure AD B2C [tenant name](tenant-management.md#get-your-tenant-name). For example, `https://contoso.b2clogin.com`.|

-|AzureAdB2C|Domain| Your Azure AD B2C tenant full [tenant name](tenant-management.md#get-your-tenant-name). For example, `contoso.onmicrosoft.com`.|

-| AzureAdB2C | Instance | The first part of your Azure AD B2C [tenant name](tenant-management.md#get-your-tenant-name) (for example, `https://contoso.b2clogin.com`).|

-|AzureAdB2C|Domain| Your Azure AD B2C tenant full [tenant name](tenant-management.md#get-your-tenant-name) (for example, `contoso.onmicrosoft.com`).|

-|AzureAdB2C|Instance| The first part of your Azure AD B2C [tenant name](tenant-management.md#get-your-tenant-name) (for example, `https://contoso.b2clogin.com`).|

-|AzureAdB2C|Domain| Your Azure AD B2C tenant full [tenant name](tenant-management.md#get-your-tenant-name) (for example, `contoso.onmicrosoft.com`).|

-1. Under **Redirect URI**, select **Public client/native (desktop & desktop)** and then, in the URL box, enter `https://your-tenant-name.b2clogin.com/oauth2/nativeclient`. Replace `your-tenant-name` with your [tenant name](tenant-management.md#get-your-tenant-name). For more options, see [Configure redirect URI](enable-authentication-wpf-desktop-app-options.md#configure-the-redirect-uri).

-|`TenantName`|The first part of your Azure AD B2C [tenant name](tenant-management.md#get-your-tenant-name) (for example, `contoso.b2clogin.com`).|

- |Origin host name| Enter `<tenant-name>.b2clogin.com`. Replace `<tenant-name>` with the [name of your Azure AD B2C tenant](tenant-management.md#get-your-tenant-name) such as `contoso.b2clogin.com`.|

- |`env`| `tenant` | Your Azure AD B2C [tenant name](tenant-management.md#get-your-tenant-name) (for example, contoso.onmicrosoft.com). |

-1. Update the URL of your Azure AD B2C well-Known configuration endpoint with your custom domain and [tenant ID](tenant-management.md#get-your-tenant-id). For more information, see [Use tenant ID](custom-domain.md#optional-use-tenant-id).

-| credentials | tenantName | The first part of your Azure AD B2C [tenant name](tenant-management.md#get-your-tenant-name) (for example, `fabrikamb2c`).|

-1. Update the `kTenantName` class member with your [tenant ID](tenant-management.md#get-your-tenant-id).

-1. Replace all instances of `contoso` with your [Azure AD B2C tenant name](./tenant-management.md#get-your-tenant-name).

-|AzureAdB2C|Instance| The first part of your Azure AD B2C [tenant name](tenant-management.md#get-your-tenant-name) (for example, `https://contoso.b2clogin.com`).|

-|AzureAdB2C|Domain| Your Azure AD B2C tenant full [tenant name](tenant-management.md#get-your-tenant-name) (for example, `contoso.onmicrosoft.com`).|

-| credentials | tenantName | Your Azure AD B2C [tenant name/domain name](tenant-management.md#get-your-tenant-name) (for example, `contoso.onmicrosoft.com`).|

-| credentials | issuer| The token issuer `iss` claim value. By default, Azure AD B2C returns the token in the following format: `https://<your-tenant-name>.b2clogin.com/<your-tenant-ID>/v2.0/`. Replace `<your-tenant-name>` with the first part of your Azure AD B2C [tenant name](tenant-management.md#get-your-tenant-name). Replace `<your-tenant-ID>` with your [Azure AD B2C tenant ID](tenant-management.md#get-your-tenant-id). |

-* **Instance**: Replace `<your-tenant-name>` with the first part of your Azure AD B2C [tenant name](tenant-management.md#get-your-tenant-name) (for example, `https://contoso.b2clogin.com`).

-* **Domain**: Replace `<your-b2c-domain>` with your Azure AD B2C full [tenant name](tenant-management.md#get-your-tenant-name) (for example, `contoso.onmicrosoft.com`).

- 1. Your tenant ID or domain name. See how to find your [tenant ID](tenant-management.md#get-your-tenant-id) or [tenant name](tenant-management.md#get-your-tenant-name).

-Azure AD B2C extends the standard OAuth 2.0 implicit flow to more than simple authentication and authorization. Azure AD B2C introduces the [policy parameter](user-flow-overview.md). With the policy parameter, you can use OAuth 2.0 to add policies to your app, such as sign-up, sign-in, and profile management user flows. In the example HTTP requests in this article, we use **{tenant}.onmicrosoft.com** for illustration. Replace `{tenant}` with [the name of your tenant](tenant-management.md#get-your-tenant-name) if you've one. Also, you need to have [created a user flow](tutorial-create-user-flows.md?pivots=b2c-user-flow).

-| {tenant} | Yes | Name of your [Azure AD B2C tenant](tenant-management.md#get-your-tenant-name). If you're using a [custom domain](custom-domain.md), replace `tenant.b2clogin.com` with your domain, such as `fabrikam.com`. |

-Azure AD B2C correlation ID is a unique identifier value that is attached to authorization requests. It passes through all the orchestration steps a user is taken through. With the correlation ID, you can:

-With the focus on the Azure AD B2C trace explorer, start to type the first digit of the correlation ID, or a time you want to find. You will see a filter box in the top-right of the Azure AD B2C trace explorer showing what you have typed so far, and matching trace logs will be highlighted.

-After you finish developing your policy, you upload the policy to Azure AD B2C. there might be some issues with your policy. Use the following methods to ensure your policy integrity/validity.

-1. From VS Code, click on the **Settings**. For more information, see [User and Workspace Settings](https://code.visualstudio.com/docs/getstarted/settings).

->If you're unable to create Azure AD B2C tenant, review your user settings page to ensure that tenant creation isn't switched off. If tenant creation is switched off, ask your _Global Administrator_ to assign you a _Tenant Creator_ role.

->We highly recommend enabling number matching in the near term for improved sign-in security.

-When a user responds to an MFA push notification using the Authenticator app, they'll be presented with a number. They need to type that number into the app to complete the approval.

-Self-service password reset (SSPR) with Microsoft Authenticator will require number matching when using Microsoft Authenticator. During self-service password reset, the sign-in page will show a number that the user will need to type into the Microsoft Authenticator notification. This number will only be seen by users who are enabled for number matching.

-Combined registration with Microsoft Authenticator will require number matching. When a user goes through combined registration to set up the Authenticator app, the user is asked to approve a notification as part of adding the account. For users who are enabled for number matching, this notification will show a number that they need to type in their Authenticator app notification.

-AD FS adapter will require number matching on supported versions of Windows Server. On earlier versions, users will continue to see the **Approve**/**Deny** experience and wonΓÇÖt see number matching until you upgrade. The AD FS adapter supports number matching only after installing one of the updates in the following table.

-Make sure you run the latest version of the [NPS extension](https://www.microsoft.com/download/details.aspx?id=54688). Until February 27, 2023, users are asked to enter a One-Time Passcode (OTP) for push notifications beginning with NPS extension 1.2.2131.2 _only_ if number matching is enabled. After February 27, 2023, number matching will be enabled by default and all users with push notifications beginning with NPS extension 1.2.2131.2 will be asked to enter an OTP.

-The user must have an OTP authentication method registered to see this behavior. Common OTP authentication methods include the OTP available in Microsoft Authenticator, other software tokens, and so on. For OTP to work, the VPN needs to use PAP protocol. For more information, see [Determine which authentication methods your users can use](howto-mfa-nps-extension.md#determine-which-authentication-methods-your-users-can-use).

->[!NOTE]

->If the user doesn't have an OTP method registered, they'll continue to get the **Approve**/**Deny** experience. A user who can't use an OTP will always see the **Approve**/**Deny** experience with push notifications triggered by a legacy NPS extension.

-Earlier versions of the NPS extension beginning with 1.0.1.40 also support number matching, but you need to create a registry key that overrides push notifications to ask a user to enter an OTP. If you don't create the registry key, or you run a version prior to 1.0.1.40, users who are enabled for number matching will be prompted to **Approve**/**Deny**.

-To create the registry key that overrides push notifications:

-If you're using Remote Desktop Gateway and the user is registered for OTP code along with Microsoft Authenticator push notifications, the user won't be able to meet the Azure AD MFA challenge and Remote Desktop Gateway sign-in will fail. In this case, you can set OVERRIDE_NUMBER_MATCHING_WITH_OTP = FALSE to fall back to push notifications with Microsoft Authenticator.

-### Will the changes on February 27th, 2023, override number matching settings that are configured for a group?

-The **Enable and Target** tab of the Microsoft Authenticator authentication method policy will remain unchanged. Admins can continue to Target specific users and groups or All Users for Push or Any notifications. This change will only impact members of users and groups that are Targeted on the **Enable and Target** tab for Push and/or Any.

-When Microsoft begins protecting all organizations by enabling number matching on February 27th, 2023, administrators will see the **Require number matching for push notifications** setting on the **Configure** tab of the Microsoft Authenticator policy is set to **Enabled** for **All users** and can't be disabled. In addition, the **Exclude** option for this setting will be removed.

-If the user has a different default authentication method, there won't be any change to their default sign-in. If the default method is Microsoft Authenticator and they are members of groups targeted for **Push** or **Any** on the **Enable and Target** tab, they'll start to receive number matching approval on February 27th, 2023.

-Regardless of their default method, any user who is prompted to sign-in with Authenticator will see number match after February 27th, 2023. If the user is prompted for another method, they won't see any change.

-It depends on how the **Enable and Target** tab is configured. The scope for number match approvals will change under the **Configure** tab to include everyone, but it only applies for users and groups targeted on the **Enable and Target** tab for Push or Any. However, if Target on the **Enable and Target** tab is set to specific groups for Push or Any, and the user isn't a member of those groups, then they won't receive the number matching approvals once the change is implemented on February 27th, 2023 because they aren't a member of the groups defined on the **Enable and Target** tab for Push and/or Any.

-You can customize the sign-in page, such as to add a logo that appears along with the image that fits your company branding. For more information on how to configure company branding, see [Add company branding to your sign-in page in Azure AD](../fundamentals/customize-branding.md).

-# Use the portal to create an Azure AD application and service principal that can access resources

-This article shows you how to create a new Azure Active Directory (Azure AD) application and service principal that can be used with the role-based access control. When you have applications, hosted services, or automated tools that need to access or modify resources, you can create an identity for the app. This identity is known as a service principal. Access to resources is restricted by the roles assigned to the service principal, giving you control over which resources can be accessed and at which level. For security reasons, it's always recommended to use service principals with automated tools rather than allowing them to log in with a user identity.

-This article shows you how to use the portal to create the service principal in the Azure portal. It focuses on a single-tenant application where the application is intended to run within only one organization. You typically use single-tenant applications for line-of-business applications that run within your organization. You can also [use Azure PowerShell](howto-authenticate-service-principal-powershell.md) or the [Azure CLI](/cli/azure/create-an-azure-service-principal-azure-cli) to create a service principal.

-## App registration, app objects, and service principals

-There is no way to directly create a service principal using the Azure portal. When you register an application through the Azure portal, an application object and service principal are automatically created in your home directory or tenant. For more information on the relationship between app registration, application objects, and service principals, read [Application and service principal objects in Azure Active Directory](app-objects-and-service-principals.md).

-## Permissions required for registering an app

-You must have sufficient permissions to register an application with your Azure AD tenant, and assign to the application a role in your Azure subscription.

-### Check Azure AD permissions

-1. Select **Azure Active Directory**.

-1. Find your role under **Overview**->**My feed**. If you have the **User** role, you must make sure that non-administrators can register applications.

- :::image type="content" source="media/howto-create-service-principal-portal/view-user-info.png" alt-text="Screenshot showing how to find your role.":::

-1. In the left pane, select **Users** and then **User settings**.

-1. Check the **App registrations** setting. This value can only be set by an administrator. If set to **Yes**, any user in the Azure AD tenant can register an app.

-If the app registrations setting is set to **No**, only users with an administrator role may register these types of applications. See [Azure AD built-in roles](../roles/permissions-reference.md#all-roles) to learn about available administrator roles and the specific permissions in Azure AD that are given to each role. If your account is assigned the User role, but the app registration setting is limited to admin users, ask your administrator to either assign you one of the administrator roles that can create and manage all aspects of app registrations, or to enable users to register apps.

-### Check Azure subscription permissions

-In your Azure subscription, your account must have `Microsoft.Authorization/*/Write` access to assign a role to an AD app. This action is granted through the [Owner](../../role-based-access-control/built-in-roles.md#owner) role or [User Access Administrator](../../role-based-access-control/built-in-roles.md#user-access-administrator) role. If your account is assigned the **Contributor** role, you don't have adequate permission. You will receive an error when attempting to assign the service principal a role.

-To check your subscription permissions:

-1. Search for and select **Subscriptions**, or select **Subscriptions** on the **Home** page.

- :::image type="content" source="media/howto-create-service-principal-portal/select-subscription.png" alt-text="Screenshot how to search subscription permissions.":::

-1. Select the subscription you want to create the service principal in.

- :::image type="content" source="media/howto-create-service-principal-portal/select-one-subscription.png" alt-text="Select subscription for assignment.":::

- If you don't see the subscription you're looking for, select **global subscriptions filter**. Make sure the subscription you want is selected for the portal.

-1. Select **My permissions**. Then, select **Click here to view complete access details for this subscription**.

- :::image type="content" source="media/howto-create-service-principal-portal/view-details.png" alt-text="Select the subscription you want to create the service principal in.":::

-1. Select **Role assignments** to view your assigned roles, and determine if you have adequate permissions to assign a role to an AD app. If not, ask your subscription administrator to add you to User Access Administrator role. In the following image, the user is assigned the Owner role, which means that user has adequate permissions.

- :::image type="content" source="media/howto-create-service-principal-portal/view-user-role.png" alt-text="Screenshot showing the user is assigned the Owner role.":::

-Let's jump straight into creating the identity. If you run into a problem, check the [required permissions](#permissions-required-for-registering-an-app) to make sure your account can create the identity.

-1. Sign in to your Azure Account through the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>.

-1. Select **Azure Active Directory**.

-1. Select **App registrations**.

-1. Select **New registration**.

-1. Name the application, for example "example-app". Select a supported account type, which determines who can use the application. Under **Redirect URI**, select **Web** for the type of application you want to create. Enter the URI where the access token is sent to. You can't create credentials for a [Native application](../app-proxy/application-proxy-configure-native-client-application.md). You can't use that type for an automated application. After setting the values, select **Register**.

-> [!NOTE]

-> You can register multiple applications with the same name in Azure AD, but the applications must have different Application (client) IDs.

-You can set the scope at the level of the subscription, resource group, or resource. Permissions are inherited to lower levels of scope. For example, adding an application to the *Reader* role for a resource group means it can read the resource group and any resources it contains.

-1. In the Azure portal, select the level of scope you wish to assign the application to. For example, to assign a role at the subscription scope, search for and select **Subscriptions**, or select **Subscriptions** on the **Home** page.

- :::image type="content" source="media/howto-create-service-principal-portal/select-subscription.png" alt-text="For example, assign a role at the subscription scope.":::

-1. Select the particular subscription to assign the application to.

- :::image type="content" source="media/howto-create-service-principal-portal/select-one-subscription.png" alt-text="Select subscription for assignment.":::

- If you don't see the subscription you're looking for, select **global subscriptions filter**. Make sure the subscription you want is selected for the portal.

-1. Select **Add** > **Add role assignment** to open the **Add role assignment** page.

-1. In the **Role** tab, select the role you wish to assign to the application in the list. For example, to allow the application to execute actions like **reboot**, **start** and **stop** instances, select the **Contributor** role. Read more about the [available roles](../../role-based-access-control/built-in-roles.md).

- Select the **Next** button to move to the **Members** tab. Select **Assign access to**-> **User, group, or service principal** and then select **Select members**. By default, Azure AD applications aren't displayed in the available options. To find your application, search by name (for example, "example-app") and select it from the returned list. Click the **Select** button. Then click the **Review + assign** button.

-## Get tenant and app ID values for signing in

-When programmatically signing in, pass the tenant ID with your authentication request and the application ID. You also need a certificate or an authentication key (described in the following section). To get those values, use the following steps:

-1. Select **Azure Active Directory**.

-1. Copy the Directory (tenant) ID and store it in your application code.

- :::image type="content" source="media/howto-create-service-principal-portal/copy-tenant-id.png" alt-text="Copy the directory (tenant ID) and store it in your app code.":::

- The directory (tenant) ID can also be found in the default directory overview page.

-1. Copy the **Application ID** and store it in your application code.

- :::image type="content" source="media/howto-create-service-principal-portal/copy-app-id.png" alt-text="Copy the application (client) ID.":::

-## Authentication: Two options

-### Option 1: Upload a certificate

-You can use an existing certificate if you have one. Optionally, you can create a self-signed certificate for *testing purposes only*. To create a self-signed certificate, open PowerShell and run [New-SelfSignedCertificate](/powershell/module/pki/new-selfsignedcertificate) with the following parameters to create the cert in the user certificate store on your computer:

-1. Select **Run** from the **Start** menu, and then enter **certmgr.msc**.

- The Certificate Manager tool for the current user appears.

-1. Right-click on the cert you created, select **All tasks->Export**.

-1. Follow the Certificate Export wizard. Do not export the private key, and export to a .CER file.

-1. Select **Azure Active Directory**.

-1. Select **Certificates** > **Upload certificate** and select the certificate (an existing certificate or the self-signed certificate you exported).

- :::image type="content" source="media/howto-create-service-principal-portal/upload-cert.png" alt-text="Select Upload certificate and select the one you want to add.":::

-1. Select **Azure Active Directory**.

-1. From **App registrations** in Azure AD, select your application.

-1. Select **Client secrets -> New client secret**.

-1. Provide a description of the secret, and a duration. When done, select **Add**.

- After saving the client secret, the value of the client secret is displayed. Copy this value because you won't be able to retrieve the key later. You will provide the key value with the application ID to sign in as the application. Store the key value where your application can retrieve it.

- :::image type="content" source="media/howto-create-service-principal-portal/copy-secret.png" alt-text="Copy the secret value because you can't retrieve this later.":::

-Keep in mind, you might need to configure additional permissions on resources that your application needs to access. For example, you must also [update a key vault's access policies](../../key-vault/general/security-features.md#privileged-access) to give your application access to keys, secrets, or certificates.

-1. In the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>, navigate to your key vault and select **Access policies**.

-1. Select **Add** to add the access policy, then **Save** to commit your changes.

-* Learn how to use [Azure PowerShell](howto-authenticate-service-principal-powershell.md) or [Azure CLI](/cli/azure/create-an-azure-service-principal-azure-cli) to create a service principal.

-* To learn about specifying security policies, see [Azure role-based access control (Azure RBAC)](../../role-based-access-control/role-assignments-portal.md).

-* For a list of available actions that can be granted or denied to users, see [Azure Resource Manager Resource Provider operations](../../role-based-access-control/resource-provider-operations.md).

-* For information about working with app registrations by using **Microsoft Graph**, see the [Applications](/graph/api/resources/application) API reference.

-For the client app, the correct delegated permissions must be granted. Delegated permissions can also be referred to as scopes. Scopes are permissions for a given resource that represent what a client application can access on behalf of the user. For more information about scopes, see [scopes and permissions](v2-permissions-and-consent.md#scopes-and-permissions).

-## October 2022

-### Updated articles

-## October 2022

-### Updated articles

-# Securing external access with groups

-Groups are an essential part of any access control strategy. Azure Active Directory (Azure AD) security groups and Microsoft 365 Groups can be used as the basis for securing access to resources.

-Groups are the best option to use as the basis for the following access control mechanisms:

-* Entitlement Management Access Packages

-* Owners ΓÇô Group owners manage the group settings and its membership.

-* Members ΓÇô Members who inherit the permissions and access assigned to the group.

-* Guests ΓÇô Guests are members from outside of your organization.

-## Determine your group strategy

-As you develop your group strategy to secure external access to your resources, consider [your desired security posture](1-secure-access-posture.md) to determine the following choices.

-* **Who should be able to create groups?** Do you want only administrators to create groups, or do you want employees and or external users to also create these groups.

- * *By default any tenant member can create Azure AD security groups*.

- * You can [restrict access to the portal for non-administrators](../develop/howto-restrict-your-app-to-a-set-of-users.md) and disable group creation ability in [PowerShell.](../enterprise-users/groups-troubleshooting.md)

- * You can also [set up self-service group management in Azure Active Directory](../enterprise-users/groups-self-service-management.md).

- * *By default all users can create Microsoft 365 Groups and groups are open for all (internal and external) users in your tenant to join*.

- * [You can restrict Microsoft 365 Group creation](/microsoft-365/solutions/manage-creation-of-groups) to the members of a particular security group. Use Windows PowerShell to configure this setting.

-* **Who should be able to invite people to groups?** Can all group members be able to add other members, or can only group owners add members?

-* **Who can be invited to groups?** By default, external users can be added to groups.

-Users can be assigned to groups both manually based on the user attributes in their user object, or on other criteria. Users can only be assigned to groups dynamically based on their attributes.

-For example, you can assign users to groups based on their:

-* specific job title or department

-* partner organization to which they belong (manually, or through Connected organizations)

-* user type (Member or Guest)

-* participation in a specific project (manually)

-* location

-Dynamic groups can contain either users or devices, but not both. You add queries based on user attributes to assign users into the dynamic group. The below example shows queries that add users to the group if they are members (not guests) and in the finance department.

-

-For more information on dynamic groups, see [Create or update a dynamic group in Azure Active Directory.](../enterprise-users/groups-create-rule.md)

-### Do not use groups for multiple purposes

-When using groups for security or resource access purposes, it's important that they have a single function. If a group is used to grant access to resources, it shouldn't be used for any other purpose. If a group is used for generic purposes such as to define location or team membership, it shouldn't also be used to secure access.

-We recommend a naming convention for security groups that makes the purpose clear. For example:

-* *Secure_access_finance_apps*

-* *Team_membership_finance_team*

-* *Location_finance_building*

-### Types of groups

-Both Azure AD security groups and Microsoft 365 groups can be created from the Azure AD portal or the Microsoft 365 admin portal. Both types can be used as the basis for securing external access:

-| Considerations | Azure AD security groups (manual and dynamic)| Microsoft 365 Groups |

-| What can the group contain?| Users<br>Groups<br>Service principals<br>Devices| Users only |

-| Where is the group created?| Azure AD portal<br>Microsoft 365 portal (if to be mail enabled)<br>PowerShell<br>Microsoft Graph<br>End user portal| Microsoft 365 portal<br>Azure AD portal<br>PowerShell<br>Microsoft Graph<br>In Microsoft 365 applications |

-| Who creates by default?| Administrators <br>Users| Administrators<br>Users |

-| Who can be added by default?| Internal users (tenant members) and guest users | Tenant members and guests from any organization |

-| What does it grant access to?| Only resources to which it's assigned.| All group-related resources:<br>(Group mailbox, site, team, chats, and other included Microsoft 365 resources)<br>Any other resources to which group is added |

-| Can be used with| Conditional Access<br>Entitlement Management<br>Group licensing| Conditional Access<br>Entitlement Management<br>Sensitivity labels |

-Use Microsoft 365 groups to create and manage a set of Microsoft 365 resources, such as a Team and its associated sites and content. TheyΓÇÖre a great choice for a project-based effort.

-

-[Azure AD security groups](./active-directory-manage-groups.md) can contain users or devices and can be used to manage access to

-* Azure resources such as Microsoft 365 apps, custom apps, and Software as a Service (SaaS) apps such as ServiceNow of Dropbox.

-* Azure data and subscriptions.

-* Azure services.

-Azure AD security groups can also be used to:

-* assign licenses for services such as Microsoft 365, Dynamics 365, and Enterprise Mobility and Security. For more information, see [group-based licensing](./active-directory-licensing-whatis-azure-portal.md).

-* assign elevated permissions. For more information, see [Use Azure AD groups to manage role assignments](../roles/groups-concept.md).

-To create a group [in the Azure portal](./active-directory-groups-create-azure-portal.md) navigate to Azure Active Directory, then to Groups. You can also create Azure AD security groups by using [PowerShell cmdlets](../enterprise-users/groups-settings-v2-cmdlets.md).

-> A security group can be used for assignment of up to 1500 applications, but not more.

-

-> [!IMPORTANT]

-> **To create a mail-enabled security group, go to the [Microsoft 365 Admin center](https://admin.microsoft.com/)**. You cannot create it in the Azure AD portal.

-<br>You must enable a security group for mail at the time of creation. You canΓÇÖt enable it later.

-Hybrid organizations have both an on-premises infrastructure and an Azure AD cloud infrastructure. Many hybrid organizations that use Active Directory create their security groups on-premises and sync them to the cloud. By using this method, only users in the on-premises environment can be added to the security groups.

-**Protect your on-premises infrastructure from compromise, as a breach on-premises can be used to gain access to your Microsoft 365 tenant**. See [Protecting Microsoft 365 from on-premises attacks](./protect-m365-from-on-premises-attacks.md) for guidance.

-[Microsoft 365 Groups](/microsoft-365/admin/create-groups/office-365-groups) are the foundational membership service that drives all access across Microsoft 365. They can be created from the [Azure portal](https://portal.azure.com/), or the [Microsoft 365 portal](https://admin.microsoft.com/). When a Microsoft 365 group is created, you grant access to a group of resources used to collaborate. See [Overview of Microsoft 365 Groups for administrators](/microsoft-365/admin/create-groups/office-365-groups) for a complete listing of these resources.

-Microsoft 365 Groups have the following nuances for their roles:

-* **Owners** - Group owners can add or remove members and have unique administrative permissions in the group, such as the ability to delete conversations from the shared inbox or change group settings. Group owners can rename the group, update the description or picture and more.

-* **Members** - Group members can access everything in the group but can't change group settings. By default, group members can invite guests to join your group. You can [control that setting](/microsoft-365/admin/create-groups/manage-guest-access-in-groups).

-* **Guests** - Group guests are members who are from outside your organization. Guests by default have some limits to functionality in Teams.

-

-You select email alias, privacy, and whether to enable the group for teams at the time of set-up.

-

-After setup, you add members, and configure settings for email usage, etc.

-See the following articles on securing external access to resources. We recommend you take the actions in the listed order.

-1. [Determine your desired security posture for external access](1-secure-access-posture.md)

-2. [Discover your current state](2-secure-access-current-state.md)

-3. [Create a governance plan](3-secure-access-plan.md)

-4. [Use groups for security](4-secure-access-groups.md) (You are here.)

-5. [Transition to Azure AD B2B](5-secure-access-b2b.md)

-6. [Secure access with Entitlement Management](6-secure-access-entitlement-managment.md)

-7. [Secure access with Conditional Access policies](7-secure-access-conditional-access.md)

-8. [Secure access with Sensitivity labels](8-secure-access-sensitivity-labels.md)

-9. [Secure access to Microsoft Teams, OneDrive, and SharePoint](9-secure-access-teams-sharepoint.md)

-description: Use sensitivity labels as a part of your overall security plan for external access.

-# Control access with sensitivity labels

-[Sensitivity labels](/microsoft-365/compliance/sensitivity-labels) help you control access to your content in Office 365 applications, and in containers like Microsoft Teams, Microsoft 365 Groups, and SharePoint sites. They can protect your content without hindering your usersΓÇÖ collaboration and production abilities. Sensitivity labels allow you to send your organizationΓÇÖs content across devices, apps, and services, while protecting your data and meeting your compliance and security policies.

-With sensitivity labels you can:

-* **Classify content without adding any protection settings**. You can assign a classification to content (like a sticker) that persists and roams with your content as itΓÇÖs used and shared. You can use this classification to generate usage reports and see activity data for your sensitive content.

-* **Enforce protection settings such as encryption, watermarks, and access restrictions**. For example, users can apply a Confidential label to a document or email, and that label can [encrypt the content](/microsoft-365/compliance/encryption-sensitivity-labels) and add a ΓÇ£ConfidentialΓÇ¥ watermark. In addition, you can [apply a sensitivity label to a container](/microsoft-365/compliance/sensitivity-labels-teams-groups-sites) like a SharePoint site, and enforce whether external users can access the content it contains.

-Sensitivity labels on email and other content travel with the content. Sensitivity labels on containers can restrict access to the container, but content in the container doesn't inherit the label. For example, a user could take content from a protected site, download it, and then share it without restrictions unless the content also had a sensitivity label.

- >[!NOTE]

->To apply sensitivity labels users must be signed into their Microsoft work or school account.

-## Permissions necessary to create and manage sensitivity levels

-Members of your compliance team who will create sensitivity labels need permissions to the Microsoft 365 Defender portal, Microsoft Purview compliance portal, or Office 365 Security & Compliance Center.

-By default, global administrators for your tenant have access to these admin centers and can give compliance officers and other people access, without giving them all the permissions of a tenant admin. For this delegated limited admin access, add users to the Compliance Data Administrator, Compliance Administrator, or Security Administrator role group.

-## Determine your sensitivity label strategy

-As you think about governing external access to your content, determine the following:

-**For all content and containers**

-* How will you define what is High, Medium, or Low Business Impact (HBI, MBI, LBI)? Consider the impact to your organization if specific types of content are shared inappropriately.

- * Content with specific types of inherently [sensitive content](/microsoft-365/compliance/apply-sensitivity-label-automatically), such as credit cards or passport numbers

- * Content created by specific groups or people (for example, compliance officers, financial officers, or executives)

- * Content in specific libraries or sites. For example, containers hosting organizational strategy or private financial data

- * Other criteria

-* What categories of content (for example HBI content) should be restricted from access by external users?

- * Restrictions can include actions like restricting access to containers, and encrypting content.

-* What defaults should be in place for HBI data, sites, or Microsoft 365 Groups?

-* Where will you use sensitivity labels to [label and monitor](/microsoft-365/compliance/sensitivity-labels), versus to [enforce encryption](/microsoft-365/compliance/encryption-sensitivity-labels) or to [enforce container access restrictions](/microsoft-365/compliance/sensitivity-labels-teams-groups-sites)?

-**For email and content**

-* Do you want to [automatically apply sensitivity labels](/microsoft-365/compliance/apply-sensitivity-label-automatically) to content, or do so manually?

- * If you choose to do so manually, do you want to [recommend that users apply a label](/microsoft-365/compliance/apply-sensitivity-label-automatically)?

-**For containers**

-* What criteria will determine if M365 Groups, Teams, or SharePoint sites require access to be restricted by using sensitivity labels?

-* Do you want to only label content in these containers moving forward, or do you want to [automatically label](/microsoft-365/compliance/apply-sensitivity-label-automatically) existing files in SharePoint and OneDrive?

-See these [common scenarios for sensitivity labels](/microsoft-365/compliance/get-started-with-sensitivity-labels) for other ideas on how you can use sensitivity labels.

-### Sensitivity labels on email and content

-When you assign a sensitivity label to a document or email, it's like a stamp that's applied to content that is customizable, clear text, and persistent.

-* **Customizable** means you can create labels appropriate for your organization and determine what happens when they're applied.

-* **Clear text** means itΓÇÖs a part of the itemΓÇÖs metadata and is readable by applications and services so that they can apply their own protective actions.

-* **Persistent** means the label and any associated protections roam with the content, and become the basis for applying and enforcing policies.

-

-> Each item of content can have a single sensitivity label applied to it.

-### Sensitivity labels on containers

-You can apply sensitivity labels on containers such as [Microsoft 365 Groups](../enterprise-users/groups-assign-sensitivity-labels.md), [Microsoft Teams](/microsoft-365/compliance/sensitivity-labels-teams-groups-sites), and [SharePoint sites](/microsoft-365/compliance/sensitivity-labels-teams-groups-sites). When you apply this sensitivity label to a supported container, the label automatically applies the classification and protection settings to the connected site or group. Sensitivity labels on these containers can control the following aspects of containers:

-* **Privacy**. You can choose who can see the site: specific users, all internal users, or anyone.

-* **External user access**. Controls whether the group owner can add guests to the group.

-* **Access from unmanaged devices**. Determines if and how unmanaged devices can access content.

-

-

-

-When you apply a sensitivity label to a container such as a SharePoint site, it is not applied to content there: sensitivity labels on containers control access to the content within the container.

-* If you want to automatically apply labels to the content within the container, see [Apply a sensitivity to content automatically](/microsoft-365/compliance/apply-sensitivity-label-automatically).

-* If you want users to be able to manually apply labels to this content, be sure that youΓÇÿve [enabled sensitivity labels for Office files in SharePoint and OneDrive](/microsoft-365/compliance/sensitivity-labels-sharepoint-onedrive-files).

-### Plan to implement sensitivity labels

-Once you have determined how you want to use sensitivity labels, and to what content and sites you want to apply them, see the following documentation to help you perform your implementation.

-1. [Get started with sensitivity labels](/microsoft-365/compliance/get-started-with-sensitivity-labels)

-2. [Create a deployment strategy](/microsoft-365/compliance/get-started-with-sensitivity-labels)

-3. [Create and publish sensitivity labels](/microsoft-365/compliance/create-sensitivity-labels)

-4. [Restrict access to content using sensitivity labels to apply encryption](/microsoft-365/compliance/encryption-sensitivity-labels)

-5. [Use sensitivity labels with teams, groups, and sites](/microsoft-365/compliance/sensitivity-labels-teams-groups-sites)

-6. [Enable sensitivity labels for Office files in SharePoint and OneDrive](/microsoft-365/compliance/sensitivity-labels-sharepoint-onedrive-files)

-### Next steps

-See the following articles on securing external access to resources. We recommend you take the actions in the listed order.

-1. [Determine your desired security posture for external access](1-secure-access-posture.md)

-2. [Discover your current state](2-secure-access-current-state.md)

-3. [Create a governance plan](3-secure-access-plan.md)

-4. [Use groups for security](4-secure-access-groups.md)

-5. [Transition to Azure AD B2B](5-secure-access-b2b.md)

-6. [Secure access with Entitlement Management](6-secure-access-entitlement-managment.md)

-7. [Secure access with Conditional Access policies](7-secure-access-conditional-access.md)

-8. [Secure access with Sensitivity labels](8-secure-access-sensitivity-labels.md) (You are here.)

-9. [Secure access to Microsoft Teams, OneDrive, and SharePoint](9-secure-access-teams-sharepoint.md)

-## July 2022

-

-### Public Preview - ADFS to Azure AD: SAML App Multi-Instancing

-**Type:** New feature

-**Service category:** Enterprise Apps

-**Product capability:** SSO

-Users can now configure multiple instances of the same application within an Azure AD tenant. It's now supported for both IdP, and Service Provider (SP), initiated single sign-on requests. Multiple application accounts can now have a separate service principal to handle instance-specific claims mapping and roles assignment. For more information, see:

-### Public Preview - ADFS to Azure AD: Apply RegEx Replace to groups claim content

-**Type:** New feature

-**Service category:** Enterprise Apps

-**Product capability:** SSO

-

-Administrators up until recently has the capability to transform claims using many transformations, however using regular expression for claims transformation wasn't exposed to customers. With this public preview release, administrators can now configure and use regular expressions for claims transformation using portal UX.

-For more information, see:[Customize app SAML token claims - Microsoft Entra | Microsoft Docs](../develop/active-directory-saml-claims-customization.md).

-

-

-### Public Preview - Azure AD Domain Services - Trusts for User Forests

-**Type:** New feature

-**Service category:** Azure AD Domain Services

-**Product capability:** Azure AD Domain Services

-

-You can now create trusts on both user and resource forests. On-premises AD DS users can't authenticate to resources in the Azure AD DS resource forest until you create an outbound trust to your on-premises AD DS. An outbound trust requires network connectivity to your on-premises virtual network on which you have installed Azure AD Domain Service. On a user forest, trusts can be created for on-premises AD forests that aren't synchronized to Azure AD DS.

-To learn more about trusts and how to deploy your own, visit [How trust relationships work for forests in Active Directory](../../active-directory-domain-services/concepts-forest-trust.md).

-

-

-

-### New Federated Apps available in Azure AD Application gallery - July 2022

-**Type:** New feature

-**Service category:** Enterprise Apps

-**Product capability:** 3rd Party Integration

-

-In July 2022 we've added the following 28 new applications in our App gallery with Federation support:

-[Lunni Ticket Service](https://ticket.lunni.io/login), [TESMA](https://tesma.com/), [Spring Health](https://benefits.springhealth.com/care), [Sorbet](https://lite.sorbetapp.com/login), [Rainmaker UPS](https://upsairlines.rainmaker.aero/rainmaker.security.web/), [Planview ID](../saas-apps/planview-id-tutorial.md), [Karbonalpha](https://saas.karbonalpha.com/settings/api), [Headspace](../saas-apps/headspace-tutorial.md), [SeekOut](../saas-apps/seekout-tutorial.md), [Stackby](../saas-apps/stackby-tutorial.md), [Infrascale Cloud Backup](../saas-apps/infrascale-cloud-backup-tutorial.md), [Keystone](../saas-apps/keystone-tutorial.md), [LMS・教育管理システム Leaf](../saas-apps/lms-and-education-management-system-leaf-tutorial.md), [ZDiscovery](../saas-apps/zdiscovery-tutorial.md), [ラインズeライブラリアドバンス (Lines eLibrary Advance)](../saas-apps/lines-elibrary-advance-tutorial.md), [Rootly](../saas-apps/rootly-tutorial.md), [Articulate 360](../saas-apps/articulate360-tutorial.md), [Rise.com](../saas-apps/risecom-tutorial.md), [SevOne Network Monitoring System (NMS)](../saas-apps/sevone-network-monitoring-system-tutorial.md), [PGM](https://ups-pgm.4gfactor.com/azure/), [TouchRight Software](https://app.touchrightsoftware.com/), [Tendium](../saas-apps/tendium-tutorial.md), [Training Platform](../saas-apps/training-platform-tutorial.md), [Znapio](https://app.znapio.com/), [Preset](../saas-apps/preset-tutorial.md), [itslearning MS Teams sync](https://itslearning.com/global/), [Veza](../saas-apps/veza-tutorial.md), [Trax](https://app.trax.co/authn/login)

-You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial,

-For listing your application in the Azure AD app gallery, please read the details here https://aka.ms/AzureADAppRequest

-

-

-### General Availability - No more waiting, provision groups on demand into your SaaS applications.

-**Type:** New feature

-**Service category:** Provisioning

-**Product capability:** Identity Lifecycle Management

-

-Pick a group of up to five members and provision them into your third-party applications in seconds. Get started testing, troubleshooting, and provisioning to non-Microsoft applications such as ServiceNow, ZScaler, and Adobe. For more information, see: [On-demand provisioning in Azure Active Directory](../app-provisioning/provision-on-demand.md).

-

-

-### General Availability ΓÇô Protect against by-passing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD

-**Type:** New feature

-**Service category:** MS Graph

-**Product capability:** Identity Security & Protection

-

-We're delighted to announce a new security protection that prevents bypassing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD. When enabled for a federated domain in your Azure AD tenant, it ensures that a compromised federated account can't bypass Azure AD Multi-Factor Authentication by imitating that a multi factor authentication has already been performed by the identity provider. The protection can be enabled via new security setting, [federatedIdpMfaBehavior](/graph/api/resources/internaldomainfederation?view=graph-rest-beta#federatedidpmfabehavior-values&preserve-view=true).

-

-We highly recommend enabling this new protection when using Azure AD Multi-Factor Authentication as your multi factor authentication for your federated users. To learn more about the protection and how to enable it, visit [Enable protection to prevent by-passing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD](/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs#enable-protection-to-prevent-by-passing-of-cloud-azure-ad-multi-factor-authentication-when-federated-with-azure-ad).

-

-

-### Public preview - New provisioning connectors in the Azure AD Application Gallery - July 2022

-**Type:** New feature

-**Service category:** App Provisioning

-**Product capability:** 3rd Party Integration

-

-You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

-For more information about how to better secure your organization by using automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md).

-

-

-### General Availability - Tenant-based service outage notifications

-**Type:** New feature

-**Service category:** Other

-**Product capability:** Platform

-

-Azure Service Health supports service outage notifications to Tenant Admins for Azure Active Directory issues. These outages will also appear on the Azure AD Admin Portal Overview page with appropriate links to Azure Service Health. Outage events will be able to be seen by built-in Tenant Administrator Roles. We'll continue to send outage notifications to subscriptions within a tenant for transition. More information is available at: [What are Service Health notifications in Azure Active Directory?](../reports-monitoring/overview-service-health-notifications.md).

-

-

-### Public Preview - Multiple Passwordless Phone sign-in Accounts for iOS devices

-**Type:** New feature

-**Service category:** Authentications (Logins)

-**Product capability:** User Authentication

-

-End users can now enable passwordless phone sign-in for multiple accounts in the Authenticator App on any supported iOS device. Consultants, students, and others with multiple accounts in Azure AD can add each account to Microsoft Authenticator and use passwordless phone sign-in for all of them from the same iOS device. The Azure AD accounts can be in either the same, or different, tenants. Guest accounts aren't supported for multiple account sign-ins from one device.

-Note that end users are encouraged to enable the optional telemetry setting in the Authenticator App, if not done so already. For more information, see: [Enable passwordless sign-in with Microsoft Authenticator](../authentication/howto-authentication-passwordless-phone.md)

-

-

-

-### Public Preview - Azure AD Domain Services - Fine Grain Permissions

-**Type:** Changed feature

-**Service category:** Azure AD Domain Services

-**Product capability:** Azure AD Domain Services

-

-Previously to set up and administer your AAD-DS instance you needed top level permissions of Azure Contributor and Azure AD Global Administrator. Now for both initial creation, and ongoing administration, you can utilize more fine grain permissions for enhanced security and control. The prerequisites now minimally require:

-

-Check out these resources to learn more:

-

-

-### General Availability- Azure AD Connect update release with new functionality and bug fixes

-**Type:** Changed feature

-**Service category:** Provisioning

-**Product capability:** Identity Lifecycle Management

-

-A new Azure AD Connect release fixes several bugs and includes new functionality. This release is also available for auto upgrade for eligible servers. For more information, see: [Azure AD Connect: Version release history](../hybrid/reference-connect-version-history.md#21150).

-

-### General Availability - Cross-tenant access settings for B2B collaboration

-**Type:** Changed feature

-**Service category:** B2B

-**Product capability:** B2B/B2C

-

-Cross-tenant access settings enable you to control how users in your organization collaborate with members of external Azure AD organizations. Now youΓÇÖll have granular inbound and outbound access control settings that work on a per org, user, group, and application basis. These settings also make it possible for you to trust security claims from external Azure AD organizations like multi-factor authentication (MFA), device compliance, and hybrid Azure AD joined devices. For more information, see: [Cross-tenant access with Azure AD External Identities](../external-identities/cross-tenant-access-overview.md).

-

-

-### General Availability- Expression builder with Application Provisioning

-**Type:** Changed feature

-**Service category:** Provisioning

-**Product capability:** Outbound to SaaS Applications

-

-Accidental deletion of users in your apps or in your on-premises directory could be disastrous. WeΓÇÖre excited to announce the general availability of the accidental deletions prevention capability. When a provisioning job would cause a spike in deletions, it will first pause and provide you visibility into the potential deletions. You can then accept or reject the deletions and have time to update the jobΓÇÖs scope if necessary. For more information, see [Understand how expression builder in Application Provisioning works](../app-provisioning/expression-builder.md).

-

-

-### Public Preview - Improved app discovery view for My Apps portal

-**Type:** Changed feature

-**Service category:** My Apps

-**Product capability:** End User Experiences

-

-An improved app discovery view for My Apps is in public preview. The preview shows users more apps in the same space and allows them to scroll between collections. It doesn't currently support drag-and-drop and list view. Users can opt into the preview by selecting Try the preview and opt out by selecting Return to previous view. To learn more about My Apps, see [My Apps portal overview](../manage-apps/myapps-overview.md).

-

-

-### Public Preview - New Azure AD Portal All Devices list

-**Type:** Changed feature

-**Service category:** Device Registration and Management

-**Product capability:** End User Experiences

-

-We're enhancing the All Devices list in the Azure AD Portal to make it easier to filter and manage your devices. Improvements include:

-All Devices List:

-For more information, see: [Manage devices in Azure AD using the Azure portal](../devices/device-management-azure-portal.md#view-and-filter-your-devices-preview).

-

-

-### Public Preview - ADFS to Azure AD: Persistent NameID for IDP-initiated Apps

-**Type:** Changed feature

-**Service category:** Enterprise Apps

-**Product capability:** SSO

-

-Previously the only way to have persistent NameID value was to ΓÇïconfigure user attribute with an empty value. Admins can now explicitly configure the NameID value to be persistent ΓÇïalong with the corresponding format.

-For more information, see: [Customize app SAML token claims - Microsoft identity platform | Microsoft Docs](../develop/active-directory-saml-claims-customization.md#attributes).

-

-

-### Public Preview - ADFS to Azure Active Directory: Customize attrname-formatΓÇï

-**Type:** Changed feature

-**Service category:** Enterprise Apps

-**Product capability:** SSO

-

-With this new parity update, customers can now integrate non-gallery applications such as Socure DevHub with Azure AD to have SSO via SAML.

-For more information, see [Claims mapping policy - Microsoft Entra | Microsoft Docs](../develop/reference-claims-mapping-policy-type.md#claim-schema-entry-elements).

-

-## October 2022

-### Updated articles

-This article describes the keys steps to configure cross-tenant synchronization using Microsoft Graph API. When configured, Azure AD automatically provisions and de-provisions B2B users in your target tenant. For detailed steps using the Azure portal, see [Configure cross-tenant synchronization](cross-tenant-synchronization-configure.md).

- "tenantId": "376a1f89-b02f-4a85-8252-2974d1984d14",

-1. Select the **Trust settings** tab.

-1. Sign in to the [Azure portal](https://portal.azure.com) as an administrator of the target tenant.

-1. Select **Azure Active Directory** > **Cross-tenant synchronization (Preview)**.

-1. In the configuration list, select your configuration.

-1. Select **Provisioning** and expand the **Settings** section.

-1. Select **Provisioning** and expand the **Mappings** section.

-1. Select **Provisioning** and expand the **Mappings** section.

-1. Select **Provisioning** and expand the **Settings** section.

-| Privileged Role Administrator</br>(Activated/Eligible) | Yes</br>(only if no explicit approvers are specified) | Yes* | Yes |

-| Security Administrator</br>(Activated/Eligible) | No | Yes* | Yes |

-| Global Administrator</br>(Activated/Eligible) | No | Yes* | Yes |

-* Only linux node clusters and node pools are supported.

-## Use pod-managed identities

-Azure Active Directory (Azure AD) pod-managed identities (preview) use AKS primitives to associate managed identities for Azure resources and identities in Azure AD with pods. You can use these identities to grant access to the Azure Key Vault Secrets Provider for Secrets Store CSI driver.

-### Prerequisites

-### Use an Azure AD pod-managed identity

-1. Follow the instructions in [Use Azure Active Directory pod-managed identities in Azure Kubernetes Service (Preview)][aad-pod-identity-create] to create a cluster identity, assign it permissions, and create a pod identity. Take note of the newly created identity's `clientId` and `name`.

-1. Assign permissions to the new identity to enable it to read your key vault and view its contents by running the following commands:

- ```azurecli-interactive

- # set policy to access keys in your key vault

- az keyvault set-policy -n <keyvault-name> --key-permissions get --spn <pod-identity-client-id>

- # set policy to access secrets in your key vault

- az keyvault set-policy -n <keyvault-name> --secret-permissions get --spn <pod-identity-client-id>

- # set policy to access certs in your key vault

- az keyvault set-policy -n <keyvault-name> --certificate-permissions get --spn <pod-identity-client-id>

- ```

-1. Create a `SecretProviderClass` by using the following YAML, using your own values for `aadpodidbinding`, `tenantId`, and the objects to retrieve from your key vault:

- ```yml

- # This is a SecretProviderClass example using aad-pod-identity to access the key vault

- apiVersion: secrets-store.csi.x-k8s.io/v1

- kind: SecretProviderClass

- metadata:

- name: azure-kvname-podid

- spec:

- provider: azure

- parameters:

- usePodIdentity: "true" # Set to true for using aad-pod-identity to access your key vault

- keyvaultName: <key-vault-name> # Set to the name of your key vault

- cloudName: "" # [OPTIONAL for Azure] if not provided, the Azure environment defaults to AzurePublicCloud

- objects: |

- array:

- - |

- objectName: secret1

- objectType: secret # object types: secret, key, or cert

- objectVersion: "" # [OPTIONAL] object versions, default to latest if empty

- - |

- objectName: key1

- objectType: key

- objectVersion: ""

- tenantId: <tenant-Id> # The tenant ID of the key vault

- ```

-1. Apply the `SecretProviderClass` to your cluster:

- ```bash

- kubectl apply -f secretproviderclass.yaml

- ```

-1. Create a pod by using the following YAML, using the name of your identity:

- ```yml

- # This is a sample pod definition for using SecretProviderClass and aad-pod-identity to access the key vault

- kind: Pod

- apiVersion: v1

- metadata:

- name: busybox-secrets-store-inline-podid

- labels:

- aadpodidbinding: <name> # Set the label value to the name of your pod identity

- spec:

- containers:

- - name: busybox

- image: k8s.gcr.io/e2e-test-images/busybox:1.29-1

- command:

- - "/bin/sleep"

- - "10000"

- volumeMounts:

- - name: secrets-store01-inline

- mountPath: "/mnt/secrets-store"

- readOnly: true

- volumes:

- - name: secrets-store01-inline

- csi:

- driver: secrets-store.csi.k8s.io

- readOnly: true

- volumeAttributes:

- secretProviderClass: "azure-kvname-podid"

- ```

-1. Apply the pod to your cluster:

- ```bash

- kubectl apply -f pod.yaml

- ```

-## Use a user-assigned managed identity

-## Use a system-assigned managed identity

-### Prerequisites

->[!IMPORTANT]

-> Before you begin this step, [enable system-assigned managed identity][enable-system-assigned-identity] on your AKS cluster's VMs or scale sets.

->

-### Usage

-1. Verify that your Virtual Machine Scale Set or Availability Set nodes have their own system-assigned identity:

- ```azurecli-interactive

- az vmss identity show -g <resource group> -n <vmss scalset name> -o yaml

- az vm identity show -g <resource group> -n <vm name> -o yaml

- ```

- >[!NOTE]

- > The output should contain `type: SystemAssigned`. Make a note of the `principalId`.

- >

- > IMDS is looking for a System Assigned Identity on VMSS first, then it will look for a User Assigned Identity and pull that if there is only 1. If there are multiple User Assigned Identities IMDS will throw an error as it does not know which identity to pull.

- >

-1. To grant your identity permissions that enable it to read your key vault and view its contents, run the following commands:

- ```azurecli-interactive

- # set policy to access keys in your key vault

- az keyvault set-policy -n <keyvault-name> --key-permissions get --spn <identity-principal-id>

- # set policy to access secrets in your key vault

- az keyvault set-policy -n <keyvault-name> --secret-permissions get --spn <identity-principal-id>

- # set policy to access certs in your key vault

- az keyvault set-policy -n <keyvault-name> --certificate-permissions get --spn <identity-principal-id>

- ```

-1. Create a `SecretProviderClass` by using the following YAML, using your own values for `keyvaultName`, `tenantId`, and the objects to retrieve from your key vault:

- ```yml

- # This is a SecretProviderClass example using system-assigned identity to access your key vault

- apiVersion: secrets-store.csi.x-k8s.io/v1

- kind: SecretProviderClass

- metadata:

- name: azure-kvname-system-msi

- spec:

- provider: azure

- parameters:

- usePodIdentity: "false"

- useVMManagedIdentity: "true" # Set to true for using managed identity

- userAssignedIdentityID: "" # If empty, then defaults to use the system assigned identity on the VM

- keyvaultName: <key-vault-name>

- cloudName: "" # [OPTIONAL for Azure] if not provided, the Azure environment defaults to AzurePublicCloud

- objects: |

- array:

- - |

- objectName: secret1

- objectType: secret # object types: secret, key, or cert

- objectVersion: "" # [OPTIONAL] object versions, default to latest if empty

- - |

- objectName: key1

- objectType: key

- objectVersion: ""

- tenantId: <tenant-id> # The tenant ID of the key vault

- ```

-1. Apply the `SecretProviderClass` to your cluster:

- ```bash

- kubectl apply -f secretproviderclass.yaml

- ```

-1. Create a pod by using the following YAML:

- ```yml

- # This is a sample pod definition for using SecretProviderClass and system-assigned identity to access your key vault

- kind: Pod

- apiVersion: v1

- metadata:

- name: busybox-secrets-store-inline-system-msi

- spec:

- containers:

- - name: busybox

- image: k8s.gcr.io/e2e-test-images/busybox:1.29-1

- command:

- - "/bin/sleep"

- - "10000"

- volumeMounts:

- - name: secrets-store01-inline

- mountPath: "/mnt/secrets-store"

- readOnly: true

- volumes:

- - name: secrets-store01-inline

- csi:

- driver: secrets-store.csi.k8s.io

- readOnly: true

- volumeAttributes:

- secretProviderClass: "azure-kvname-system-msi"

- ```

-## Handling CA rollover

-Values for *httpProxy*, *httpsProxy*, and *noProxy* can't be changed after cluster creation. However, to support rolling CA certs, the value for *trustedCa* can be changed and applied to the cluster with the [az aks update][az-aks-update] command.

-For example, assuming a new file has been created with the base64 encoded string of the new CA cert called *aks-proxy-config-2.json*, the following action updates the cluster:

-[install-azure-cli]: /cli/azure/install-azure-cli

-description: Learn how to use ImageCleaner to clean up stale images on Azure Kubernetes Service (AKS)

-# Use ImageCleaner to clean up stale images on your Azure Kubernetes Service cluster (preview)

-It's common to use pipelines to build and deploy images on Azure Kubernetes Service (AKS) clusters. While great for image creation, this process often doesn't account for the stale images left behind and can lead to image bloat on cluster nodes. These images can present security issues as they may contain vulnerabilities. By cleaning these unreferenced images, you can remove an area of risk in your clusters. When done manually, this process can be time intensive, which ImageCleaner can mitigate via automatic image identification and removal.

-> ImageCleaner is a feature based on [Eraser](https://github.com/Azure/eraser).

-> On an AKS cluster, the feature name and property name is `ImageCleaner` while the relevant ImageCleaner pods' names contain `Eraser`.

-ImageCleaner does not support the following:

-## How ImageCleaner works

-When enabled, an `eraser-controller-manager` pod is deployed on each agent node, which will use an `ImageList` CRD to determine unreferenced and vulnerable images. Vulnerability is determined based on a [trivy][trivy] scan, after which images with a `LOW`, `MEDIUM`, `HIGH`, or `CRITICAL` classification are flagged. An updated `ImageList` will be automatically generated by ImageCleaner based on a set time interval, and can also be supplied manually.

-Once an `ImageList` is generated, ImageCleaner will remove all the images in the list from node VMs.

-In addition to choosing between manual and automatic mode, there are several options for ImageCleaner:

-|--enable-image-cleaner|Enable the ImageCleaner feature for an AKS cluster|Yes, unless disable is specified|

-|--disable-image-cleaner|Disable the ImageCleaner feature for an AKS cluster|Yes, unless enable is specified|

-|--image-cleaner-interval-hours|This parameter determines the interval time (in hours) ImageCleaner will use to run. The default value for Azure CLI is one week, the minimum value is 24 hours and the maximum is three months.|Not required for Azure CLI, required for ARM template or other clients|

-> After disabling ImageCleaner, the old configuration still exists. This means that if you enable the feature again without explicitly passing configuration, the existing value will be used rather than the default.

-## Enable ImageCleaner on your AKS cluster

-The `--image-cleaner-interval-hours` parameter can be specified at creation time or for an existing cluster. For example, the following command updates the interval for a cluster with ImageCleaner already enabled:

-Based on your configuration, ImageCleaner will generate an `ImageList` containing non-running and vulnerable images at the desired interval. ImageCleaner will automatically remove these images from cluster nodes.

-To manually remove images from your cluster using ImageCleaner, first create an `ImageList`. For example, save the following as `image-list.yml`:

-A job named `eraser-aks-xxx`will be triggered which causes ImageCleaner to remove the desired images from all nodes.

-## Disable ImageCleaner

-To stop using ImageCleaner, you can disable it via the `--disable-image-cleaner` flag:

-Use `az acr import` to import the following images into your ACR.

-```azurecli

-REGISTRY_NAME=<REGISTRY_NAME>

-CERT_MANAGER_REGISTRY=quay.io

-CERT_MANAGER_TAG=v1.8.0

-CERT_MANAGER_IMAGE_CONTROLLER=jetstack/cert-manager-controller

-CERT_MANAGER_IMAGE_WEBHOOK=jetstack/cert-manager-webhook

-CERT_MANAGER_IMAGE_CAINJECTOR=jetstack/cert-manager-cainjector

-az acr import --name $REGISTRY_NAME --source $CERT_MANAGER_REGISTRY/$CERT_MANAGER_IMAGE_CONTROLLER:$CERT_MANAGER_TAG --image $CERT_MANAGER_IMAGE_CONTROLLER:$CERT_MANAGER_TAG

-az acr import --name $REGISTRY_NAME --source $CERT_MANAGER_REGISTRY/$CERT_MANAGER_IMAGE_WEBHOOK:$CERT_MANAGER_TAG --image $CERT_MANAGER_IMAGE_WEBHOOK:$CERT_MANAGER_TAG

-az acr import --name $REGISTRY_NAME --source $CERT_MANAGER_REGISTRY/$CERT_MANAGER_IMAGE_CAINJECTOR:$CERT_MANAGER_TAG --image $CERT_MANAGER_IMAGE_CAINJECTOR:$CERT_MANAGER_TAG

-```

-Use `Import-AzContainerRegistryImage` to import the following images into your ACR.

-```azurepowershell

-$RegistryName = "<REGISTRY_NAME>"

-$ResourceGroup = (Get-AzContainerRegistry | Where-Object {$_.name -eq $RegistryName} ).ResourceGroupName

-$CertManagerRegistry = "quay.io"

-$CertManagerTag = "v1.8.0"

-$CertManagerImageController = "jetstack/cert-manager-controller"

-$CertManagerImageWebhook = "jetstack/cert-manager-webhook"

-$CertManagerImageCaInjector = "jetstack/cert-manager-cainjector"

-Import-AzContainerRegistryImage -ResourceGroupName $ResourceGroup -RegistryName $RegistryName -SourceRegistryUri $CertManagerRegistry -SourceImage "${CertManagerImageController}:${CertManagerTag}"

-Import-AzContainerRegistryImage -ResourceGroupName $ResourceGroup -RegistryName $RegistryName -SourceRegistryUri $CertManagerRegistry -SourceImage "${CertManagerImageWebhook}:${CertManagerTag}"

-Import-AzContainerRegistryImage -ResourceGroupName $ResourceGroup -RegistryName $RegistryName -SourceRegistryUri $CertManagerRegistry -SourceImage "${CertManagerImageCaInjector}:${CertManagerTag}"

-```

-```azurecli-interactive

-az aks show --resource-group myResourceGroup --name myAKSCluster --query nodeResourceGroup -o tsv

-```

-```azurecli-interactive

-az network public-ip create --resource-group MC_myResourceGroup_myAKSCluster_eastus --name myAKSPublicIP --sku Standard --allocation-method static --query publicIp.ipAddress -o tsv

-```

-```azurecli-interactive

-DNS_LABEL="<DNS_LABEL>"

-NAMESPACE="ingress-basic"

-STATIC_IP=<STATIC_IP>

-helm upgrade ingress-nginx ingress-nginx/ingress-nginx \

- --namespace $NAMESPACE \

- --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-dns-label-name"=$DNS_LABEL \

- --set controller.service.loadBalancerIP=$STATIC_IP

-```

-```azurepowershell-interactive

-(Get-AzAksCluster -ResourceGroupName $ResourceGroup -Name myAKSCluster).NodeResourceGroup

-```

-```azurepowershell-interactive

-(New-AzPublicIpAddress -ResourceGroupName MC_myResourceGroup_myAKSCluster_eastus -Name myAKSPublicIP -Sku Standard -AllocationMethod Static -Location eastus).IpAddress

-```

-3. Add the --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-dns-label-name"="<DNS_LABEL>" parameter. The DNS label can be set either when the ingress controller is first deployed, or it can be configured later.

-4. Add the --set controller.service.loadBalancerIP="<STATIC_IP>" parameter. Specify your own public IP address that was created in the previous step.

-```azurepowershell-interactive

-$DnsLabel = "<DNS_LABEL>"

-$Namespace = "ingress-basic"

-$StaticIP = "<STATIC_IP>"

-helm upgrade ingress-nginx ingress-nginx/ingress-nginx `

- --namespace $Namespace `

- --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-dns-label-name"=$DnsLabel `

- --set controller.service.loadBalancerIP=$StaticIP

-```

-An Azure public IP address is created for your ingress controller upon creation. The public IP address is static for the lifespan of your ingress controller. The public IP address *doesn't* remain if you delete your ingress controller. If you create a new ingress controller, it will be assigned a new public IP address.

-Use the `kubectl get service` command to get the public IP address for your ingress controller.

-```console

-kubectl --namespace ingress-basic get services -o wide -w nginx-ingress-ingress-nginx-controller

-```

-Your output should look similar to the following example output:

-```console

-NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR

-nginx-ingress-ingress-nginx-controller LoadBalancer 10.0.74.133 EXTERNAL_IP 80:32486/TCP,443:30953/TCP 44s app.kubernetes.io/component=controller,app.kubernetes.io/instance=nginx-ingress,app.kubernetes.io/name=ingress-nginx

-```

-Add an *A* record to your DNS zone with the external IP address of the NGINX service using [`az network dns record-set a add-record`][az-network-dns-record-set-a-add-record].

-```azurecli

-az network dns record-set a add-record \

- --resource-group myResourceGroup \

- --zone-name MY_CUSTOM_DOMAIN \

- --record-set-name "*" \

- --ipv4-address MY_EXTERNAL_IP

-```

-Add an *A* record to your DNS zone with the external IP address of the NGINX service using [`New-AzDnsRecordSet`][new-az-dns-recordset-create-a-record].

-```azurepowershell

-$Records = @()

-$Records += New-AzDnsRecordConfig -IPv4Address <External IP>

-New-AzDnsRecordSet -Name "*" `

- -RecordType A `

- -ResourceGroupName <Name of Resource Group for the DNS Zone> `

- -ZoneName <Custom Domain Name> `

- -TTL 3600 `

- -DnsRecords $Records

-```

-Optionally, you can configure an FQDN for the ingress controller IP address instead of a custom domain by setting a DNS label. Your FQDN should follow this form: `<CUSTOM LABEL>.<AZURE REGION NAME>.cloudapp.azure.com`. Your DNS label must be unique within its Azure location.

-DNSNAME="demo-aks-ingress"

-az network public-ip update --ids $PUBLICIPID --dns-name $DNSNAME

-$PublicIp.DnsSettings = @{"DomainNameLabel" = "demo-aks-ingress"}

-The following example shows how to update this setting after the controller has been deployed.

-DNS_LABEL="<DNS_LABEL>"

- --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-dns-label-name"=$DNS_LABEL

-Create a cluster issuer, such as `cluster-issuer.yaml`, using the following example manifest. Replace `MY_EMAIL_ADDRESS` with a valid address from your organization.

-```yaml

-apiVersion: cert-manager.io/v1

-kind: ClusterIssuer

-metadata:

- name: letsencrypt

-spec:

- acme:

- server: https://acme-v02.api.letsencrypt.org/directory

- email: MY_EMAIL_ADDRESS

- privateKeySecretRef:

- name: letsencrypt

- solvers:

- - http01:

- ingress:

- class: nginx

- podTemplate:

- spec:

- nodeSelector:

- "kubernetes.io/os": linux

-```

-To create the issuer, use the `kubectl apply` command.

-```console

-kubectl apply -f cluster-issuer.yaml --namespace ingress-basic

-```

-Create or update the `hello-world-ingress.yaml` file using the following example YAML file. Update the `spec.tls.hosts` and `spec.rules.host` to the DNS name you created in a previous step.

-```yaml

-apiVersion: networking.k8s.io/v1

-kind: Ingress

-metadata:

- name: hello-world-ingress

- annotations:

- nginx.ingress.kubernetes.io/rewrite-target: /$2

- nginx.ingress.kubernetes.io/use-regex: "true"

- cert-manager.io/cluster-issuer: letsencrypt

-spec:

- ingressClassName: nginx

- tls:

- - hosts:

- - hello-world-ingress.MY_CUSTOM_DOMAIN

- secretName: tls-secret

- rules:

- - host: hello-world-ingress.MY_CUSTOM_DOMAIN

- http:

- paths:

- - path: /hello-world-one(/|$)(.*)

- pathType: Prefix

- backend:

- service:

- name: aks-helloworld-one

- port:

- number: 80

- - path: /hello-world-two(/|$)(.*)

- pathType: Prefix

- backend:

- service:

- name: aks-helloworld-two

- port:

- number: 80

- - path: /(.*)

- pathType: Prefix

- backend:

- service:

- name: aks-helloworld-one

- port:

- number: 80

-apiVersion: networking.k8s.io/v1

-kind: Ingress

-metadata:

- name: hello-world-ingress-static

- annotations:

- nginx.ingress.kubernetes.io/ssl-redirect: "false"

- nginx.ingress.kubernetes.io/rewrite-target: /static/$2

-spec:

- ingressClassName: nginx

- tls:

- - hosts:

- - hello-world-ingress.MY_CUSTOM_DOMAIN

- secretName: tls-secret

- rules:

- - host: hello-world-ingress.MY_CUSTOM_DOMAIN

- http:

- paths:

- - path: /static(/|$)(.*)

- pathType: Prefix

- backend:

- service:

- name: aks-helloworld-one

- port:

- number: 80

-```

-Update the ingress resource using the `kubectl apply` command.

-```console

-kubectl apply -f hello-world-ingress.yaml --namespace ingress-basic

-```

-To delete the entire sample namespace, use the `kubectl delete` command and specify your namespace name. All the resources in the namespace will be deleted.

-```console

-kubectl delete namespace ingress-basic

-```

-First, remove the cluster issuer resources.

-```console

-kubectl delete -f cluster-issuer.yaml --namespace ingress-basic

-```

-List the Helm releases with the `helm list` command. Look for charts named *nginx* and *cert-manager*, as shown in the following example output.

-```console

-$ helm list --namespace ingress-basic

-NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION

-cert-manager ingress-basic 1 2020-01-15 10:23:36.515514 -0600 CST deployed cert-manager-v0.13.0 v0.13.0

-nginx ingress-basic 1 2020-01-15 10:09:45.982693 -0600 CST deployed nginx-ingress-1.29.1 0.27.0

-```

-Uninstall the releases with the `helm uninstall` command. The following example uninstalls the NGINX ingress and cert-manager deployments.

-```console

-$ helm uninstall cert-manager nginx --namespace ingress-basic

-release "cert-manager" uninstalled

-release "nginx" uninstalled

-```

-Next, remove the two sample applications.

-```console

-kubectl delete -f aks-helloworld-one.yaml --namespace ingress-basic

-kubectl delete -f aks-helloworld-two.yaml --namespace ingress-basic

-```

-Remove the ingress route that directed traffic to the sample apps.

-```console

-kubectl delete -f hello-world-ingress.yaml --namespace ingress-basic

-```

-Finally, you can delete the itself namespace. Use the `kubectl delete` command and specify your namespace name.

-```console

-kubectl delete namespace ingress-basic

-```

-|<a id="ref-context-deployment"></a>`context.Deployment`|`GatewayId`: `string` (returns 'managed' for managed gateways)<br /><br /> `Region`: `string`<br /><br /> `ServiceId`: `string`<br /><br /> `ServiceName`: `string`<br /><br /> `Certificates`: `IReadOnlyDictionary<string, X509Certificate2>`|

-# Tutorial: Map an existing custom DNS name to Azure App Service

-[Azure App Service](overview.md) provides a highly scalable, self-patching web hosting service. This tutorial shows you how to map an existing custom Domain Name System (DNS) name to App Service. To migrate a live site and its DNS domain name to App Service with no downtime, see [Migrate an active DNS name to Azure](manage-custom-dns-migrate-domain.md).

-In this tutorial, you learn how to:

-> [!div class="checklist"]

-> * Map a subdomain by using a [CNAME record](https://en.wikipedia.org/wiki/CNAME_record).

-> * Map a root domain by using an [A record](https://en.wikipedia.org/wiki/List_of_DNS_record_types#A).

-> * Map a [wildcard domain](https://en.wikipedia.org/wiki/Wildcard_DNS_record) by using a CNAME record.

-> * Redirect the default URL to a custom directory.

-## 1. Prepare your environment

-* If you don't have a custom domain yet, you can [purchase an App Service domain](manage-custom-dns-buy-domain.md).

-## 2. Get a domain verification ID

-#### Sign in to Azure

-Open the [Azure portal](https://portal.azure.com), and sign in with your Azure account.

-#### Select the app in the Azure portal

-1. Search for and select **App Services**.

- 

-1. On the **App Services** page, select the name of your Azure app.

- 

- You see the management page of the App Service app.

- To add a custom domain to your app, you need to verify your ownership of the domain by adding a verification ID as a TXT record with your domain provider.

-1. In the left pane of your app page, select **Custom domains**.

-1. Copy the ID in the **Custom Domain Verification ID** box in the **Custom Domains** page for the next step.

- 

- > [!WARNING]

- > Adding domain verification IDs to your custom domain can prevent dangling DNS entries and help to avoid subdomain takeovers. For custom domains you previously configured without this verification ID, you should protect them from the same risk by adding the verification ID to your DNS record. For more information on this common high-severity threat, see [Subdomain takeover](../security/fundamentals/subdomain-takeover.md).

-

-<a name="info"></a>

-3. **(A record only)** To map an [A record](https://en.wikipedia.org/wiki/List_of_DNS_record_types#A), you need the app's external IP address. In the **Custom domains** page, copy the value of **IP address**.

- 

-## 3. Create the DNS records

-1. Sign in to the website of your domain provider.

- You can use Azure DNS to manage DNS records for your domain and configure a custom DNS name for Azure App Service. For more information, see [Tutorial: Host your domain in Azure DNS](../dns/dns-delegate-domain-azure-dns.md).

-1. Find the page for managing DNS records.

- Every domain provider has its own DNS records interface, so consult the provider's documentation. Look for areas of the site labeled **Domain Name**, **DNS**, or **Name Server Management**.

-

- Often, you can find the DNS records page by viewing your account information and then looking for a link such as **My domains**. Go to that page, and then look for a link that's named something like **Zone file**, **DNS Records**, or **Advanced configuration**.

- The following screenshot is an example of a DNS records page:

- 

-1. Select **Add** or the appropriate widget to create a record.

-1. Select the type of record to create and follow the instructions. You can use either a [CNAME record](https://en.wikipedia.org/wiki/CNAME_record) or an [A record](https://en.wikipedia.org/wiki/List_of_DNS_record_types#A) to map a custom DNS name to App Service.

-### DNS record types

-| Scenario | Example | Recommended DNS record |

-| - | - | - | - |

-| Root domain | contoso.com | [A record](https://en.wikipedia.org/wiki/List_of_DNS_record_types#A). Don't use the CNAME record for the root record (for information, see [RFC 1912 Section 2.4](https://datatracker.ietf.org/doc/html/rfc1912#section-2.4)). |

-| Subdomain | www.contoso.com, my.contoso.com | [CNAME record](https://en.wikipedia.org/wiki/CNAME_record). You can map a subdomain to the app's IP address directly with an A record, but it's possible for [the IP address to change](overview-inbound-outbound-ips.md#when-inbound-ip-changes). The CNAME maps to the app's default hostname instead, which is less susceptible to change. |

-| [Wildcard](https://en.wikipedia.org/wiki/Wildcard_DNS_record) | *.contoso.com | [CNAME record](https://en.wikipedia.org/wiki/CNAME_record). |

-# [A](#tab/a)

- | Record type | Host | Value | Comments |

- | - | - | - |

- | A | `@` | IP address from [Copy the app's IP address](#2-get-a-domain-verification-id) | The domain mapping itself (`@` typically represents the root domain). |

- | TXT | `asuid` | [The verification ID you got earlier](#2-get-a-domain-verification-id) | For root domain, App Service accesses `asuid` TXT record to verify your ownership of the custom domain |

-

- 

-

- |Record type|Host|Value| Comments |

- | | | | |

- |A|\<subdomain\> (for example, www)|IP address from [Copy the app's IP address](#2-get-a-domain-verification-id)||

- |TXT|asuid.\<subdomain\> (for example, asuid.www)|[The verification ID you got earlier](#2-get-a-domain-verification-id)||

- 

-

-# [CNAME](#tab/cname)

-For a subdomain like `www` in `www.contoso.com`, create two records according to the following table:

-| TXT | `asuid.<subdomain>` (for example, `asuid.www`) | [The verification ID you got earlier](#2-get-a-domain-verification-id) | App Service accesses the `asuid.<subdomain>` TXT record to verify your ownership of the custom domain. |

-

-# [Wildcard (CNAME)](#tab/wildcard)

-| - | - | - |

-| TXT | `asuid` | [The verification ID you got earlier](#2-get-a-domain-verification-id) | App Service accesses the `asuid` TXT record to verify your ownership of the custom domain. |

-

-> [!NOTE]

-> For certain providers, such as GoDaddy, changes to DNS records don't become effective until you select a separate **Save Changes** link.

-<a name="a" aria-hidden="true"></a>

-<a name="enable-a" aria-hidden="true"></a>

-<a name="wildcard" aria-hidden="true"></a>

-<a name="cname" aria-hidden="true"></a>

-## 4. Enable the mapping in your app

-After you [create DNS records](#3-create-the-dns-records), you enable the mapping in your app.

-# [A](#tab/a)

-1. In the left pane of the app page in the Azure portal, select **Custom domains**.

- 

-1. Select **Add custom domain**.

- 

-1. Type the fully qualified domain name that you configured the A record for, such as `contoso.com`.

-1. Select **Validate**. The **Add custom domain** page is shown.

-1. Make sure that **Hostname record type** is set to **A record (example.com)**. Select **Add custom domain**.

- 

- It might take some time for the new custom domain to be reflected in the app's **Custom Domains** page. Refresh the browser to update the data.

- 

- > A warning label for your custom domain means that it's not yet bound to a TLS/SSL certificate. Any HTTPS request from a browser to your custom domain will receive an error or warning, depending on the browser. To add a TLS binding, see [Secure a custom DNS name with a TLS/SSL binding in Azure App Service](configure-ssl-bindings.md).

-

- If you missed a step or made a typo somewhere earlier, a verification error appears at the bottom of the page.

-

- 

-# [CNAME](#tab/cname)

-1. In the left pane of the app page in the Azure portal, select **Custom domains**.

- 

-1. Select **Add custom domain**.

- 

-1. Type the fully qualified domain name that you added a CNAME record for, such as `www.contoso.com`.

-1. Select **Validate**. The **Add custom domain** page appears.

-1. Make sure that **Hostname record type** is set to **CNAME (www\.example.com or any subdomain)**. Select **Add custom domain**.

- 

- It might take some time for the new custom domain to be reflected in the app's **Custom Domains** page. Refresh the browser to update the data.

- 

- > A warning label for your custom domain means that it's not yet bound to a TLS/SSL certificate. Any HTTPS request from a browser to your custom domain will receive an error or warning, depending on the browser. To add a TLS binding, see [Secure a custom DNS name with a TLS/SSL binding in Azure App Service](configure-ssl-bindings.md).

- If you missed a step or made a typo somewhere earlier, a verification error appears at the bottom of the page.

- 

-# [Wildcard (CNAME)](#tab/wildcard)

-1. In the left pane of the app page in the Azure portal, select **Custom domains**.

- 

-1. Select **Add custom domain**.

- 

-1. Type a fully qualified domain name that matches the wildcard domain. For example, for the example `*.contoso.com`, you can use `sub1.contoso.com`, `sub2.contoso.com`, `*.contoso.com`, or any other string that matches the wildcard pattern. Then, select **Validate**.

- The **Add custom domain** button is activated.

-1. Make sure that **Hostname record type** is set to **CNAME record (www\.example.com or any subdomain)**. Select **Add custom domain**.

- 

- It might take some time for the new custom domain to be reflected in the app's **Custom Domains** page. Refresh the browser to update the data.

- > [!NOTE]

- > A warning label for your custom domain means that it's not yet bound to a TLS/SSL certificate. Any HTTPS request from a browser to your custom domain will receive an error or warning, depending on the browser. To add a TLS binding, see [Secure a custom DNS name with a TLS/SSL binding in Azure App Service](configure-ssl-bindings.md).

-## 5. Test in a browser

-If you receive an HTTP 404 (Not Found) error when you browse to the URL of your custom domain, the two most common causes are:

-* The custom domain configured is missing an A record or a CNAME record. You may have deleted the DNS record after you've enabled the mapping in your app. Check if the DNS records are properly configured using an <a href="https://www.nslookup.io/">online DNS lookup</a> tool.

-* The browser client has cached the old IP address of your domain. Clear the cache, and test DNS resolution again. On a Windows machine, you clear the cache with `ipconfig /flushdns`.

-For high availability scenarios, you can implement a load-balancing DNS setup without Traffic Manager by creating multiple *A records* that point from the root domain to each app copy's IP address. Then, [map the same root domain to all the app copies](app-service-web-tutorial-custom-domain.md#3-create-the-dns-records). Since the same domain name cannot be mapped to two different apps in the same region, this setup only works when your app copies are in different regions.

-In this tutorial, you learn how to:

-> [!div class="checklist"]

-> * Upgrade your app's pricing tier

-> * Secure a custom domain with a certificate

-> * Enforce HTTPS

-> * Enforce TLS 1.1/1.2

-> * Automate TLS management with scripts

-> The easiest way to add a private certificate is to [create a free App Service managed certificate](configure-ssl-certificate.md#create-a-free-managed-certificate).

-| Setting | Description |

-|-|-|

-| Custom domain | The domain name to add the TLS/SSL binding for. |

-| Private Certificate Thumbprint | The certificate to bind. |

-| TLS/SSL Type | <ul><li>**[SNI SSL](https://en.wikipedia.org/wiki/Server_Name_Indication)** - Multiple SNI SSL bindings may be added. This option allows multiple TLS/SSL certificates to secure multiple domains on the same IP address. Most modern browsers (including Internet Explorer, Chrome, Firefox, and Opera) support SNI (for more information, see [Server Name Indication](https://wikipedia.org/wiki/Server_Name_Indication)).</li><li>**IP SSL** - Only one IP SSL binding may be added. This option allows only one TLS/SSL certificate to secure a dedicated public IP address. After you configure the binding, follow the steps in [Remap records for IP SSL](#remap-records-for-ip-ssl).<br/>IP SSL is supported only in **Standard** tier or above. </li></ul> |

- Your app's **Custom domain** page is updated with the new, dedicated IP address. [Copy this IP address](app-service-web-tutorial-custom-domain.md#info), then [remap the A record](app-service-web-tutorial-custom-domain.md#3-create-the-dns-records) to this new IP address.

-# Secure connections by adding and managing TLS/SSL certificates in Azure App Service

-For details on how to create an ILB App Service environment, see [Create an ASE in the Azure portal][creation] and [Create an ASE with ARM][createfromtemplate].

-With a public domain mapped to the application gateway, you don't need to configure a custom domain in App Service. You can buy a custom domain name with [App Service Domains](../manage-custom-dns-buy-domain.md#buy-an-app-service-domain).

- In **Configuration** setting, you need to add a routing rule by clicking **Add a routing rule** icon.

- :::image type="content" source="./media/integrate-with-application-gateway/https-routing-rule.png" alt-text="H T T P S listener of the application gateway Routing Rule.":::

- * You have to configure a **Backend Pool** and **HTTP setting** in **Backend targets**. The Backend pool was configured in previously steps. Click **Add new** link to add an HTTP setting.

-To access ILB ASE from the application gateway, you need to check if a virtual network link to private DNS zone. If there is no virtual network linked to your application gateway's VNet, add a virtual network link with following steps.

-> Support in App Service environments (ASE) V2 and V3 is in preview. For App Service environments:

-||Automatic backups | Custom backups |

-Automatic backups are available in preview for Azure Functions in [dedicated (App Service)](../azure-functions/dedicated-plan.md) **Basic** or **Standard** or **Premium** tiers. Function apps in the [**Consumption**](../azure-functions/consumption-plan.md) or [**Elastic Premium**](../azure-functions/functions-premium-plan.md) pricing tiers aren't supported for automatic backups.

-# Buy a custom domain name for Azure App Service

-App Service domains are custom domains that are managed directly in Azure. They make it easy to manage custom domains for [Azure App Service](overview.md). This tutorial shows you how to buy an App Service domain and assign DNS names to Azure App Service.

-For Azure VM or Azure Storage, see [Assign App Service domain to Azure VM or Azure Storage](https://azure.github.io/AppService/2017/07/31/Assign-App-Service-domain-to-Azure-VM-or-Azure-Storage). For Cloud Services, see

-[Configuring a custom domain name for an Azure cloud service](../cloud-services/cloud-services-custom-domain-name-portal.md).

-To complete this tutorial:

-* [Remove the spending limit on your subscription](../cost-management-billing/manage/spending-limit.md#remove). You cannot buy App Service domains with free subscription credits.

-## Buy an App Service domain

-1. Open the [Azure portal](https://portal.azure.com) and sign in with your Azure account.

-1. In the search bar, search for and select **App Service Domains**.

- 

-1. In the **App Service Domains** view, click **Add**.

- 

-1. Select **Click to try the newer version of the App Service Domains create experience**.

- 

-### Basics tab

-1. In the **Basics** tab, configure the settings using the following table:

- | **Domain** | Type the domain you want. For example, **contoso.com**. If the domain you want is not available, you can select from a list of suggestions of available domains, or try a different domain. |

-2. When finished, click **Next: Contact information**.

-### Contact information tab

-1. Supply your information as required by [ICANN](https://go.microsoft.com/fwlink/?linkid=2116641) for the domain registration.

- It is important that you fill out all required fields with as much accuracy as possible. Incorrect data for contact information can result in failure to buy the domain.

-1. When finished, click **Next: Advanced**.

-### Advanced tab

-1. In the **Advanced** tab, configure the optional settings:

- | **Auto renewal** | Enabled by default. Your App Service domain is registered to you at one-year increments. Auto renewal makes sure that your domain registration doesn't expire and that you retain ownership of the domain. Your Azure subscription is automatically charged the yearly domain registration fee at the time of renewal. To opt out, select **Disable**. If auto-renewal is disabled, you can [renew it manually](#renew-the-domain). |

-2. When finished, click **Next: Tags**.

-### Finish

-1. In the **Tags** tab, set the tags you want for your App Service domain. Tagging is not required for using App Service domains, but is a [feature in Azure that helps you manage your resources](../azure-resource-manager/management/tag-resources.md).

-1. Click **Next: Review + create**.

-1. In the **Review + create** tab, review your domain order. When finished, click **Create**.

-1. When the domain registration is complete, you see a **Go to resource** button. Select it to see it's management page.

- 

-> Depending on the subscription type, a sufficient payment history may be required prior to creating an App Service Domain.

->

-> If you have made payments and are still running into this error, you can contact support and provide proof of payments.

-## Prepare the app

-To map a custom DNS name to a web app, the web app's [App Service plan](https://azure.microsoft.com/pricing/details/app-service/) must be a paid tier (Shared, Basic, Standard, Premium, or Consumption for Azure Functions). In this step, you make sure that the App Service app is in the supported pricing tier.

-### Navigate to the app in the Azure portal

-1. From the top search bar, search for and select **App Services**.

- 

-1. Select the name of the app.

- 

- You see the management page of the App Service app.

-### Check the pricing tier

-1. In the left navigation of the app page, scroll to the **Settings** section and select **Scale up (App Service plan)**.

- 

-1. The app's current tier is highlighted by a blue border. Check to make sure that the app is not in the **F1** tier. Custom DNS is not supported in the **F1** tier.

- :::image type="content" source="./media/app-service-web-tutorial-custom-domain/check-pricing-tier.png" alt-text="Screenshot of the left navigation menu of the app page with Scale up (App Service plan) selected.":::

-1. If the App Service plan is not in the **F1** tier, close the **Scale up** page and skip to [Buy the domain](#buy-an-app-service-domain).

-### Scale up the App Service plan

-1. Select any of the non-free tiers (**D1**, **B1**, **B2**, **B3**, or any tier in the **Production** category). For additional options, click **See additional options**.

-1. Click **Apply**.

- :::image type="content" source="./media/app-service-web-tutorial-custom-domain/choose-pricing-tier.png" alt-text="Screenshot of the custom domain pricing tiers in the Production category with the Production tab, B1 plan, and the Apply button highlighted.":::

- When you see the following notification, the scale operation is complete.

- 

-## Map App Service domain to your app

-It's easy to map a hostname in your App Service domain to an App Service app, as long as it's in the same subscription. You map the App Service domain or any of its subdomain directly in your app, and Azure creates the necessary DNS records for you.

-> [!NOTE]

-> If the domain and the app are in different subscriptions, you map the App Service domain to the app just like [mapping an externally purchased domain](app-service-web-tutorial-custom-domain.md). In this case, Azure DNS is the external domain provider, and you need to [add the required DNS records manually](#manage-custom-dns-records).

->

-### Map the domain

-1. In the left navigation of the app page, scroll to the **Settings** section and select **Custom domains**.

- 

-1. Select **Add custom domain**.

- 

-1. Type the App Service domain (such as **contoso.com**) or a subdomain (such as **www.contoso.com**) and click **Validate**.

- > [!NOTE]

- > If you made a typo in the App Service domain name, a verification error appears at the bottom of the page to tell you that you're missing some DNS records. You don't need to add these records manually for an App Service domain. Just make sure that you type the domain name correctly and click **Validate** again.

- >

- > 

-1. Accept the **Hostname record type** and click **Add custom domain**.

- 

-1. It might take some time for the new custom domain to be reflected in the app's **Custom Domains** page. Refresh the browser to update the data.

- 

- > A **Not Secure** label for your custom domain means that it's not yet bound to a TLS/SSL certificate. Any HTTPS request from a browser to your custom domain will receive an error or warning, depending on the browser. To add a TLS binding, see [Secure a custom DNS name with a TLS/SSL binding in Azure App Service](configure-ssl-bindings.md).

-

-### Test the custom domain

-To test the custom domain, navigate to it in the browser.

-The App Service domain you bought is valid for one year from the time of purchase. You can configure to renew your domain automatically which will charge your payment method when your domain renews the following year. You can also manually renew your domain name.

- 

-1. In the **App Service Domains** section, select the domain you want to configure.

- 

- > When navigating away from the page, disregard the "Your unsaved edits will be discarded" error by clicking **OK**.

-To manually renew your domain, select **Renew domain**. However, this button is not active until 90 days before the domain's expiration date.

- 

-1. In the **App Service Domains** section, select the domain you want to configure.

-After you purchase the App Service Domain, you have five days to cancel your purchase for a full refund. After five days, you can delete the App Service Domain, but cannot receive a refund.

- 

-1. In the **App Service Domains** section, select the domain you want to configure.

-1. Click **Delete** to remove the lock.

-1. If the cancellation period on the purchased domain has not elapsed, select **Cancel purchase**. Otherwise, you see a **Delete** button instead. To delete the domain without a refund, select **Delete**.

- 

-## Direct default URL to a custom directory

-By default, App Service directs web requests to the root directory of your app code. To direct them to a subdirectory, such as `public`, see [Redirect to a custom directory](configure-common.md#redirect-to-a-custom-directory).

-To complete this how-to, [make sure that your App Service app is not in FREE tier](manage-scale-up.md#scale-up-your-pricing-tier).

-## Bind the domain name preemptively

-### Get domain verification ID

-Get the domain verification ID for you app by following the steps at [Get domain verification ID](app-service-web-tutorial-custom-domain.md#2-get-a-domain-verification-id).

-### Create domain verification record

-To verify domain ownership, add a TXT record for domain verification. The hostname for the TXT record depends on the type of DNS record type you want to map. See the following table (`@` typically represents the root domain):

-| \@ (root) | _asuid_ | [Domain verification ID for your app](app-service-web-tutorial-custom-domain.md#2-get-a-domain-verification-id) |

-| www (sub) | _asuid.www_ | [Domain verification ID for your app](app-service-web-tutorial-custom-domain.md#2-get-a-domain-verification-id) |

-| \* (wildcard) | _asuid_ | [Domain verification ID for your app](app-service-web-tutorial-custom-domain.md#2-get-a-domain-verification-id) |

-In your DNS records page, note the record type of the DNS name you want to migrate. App Service supports mappings from CNAME and A records.

-### Enable the domain for your app

-1. In the [Azure portal](https://portal.azure.com), in the left navigation of the app page, select **Custom domains**.

- 

-1. In the **Custom domains** page, select **Add custom domain**.

- 

-1. Type the fully qualified domain name you want to migrate, that corresponds to the TXT record you create, such as `contoso.com`, `www.contoso.com`, or `*.contoso.com`. Select **Validate**.

- The **Add custom domain** button is activated.

-1. Make sure that **Hostname record type** is set to the DNS record type you want to migrate. Select **Add hostname**.

- 

- It might take some time for the new hostname to be reflected in the app's **Custom domains** page. Try refreshing the browser to update the data.

- 

- Your custom DNS name is now enabled in your Azure app.

-## Remap the active DNS name

-The only thing left to do is remapping your active DNS record to point to App Service. Right now, it still points to your old site.

-### Copy the app's IP address (A record only)

-If you are remapping a CNAME record, skip this section.

-To remap an A record, you need the App Service app's external IP address, which is shown in the **Custom domains** page.

-In the **Custom domains** page, copy the app's IP address.

-

-### Update the DNS record

-Back in the DNS records page of your domain provider, select the DNS record to remap.

-For the `contoso.com` root domain example, remap the A or CNAME record like the examples in the following table:

-| FQDN example | Record type | Host | Value |

-| - | - | - | - |

-| contoso.com (root) | A | `@` | IP address from [Copy the app's IP address](#info) |

-| www\.contoso.com (sub) | CNAME | `www` | _&lt;appname>.azurewebsites.net_ |

-| \*.contoso.com (wildcard) | CNAME | _\*_ | _&lt;appname>.azurewebsites.net_ |

-Save your settings.

-DNS queries should start resolving to your App Service app immediately after DNS propagation happens.

-## Migrate domain from another app

-You can migrate an active custom domain in Azure, between subscriptions or within the same subscription. However, such a migration without downtime requires the source app and the target app are assigned the same custom domain at a certain time. Therefore, you need to make sure that the two apps are not deployed to the same deployment unit (internally known as a webspace). A domain name can be assigned to only one app in each deployment unit.

-You can find the deployment unit for your app by looking at the domain name of the FTP/S URL `<deployment-unit>.ftp.azurewebsites.windows.net`. Check and make sure the deployment unit is different between the source app and the target app. The deployment unit of an app is determined by the [App Service plan](overview-hosting-plans.md) it's in. It's selected randomly by Azure when you create the plan and can't be changed. Azure only makes sure two plans are in the same deployment unit when you [create them in the same resource group *and* the same region](app-service-plan-manage.md#create-an-app-service-plan), but it doesn't have any logic to make sure plans are in different deployment units. The only way for you to create a plan in a different deployment unit is to keep creating a plan in a new resource group or region until you get a different deployment unit.

-4. When you're ready for the custom domain to point to the target app, [remap the domain name](manage-custom-dns-migrate-domain.md#remap-the-active-dns-name).

-2. If you use a custom domain, [bind it preemptively to the target app](manage-custom-dns-migrate-domain.md#bind-the-domain-name-preemptively) with `asuid.` and [enable the domain in the target app](manage-custom-dns-migrate-domain.md#enable-the-domain-for-your-app).

-4. When you're ready for the custom domain to point to the target app, [remap the domain name](manage-custom-dns-migrate-domain.md#remap-the-active-dns-name).

-> [Map custom domain](app-service-web-tutorial-custom-domain.md)

-1. In **Publish**, select **Azure** and click **Next**.

-1. To the right of **App Service instances**, click **+**.

-1. In the **Publish** page, click **Publish** to deploy your project.

- The first time you ran the command, it saved the app name, resource group, and App Service plan in the <i>.azure/config</i> file from the project root. When you run it again from the project root, it uses the values saved in <i>.azure/config</i>, detects that the App Service resources already exists, and performs Zip deploy again.

-1. From the left menu, click **App Services**, and then click the name of your Azure app.

-> [Tutorial: Map a custom domain name](./app-service-web-tutorial-custom-domain.md)

-> Map custom domain

-> [Map custom domain](app-service-web-tutorial-custom-domain.md)

-1. In Select a pricing tier, select **Free (F1)** and wait for the resources to be provisioned in Azure.

- While Visual Studio Code provisions the Azure resources and deploys the code, it shows [progress notifications](https://code.visualstudio.com/api/references/extension-guidelines#notifications).

-1. For **Select an Application Insights resource for your app**, select **Skip for now** and wait the resources to be provisioned in Azure.

- While Visual Studio Code provisions the Azure resources and deploys the code, it shows [progress notifications](https://code.visualstudio.com/api/references/extension-guidelines#notifications).

-> [Tutorial: Run Python app in custom container](tutorial-custom-container.md)

-> [Tutorial: Map a custom domain name](app-service-web-tutorial-custom-domain.md)

-To get a domain verification ID, see the [Map a custom domain tutorial](app-service-web-tutorial-custom-domain.md#2-get-a-domain-verification-id)

-> [Map an existing custom DNS name to Azure App Service](app-service-web-tutorial-custom-domain.md)

-> [Map an existing custom DNS name to Azure App Service](app-service-web-tutorial-custom-domain.md)

-In the next tutorial, you learn how to map a custom DNS name to your app.

-> [Tutorial: Map custom DNS name to your app](app-service-web-tutorial-custom-domain.md)

-Advance to the next tutorial to learn how to map a custom DNS name to your app.

-> [Tutorial: Map custom DNS name to your app](app-service-web-tutorial-custom-domain.md)

-Advance to the next tutorial to learn how to map a custom DNS name to your app.

-> [Tutorial: Map custom DNS name to your app](app-service-web-tutorial-custom-domain.md)

-Advance to the next tutorial to learn how to map a custom DNS name to the app.

-> [Tutorial: Map custom DNS name to your app](app-service-web-tutorial-custom-domain.md)

-Learn how to map a custom DNS name to your app:

-> [Tutorial: Map custom DNS name to your app](app-service-web-tutorial-custom-domain.md)

-Advance to the next tutorial to learn how to map a custom DNS name to your app.

-> [Tutorial: Map custom DNS name to your app](app-service-web-tutorial-custom-domain.md)

-* **Variations (template model)**: Consider splitting the dataset into folders and train a model for each of variation. Variations that include either structure or layout should be split into different models. You can then compose the individual models into a single [composed model](concept-composed-models.md).

-### Failure due to previous deployments

-If Arc resource bridge is deployed multiple times, an old token or expired credentials left on the management machine may cause future deployments to fail.

-To prevent this from happening, be sure to run the `az arcappliance delete` command after any failed deployment, or to delete the current bridge before attempting another deployment. The delete command must be run with the latest `arcappliance` Azure CLI extension. To ensure that you have the latest version installed on your machine, run the following command:

-```azurecli

-az extension update --name arcappliance

-```

-If all components of Arc resource bridge are not completely deleted, the residual token or expired credentials may cause future deployments to fail. When this is the case, the error will contain the message `Unavailable desc = connection closed before server preface received` to surface when various `az arcappliance` commands are run, including `prepare` and `delete`.

-To resolve this error, the .wssd\python and .wssd\kva folders in the user profile directory need to be deleted from the management machine. You can delete these manually by navigating to the user profile directory (typically `C:\Users\<username>`), then deleting the `.wssd\python` and/or `.wssd\kva` folders. After they are deleted, retry the command that failed.

-Azure Arc-enabled servers lets you manage Windows and Linux physical servers and virtual machines hosted *outside* of Azure, on your corporate network, or other cloud provider. This management experience is designed to be consistent with how you manage native Azure virtual machines, using standard Azure constructs such as Azure Policy and applying tags.

-| Durable Functions | [Supported](durable/durable-functions-overview.md) | [Supported (public preview)](https://github.com/microsoft/durabletask-dotnet#usage-with-azure-functions) |

-[ILogger&lt;T&gt;]: /dotnet/api/microsoft.extensions.logging.logger-1

-# [C#](#tab/csharp)

-# [C#](#tab/csharp)

-# [C#](#tab/csharp)

-# [C#](#tab/csharp)

-> Entity triggers are not yet supported in Java.

-# [C#](#tab/csharp)

-# [C#](#tab/csharp)

-# [C#](#tab/csharp)

-> The class-based syntax is just a layer on top of the function-based syntax, so both variants can be used interchangeably in the same application.

-> Entity functions and related functionality are only available in [Durable Functions 2.0](durable-functions-versions.md#migrate-from-1x-to-2x) and above. They are currently supported in .NET, JavaScript, and Python, but not in PowerShell or Java.

-# [C#](#tab/csharp)

-# [C#](#tab/csharp)

-When using the .NET isolated worker or Java, you also have the option to implement retry handlers in code. This is useful when declarative retry policies are not expressive enough. For languages that don't support custom retry handlers, you still have the option of implementing retry policies using loops, exception handling, and timers for injecting delays between retries.

-# [C#](#tab/csharp)

-# [C#](#tab/csharp)

-Your app needs a storage for runtime information. To use [Azurite](https://learn.microsoft.com/azure/storage/common/storage-use-azurite?tabs=visual-studio-code), which is an emulator for Azure Storage, set `AzureWebJobStorage` in _local.settings.json_ to `UseDevelopmentStorage=true`:

-There are other storage options you can use for your Durable Functions app. See [Durable Functions storage providers](https://learn.microsoft.com/azure/azure-functions/durable/durable-functions-storage-providers) to learn more about different storage options and what benefits they provide.

-* Verify that you have the [Azurite Emulator](../../storage/common//storage-use-azurite.md) installed and running.

-Note that there are other storage options you can use for your Durable Functions app. See [Durable Functions storage providers](https://learn.microsoft.com/azure/azure-functions/durable/durable-functions-storage-providers) to learn more about different storage options and what benefits they provide.

-# [C#](#tab/csharp)

-> Critical sections are available in Durable Functions 2.0 and above. Currently, only .NET orchestrations implement this feature.

-# [C#](#tab/csharp)

-# [C#](#tab/csharp)

-# [C#](#tab/csharp)

-# [C#](#tab/csharp)

-# [C#](#tab/csharp)

-# [C#](#tab/csharp)

-# [C#](#tab/csharp)

-# [C#](#tab/csharp)

-# [C#](#tab/csharp)

-* *Instance states* store the current status and history of an instance. For orchestration instances, this includes the runtime state, the orchestration history, inputs, outputs, and custom status. For entity instances, it includes the entity state.

-* *Messages* store function inputs or outputs, event payloads, and metadata that Durable Functions uses for internal purposes, like routing and end-to-end correlation.

-Where and how states and messages are represented in storage [depends on the storage provider](durable-functions-task-hubs.md#representation-in-storage). By default, Durable Functions uses the [Azure Storage provider](durable-functions-azure-storage-provider.md) which persists data to queues, tables, and blobs in an [Azure Storage](https://azure.microsoft.com/services/storage/) account that you specify.

-The following is a list of the different types of data that will be serialized and persisted when using features of Durable Functions:

-When using Azure Storage, all data is automatically encrypted at rest. However, anyone with access to the storage account can read the data in its unencrypted form. If you need stronger protection for sensitive data, consider first encrypting the data using your own encryption keys so that Durable Functions persists the data in a pre-encrypted form.

-# [C#](#tab/csharp)

-Durable Functions for .NET in-process internally uses [Json.NET](https://www.newtonsoft.com/json/help/html/Introduction.htm) to serialize orchestration and entity data to JSON. The default settings Durable Functions uses for Json.NET are:

-When serializing data, Json.NET looks for [various attributes](https://www.newtonsoft.com/json/help/html/SerializationAttributes.htm) on classes and properties that control how the data is serialized and deserialized from JSON. If you own the source code for data type passed to Durable Functions APIs, consider adding these attributes to the type to customize serialization and deserialization.

-Function apps that target .NET and run on the Functions V3 runtime can use [Dependency Injection (DI)](../functions-dotnet-dependency-injection.md) to customize how data and exceptions are serialized. The sample code below demonstrates how to use DI to override the default Json.NET serialization settings using custom implementations of the `IMessageSerializerSettingsFactory` and `IErrorSerializerSettingsFactory` service interfaces.

-Durable Functions running in the [.NET Isolated worker process](../dotnet-isolated-process-guide.md) use [System.Text.Json](/dotnet/api/system.text.json) libraries for serialization rather than Newtonsoft.Json. There is currently no support for injecting serialization settings. However, attributes may be used to control aspects of serialization.

-It is strongly recommended to use type annotations to ensure Durable Functions serializes and deserializes your data correctly. While many built-in types are handled automatically, some built-in data types require type annotations to preserve the type during deserialization.

-# [C#](#tab/csharp)

-# [C#](#tab/csharp)

-## Blob trigger

- connection="<STORAGE_CONNECTION_SETTING>")

-@app.cosmos_db_trigger(arg_name="documents", database_name="<DB_NAME>", collection_name="<COLLECTION_NAME>", connection_string_setting="<COSMOS_CONNECTION_SETTING>",

- connection="<EVENT_HUB_CONNECTION_SETTING>")

-## Azure Queue Storage trigger

- connection="")

-@app.service_bus_queue_trigger(arg_name="msg", queue_name="myinputqueue", connection="")

-@app.service_bus_topic_trigger(arg_name="message", topic_name="mytopic", connection="", subscription_name="testsub")

-+ If you had custom domain configured, [remap the domain name](../app-service/manage-custom-dns-migrate-domain.md#remap-the-active-dns-name)

-| [Azure Blob Storage](functions-bindings-triggers-python.md#blob-trigger) | x | x | x |

-+ To use a `--worker-runtime` value of `node`, specify the `--language` as `javascript`.

-|[Accenture Federal Services LLC](https://www.accenture.com/us-en/afs-industry-index)|

-## [3.0.0-preview.2](https://www.npmjs.com/package/azure-maps-control/v/3.0.0-preview.2) (December 16, 2022)

-### New features

-Add `progressiveLoading` and `progressiveLoadingInitialLayerGroups` to [StyleOptions][StyleOptions] to enable the capability of loading map layers progressively. This feature improves the perceived loading time of the map. For more information, see [2.2.2 release notes](#222-december-15-2022).

-The preview is available on [npm](https://www.npmjs.com/package/azure-maps-control/v/3.0.0-preview.2) and CDN.

- - Install [azure-maps-control@next][azure-maps-control] to your dependencies:

- ```shell

- npm i azure-maps-control@next

- ```

- - Reference the following CSS and JavaScript in the `<head>` element of an HTML file:

- <link href="https://atlas.microsoft.com/sdk/javascript/mapcontrol/3.0.0-preview.2/atlas.min.css" rel="stylesheet" />

- <script src="https://atlas.microsoft.com/sdk/javascript/mapcontrol/3.0.0-preview.2/atlas.min.js"></script>

-### Bug fixes

-## [3.0.0-preview.1](https://www.npmjs.com/package/azure-maps-control/v/3.0.0-preview.1) (November 18, 2022)

-### New features

-This update is the first preview of the upcoming 3.0.0 release. The underlying [maplibre-gl][maplibre-gl] dependency has been upgraded from `1.14` to `3.0.0-pre.1`, offering improvements in stability and performance. The preview is available on [npm](https://www.npmjs.com/package/azure-maps-control/v/3.0.0-preview.1).

- - Install [azure-maps-control@next][azure-maps-control] to your dependencies:

-### Bug fixes

- ```js

- indoorManager.setOptions({

- tilesetId: undefined

- })

- ```

-## [2.2.2](https://www.npmjs.com/package/azure-maps-control/v/2.2.2) (December 15, 2022)

-### New features

-Add `progressiveLoading` and `progressiveLoadingInitialLayerGroups` to [StyleOptions][StyleOptions] to enable the capability of loading map layers progressively. This feature improves the perceived loading time of the map.

-### Bug fixes

-[Azure Maps Samples](https://samples.azuremaps.com)

-[Azure Maps Blog](https://techcommunity.microsoft.com/t5/azure-maps-blog/bg-p/AzureMapsBlog)

-[TrafficControlOptions]: /javascript/api/azure-maps-control/atlas.trafficcontroloptions

-# Install Log Analytics agent on Linux computers

-* Install the agent for Linux using a wrapper-script hosted on GitHub. This is the recommended method to install and upgrade the agent when the computer has connectivity with the Internet, directly or through a proxy server.

-* Manually download and install the agent. This is required when the Linux computer doesn't have access to the Internet and will be communicating with Azure Monitor or Azure Automation through the [Log Analytics gateway](./gateway.md).

-See [Installation options](./log-analytics-agent.md#installation-options) for more efficient options you can use for Azure virtual machines.

-See [Overview of Azure Monitor agents](agents-overview.md#supported-operating-systems) for a list of Linux distributions supported by the Log Analytics agent.

->[!NOTE]

->OpenSSL 1.1.0 is only supported on x86_x64 platforms (64-bit) and OpenSSL earlier than 1.x is not supported on any platform.

->The Log Analytics Linux Agent does not run in containers. To monitor containers, use the [Container Monitoring solution](../containers/containers.md) for Docker hosts or [Container insights](../containers/container-insights-overview.md) for Kubernetes.

-* Only the server versions are supported, not client.

-* Focus support on any of the [Azure Linux Endorsed distros](../../virtual-machines/linux/endorsed-distros.md). There may be some delay between a new distro/version being Azure Linux Endorsed and it being supported for the Log Analytics Linux agent.

-* Only support VM images; containers, even those derived from official distro publishers' images, aren't supported.

->If you are using a distro or version that is not currently supported and doesn't align to our support model, we recommend that you fork this repo, acknowledging that Microsoft support will not provide assistance with forked agent versions.

-Starting from Agent version 1.13.27, the Linux Agent will support both Python 2 and 3. We always recommend using the latest agent.

-If you're using an older version of the agent, you must have the Virtual Machine use Python 2 by default. If your virtual machine is using a distro that doesn't include Python 2 by default, then you must install it. The following sample commands will install Python 2 on different distros.

-Again, only if you're using an older version of the agent, the python2 executable must be aliased to *python*. Following is one method that you can use to set this alias:

-1. Run the following command to remove any existing aliases.

-2. Run the following command to create the alias.

-The following are currently supported:

-The following aren't supported:

-CIS, FIPS and SELinux hardening support is planned for [Azure Monitoring Agent](./azure-monitor-agent-overview.md). Further hardening and customization methods aren't supported nor planned for OMS Agent. For instance, OS images like GitHub Enterprise Server which include customizations such as limitations to user account privileges aren't supported.

-The following table highlights the packages required for [supported Linux distros](#supported-operating-systems) that the agent will be installed on.

-|Glibc | GNU C Library | 2.5-12

-|Openssl | OpenSSL Libraries | 1.0.x or 1.1.x |

-|PAM | Pluggable Authentication Modules | |

->Either rsyslog or syslog-ng are required to collect syslog messages. The default syslog daemon on version 5 of Red Hat Enterprise Linux, CentOS, and Oracle Linux version (sysklog) is not supported for syslog event collection. To collect syslog data from this version of these distributions, the rsyslog daemon should be installed and configured to replace sysklog.

-See [Log Analytics agent overview](./log-analytics-agent.md#network-requirements) for the network requirements for the Linux agent.

-Regardless of the installation method used, you'll require the workspace ID and key for the Log Analytics workspace that the agent will connect to. Select the workspace from the **Log Analytics workspaces** menu in the Azure portal. Then select **Agents management** in the **Settings** section.

-[](media/log-analytics-agent/workspace-details.png#lightbox)

-**Package** | **Version** | **Description**

-omsagent | 1.14.19 | The Log Analytics Agent for Linux

-omsconfig | 1.1.1 | Configuration agent for the Log Analytics agent

-omi | 1.6.9 | Open Management Infrastructure (OMI) -- a lightweight CIM Server. *Note that OMI requires root access to run a cron job necessary for the functioning of the service*

-scx | 1.6.9 | OMI CIM Providers for operating system performance metrics

-Installing the Log Analytics agent for Linux packages also applies the system-wide configuration changes below. Uninstalling the omsagent package removes these artifacts.

-* A non-privileged user named: `omsagent` is created. The daemon runs under this credential.

-* A sudoers *include* file is created in `/etc/sudoers.d/omsagent`. This authorizes `omsagent` to restart the syslog and omsagent daemons. If sudo *include* directives aren't supported in the installed version of sudo, these entries will be written to `/etc/sudoers`.

-On a monitored Linux computer, the agent is listed as `omsagent`. `omsconfig` is the Log Analytics agent for Linux configuration agent that looks for new portal side configuration every 5 minutes. The new and updated configuration is applied to the agent configuration files located at `/etc/opt/microsoft/omsagent/conf/omsagent.conf`.

-## Install the agent

-The following steps configure setup of the agent for Log Analytics in Azure and Azure Government cloud using the wrapper script for Linux computers that can communicate directly or through a proxy server to download the agent hosted on GitHub and install the agent.

-If your Linux computer needs to communicate through a proxy server to Log Analytics, this configuration can be specified on the command line by including `-p [protocol://][user:password@]proxyhost[:port]`. The *protocol* property accepts `http` or `https`, and the *proxyhost* property accepts a fully qualified domain name or IP address of the proxy server.

-If authentication is required in either case, you need to specify the username and password. For example: `https://user01:password@proxy01.contoso.com:30443`

-1. To configure the Linux computer to connect to a Log Analytics workspace, run the following command providing the workspace ID and primary key. The following command downloads the agent, validates its checksum, and installs it.

-1. To configure the Linux computer to connect to Log Analytics workspace in Azure Government cloud, run the following command providing the workspace ID and primary key copied earlier. The following command downloads the agent, validates its checksum, and installs it.

-1. Restart the agent by running the following command:

-The Log Analytics agent for Linux is provided in a self-extracting and installable shell script bundle. This bundle contains Debian and RPM packages for each of the agent components and can be installed directly or extracted to retrieve the individual packages. One bundle is provided for x64 and one for x86 architectures.

-> For Azure VMs, we recommend you install the agent on them using the [Azure Log Analytics VM extension](../../virtual-machines/extensions/oms-linux.md) for Linux.

-1. [Download](https://github.com/microsoft/OMS-Agent-for-Linux#azure-install-guide) and transfer the appropriate bundle (x64 or x86) to your Linux VM or physical computer, using scp/sftp.

- > Use the `--upgrade` argument if any dependent packages such as omi, scx, omsconfig, or their older versions are installed, as would be the case if the system Center Operations Manager agent for Linux is already installed.

- > The command above uses the optional `--skip-docker-provider-install` flag to disable the Container Monitoring data collection because the [Container Monitoring solution](../containers/containers.md) is being retired.

-1. To configure the Linux agent to install and connect to a Log Analytics workspace through a Log Analytics gateway, run the following command providing the proxy, workspace ID, and workspace key parameters. This configuration can be specified on the command line by including `-p [protocol://][user:password@]proxyhost[:port]`. The *proxyhost* property accepts a fully qualified domain name or IP address of the Log Analytics gateway server.

- If authentication is required, you need to specify the username and password. For example:

-1. To configure the Linux computer to connect to a Log Analytics workspace in Azure Government cloud, run the following command providing the workspace ID and primary key copied earlier.

-> There will be a warning message during the upgrade "docker provider package installation skipped" since --skip-docker-provider-install flag is set. If you are installing over an existing omsagent install and wish to remove the docker provider, you should first purge the existing installation and then install using the --skip-docker-provider-install flag.

-Data from the Log Analytics agent for Linux is cached on the local machine at *%STATE_DIR_WS%/out_oms_common*.buffer* before it's sent to Azure Monitor. Custom log data is buffered in *%STATE_DIR_WS%/out_oms_blob*.buffer*. The path may be different for some [solutions and data types](https://github.com/microsoft/OMS-Agent-for-Linux/search?utf8=%E2%9C%93&q=+buffer_path&type=).

-The agent attempts to upload every 20 seconds. If it fails, it waits an exponentially increasing length of time until it succeeds: 30 seconds before the second attempt, 60 seconds before the third, 120 seconds, and so on, up to a maximum of 16 minutes between retries until it successfully connects again. The agent retries up to 6 times for a given chunk of data before discarding and moving to the next one. This continues until the agent can successfully upload again. This means that data may be buffered up to approximately 30 minutes before being discarded.

- |10102 and 10103 |Health Service Modules |Workflow couldn't resolve the data source. |This issue can occur if the specified performance counter or instance doesn't exist on the computer or is incorrectly defined in the workspace data settings. If this is a user-specified [performance counter](data-sources-performance-counters.md#configuring-performance-counters), verify the information specified follows the correct format and exists on the target computers. |

-description: Internet Information Services (IIS) stores user activity in log files that can be collected by Azure Monitor. This article describes how to configure collection of IIS logs and details of the records they create in Azure Monitor.

-# Collect IIS logs with Log Analytics agent in Azure Monitor

-

-> This article covers collecting IIS logs with the [Log Analytics agent](./log-analytics-agent.md), which **will be deprecated by August 2024**. Please be sure to [migrate to Azure Monitor agent](./azure-monitor-agent-manage.md) before August 2024 to continue ingesting data. See [Collect text logs with Azure Monitor agent (preview)](../agents/data-collection-text-log.md) for details on collecting IIS logs with [Azure Monitor agent](azure-monitor-agent-overview.md).

-## Configuring IIS logs

-Azure Monitor only supports IIS log files stored in W3C format and does not support custom fields or IIS Advanced Logging. It does not collect logs in NCSA or IIS native format.

-Configure IIS logs in Azure Monitor from the [Agent configuration menu](../agents/agent-data-sources.md#configure-data-sources) for the Log Analytics agent. There is no configuration required other than selecting **Collect W3C format IIS log files**.

-Azure Monitor collects IIS log entries from each agent each time the log timestamp changes. The log is read every **5 minutes**. If for any reason IIS doesn't update the timestamp before the rollover time when a new file is created, entries will be collected following creation of the new file. The frequency of new file creation is controlled by the **Log File Rollover Schedule** setting for the IIS site, which is once a day by default. If the setting is **Hourly**, Azure Monitor collects the log each hour. If the setting is **Daily**, Azure Monitor collects the log every 24 hours.

-> It is recommended to set the **Log File Rollover Schedule** to **Hourly**. If it's set to **Daily**, you may experience spikes in your data since it will only be collected once per day.

-IIS log records have a type of **W3CIISLog** and have the properties in the following table:

-| csMethod |Method of the request such as GET or POST. |

-| csUriStem |Target of the request such as a web page. |

-| ManagementGroupName |Name of the management group for Operations Manager agents. For other agents, this is AOI-\<workspace ID\> |

-| SourceSystem |OpsMgr |

-The following table provides different examples of log queries that retrieve IIS log records.

-description: Performance counters are collected by Azure Monitor to analyze performance on Windows and Linux agents. This article describes how to configure collection of Performance counters for both Windows and Linux agents, details of they are stored in the workspace, and how to analyze them in the Azure portal.

-# Collect Windows and Linux performance data sources with Log Analytics agent

-Performance counters in Windows and Linux provide insight into the performance of hardware components, operating systems, and applications. Azure Monitor can collect performance counters from Log Analytics agents at frequent intervals for Near Real Time (NRT) analysis in addition to aggregating performance data for longer term analysis and reporting.