-

-You should see something similar to the following response:

-The authorization code flow begins with the client directing the user to the `/authorize` endpoint. This is the interactive part of the flow, where the user takes action. In this request, the client indicates in the `scope` parameter the permissions that it needs to acquire from the user. The following three examples (with line breaks for readability) each use a different user flow.

-description: Learn how to manage SSO sessions using custom policies in Azure AD B2C.

-# Single sign-on session management in Azure Active Directory B2C

-[Single sign-on (SSO) session](session-behavior.md) management uses the same semantics as any other technical profile in custom policies. When an orchestration step is executed, the technical profile associated with the step is queried for a `UseTechnicalProfileForSessionManagement` reference. If one exists, the referenced SSO session provider is then checked to see if the user is a session participant. If so, the SSO session provider is used to repopulate the session. Similarly, when the execution of an orchestration step is complete, the provider is used to store information in the session if an SSO session provider has been specified.

-Azure AD B2C has defined a number of SSO session providers that can be used:

-|Session provider |Scope |

-|||

-|[NoopSSOSessionProvider](#noopssosessionprovider) | None |

-|[DefaultSSOSessionProvider](#defaultssosessionprovider) | Azure AD B2C internal session manager. |

-|[ExternalLoginSSOSessionProvider](#externalloginssosessionprovider) | Between Azure AD B2C and OAuth1, OAuth2, or OpenId Connect identity provider. |

-|[OAuthSSOSessionProvider](#oauthssosessionprovider) | Between an OAuth2 or OpenId connect relying party application and Azure AD B2C. |

-|[SamlSSOSessionProvider](#samlssosessionprovider) | Between Azure AD B2C and SAML identity provider. And between a SAML service provider (relying party application) and Azure AD B2C. |

-SSO management classes are specified using the `<UseTechnicalProfileForSessionManagement ReferenceId="{ID}" />` element of a technical profile.

-## Input claims

-The `InputClaims` element is empty or absent.

-## Persisted claims

-Claims that need to be returned to the application or used by preconditions in subsequent steps, should be stored in the session or augmented by a read from the user's profile in the directory. Using persisted claims ensures that your authentication journeys won't fail on missing claims. To add claims in the session, use the `<PersistedClaims>` element of the technical profile. When the provider is used to repopulate the session, the persisted claims are added to the claims bag.

-## Output claims

-The `<OutputClaims>` is used for retrieving claims from the session.

-## Session providers

-### NoopSSOSessionProvider

-As the name dictates, this provider does nothing. This provider can be used for suppressing SSO behavior for a specific technical profile. The following `SM-Noop` technical profile is included in the [custom policy starter pack](tutorial-create-user-flows.md?pivots=b2c-custom-policy#custom-policy-starter-pack).

-```xml

-<TechnicalProfile Id="SM-Noop">

- <DisplayName>Noop Session Management Provider</DisplayName>

- <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.NoopSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />

-</TechnicalProfile>

-```

-### DefaultSSOSessionProvider

-This provider can be used for storing claims in a session. This provider is typically referenced in a technical profile used for managing local and federated accounts. The following `SM-AAD` technical profile is included in the [custom policy starter pack](tutorial-create-user-flows.md?pivots=b2c-custom-policy#custom-policy-starter-pack).

- <PersistedClaim ClaimTypeReferenceId="signInName" />

- <PersistedClaim ClaimTypeReferenceId="authenticationSource" />

- <PersistedClaim ClaimTypeReferenceId="identityProvider" />

- <PersistedClaim ClaimTypeReferenceId="newUser" />

- <PersistedClaim ClaimTypeReferenceId="executed-SelfAsserted-Input" />

-The following `SM-MFA` technical profile is included in the [custom policy starter pack](tutorial-create-user-flows.md?pivots=b2c-custom-policy#custom-policy-starter-pack) `SocialAndLocalAccountsWithMfa`. This technical profile manages the multi-factor authentication session.

-<TechnicalProfile Id="SM-MFA">

- <DisplayName>Session Mananagement Provider</DisplayName>

- <PersistedClaim ClaimTypeReferenceId="Verified.strongAuthenticationPhoneNumber" />

- <OutputClaim ClaimTypeReferenceId="isActiveMFASession" DefaultValue="true"/>

-### ExternalLoginSSOSessionProvider

-This provider is used to suppress the "choose identity provider" screen and sign-out from a federated identity provider. It is typically referenced in a technical profile configured for a federated identity provider, such as Facebook, or Azure Active Directory. The following `SM-SocialLogin` technical profile is included in the [custom policy starter pack](tutorial-create-user-flows.md?pivots=b2c-custom-policy#custom-policy-starter-pack).

-#### Metadata

-| Attribute | Required | Description|

-| | | |

-| AlwaysFetchClaimsFromProvider | No | Not currently used, can be ignored. |

-### OAuthSSOSessionProvider

-This provider is used for managing the Azure AD B2C sessions between a OAuth2 or OpenId Connect relying party and Azure AD B2C.

-### SamlSSOSessionProvider

-This provider is used for managing the Azure AD B2C SAML sessions between a relying party application or a federated SAML identity provider. When using the SSO provider for storing a SAML identity provider session, the `RegisterServiceProviders` must be set to `false`. The following `SM-Saml-idp` technical profile is used by the [SAML identity provider](identity-provider-generic-saml.md).

-When using the provider for storing the B2C SAML session, the `RegisterServiceProviders` must set to `true`. SAML session logout requires the `SessionIndex` and `NameID` to complete.

-The following `SM-Saml-issuer` technical profile is used by [SAML issuer technical profile](saml-service-provider.md)

-#### Metadata

-```Javascript

-```Javascript

-```Javascript

-```Javascript

-| end_session_endpoint | No | The URL of the end session endpoint. The value of authorization_endpoint metadata takes precedence over the `end_session_endpoint` specified in the OpenID well-known configuration endpoint. |

-By default, `switchValue` for the ECMA Connector Host is set to `Error`. This setting means it will only log events that are errors. To enable verbose logging for the ECMA host service or wizard, set `switchValue` to `Verbose` in both locations as shown.

- <source name="ConnectorsLog" switchValue="Verbose">

- <source name="ECMA2Host" switchValue="Verbose">

-The file location for verbose wizard logging is C:\Program Files\Microsoft ECMA2Host\Wizard\Microsoft.ECMA2Host.ConfigWizard.exe.config.

- <source name="ConnectorsLog" switchValue="Verbose">

- <source name="ECMA2Host" switchValue="Verbose">

-Azure Active Directory (Azure AD) Multi-Factor Authentication (MFA) helps safeguard access to data and applications, providing another layer of security by using a second form of authentication. Organizations can enable multifactor authentication with [Conditional Access](../conditional-access/overview.md) to make the solution fit their specific needs.

-This deployment guide shows you how to plan and implement an [Azure AD MFA](concept-mfa-howitworks.md) roll-out.

-## Prerequisites for deploying Azure AD MFA

-| Microsoft Authenticator (Push notification and passwordless phone sign-in) | MFA settings or Authentication methods policy | Authenticator passwordless phone sign-in can be scoped to users and groups |

-| SMS verification | MFA settings <br/>Manage SMS sign-in for primary authentication in authentication policy | SMS sign-in can be scoped to users and groups. |

-Azure AD MFA is enforced with Conditional Access policies. These policies allow you to prompt users for multifactor authentication when needed for security and stay out of users' way when not needed.

-To learn more about creating Conditional Access policies, see [Conditional Access policy to prompt for Azure AD MFA when a user signs in to the Azure portal](tutorial-enable-azure-mfa.md). This helps you to:

-### Common policies for Azure AD MFA

-Common use cases to require Azure AD MFA include:

-If your organization uses [Azure AD Identity Protection](../identity-protection/overview-identity-protection.md) to detect risk signals, consider using [risk-based policies](../identity-protection/howto-identity-protection-configure-risk-policies.md) instead of named locations. Policies can be created to force password changes when there is a threat of compromised identity or require multifactor authentication when a sign-in is deemed [risky by events](../identity-protection/overview-identity-protection.md#risk-detection-and-remediation) such as leaked credentials, sign-ins from anonymous IP addresses, and more.

-If your users were enabled using per-user enabled and enforced Azure AD Multi-Factor Authentication the following PowerShell can assist you in making the conversion to Conditional Access based Azure AD Multi-Factor Authentication.

-When planning your MFA deployment, it's important to think about how frequently you would like to prompt your users. Asking users for credentials often seems like a sensible thing to do, but it can backfire. If users are trained to enter their credentials without thinking, they can unintentionally supply them to a malicious credential prompt.

-Azure AD has multiple settings that determine how often you need to reauthenticate. Understand the needs of your business and users and configure settings that provide the best balance for your environment.

-We recommend using devices with Primary Refresh Tokens (PRT) for improved end user experience and reduce the session lifetime with sign-in frequency policy only on specific business use cases.

-For more information, see [Optimize reauthentication prompts and understand session lifetime for Azure AD MFA](concepts-azure-multi-factor-authentication-prompts-session-lifetime.md).

-A major step in every MFA deployment is getting users registered to use MFA. Authentication methods such as Voice and SMS allow pre-registration, while others like the Authenticator App require user interaction. Administrators must determine how users will register their methods.

-We recommend using the [combined registration experience](howto-registration-mfa-sspr-combined.md) for Azure AD MFA and [Azure AD self-service password reset (SSPR)](concept-sspr-howitworks.md). SSPR allows users to reset their password in a secure way using the same methods they use for Azure AD MFA. Combined registration is a single step for end users.

-Azure AD Identity Protection contributes both a registration policy for and automated risk detection and remediation policies to the Azure AD MFA story. Policies can be created to force password changes when there is a threat of compromised identity or require MFA when a sign-in is deemed risky.

-If you don't have licenses that enable Azure AD Identity Protection, users are prompted to register the next time that MFA is required at sign-in.

-If you have users registered for MFA using SMS or voice calls, you may want to move them to more secure methods such as the Microsoft Authenticator app. Microsoft now offers a public preview of functionality that allows you to prompt users to set up the Microsoft Authenticator app during sign-in. You can set these prompts by group, controlling who is prompted, enabling targeted campaigns to move users to the more secure method.

-It's critical to inform users about upcoming changes, Azure AD MFA registration requirements, and any necessary user actions.

-We provide [communication templates](https://aka.ms/mfatemplates) and [end-user documentation](https://support.microsoft.com/account-billing/set-up-your-security-info-from-a-sign-in-prompt-28180870-c256-4ebf-8bd7-5335571bf9a8) to help draft your communications. Send users to [https://myprofile.microsoft.com](https://myprofile.microsoft.com/) to register by selecting the **Security Info** link on that page.

-Some legacy and on-premises applications do not authenticate directly against Azure AD and require additional steps to use Azure AD MFA. You can integrate them by using Azure AD Application proxy or [Network policy services](/windows-server/networking/core-network-guide/core-network-guide#BKMK_optionalfeatures).

-We recommend migrating applications secured with Active Directory Federation Services (AD FS) to Azure AD. However, if you are not ready to migrate these to Azure AD, you can use the Azure MFA adapter with AD FS 2016 or newer.

-If your organization is federated with Azure AD, you can [configure Azure AD MFA as an authentication provider with AD FS resources](/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa) both on-premises and in the cloud.

-### RADIUS clients and Azure AD MFA

-## Deploy Azure AD MFA

-Your MFA rollout plan should include a pilot deployment followed by deployment waves that are within your support capacity. Begin your rollout by applying your Conditional Access policies to a small group of pilot users. After evaluating the effect on the pilot users, process used, and registration behaviors, you can either add more groups to the policy or add more users to the existing groups.

-## Manage Azure AD MFA

-This section provides reporting and troubleshooting information for Azure AD MFA.

-Azure AD has reports that provide technical and business insights, follow the progress of your deployment and check if your users are successful at sign-in with MFA. Have your business and technical application owners assume ownership of and consume these reports based on your organization's requirements.

-#### Sign-in report to review MFA events

-The Azure AD sign-in reports include authentication details for events when a user is prompted for multi-factor authentication, and if any Conditional Access policies were in use. You can also use PowerShell for reporting on users registered for MFA.

-For more information, and additional MFA reports, see [Review Azure AD Multi-Factor Authentication events](howto-mfa-reporting.md#view-the-azure-ad-sign-ins-report).

-### Troubleshoot Azure AD MFA

-See [Troubleshooting Azure AD MFA](https://support.microsoft.com/help/2937344/troubleshooting-azure-multi-factor-authentication-issues) for common issues.

-* [Password Writeback](./concept-sspr-writeback.md) allows management of on-premises passwords and resolution of account lockout though the cloud.

-Microsoft recommends that organizations enable the combined registration experience for SSPR and multi-factor authentication. When you enable this combined registration experience, users need only select their registration information once to enable both features.

-The combined registration experience does not require organizations to enable both SSPR and Azure AD Multi-Factor Authentication. Combined registration provides organizations a better user experience. For more information, see [Combined security information registration](concept-registration-mfa-sspr-combined.md)

-### Plan communications

-Communication is critical to the success of any new service. You should proactively communicate with your users how their experience will change, when it will change, and how to gain support if they experience issues. Review the [Self-service password reset rollout materials on the Microsoft download center](https://www.microsoft.com/download/details.aspx?id=56768) for ideas on how to plan your end-user communication strategy.

-1. Created and begun executing your [communication plan](#plan-communications).

-1. Identified the users and groups for the [pilot](#plan-a-pilot) and production environments.

-1. [Determined configuration settings](#plan-configuration) for registration and self-service.

-1. [Configured password writeback](#password-writeback) if you have a hybrid environment.

-If your app is structured such that there is one central Javascript file that defines the app's initialization, routing, and other stuff, you can conditionally load your app modules based on whether the app is loading in an `iframe` or not. For example:

-To manage custom security attribute assignments for users in your Azure AD organization, you can use the Microsoft Graph API. The following API calls can be made to manage assignments.

-To remove a single-valued custom security attribute assignment, set the value to null.

-To remove a multi-valued custom security attribute assignment, set the value to an empty collection.

-The following example, retrieves users with an `AppCountry` attribute that equals `Canada`. You must add `ConsistencyLevel: eventual` in the header. You must also include `$count=true` to ensure the request is routed correctly.

-The following example, retrieves users with an `EmployeeId` attribute that starts with `111`. You must add `ConsistencyLevel: eventual` in the header. You must also include `$count=true` to ensure the request is routed correctly.

-The following example, retrieves users with a `AppCountry` attribute that does not equal `Canada`. This query will also retrieve users that do not have the `AppCountry` attribute assigned. You must add `ConsistencyLevel: eventual` in the header. You must also include `$count=true` to ensure the request is routed correctly.

-#### Get the properties of a predefined value

-GET https://graph.microsoft.com/beta/directory/customSecurityAttributeDefinitions/Engineering_Project/allowedValues/Alpine

-#### Get all predefined values

-GET https://graph.microsoft.com/beta/directory/customSecurityAttributeDefinitions/Engineering_Project/allowedValues

-## [Javascript](#tab/javascript)

-* It is not supported to use the same custom domain name in more than one Azure AD tenant, with one exception: it is supported to use a custom domain name in the Azure Commercial environment and use that same domain name in the Azure GCCH environment. Note that the custom domain name MUST exist in Commercial before it can be verified in the GCCH environment.

-Related information to enable cross cloud federation can be found in [the dual federation article](./how-to-connect-fed-single-adfs-multitenant-federation.md)

-#### Other examples

-For other similar Microsoft Graph API examples for users, see [Assign or remove custom security attributes for a user](../enterprise-users/users-custom-security-attributes.md#microsoft-graph-api).

-* Manage Identities and access from a single control plane, [the Azure portal](https://portal.azure.com/)

-Initiate **Easy Button** configuration to set up a SAML Service Provider (SP) and Azure AD as an Identity Provider (IdP) for your application.

-You can include additional Azure AD attributes if necessary, but the example PeopleSoft scenario only requires the default attributes.

-The **Easy Button wizard** supports Kerberos, OAuth Bearer, and HTTP authorization headers for SSO to published applications. As the PeopleSoft application expects headers, enable **HTTP Headers** and enter the following properties.

-From a browser, connect to the **PeopleSoft applicationΓÇÖs external URL** or select the applicationΓÇÖs icon in the [Microsoft MyApps portal](https://myapps.microsoft.com/). After authenticating to Azure AD, youΓÇÖll be redirected to the BIG-IP virtual server for the application and automatically signed in through SSO.

-There may be cases where the Guided Configuration templates lack the flexibility to achieve more specific requirements. For those scenarios, see [Advanced Configuration for kerberos-based SSO](./f5-big-ip-kerberos-advanced.md). Alternatively, the BIG-IP gives the option to disable **Guided ConfigurationΓÇÖs strict management mode**. This allows you to manually tweak your configurations, even though bulk of your configurations are automated through the wizard-based templates.

-> - [JAVA](/java/api/overview/azure/identity-readme)

-> - [Javascript](/javascript/api/overview/azure/identity-readme)

-description: Learn how to configure single sign-on between Azure Active Directory and Adobe Identity Management.

-# Tutorial: Azure Active Directory single sign-on (SSO) integration with Adobe Identity Management

-In this tutorial, you'll learn how to integrate Adobe Identity Management with Azure Active Directory (Azure AD). When you integrate Adobe Identity Management with Azure AD, you can:

-* Control in Azure AD who has access to Adobe Identity Management.

-* Enable your users to be automatically signed-in to Adobe Identity Management with their Azure AD accounts.

-* Adobe Identity Management single sign-on (SSO) enabled subscription.

-* Adobe Identity Management supports **SP** initiated SSO

-* Adobe Identity Management supports [**automated** user provisioning and deprovisioning](adobe-identity-management-provisioning-tutorial.md) (recommended).

-## Adding Adobe Identity Management from the gallery

-To configure the integration of Adobe Identity Management into Azure AD, you need to add Adobe Identity Management from the gallery to your list of managed SaaS apps.

-1. In the **Add from the gallery** section, type **Adobe Identity Management** in the search box.

-1. Select **Adobe Identity Management** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

-## Configure and test Azure AD SSO for Adobe Identity Management

-Configure and test Azure AD SSO with Adobe Identity Management using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Adobe Identity Management.

-To configure and test Azure AD SSO with Adobe Identity Management, perform the following steps:

-1. **[Configure Adobe Identity Management SSO](#configure-adobe-identity-management-sso)** - to configure the single sign-on settings on application side.

- 1. **[Create Adobe Identity Management test user](#create-adobe-identity-management-test-user)** - to have a counterpart of B.Simon in Adobe Identity Management that is linked to the Azure AD representation of user.

-1. In the Azure portal, on the **Adobe Identity Management** application integration page, find the **Manage** section and select **single sign-on**.

-1. On the **Basic SAML Configuration** section, enter the values for the following fields:

- > The Identifier value is not real. Update the value with the actual Identifier. Contact [Adobe Identity Management Client support team](mailto:identity@adobe.com) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

-1. On the **Set up Adobe Identity Management** section, copy the appropriate URL(s) based on your requirement.

-In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Adobe Identity Management.

-1. In the applications list, select **Adobe Identity Management**.

-## Configure Adobe Identity Management SSO

-1. To automate the configuration within Adobe Identity Management, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**.

-2. After adding extension to the browser, click on **Set up Adobe Identity Management** will direct you to the Adobe Identity Management application. From there, provide the admin credentials to sign into Adobe Identity Management. The browser extension will automatically configure the application for you and automate steps 3-8.

-3. If you want to setup Adobe Identity Management manually, in a different web browser window, sign in to your Adobe Identity Management company site as an administrator.

-### Create Adobe Identity Management test user

-* Click on **Test this application** in Azure portal. This will redirect to Adobe Identity Management Sign-on URL where you can initiate the login flow.

-* Go to Adobe Identity Management Sign-on URL directly and initiate the login flow from there.

-* You can use Microsoft My Apps. When you click the Adobe Identity Management tile in the My Apps, this will redirect to Adobe Identity Management Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

-Once you configure Adobe Identity Management you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

-> This Conerstone OnDemand automatic provisioning service is deprecated and support will end soon.

-description: Learn how to configure single sign-on between Azure Active Directory and Euromonitor Passport.

-# Tutorial: Azure Active Directory single sign-on (SSO) integration with Euromonitor Passport

-In this tutorial, you'll learn how to integrate Euromonitor Passport with Azure Active Directory (Azure AD). When you integrate Euromonitor Passport with Azure AD, you can:

-* Control in Azure AD who has access to Euromonitor Passport.

-* Enable your users to be automatically signed-in to Euromonitor Passport with their Azure AD accounts.

-* Euromonitor Passport single sign-on (SSO) enabled subscription.

-* Euromonitor Passport supports **SP and IDP** initiated SSO.

-## Add Euromonitor Passport from the gallery

-To configure the integration of Euromonitor Passport into Azure AD, you need to add Euromonitor Passport from the gallery to your list of managed SaaS apps.

-1. In the **Add from the gallery** section, type **Euromonitor Passport** in the search box.

-1. Select **Euromonitor Passport** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

-## Configure and test Azure AD SSO for Euromonitor Passport

-Configure and test Azure AD SSO with Euromonitor Passport using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Euromonitor Passport.

-To configure and test Azure AD SSO with Euromonitor Passport, perform the following steps:

-1. **[Configure Euromonitor Passport SSO](#configure-euromonitor-passport-sso)** - to configure the single sign-on settings on application side.

- 1. **[Create Euromonitor Passport test user](#create-euromonitor-passport-test-user)** - to have a counterpart of B.Simon in Euromonitor Passport that is linked to the Azure AD representation of user.

-1. In the Azure portal on the **Euromonitor Passport** application integration page, find the **Manage** section and select **single sign-on**.

-1. If you wish to configure the application in **SP** initiated mode, you need to get the Sign-on URL form the [Euromonitor Passport support team](mailto:passport.support@euromonitor.com). After you get the Sign-on URL from the Euromonitor Passport support team, click **Set additional URLs** and perform the following step:

- Paste the obtained Sign-on URL value from the Euromonitor Passport support team into the Sign-on URL textbox.

-1. Euromonitor Passport application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.

-1. In addition to above, Euromonitor Passport application expects few more attributes to be passed back in SAML response which are shown below. These attributes are also pre populated but you can review them as per your requirements.

-In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Euromonitor Passport.

-1. In the applications list, select **Euromonitor Passport**.

-## Configure Euromonitor Passport SSO

-To configure single sign-on on **Euromonitor Passport** side, you need to send the **App Federation Metadata Url** to [Euromonitor Passport support team](mailto:passport.support@euromonitor.com). They set this setting to have the SAML SSO connection set properly on both sides.

-### Create Euromonitor Passport test user

-In this section, you create a user called B.Simon in Euromonitor Passport. Work with [Euromonitor Passport support team](mailto:passport.support@euromonitor.com) to add the users in the Euromonitor Passport platform. Users must be created and activated before you use single sign-on.

-* Click on **Test this application** in Azure portal. This will redirect to Euromonitor Passport Sign on URL where you can initiate the login flow.

-* Go to Euromonitor Passport Sign-on URL directly and initiate the login flow from there.

-* Click on **Test this application** in Azure portal and you should be automatically signed in to the Euromonitor Passport for which you set up the SSO.

-You can also use Microsoft My Apps to test the application in any mode. When you click the Euromonitor Passport tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Euromonitor Passport for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

-Once you configure Euromonitor Passport you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

- `https://<subdomain>.Insight4GRC.com/SAML`

- `https://<subdomain>.Insight4GRC.com/Public/SAML/ACS.aspx`

- `https://<subdomain>.Insight4GRC.com/Public/Login.aspx`

-Once you configure Insight4GRC you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

-description: Learn how to configure single sign-on between Azure Active Directory and Litmos.

-# Tutorial: Azure Active Directory single sign-on (SSO) integration with Litmos

-In this tutorial, you'll learn how to integrate Litmos with Azure Active Directory (Azure AD). When you integrate Litmos with Azure AD, you can:

-* Control in Azure AD who has access to Litmos.

-* Enable your users to be automatically signed-in to Litmos with their Azure AD accounts.

-* Litmos single sign-on (SSO) enabled subscription.

-* Litmos supports **IDP** initiated SSO.

-* Litmos supports **Just In Time** user provisioning.

-## Add Litmos from the gallery

-To configure the integration of Litmos into Azure AD, you need to add Litmos from the gallery to your list of managed SaaS apps.

-1. In the **Add from the gallery** section, type **Litmos** in the search box.

-1. Select **Litmos** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

-## Configure and test Azure AD SSO for Litmos

-Configure and test Azure AD SSO with Litmos using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Litmos.

-To configure and test Azure AD SSO with Litmos, perform the following steps:

-1. **[Configure Litmos SSO](#configure-litmos-sso)** - to configure the single sign-on settings on application side.

- 1. **[Create Litmos test user](#create-litmos-test-user)** - to have a counterpart of B.Simon in Litmos that is linked to the Azure AD representation of user.

-1. In the Azure portal, on the **Litmos** application integration page, find the **Manage** section and select **single sign-on**.

-1. On the **Set up single sign-on with SAML** page, perform the following steps:

- a. In the **Identifier** text box, type a URL using the following pattern:

- `https://<companyname>.litmos.com/account/Login`

- b. In the **Reply URL** text box, type a URL using the following pattern:

- `https://<companyname>.litmos.com/integration/samllogin`

- > [!NOTE]

- > These values are not real. Update these values with the actual Identifier and Reply URL, which are explained later in tutorial or contact [Litmos Client support team](https://www.litmos.com/contact-us) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

-1. On the **Set up Litmos** section, copy the appropriate URL(s) based on your requirement.

-In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Litmos.

-1. In the applications list, select **Litmos**.

-## Configure Litmos SSO

-1. In a different browser window, sign-on to your Litmos company site as administrator.

-6. In your **Litmos** application, perform the following steps:

-### Create Litmos test user

-In this section, a user called B.Simon is created in Litmos. Litmos supports just-in-time user provisioning, which is enabled by default. There's no action item for you in this section. If a user doesn't already exist in Litmos, a new one is created after authentication.

-**To create a user called Britta Simon in Litmos, perform the following steps:**

-1. In a different browser window, sign-on to your Litmos company site as administrator.

-In this section, you test your Azure AD single sign-on configuration with following options.

-* Click on Test this application in Azure portal and you should be automatically signed in to the Litmos for which you set up the SSO.

-* You can use Microsoft My Apps. When you click the Litmos tile in the My Apps, you should be automatically signed in to the Litmos for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

-Once you configure Litmos you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-aad).

-description: Learn how to configure single sign-on between Azure Active Directory and Mimecast Personal Portal.

-# Tutorial: Azure Active Directory single sign-on (SSO) integration with Mimecast Personal Portal

-In this tutorial, you'll learn how to integrate Mimecast Personal Portal with Azure Active Directory (Azure AD). When you integrate Mimecast Personal Portal with Azure AD, you can:

-* Control in Azure AD who has access to Mimecast Personal Portal.

-* Enable your users to be automatically signed-in to Mimecast Personal Portal with their Azure AD accounts.

-* Mimecast Personal Portal single sign-on (SSO) enabled subscription.

-* Mimecast Personal Portal supports **SP and IDP** initiated SSO

-## Add Mimecast Personal Portal from the gallery

-To configure the integration of Mimecast Personal Portal into Azure AD, you need to add Mimecast Personal Portal from the gallery to your list of managed SaaS apps.

-1. In the **Add from the gallery** section, type **Mimecast Personal Portal** in the search box.

-1. Select **Mimecast Personal Portal** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

-## Configure and test Azure AD SSO for Mimecast Personal Portal

-Configure and test Azure AD SSO with Mimecast Personal Portal using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Mimecast Personal Portal.

-To configure and test Azure AD SSO with Mimecast Personal Portal, perform the following steps:

-1. **[Configure Mimecast Personal Portal SSO](#configure-mimecast-personal-portal-sso)** - to configure the single sign-on settings on application side.

- 1. **[Create Mimecast Personal Portal test user](#create-mimecast-personal-portal-test-user)** - to have a counterpart of B.Simon in Mimecast Personal Portal that is linked to the Azure AD representation of user.

-1. In the Azure portal, on the **Mimecast Personal Portal** application integration page, find the **Manage** section and select **single sign-on**.

- a. In the **Identifier** textbox, type the URL using the following pattern:

- > You will find the `accountcode` value in the Mimecast Personal Portal under **Account** > **Settings** > **Account Code**. Append the `accountcode` to the Identifier.

- b. In the **Reply URL** textbox, type the URL:

- In the **Sign-on URL** textbox, type the URL:

-In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Mimecast Personal Portal .

-1. In the applications list, select **Mimecast Personal Portal**.

-## Configure Mimecast Personal Portal SSO

-1. Provide a valid description in the **Description** textbox and select **Enforce SAML Authentication for Mimecast Personal Portal** checkbox.

-1. On the **SAML Configuration for Mimecast Personal Portal** page, perform the following steps:

-### Create Mimecast Personal Portal test user

- 

-* Click on **Test this application** in Azure portal. This will redirect to Mimecast Personal Portal Sign on URL where you can initiate the login flow.

-* Go to Mimecast Personal Portal Sign-on URL directly and initiate the login flow from there.

-* Click on **Test this application** in Azure portal and you should be automatically signed in to the Mimecast Personal Portal for which you set up the SSO

-You can also use Microsoft My Apps to test the application in any mode. When you click the Mimecast Personal Portal tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Mimecast Personal Portal for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

-Once you configure Mimecast Personal Portal you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

-description: Steps to configure an OpenID/OAuth application from the Azure AD app gallery.

-# Configure an OpenID/OAuth application from the Azure AD app gallery

-| `receipt`| string | Optional. The receipt contains the original payload sent from the authenticator to Verifiable Credentials. |

- counter-key="key value" />

-1. Enter the values from the following table. Then select **Create** to create your API.

- :::image type="content" source="media/import-and-publish/create-api.png" alt-text="Create an API":::

- |**OpenAPI specification**|*https:\//conferenceapi.azurewebsites.net?format=json*|The service implementing the API. API Management forwards requests to this address. The service must be hosted at a publicly accessible internet address. |

-2. Select **Create**.

- :::image type="content" source="media/import-and-publish/01-import-first-api-01.png" alt-text="Test API in Azure portal":::

-> [Create and publish a product](api-management-howto-add-products.md)

-* Central India (*)

-Run the following command in the [Cloud Shell](https://shell.azure.com) to set the PHP version to 7.4:

-az webapp config set --resource-group <resource-group-name> --name <app-name> --php-version 7.4

-Run the following command in the [Cloud Shell](https://shell.azure.com) to set the PHP version to 7.2:

-az webapp config set --resource-group <resource-group-name> --name <app-name> --linux-fx-version "PHP|7.2"

-

-| Name | A friendly name for your App Service certificate. |

-| Naked Domain Host Name | Specify the root domain here. The issued certificate secures *both* the root domain and the `www` subdomain. In the issued certificate, the Common Name field contains the root domain, and the Subject Alternative Name field contains the `www` domain. To secure any subdomain only, specify the fully qualified domain name of the subdomain here (for example, `mysubdomain.contoso.com`).|

-| Certificate SKU | Determines the type of certificate to create, whether a standard certificate or a [wildcard certificate](https://wikipedia.org/wiki/Wildcard_certificate). |

-| Legal Terms | Click to confirm that you agree with the legal terms. The certificates are obtained from GoDaddy. |

-2. [Bind the new certificate to the same custom domain](configure-ssl-bindings.md) without deleting the existing (expiring) certificate. This action replaces the binding instead of removing the existing certificate binding.

-> Beginning on September 23 2021, App Service certificates require domain verification every 395 days.

-> Unlike App Service Managed Certificate, domain re-verification for App Service certificates is *not* automated. Refer to [verify domain ownership](#verify-domain-ownership) for more information on how to verify your App Service certificate.

-To toggle the automatic renewal setting of your App Service certificate at any time, select the certificate in the [App Service Certificates](https://portal.azure.com/#blade/HubsExtension/Resources/resourceType/Microsoft.CertificateRegistration%2FcertificateOrders) page, then click **Auto Renew Settings** in the left navigation. By default, App Service Certificates have a one-year validity period.

-Select **On** or **Off** and click **Save**. Certificates can start automatically renewing 31 days before expiration if you have automatic renewal turned on.

-* To learn how to troubleshoot your Hybrid Runbook Workers, see [Troubleshoot Hybrid Runbook Worker issues](troubleshoot/hybrid-runbook-worker.md#general).

-Applications can choose to subscribe to these events either directly from Event Grid, or through a web hook, or by forwarding events to Azure Service Bus. The Azure Service Bus SDK provides an API to register a message handler that simplifies this process for applications that either don't have an HTTP endpoint or don't wish to poll the event grid for changes continuously.

-This tutorial shows how you can implement dynamic configuration updates in your code using push refresh. It builds on the app introduced in the quickstarts. Before you continue, finish [Create a .NET Core app with App Configuration](./quickstart-dotnet-core-app.md) first.

-To do this tutorial, install the [.NET Core SDK](https://dotnet.microsoft.com/download).

-This tutorial uses the Service Bus integration for Event Grid to simplify the detection of configuration changes for applications that don't wish to poll App Configuration for changes continuously. The Azure Service Bus SDK provides an API to register a message handler that can be used to update configuration when changes are detected in App Configuration. Follow steps in the [Quickstart: Use the Azure portal to create a Service Bus topic and subscription](../service-bus-messaging/service-bus-quickstart-topics-subscriptions-portal.md) to create a service bus namespace, topic, and subscription.

-using System.Diagnostics;

-using System.Text;

-using System.Text.Json;

- private const string AppConfigurationConnectionStringEnvVarName = "AppConfigurationConnectionString"; // e.g. Endpoint=https://{store_name}.azconfig.io;Id={id};Secret={secret}

- private const string ServiceBusConnectionStringEnvVarName = "ServiceBusConnectionString"; // e.g. Endpoint=sb://{service_bus_name}.servicebus.windows.net/;SharedAccessKeyName={key_name};SharedAccessKey={key}

- .SetCacheExpiration(TimeSpan.FromDays(30)) // Important: Reduce poll frequency

-

- {

- string messageText = Encoding.UTF8.GetString(message.Body);

- JsonElement messageData = JsonDocument.Parse(messageText).RootElement.GetProperty("data");

- string key = messageData.GetProperty("key").GetString();

- Console.WriteLine($"Event received for Key = {key}");

- _refresher.SetDirty();

- return Task.CompletedTask;

- },

-The [SetDirty](/dotnet/api/microsoft.extensions.configuration.azureappconfiguration.iconfigurationrefresher.setdirty) method is used to set the cached value for key-values registered for refresh as dirty. This ensures that the next call to `RefreshAsync` or `TryRefreshAsync` revalidates the cached values with App Configuration and updates them if needed.

-A random delay is added before the cached value is marked as dirty to reduce potential throttling in case multiple instances refresh at the same time. The default maximum delay before the cached value is marked as dirty is 30 seconds, but can be overridden by passing an optional `TimeSpan` parameter to the `SetDirty` method.

-> [!NOTE]

-> To reduce the number of requests to App Configuration when using push refresh, it is important to call `SetCacheExpiration(TimeSpan cacheExpiration)` with an appropriate value of `cacheExpiration` parameter. This controls the cache expiration time for pull refresh and can be used as a safety net in case there is an issue with the Event subscription or the Service Bus subscription. The recommended value is `TimeSpan.FromDays(30)`.

-> [Managed identity integration](./howto-integrate-azure-managed-service-identity.md)

- var connectionString = builder.Configuration["AppConfig"];

-| [Geo-replication](#geo-replication) | Linked cache instances in two regions, with user-controlled failover | Up to 99.999% (see [details](https://azure.microsoft.com/support/legal/sla/cache/v1_1/)) |-|Γ£ö|Preview|

-### Enterprise tiers

-### Premium tier

-### Enterprise tiers

->[!NOTE]

->This is available as a preview.

->

->

-The Enterprise tiers support a more advanced form of geo-replication. We call it [active geo-replication](cache-how-to-active-geo-replication.md). Using conflict-free replicated data types, the Redis Enterprise software supports writes to multiple cache instances and takes care of merging of changes and resolving conflicts. You can join two or more Enterprise tier cache instances in different Azure regions to form an active geo-replicated cache.

-# Configure active geo-replication for Enterprise Azure Cache for Redis instances (Preview)

-> Data transfer between Azure regions will be charged at standard [bandwidth rates](https://azure.microsoft.com/pricing/details/bandwidth/).

- :::image type="content" source="media/cache-how-to-active-geo-replication/cache-active-geo-replication-not-configured.png" alt-text="Configure active geo-replication":::

-| [Geo-replication](cache-how-to-geo-replication.md) |-|-|Γ£ö|Preview|Preview|

-High server load means the Redis server is busy and unable to keep up with requests, leading to timeouts. Check the **Redis Server Load** metric on your cache by selecting **Monitor** from the Resource menu on the left. You can Redis Server Load graph in the working pane.

-Azure Cache for Redis now integrates with Azure diagnostic settings to log information on all client connections to your cache. Logging and then analyzing this diagnostic setting helps you understand who is connecting to your caches and the timestamp of those connections. This data could be used to identify the scope of a security breach and for security auditing purposes. Users can route these logs to a destination of their choice, such as a storage account or event hub.

-Both Enterprise and Enterprise Flash support open-source Redis 6 and some new features that aren't yet available in the Basic, Standard, or Premium tiers. The supported features include some Redis modules that enable additional features like search, bloom filters, and time series.

-1. Select **Next: Advanced**.

-

- :::image type="content" source="media/cache-create/enterprise-tier-advanced.png" alt-text="Screenshot that shows the Enterprise tier Advanced tab.":::

- > Redis Enterprise supports two clustering policies. Use the **Enterprise** policy to access your cache using the regular Redis API, and **OSS** the OSS Cluster API.

-The Enterprise Cluster mode is a simpler configuration that exposes a single endpoint for client connections. This mode allows an application designed to use a standalone, or non-clustered, Redis server to seamlessly operate with a scalable, multi-node, Redis implementation. Enterprise Cluster mode abstracts the Redis Cluster implementation from the client by internally routing requests to the correct node in the cluster. Clients are not required to support OSS Cluster mode.

-# Customer intent: As an IT admin, I need to understand how to create an order via the Azure Edge Hardware Center.

-+ The [Azure Functions Core Tools](functions-run-local.md#install-the-azure-functions-core-tools) version 3.x.

-+ Both [.NET Core 3.1 runtime](https://dotnet.microsoft.com/download) and [.NET Core 2.1 runtime](https://dotnet.microsoft.com/download/dotnet/2.1)

-You can extract values from the `IConfiguration` instance into a custom type. Copying the app settings values to a custom type makes it easy test your services by making these values injectable. Settings read into the configuration instance must be simple key/value pairs.

-The following tables provide information about what kind of traffic information you can request from each country or region. If a market is missing in the following tables, it is not currently supported.

-## Middle East and Africa

-For more information about incorporating Azure Maps traffic data into your mapping applications, see the [Traffic](/rest/api/maps/traffic) REST API reference.

-| Country/region | Infrared Satellite Tiles | Minute Forecast, Radar Tiles | Severe Weather Alerts | Other* |

-| Country/region | Infrared Satellite Tiles | Minute Forecast, Radar Tiles | Severe Weather Alerts | Other* |

-| Country/region | Infrared Satellite Tiles | Minute Forecast, Radar Tiles | Severe Weather Alerts | Other* |

-| Country/region | Infrared Satellite Tiles | Minute Forecast, Radar Tiles | Severe Weather Alerts | Other* |

-1. Search for and select the Microsoft Teams connector. Choose the **Microsoft Teams - Post message** action.

- 

- 1. In the **If true** condition, follow the instructions in steps 11 through 13 in [Create an activity log alert](#create-an-activity-log-alert-administrative) to add the Microsoft Teams action.

- 1. Define the message by using a combination of HTML and dynamic content. Copy and paste the following content into the **Message** field. Replace the `[incidentType]`, `[trackingID]`, `[title]`, and `[communication]` fields with dynamic content tags of the same name:

- ```html

- <p>

- <b>Alert Type:</b>&nbsp;<strong>[incidentType]</strong>&nbsp;

- <strong>Tracking ID:</strong>&nbsp;[trackingId]&nbsp;

- <strong>Title:</strong>&nbsp;[title]</p>

- <p>

- <a href="https://ms.portal.azure.com/#blade/Microsoft_Azure_Health/AzureHealthBrowseBlade/serviceIssues">For details, log in to the Azure Service Health dashboard.</a>

- </p>

- <p>[communication]</p>

- ```

- 

- ```html

- <p><strong>Service Health Alert</strong></p>

- <p><b>Unrecognized alert schema</b></p>

- <p><a href="https://ms.portal.azure.com/#blade/Microsoft_Azure_Health/AzureHealthBrowseBlade/serviceIssues">For details, log in to the Azure Service Health dashboard.\</a></p>

- ```

- 

- 

- 

-Change Analysis lives in a standalone pane under Azure Monitor, where you can view all changes and application dependency/resource insights.

-1. Use [these instructions](../../../active-directory/develop/quickstart-create-new-tenant.md) to set up Azure Active Directory, using these settings at the relevant steps:

-1. After completing the Active Directory setup, request an authorization token as described in the section below.

-1. (Optional) If you only want to work with sample data in a non-production environment, use an API key for authentication as described below.

-When making a request to the Authorize URL, the client\_id is the Application ID from your Azure AD App, copied from the App's properties menu. The redirect\_uri is the home page/login URL from the same Azure AD App. When a request is successful, this endpoint redirects you to the login page you provided at sign-up with the authorization code appended to the URL. See the following example:

-All values are the same as before, with some additions. The authorization code is the same code you received in the previous request after a successful redirect. We now combine it with the key we previously obtained from our Azure AD App, or if you did not save the key you can delete it and create a new one from the keys tab of the Azure AD App menu. The response is a JSON string containing the token with the following schema. Exact values are indicated where they should not be changed. Types are indicated for the token values.

-| [Azure Security Center](../security-center/index.yml) | Collect and analyze security events and perform threat analysis. See [Data collection in Azure Security Center](../security-center/security-center-enable-data-collection.md) |

-| [Azure Sentinel](../sentinel/index.yml) | Connects to different sources including Office 365 and Amazon Web Services Cloud Trail. See [Connect data sources](../sentinel/connect-data-sources.md). |

-* [Log Analytics query optimization tips](../logs/query-optimization.md)

- 2. Replace the value in the URL to the <strong>HTTP Trigger Url</strong> you noted down in section 2 (ex: https://xxx.azurewebsites.net/api/httpexample)

-The ability to change to a different maintenance window is not available for every service level or in every region. For details on availability, see [Maintenance window availability](maintenance-window.md#availability).

-The maintenance window can be configured on creation or for existing Azure SQL resources. It can be configured using the Azure portal, PowerShell, CLI, or Azure API.

-### Cost and eligibility

-Configuring and using maintenance window is free of charge for all eligible [offer types](https://azure.microsoft.com/support/legal/offer-details/): Pay-As-You-Go, Cloud Solution Provider (CSP), Microsoft Enterprise Agreement, or Microsoft Customer Agreement.

-> [!Note]

-> An Azure offer is the type of the Azure subscription you have. For example, a subscription with [pay-as-you-go rates](https://azure.microsoft.com/offers/ms-azr-0003p/), [Azure in Open](https://azure.microsoft.com/offers/ms-azr-0111p/), and [Visual Studio Enterprise](https://azure.microsoft.com/offers/ms-azr-0063p/) are all Azure offers. Each offer or plan has different terms and benefits. Your offer or plan is shown on the subscription's Overview. For more information on switching your subscription to a different offer, see [Change your Azure subscription to a different offer](../../cost-management-billing/manage/switch-azure-offer.md).

-## Advance notifications

-Maintenance notifications can be configured to alert you on upcoming planned maintenance events for your Azure SQL Database 24 hours in advance, at the time of maintenance, and when the maintenance is complete. For more information, see [Advance Notifications](advance-notifications.md).

-## Availability

-| Service | Domain names to be accessed |

-| -- | |

-| Azure Backup | `*.backup.windowsazure.com` |

-| Azure Storage | `*.blob.core.windows.net` <br><br> `*.queue.core.windows.net` <br><br> `*.blob.storage.azure.net` |

-| Azure AD | Allow access to FQDNs under sections 56 and 59 according to [this article](/office365/enterprise/urls-and-ip-address-ranges#microsoft-365-common-and-office-online) |

-```json

-> Uploading and downloading files is supported using the native client only. You can't upload and download files using PowerShell or via the Azure portal.

-1. Sign in to your Azure account and select your subscription containing your Bastion resource.

-1. Sign in to your Azure account and select your subscription containing your Bastion resource.

-Refer to the [Try Content Moderator on the web](quick-start.md) quickstart for instructions on how to sign up for the [Content Moderator Review tool](https://contentmoderator.cognitive.microsoft.com/) and create a review team. Take note of the **Team ID** value on the **Credentials** page.

-> [!div class="nextstepaction"]

-The QnA Maker resource provides access to the authoring and publishing APIs as well as the natural language processing (NLP) based second ranking layer (ranker #2) of the QnA pairs at runtime.

-The second ranking applies intelligent filters that can include metadata and follow-up prompts.

-The [App service](../../../app-service/index.yml) is used by your client application to access the published knowledge bases via the runtime endpoint.

-description: Conversation Transcription is a solution for meetings, that combines recognition, speaker ID, and diarization to provide transcription of any conversation.

-# What is Conversation Transcription (Preview)?

-Conversation Transcription is a [speech-to-text](speech-to-text.md) solution that provides real-time or asynchronous transcription of any conversation. Conversation Transcription combines speech recognition, speaker identification, and sentence attribution to determine who said what and when in a conversation.

-> Although Conversation Transcription does not put a limit on the number of speakers in the room, it is optimized for 2-10 speakers per session.

-To make meetings inclusive for everyone, such as participants who are deaf and hard of hearing, it is important to have transcription in real time. Conversation Transcription in real-time mode takes meeting audio and determines who is saying what, allowing all meeting participants to follow the transcript and participate in the meeting without a delay.

-### Improved efficiency

-Meeting participants can focus on the meeting and leave note-taking to Conversation Transcription. Participants can actively engage in the meeting and quickly follow up on next steps, using the transcript instead of taking notes and potentially missing something during the meeting.

-This is a high-level overview of how Conversation Transcription works.

-

-User voice samples for voice signatures are required for speaker identification. Speakers who do not have voice samples will be recognized as "Unidentified". Unidentified speakers can still be differentiated when the `DifferentiateGuestSpeakers` property is enabled (see example below). The transcription output will then show speakers as "Guest_0", "Guest_1", etc. instead of recognizing as pre-enrolled specific speaker names.

-Conversation Transcription offers three transcription modes:

-Audio data is processed live to return speaker identifier + transcript. Select this mode if your transcription solution requirement is to provide conversation participants a live transcript view of their ongoing conversation. For example, building an application to make meetings more accessible the deaf and hard of hearing participants is an ideal use case for real-time transcription.

-Audio data is batch processed to return speaker identifier and transcript. Select this mode if your transcription solution requirement is to provide higher accuracy without live transcript view. For example, if you want to build an application to allow meeting participants to easily catch up on missed meetings, then use the asynchronous transcription mode to get high-accuracy transcription results.

-Audio data is processed live to return speaker identifier + transcript, and, in addition, a request is created to also get a high-accuracy transcript through asynchronous processing. Select this mode if your application has a need for real-time transcription but also requires a higher accuracy transcript for use after the conversation or meeting occurred.

-Currently, Conversation Transcription supports [all speech-to-text languages](language-support.md#speech-to-text) in the following regions:ΓÇ»`centralus`, `eastasia`, `eastus`, `westeurope`. If you require additional locale support, contact the [Conversation Transcription Feature Crew](mailto:CTSFeatureCrew@microsoft.com).

-description: Custom Neural Voice is a text-to-Speech feature that allows you to create a one-of-a-kind customized synthetic voice for your applications by providing your own audio data as a sample.

-Custom Neural Voice is a Text-to-Speech (TTS) feature that lets you create a one-of-a-kind customized synthetic voice for your applications. With Custom Neural Voice, you can build a highly natural-sounding voice by providing your audio samples as training data. Based on the Neural Text-to-Speech technology and the multi-lingual multi-speaker universal model, Custom Neural Voice lets you create synthetic voices that are rich in speaking styles, or adaptable cross languages. The realistic and natural sounding voice of Custom Neural Voice can represent brands, personify machines, and allow users to interact with applications conversationally. See the supported [languages](language-support.md#custom-neural-voice) for Custom Neural Voice and cross-lingual feature.

-> The Custom Neural Voice feature requires registration, and access to it is limited based upon MicrosoftΓÇÖs eligibility and use criteria. Customers who wish to use this feature are required to register their use cases through the [intake form](https://aka.ms/customneural).

-The underlying Neural TTS technology used for Custom Neural Voice

-consists of three major components: Text Analyzer, Neural Acoustic

-Model, and Neural Vocoder. To generate natural synthetic speech from

-text, text is first input into Text Analyzer, which provides output in

-the form of phoneme sequence. A phoneme is a basic unit of sound that

-distinguishes one word from another in a particular language. A sequence

-of phonemes defines the pronunciations of the words provided in the

-text.

-Next, the phoneme sequence goes into the Neural Acoustic Model to

-predict acoustic features that define speech signals, such as the

-timbre, the speaking style, speed, intonations, and stress patterns. Finally, the Neural Vocoder converts the acoustic features into audible waves so that synthetic speech is generated.

-

-Neural Text-to-Speech voice models are trained using deep neural networks based on

-the recording samples of human voices. In this

-[blog](https://techcommunity.microsoft.com/t5/azure-ai/neural-text-to-speech-extends-support-to-15-more-languages-with/ba-p/1505911),

-we describe how Neural Text-to-Speech works with state-of-the-art neural speech

-synthesis models. The blog also explains how a universal base model can be adapted to a target speaker's voice with less

-than 2 hours of speech data (or less than 2,000 recorded utterances), and additionally transfer the voice to another language or style. To read about how a neural vocoder is trained, see the [blog post](https://techcommunity.microsoft.com/t5/azure-ai/azure-neural-tts-upgraded-with-hifinet-achieving-higher-audio/ba-p/1847860).

-Custom Neural Voice lets you adapt the Neural Text-to-Speech engine to fit your scenarios. To create a custom neural voice, use [Speech Studio](https://speech.microsoft.com/customvoice) to upload the recorded audio and corresponding scripts, train the model, and deploy the voice to a custom endpoint. Custom Neural Voice can use text provided by the user to convert text into speech in real-time, or generate audio content offline with text input. This is made available via the [REST API](./rest-text-to-speech.md), the [Speech SDK](./get-started-text-to-speech.md), or the [web portal](https://speech.microsoft.com/audiocontentcreation).

-| Voice model | A Text-to-Speech model that can mimic the unique vocal characteristics of a target speaker. A *voice model* is also known as a *voice font* or *synthetic voice*. A voice model is a set of parameters in binary format that is not human readable and does not contain audio recordings. It cannot be reverse engineered to derive or construct the audio of a human voice. |

-| Voice talent | Individuals or target speakers whose voices are recorded and used to create voice models that are intended to sound like the voice talentΓÇÖs voice.|

-| Standard TTS | The standard, or "traditional," method of Text-to-Speech that breaks down spoken language into phonetic snippets so that they can be remixed and matched using classical programming or statistical methods.|

-| Neural TTS | Neural TTS synthesizes speech using deep neural networks that have "learned" the way phonetics are combined in natural human speech, rather than using procedural programming or statistical methods. In addition to the recordings of a target voice talent, Neural TTS uses a source library/base model that is built with voice recordings from many different speakers. |

-| Training data | A custom neural voice training dataset that includes the audio recordings of the voice talent, and the associated text transcriptions.|

-| Persona | A persona describes who you want this voice to be. A good persona design will inform all voice creation whether itΓÇÖs choosing an available voice model already created, or starting from scratch by casting and recording a new voice talent.|

-| Script | A script is a text file that contains the utterances to be spoken by your voice talent. (The term "*utterances*" encompasses both full sentences and shorter phrases.)|

-To learn how to use Custom Neural Voice responsibly, see the [transparency note](/legal/cognitive-services/speech-service/custom-neural-voice/transparency-note-custom-neural-voice?context=/azure/cognitive-services/speech-service/context/context). MicrosoftΓÇÖs transparency notes are intended to help you understand how our AI technology works, the choices system owners can make that influence system performance and behavior, and the importance of thinking about the whole system, including the technology, the people, and the environment.

-description: Learn how to use the Speech SDK to convert speech-to-text. In this quickstart, you learn about object construction, supported audio input formats, and configuration options for speech recognition.

-If there are uncommon terms without standard pronunciations that your users will encounter or use, you can provide a custom pronunciation file to improve recognition. For a list of languages that support custom pronunciation, see **Pronunciation** in the **Customizations** column in [the Speech-to-text table](language-support.md#speech-to-text).

-> [!IMPORTANT]

-> We don't recommend that you use custom pronunciation files to alter the pronunciation of common words.

-Provide pronunciations in a single text file. This file includes examples of a spoken utterance and a custom pronunciation for each:

-| Recognized/displayed form | Spoken form |

-The spoken form is the phonetic sequence spelled out. It can be composed of letters, words, syllables, or a combination of all three.

-Use the following table to ensure that your related data file for pronunciations is correctly formatted. Pronunciation files are small and should be only a few kilobytes in size.

-description: "Custom Neural Voice is a set of online tools that allow you to create a recognizable, one-of-a-kind voice for your brand. All it takes to get started are a handful of audio files and the associated transcriptions."

-[Custom Neural Voice](https://aka.ms/customvoice) is a set of online tools that allow you to create a recognizable, one-of-a-kind voice for your brand. All it takes to get started are a handful of audio files and the associated transcriptions. Follow the links below to start creating a custom Text-to-Speech experience. See the supported [languages](language-support.md#custom-neural-voice) and [regions](regions.md#custom-neural-voices) for Custom Neural Voice.

-> As part of Microsoft's commitment to designing responsible AI, we have limited the use of Custom Neural Voice. You may gain access to the technology only after your applications are reviewed and you have committed to using it in alignment with our responsible AI principles. Learn more about our [policy on the limit access](/legal/cognitive-services/speech-service/custom-neural-voice/limited-access-custom-neural-voice?context=%2fazure%2fcognitive-services%2fspeech-service%2fcontext%2fcontext) and [apply here](https://aka.ms/customneural).

-A Speech service subscription is required before you can use Custom Neural Voice. Follow these instructions to create a Speech service subscription in Azure. If you do not have an Azure account, you can sign up for a new one.

-Once you've created an Azure account and a Speech service subscription, you'll need to sign in Speech Studio and connect your subscription.

-2. Sign in to [Speech Studio](https://speech.microsoft.com), then select **Custom Voice**.

-3. Select your subscription and create a speech project.

-4. If you'd like to switch to another Speech subscription, use the cog icon located in the top navigation.

-> You must have a F0 or a S0 Speech service key created in Azure before you can use the service. Custom Neural Voice only supports the S0 tier.

-Content like data, models, tests, and endpoints are organized into **Projects** in Speech Studio. Each project is specific to a country/language and the gender of the voice you want to create. For example, you may create a project for a female voice for your call center's chat bots that use English in the United States ('en-US').

-1. Sign in [Speech Studio](https://speech.microsoft.com).

-1. After you've created a project, you will see four tabs: **Set up voice talent**, **Prepare training data**, **Train model**, and **Deploy model**. See [Prepare data for custom neural voice](how-to-custom-voice-prepare-data.md) to set up voice talent and proceed to training data.

-Creating a great custom neural voice requires careful quality control in each step, from voice design and data preparation, to the deployment of the voice model to your system. Below are some key steps to take when creating a custom neural voice for your organization.

-First, design a persona of the voice that represents your brand using a persona brief document that defines elements such as the features of the voice, and the character behind the voice. This will help to guide the process of creating a custom neural voice model, including defining the scripts, selecting your voice talent, training and voice tuning.

-Carefully select the recording script to represent the user scenarios for your voice. For example, you can use the phrases from bot conversations as your recording script if you are creating a customer service bot. Include different sentence types in your scripts, including statements, questions, exclamations, etc.

-We recommend that the audio recordings be captured in a professional quality recording studio to achieve a high signal-to-noise ratio. The quality of the voice model heavily depends on your training data. Consistent volume, speaking rate, pitch, and consistency in expressive mannerisms of speech are required.

-Once the recordings are ready, follow [Prepare training data](how-to-custom-voice-prepare-data.md) to prepare the training data in the right format.

-Once you have prepared the training data, go to [Speech Studio](https://aka.ms/custom-voice) to create your custom neural voice. You need to select at least 300 utterances to create a custom neural voice. A series of data quality checks are automatically performed when you upload them. To build high-quality voice models, you should fix the errors and submit again.

-Prepare test scripts for your voice model that cover the different use cases for your apps. ItΓÇÖs recommended that you use scripts within and outside the training dataset so you can test the quality more broadly for different content.

-The style and the characteristics of the trained voice model depend on the style and the quality of the recordings from the voice talent used for training. However, several adjustments can be made using [SSML (Speech Synthesis Markup Language)](./speech-synthesis-markup.md?tabs=csharp) when you make the API calls to your voice model to generate synthetic speech. SSML is the markup language used to communicate with the TTS service to convert text into audio. The adjustments include change of pitch, rate, intonation, and pronunciation correction. If the voice model is built with multiple styles, SSML can also be used to switch the styles.

-## Migrate to Custom Neural Voice

-If you are using the old version of Custom Voice (to be retired in 2/2024), check the instructions [here](how-to-migrate-to-custom-neural-voice.md) on how to migrate it to Custom Neural Voice.

-* [Create a free Azure account](https://azure.microsoft.com/free/cognitive-services/)

-* [See how to recognize speech in C#](./get-started-speech-to-text.md?pivots=programming-language-chsarp)

-The Speech service allows your application to convert audio to text, perform speech translation, and convert text to speech. The service is available in multiple regions with unique endpoints for the Speech SDK and REST APIs.

-The Speech portal, where you can perform custom configurations to your speech experience for all regions, is available at [speech.microsoft.com](https://speech.microsoft.com).

-Keep in mind the following points when considering regions:

-* If your application uses a [Speech SDK](speech-sdk.md), you provide the region identifier, such as `westus`, when creating a speech configuration. Make sure the region matches the region of your subscription.

-* Keys created for a region are valid only in that region. Attempting to use them with other regions will result in authentication errors.

-> Speech Services doesn't store/process customer data outside the region the customer deploys the service instance in.

-In the [Speech SDK](speech-sdk.md), the region is specified as a parameter (for example, as a parameter to `SpeechConfig.FromSubscription` in the Speech SDK for C#).

-### Speech-to-Text, Text-to-Speech, and translation

-The Speech service is available in these regions for **Speech-to-Text**, **Text-to-Speech**, and **translation**:

-Available regions for **intent recognition** via the Speech SDK are in the following table.

-The [Speech SDK](speech-sdk.md) supports **voice assistant** capabilities through [Direct Line Speech](./direct-line-speech.md) for regions in the following table.

-### Speaker Recognition

-Available regions for **Speaker Recognition** are in the following table.

-Available regions for **Keyword recognition** are in the following table.

-| Region | Custom Keyword (Basic models) | Custom Keyword (Advanced models) | Keyword Verification |

-The Speech service also exposes REST endpoints for Speech-to-Text, Text-to-Speech and speaker recognition requests.

-### Speech-to-Text

-For Speech-to-Text reference documentation, see [Speech-to-Text REST API](rest-speech-to-text.md).

-> The language parameter must be appended to the URL to avoid receiving an 4xx HTTP error. For example, the language set to US English using the West US endpoint is: `https://westus.stt.speech.microsoft.com/speech/recognition/conversation/cognitiveservices/v1?language=en-US`.

-### Text-to-Speech

-For Text-to-Speech reference documentation, see [Text-to-Speech REST API](rest-text-to-speech.md).

-### Speaker Recognition

-For speaker recognition reference documentation, see [Speaker Recognition REST API](/rest/api/speakerrecognition/). Available regions are the same as Speaker Recognition SDK.

-description: Quick reference, detailed description, and best practices on Azure Cognitive Speech service Quotas and Limits

-# Speech service Quotas and Limits

-This article contains a quick reference and the **detailed description** of Azure Cognitive Speech service Quotas and Limits for all [pricing tiers](https://azure.microsoft.com/pricing/details/cognitive-services/speech-services/). It also contains some best practices to avoid request throttling.

-## Quotas and Limits quick reference

-Jump to [Text-to-Speech Quotas and limits](#text-to-speech-quotas-and-limits-per-speech-resource)

-### Speech-to-Text Quotas and Limits per Speech resource

-In the following tables, the parameters without "Adjustable" row are **not** adjustable for all price tiers.

-#### Online Transcription

-For the usage with [Speech SDK](speech-sdk.md) and/or [Speech-to-text REST API for short audio](rest-speech-to-text.md#speech-to-text-rest-api-for-short-audio).

-| **Concurrent Request limit - Base model endpoint** | 1 | 100 (default value) |

-| **Concurrent Request limit - Custom endpoint** | 1 | 100 (default value) |

-#### Batch Transcription

-| [Speech-to-text REST API V2.0 and v3.0](rest-speech-to-text.md#speech-to-text-rest-api-v30) limit | Batch transcription is not available for F0 | 300 requests per minute |

-| Max input blob size (may contain more than one file, for example, in a zip archive; ensure to note the file size limit above) | N/A | 2.5 GB |

-| Max number of files per Transcription request (when using multiple content URLs as input) | N/A | 1000 |

-#### Model Customization

-| Max acoustic dataset file size for Data Import | 2 GB | 2 GB |

-| Max language dataset file size for Data Import | 200 MB | 1.5 GB |

-| Max pronunciation dataset file size for Data Import | 1 KB | 1 MB |

-| Max text size when using `text` parameter in [Create Model](https://westcentralus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-0/operations/CreateModel/) API request | 200 KB | 500 KB |

-¹ For **Free (F0)** pricing tier see also monthly allowances at the [pricing page](https://azure.microsoft.com/pricing/details/cognitive-services/speech-services/).<br/>

-² See [additional explanations](#detailed-description-quota-adjustment-and-best-practices), [best practices](#general-best-practices-to-mitigate-throttling-during-autoscaling), and [adjustment instructions](#speech-to-text-increasing-online-transcription-concurrent-request-limit).<br/>

-### Text-to-Speech Quotas and limits per Speech resource

-In the tables below Parameters without "Adjustable" row are **not** adjustable for all price tiers.

-| **Max number of Transactions per Second (TPS) per Speech resource** | | |

-| Real-time API. Prebuilt neural voices and custom neural voices | 200⁴ | 200⁴ |

-| **HTTP-specific quotas** | | |

-| Max Audio length produced per request | 10 min | 10 min |

-| **Websocket specific quotas** | | |

-| Max Audio length produced per turn | 10 min | 10 min |

-| Max SSML Message size per turn | 64 KB | 64 KB |

-#### Custom neural voice

-| Max number of Transactions per Second (TPS) per Speech resource | [See above](#general) | [See above](#general) |

-| Max number of data sets per Speech resource | 10 | 500 |

-| Max number of simultaneous dataset upload per Speech resource | 2 | 5 |

-| Max number of simultaneous model trainings per Speech resource | N/A | 3 |

-| Max number of custom endpoints per Speech resource | N/A | 50 |

-| **Concurrent Request limit for custom neural voice** | | |

-³ For **Free (F0)** pricing tier see also monthly allowances at the [pricing page](https://azure.microsoft.com/pricing/details/cognitive-services/speech-services/).<br/>

-⁵ See [additional explanations](#detailed-description-quota-adjustment-and-best-practices), [best practices](#general-best-practices-to-mitigate-throttling-during-autoscaling), and [adjustment instructions](#text-to-speech-increasing-concurrent-request-limit-for-custom-neural-voices).<br/>

-## Detailed description, Quota adjustment, and best practices

-Before requesting a quota increase (where applicable), ensure that it is necessary. Speech service is using autoscaling technologies to bring the required computational resources in "on-demand" mode and at the same time to keep the customer costs low by not maintaining an excessive amount of hardware capacity. Every time your application receives a Response Code 429 ("Too many requests") while your workload is within the defined limits (see [Quotas and Limits quick reference](#quotas-and-limits-quick-reference)) the most likely explanation is that the Service is scaling up to your demand and did not reach the required scale yet, thus does not immediately have enough resources to serve the request. This state is usually transient and should not last long.

-To minimize issues related to throttling (Response Code 429), we recommend using the following techniques:

-*Example.* Your application is using text-to-speech and your current workload is 5 Transactions per Second (TPS). The next second you increase the load to 20 TPS (that is four times more). The Service immediately starts scaling up to fulfill the new load, but likely it will not be able to do it within a second, so some of the requests will get Response Code 429.

-The next sections describe specific cases of adjusting quotas.<br/>

-Jump to [Text-to-Speech: increasing concurrent request limit for custom neural voices](#text-to-speech-increasing-concurrent-request-limit-for-custom-neural-voices)

-### Speech-to-text: increasing online transcription concurrent request limit

-By default the number of concurrent requests is limited to 100 per Speech resource (Base model) and to 100 per Custom endpoint (Custom model). For the Standard pricing tier, this amount can be increased. Before submitting the request, ensure you are familiar with the material in [this section](#detailed-description-quota-adjustment-and-best-practices) and aware of these [best practices](#general-best-practices-to-mitigate-throttling-during-autoscaling).

-> If you use custom models, please be aware, that one Speech resource may be associated with many custom endpoints hosting many custom model deployments. Each Custom endpoint has the default number of concurrent request limit (100) set by creation. If you need to adjust it, you need to make the adjustment of each custom endpoint **separately**. Please also note, that the value of the number of concurrent request limit for the base model of a Speech resource has **no** effect to the custom endpoints associated with this resource.

-Increasing the Concurrent Request limit does **not** directly affect your costs. Speech service uses "Pay only for what you use" model. The limit defines how high the Service may scale before it starts throttle your requests.

-Concurrent Request limits for **Base** and **Custom** models need to be adjusted **separately**.

-Existing value of Concurrent Request limit parameter is **not** visible via Azure portal, Command-Line tools, or API requests. To verify the existing value, create an Azure Support Request.

->[Speech containers](speech-container-howto.md) do not require increases of Concurrent Request limit, as containers are constrained only by the CPUs of the hardware they are hosted on. However Speech containers have their own capacity limitations that should be taken into account. See the question *"Could you help with capacity planning and cost estimation of on-prem Speech-to-text containers?"* from the [Speech containers FAQ](./speech-container-howto.md).

-#### Have the required information ready:

- - Speech Resource ID

- - Custom Endpoint ID

- - Go to [Azure portal](https://portal.azure.com/)

- - Select the Speech Resource for which you would like to increase the Concurrency Request limit

- - Select *Properties* (*Resource Management* group)

- - Copy and save the values of the following fields:

- - **Resource ID**

- - **Location** (your endpoint Region)

- - Go to [Speech Studio](https://speech.microsoft.com/) portal

- - Sign in if necessary

- - Go to Custom Speech

- - Select your project

- - Go to *Deployment*

- - Select the required Endpoint

- - Copy and save the values of the following fields:

- - **Service Region** (your endpoint Region)

- - **Endpoint ID**

-#### Create and submit support request

-Initiate the increase of Concurrent Request limit for your resource or if necessary check the today's limit by submitting the Support Request:

- - "Quota or concurrent requests increase" - for an increase request

- - "Quota or usage validation" to check existing limit

- - a note, that the request is about **Speech-to-Text** quota

- - **Base** or **Custom** model

- - Azure resource information you [collected before](#have-the-required-information-ready)

- - Complete entering the required information and click *Create* button in *Review + create* tab

- - Note the support request number in Azure portal notifications. You will be contacted shortly for further processing

-This example presents the approach we recommend following to mitigate possible request throttling due to [Autoscaling being in progress](#detailed-description-quota-adjustment-and-best-practices). It is not an "exact recipe", but merely a template we invite to follow and adjust as necessary.

-Let us suppose that a Speech resource has the Concurrent Request limit set to 300. Start the workload from 20 concurrent connections and increase the load by 20 concurrent connections every 1.5-2 minutes. Control the Service responses and implement the logic that falls back (reduces the load) if you get too many Response Codes 429. Then retry in 1-2-4-4 minute pattern. (That is retry the load increase in 1 min, if still does not work, then in 2 min, and so on)

-Generally, it is highly recommended to test the workload and the workload patterns before going to production.

-### Text-to-Speech: increasing concurrent request limit for custom neural voices

-By default the number of concurrent requests for custom neural voice endpoints is limited to 10. For the Standard pricing tier, this amount can be increased. Before submitting the request, ensure you are familiar with the material in [this section](#detailed-description-quota-adjustment-and-best-practices) and aware of these [best practices](#general-best-practices-to-mitigate-throttling-during-autoscaling).

-Increasing the Concurrent Request limit does **not** directly affect your costs. Speech service uses "Pay only for what you use" model. The limit defines how high the Service may scale before it starts throttle your requests.

-Existing value of Concurrent Request limit parameter is **not** visible via Azure portal, Command-Line tools, or API requests. To verify the existing value, create an Azure Support Request.

->[Speech containers](speech-container-howto.md) do not require increases of Concurrent Request limit, as containers are constrained only by the CPUs of the hardware they are hosted on.

-#### Prepare the required information:

-To create an increase request, you will need to provide your Deployment Region and the Custom Endpoint ID. To get it, perform the following actions:

- - **Service Region** (your endpoint Region)

- - **Endpoint ID**

-#### Create and submit support request

-Initiate the increase of Concurrent Request limit for your resource or if necessary check the today's limit by submitting the Support Request:

- - "Quota or concurrent requests increase" - for an increase request

- - "Quota or usage validation" to check existing limit

- - a note, that the request is about **Text-to-Speech** quota

- - Azure resource information you [collected before](#prepare-the-required-information)

- - Complete entering the required information and click *Create* button in *Review + create* tab

- - Note the support request number in Azure portal notifications. You will be contacted shortly for further processing

-| Decision | Content Moderator | https://contentmoderator.cognitive.microsoft.com/dashboard | [Quickstart](./content-moderator/review-tool-user-guide/human-in-the-loop.md) |

-|ML entities|All of your ML entities will be transferred as CLU entities with the same names. The ML labels will be persisted and used to train the Learned component of the entity. Structured ML entities will only be transferred as the top-level entity. The individual sub-entities will be ignored.|

-|List entities | Not currently supported |

-|Prebuilt entities | Not currently supported |

-|Required entity features in ML entities | Not currently supported |

-|Non-required entity features in ML entities | Not currently supported |

-|Roles | Not currently supported |

-In enterprise, having an abundance of electronic documents can mean that searching through them is a time-consuming and expensive task. [Azure Cognitive Search](../../../../search/search-create-service-portal.md) can help with searching through your files, based on their indices. Custom NER can help by extracting relevant entities from your files, and enriching the process of indexing these files.

-* Create a Custom Named Entity Recognition project.

-* Publish Azure Function.

-1. Login through the [Language studio portal](https://aka.ms/LanguageStudio) and select **Custom entity extraction**.

-2. Select your Language resource. Make sure you have [enabled identity management](../how-to/create-project.md#enable-identity-management-for-your-resource) and roles for your resource and storage account.

-3. From the top of the projects screen, select **Create new project**. If requested, choose your storage account from the menu that appears.

- :::image type="content" source="../media/create-project.png" alt-text="A screenshot of the project creation page." lightbox="../media/create-project.png":::

-4. Enter the information for your project:

- | Key | Description |

- |--|--|

- | Name | The name of your project. You will not be able to rename your project after you create it. |

- | Description | A description of your project |

- | Language | The language of the files in your project.|

- > [!NOTE]

- > If your documents will be in multiple languages, select the **multiple languages** option in project creation, and set the **language** option to the language of the majority of your documents.

-5. For this tutorial, use an **existing tags file** and select the tags file you downloaded from the sample data.

-1. Select **Train** from the left side menu.

-2. To train a new model, select **Train a new model** and type in the model name in the text box below.

- :::image type="content" source="../media/train-model.png" alt-text="Create a new model" lightbox="../media/train-model.png":::

-3. Select the **Train** button at the bottom of the page.

-4. After training is completed, you can [view the model's evaluation details](../how-to/view-model-evaluation.md) and [improve the model](../how-to/improve-model.md)

-2. Select the model you want to deploy and from the top menu click on **Deploy model**. You can only see models that have completed training successfully.

-## Prepare your secrets for the Azure function

-Next you will need to prepare your secrets for your Azure function. Your project secrets are your:

-* Endpoint

-* Resource key

-* Deployment name

-### Get your custom NER project secrets

-* You will need your **Project name**, Project names are case sensitive.

-* You will also need the deployment name.

- * If you have deployed your model via Language Studio, your deployment slot will be `prod` by default.

- * If you have deployed your model programmatically, using the API, this is the deployment name you assigned in your request.

-### Get your resource keys endpoint

-1. Navigate to your resource in the [Azure portal](https://ms.portal.azure.com/#home).

-2. From the menu on the left side, select **Keys and Endpoint**. You will need the endpoint and one of the keys for the API requests.

- :::image type="content" source="../../media/azure-portal-resource-credentials.png" alt-text="A screenshot showing the key and endpoint screen in the Azure portal" lightbox="../../media/azure-portal-resource-credentials.png":::

-

-## Edit and deploy your Azure Function

-1. Download and use the [provided sample function](https://aka.ms/ct-cognitive-search-integration-tool).

-2. After you download the sample function, open the *program.cs* file and enter your app secrets.

-3. [Publish the function to Azure](../../../../azure-functions/functions-develop-vs.md?tabs=in-process#publish-to-azure).

-## Use the integration tool

-In the following sections, you will use the [Cognitive Search Integration tool](https://aka.ms/ct-cognitive-search-integration-tool) to integrate your project with Azure Cognitive Search. Download this repo now.

-1. In the folder you just download, and find the [sample configuration file](https://github.com/microsoft/CognitiveServicesLanguageUtilities/blob/dev/CustomTextAnalytics.CognitiveSearch/Samples/configs.json). Open it in a text editor.

- 1. Navigating to your storage account overview page in the [Azure portal](https://ms.portal.azure.com/#home).

- 2. In the top section of the screen, copy your container name to the `containerName` field in the configuration file, under `blobStorage`.

- 3. In the **Access Keys** section in the menu to the left of the screen, copy your **Connection string** to the `connectionString` field in the configuration file, under `blobStorage`.

-1. Get your cognitive search endpoint and keys by:

-3. Get Azure Function endpoint and keys

-

- 2. Go to **Functions** menu on the left of the screen, and click on the function you created.

- 3. From the top menu, click **Get Function Url**. The URL will be formatted like this: `YOUR-ENDPOINT-URL?code=YOUR-API-KEY`.

-### Prepare schema file

-In the folder you downloaded earlier, find the [sample schema file](https://github.com/microsoft/CognitiveServicesLanguageUtilities/blob/dev/CustomTextAnalytics.CognitiveSearch/Samples/app-schema.json). Open it in a text editor.

-The entries in the `entityNames` array will be the entity names you have assigned while creating your project. You can copy and paste them from your project in [Language Studio](https://aka.ms/custom-extraction), or

-### Run the `Index` command

-After you have completed your configuration and schema file, you can index your project. Place your configuration file in the same path of the CLI tool, and run the following command:

- indexer index --schema <path/to/your/schema> --index-name <name-your-index-here>

-While on an ACS call (for both iOS and Android) if a phone call comes in or Voice assistant is activated, the OS will automatically mute the users microphone and camera. On Android the call automatically unmutes and video restarts after the phone call ends. On iOS it requires user action to "unmute" and "start video" again. You can listen for the notification that the microphone was muted unexpectedly with the quality event of `microphoneMuteUnexpectedly`. Do note in order to be able to rejoin a call properly you will need to used SDK 1.2.3-beta.1 or higher.

-### Request device permissions

-Signaling between the SDKs or between SDKs and Communication Services Signaling Controllers is handled with HTTP REST (TLS). For Real-Time Media Traffic (RTP), the User Datagram Protocol (UDP) is preferred. If the use of UDP is prevented by your firewall, the SDK will use the Transmission Control Protocol (TCP) for media.

-| Mid call control | Forward a call | ❌ |

-| | Receive simultaneous ringing | ❌ |

-| | Play music on hold | ❌ |

-**Static label selector -** Always attaches the given `LabelSelector`.

-**Conditional label selector -** Will evaluate a condition defined by a [rule](router-rule-concepts.md). If it resolves to `true`, then the specified collection of selectors will be applied.

-**Passthrough label selector -** Uses a key and `LabelOperator` to check for the existence of the key. This selector can be used in the `QueueLabelSelector` to match a Queue based on the set of labels. When used with the `WorkerSelectors`, the Job's key/value pair are attached to the `WorkerSelectors` of the Job.

-**Weighted allocation label selector -** Enables you to specify a percentage-based weighting and a collection of selectors to apply based on the weighting allocation. For example, you may want 30% of the Jobs to go to "Vendor 1" and 70% of Jobs to go to "Vendor 2".

-In this example, we are using a static attachment, which will always attach the specified label selector to a job.

-In this example, we are using a conditional attachment, which will evaluate a condition against the job labels to determine if the said label selectors should be attached to the job.

-In this example, we are using a weighted allocation attachment, which will divide up jobs according to the weightings specified and attach different selectors accordingly. Here, we are saying that 30% of jobs should go to workers with the label `Vendor` set to `A` and 70% should go to workers with the label `Vendor` set to `B`.

-There are three optional networking parameters you can choose to define when calling `containerapp env create`. You must either provide values for all three of these properties, or none of them. If they arenΓÇÖt provided, the CLI generates the values for you.

-## Restrictions

-Subnet address ranges can't overlap with the following reserved ranges:

-Additionally, subnets must have a size between /21 and /12.

-[app-nav]: https://github.com/Azure/azure-quickstart-templates/tree/master/demos/aci-dynamicsnav

-For more information, see the full [Catalog API](https://github.com/Azure/azure-sdk-for-jav) documentation.

-For more information related to ingesting data, see the full [write configuration](https://github.com/Azure/azure-sdk-for-jav#write-config) documentation.

-For more information related to querying data, see the full [query configuration](https://github.com/Azure/azure-sdk-for-jav#query-config) documentation.

-For more information related to schema inference, see the full [schema inference configuration](https://github.com/Azure/azure-sdk-for-jav#schema-inference-config) documentation.

-* [Getting started](https://github.com/Azure/azure-sdk-for-jav)

-* [Catalog API](https://github.com/Azure/azure-sdk-for-jav)

-* [Configuration Parameter Reference](https://github.com/Azure/azure-sdk-for-jav)

-### Additional details

-If you have a Microsoft Account (MSA), you can't create an Azure support ticket. Microsoft accounts are created for services including Outlook, Windows Live, and Hotmail.

-* [How to manage an Azure support request]()../../azure-portal/supportability/how-to-manage-azure-support-request.md)

-In the parse transformation configuration panel, you will first pick the type of data contained in the columns that you wish to parse inline. The parse transformation also contains the following configuration settings.

-Similar to derived columns and aggregates, this is where you will either modify an exiting column by selecting it from the drop-down picker. Or you can type in the name of a new column here. ADF will store the parsed source data in this column. In most cases, you will want to define a new column that parses the incoming embedded document string field.

-Here is where you will configure the target output schema from the parsing that will be written into a single column.

-|Could not reach {1}. |Critical |If the controller is turned off, restart the controller.<br>Make sure that the power supply is functional. For information on monitoring the power supply LEDs, go to https://www.microsoft.com/2.<!--Need new link target. This one goes nowhere--><br>If the issue persists, [contact Microsoft Support](azure-stack-edge-contact-microsoft-support.md). |

- - A hospital may want to send Azure Digital Twins event data to [Time Series Insights (TSI)](../time-series-insights/overview-what-is-tsi.md), to record time series data of handwashing-related events for bulk analytics.

-An event route lets you send event data from digital twins in Azure Digital Twins to custom-defined endpoints in your subscriptions. Three Azure services are currently supported for endpoints: [Event Hubs](../event-hubs/event-hubs-about.md), [Event Grid](../event-grid/overview.md), and [Service Bus](../service-bus-messaging/service-bus-messaging-overview.md). Each of these Azure services can be connected to other services and acts as the middleman, sending data along to final destinations such as TSI or Azure Maps for whatever processing you need.

-Typical downstream targets for event routes are resources like TSI, Azure Maps, storage, and analytics solutions.

-DTDL is used for data models throughout other Azure IoT services, including [IoT Plug and Play](../iot-develop/overview-iot-plug-and-play.md) and [Time Series Insights (TSI)](../time-series-insights/overview-what-is-tsi.md). This type of commonality helps you keep your Azure Digital Twins solution connected and compatible with other parts of the Azure ecosystem.

-### Output to ADX, TSI, storage, and analytics

-* [Connecting Azure Digital Twins to Time Series Insights (TSI)](how-to-integrate-time-series-insights.md) to track time series history of each twin

- > Only storage accounts of kind **StorageV2 (general purpose v2)** and **BlobStorage** support event integration. **Storage (genral purpose v1)** does *not* support integration with Event Grid.

-> During the preview, Event Grid on Kubernetes features are supported through API version [2020-10-15-Preview](/rest/api/eventgrid/version2021-06-01-preview/event-subscriptions/create-or-update).

-You can also specify retry policy limits on a per subscription basis. See our [API documentation](/rest/api/eventgrid/version2021-06-01-preview/event-subscriptions/create-or-update) for information on configuring defaults per subscriber. Subscription level defaults override the Event Grid module on Kubernetes level configurations.

-The way to configure Event Grid to send events to a destination is through the creation of an event subscription. It can be done through [Azure CLI](/cli/azure/eventgrid/event-subscription#az_eventgrid_event_subscription_create), [management SDK](../sdk-overview.md#management-sdks), or using direct HTTPs calls using the [2020-10-15-preview API](/rest/api/eventgrid/version2021-06-01-preview/event-subscriptions/create-or-update) version.

-Event Grid on Kubernetes offers a good level of feature parity with Azure Event Grid's support for event subscriptions. The following list enumerates the main differences in event subscription functionality. Apart from those differences, you can use Azure Event Grid's [REST api version 2020-10-15-preview](/rest/api/eventgrid/version2021-06-01-preview/event-subscriptions) as a reference when managing event subscriptions on Event Grid on Kubernetes.

-1. Use [REST api version 2020-10-15-preview](/rest/api/eventgrid/version2021-06-01-preview/event-subscriptions).

-5. Only CloudEvents schema is supported. The supported schema value is "[CloudEventSchemaV1_0](/rest/api/eventgrid/version2021-06-01-preview/event-subscriptions/create-or-update#eventdeliveryschema)". Cloud Events schema is extensible and based on open standards.

-6. Labels ([properties.labels](/rest/api/eventgrid/version2021-06-01-preview/event-subscriptions/create-or-update#request-body)) aren't applicable to Event Grid on Kubernetes. Hence, they are not available.

-7. [Delivery with resource identity](/rest/api/eventgrid/version2021-06-01-preview/event-subscriptions/create-or-update#deliverywithresourceidentity) isn't supported. So, all properties for [Event Subscription Identity](/rest/api/eventgrid/version2021-06-01-preview/event-subscriptions/create-or-update#eventsubscriptionidentity) aren't supported.

-Event Grid on Kubernetes offers a rich set of features that help you integrate your Kubernetes workloads and realize hybrid architectures. It shares the same [rest API](/rest/api/eventgrid/version2021-06-01-preview/topics) (starting with version 2020-10-15-preview), [Event Grid CLI](/cli/azure/eventgrid), Azure portal experience, [management SDKs](../sdk-overview.md#management-sdks), and [data plane SDKs](../sdk-overview.md#data-plane-sdks) with Azure Event Grid, the other edition of the same service. When you're ready to publish events, you can use the [data plane SDK examples provided in different languages](https://devblogs.microsoft.com/azure-sdk/event-grid-ga/) that work for both editions of Event Grid.

-| [Event Grid Topics](/rest/api/eventgrid/version2021-06-01-preview/topics) | Γ£ö | Γ£ö |

-| [Event delivery with resource identity](/rest/api/eventgrid/version2021-06-01-preview/event-subscriptions/create-or-update) | Γ£ÿ | Γ£ö |

-**Feature** that helps you realize above requirement: [Event Grid Topics](/rest/api/eventgrid/version2021-06-01-preview/topics).

-Event Grid on Kubernetes supports [Event Grid Topics](/rest/api/eventgrid/version2021-06-01-preview/topics), which is a feature also offered by [Azure Event Grid](../custom-topics.md). Event Grid topics help you realize the [primary integration use case](#use-case) where your requirements call for integrating your system with another workload that you own or otherwise is made accessible to your system.

-| **eir** |Supported |Supported |Dublin|

-1. In the dropdown for *Tell us more about the problem you are experiencing*, select **Connectivity to Azure Private, Azure Public, or Dynamics 365 services.**

-* **You see packet matches sent and received on both MSEEs:** This indicates healthy traffic inbound to and outbound from the MSEE on your circuit. If loss is occurring either on-premises or in Azure, it is happening downstream from the MSEE.

-1. Navigate to the **TLS Inspection** page of your Firewall policy and select your Managed identity, Key Vault, and certificate.

- :::image type="content" source="media/premium-deploy-certificates-enterprise-ca/tls-inspection.png" alt-text="TLS inspection":::

- | where ResourceType == "AZUREFIREWALLS"

- | where Category == "AzureFirewallApplicationRule"

- | where msg_s contains "Url:"

- | sort by TimeGenerated desc

-A hybrid network uses the hub-and-spoke architecture model to route traffic between Azure VNets and on-premise networks. The hub-and-spoke architecture has the following requirements:

-[Tutorial: Monitor Azure Firewall logs](./firewall-diagnostics.md)

-* Download the [Azure_RTOS_6.1_ATSAME54-XPRO_IAR_Samples_2020_10_10.zip](https://github.com/azure-rtos/samples/releases/download/v6.1_rel/Azure_RTOS_6.1_ATSAME54-XPRO_IAR_Samples_2021_11_03.zip) file and extract it to a working directory. Choose a directory with a short path to avoid compiler errors when you build.

-* Download the [Azure_RTOS_6.1_ATSAME54-XPRO_MPLab_Samples_2020_10_10.zip](https://github.com/azure-rtos/samples/releases/download/v6.1_rel/Azure_RTOS_6.1_ATSAME54-XPRO_MPLab_Samples_2021_11_03.zip) file and unzip it to a working directory. Choose a directory with a short path to avoid compiler errors when you build.

-* Download the [Azure_RTOS_6.1_MIMXRT1060_IAR_Samples_2021_11_03.zip](https://github.com/azure-rtos/samples/releases/download/v6.1_rel/Azure_RTOS_6.1_MIMXRT1060_IAR_Samples_2021_11_03.zip) file and extract it to a working directory. Choose a directory with a short path to avoid compiler errors when you build.

-* Download the [Azure_RTOS_6.1_MIMXRT1060_IAR_Samples_2021_11_03.zip](https://github.com/azure-rtos/samples/releases/download/v6.1_rel/Azure_RTOS_6.1_MIMXRT1060_IAR_Samples_2021_11_03.zip) file and extract it to a working directory. Choose a directory with a short path to avoid compiler errors when you build.

-## Create a device update account

-4. Specify the Azure Subscription to be associated with your Device Update Account and Resource Group

-5. Specify a Name and Location for your Device Update Account

-6. Optionally, you can check the box to assign the Device Update administrator role to yourself. You can also use the steps listed in the "Configure access control roles" section to provide a combination of roles to users and applications for the right level of access.

-8. Click **Next: Review + create>**

- :::image type="content" source="media/create-device-update-account/account-review.png" alt-text="Screenshot of account details review." lightbox="media/create-device-update-account/account-review.png":::

-7. Review the details and then select **Create**. You will see your deployment is in progress.

- :::image type="content" source="media/create-device-update-account/account-deployment-inprogress.png" alt-text="Screenshot of account deployment in progress." lightbox="media/create-device-update-account/account-deployment-inprogress.png":::

-8. You will see the deployment status change to "complete" in a few minutes. Click **Go to resource**

- :::image type="content" source="media/create-device-update-account/account-complete.png" alt-text="Screenshot of account deployment complete." lightbox="media/create-device-update-account/account-complete.png":::

-## Create a device update instance

-An instance of Device Update is associated with a single IoT hub. Select the IoT hub that will be used with Device Update. We will create a new Shared Access policy during this step to ensure Device Update uses only the required permissions to work with IoT Hub (registry write and service connect). This policy ensures that access is only limited to Device Update.

-To create a Device Update instance after an account has been created.

-1. Once you are in your newly created account resource, go to the Instance Management **Instances** blade

- :::image type="content" source="media/create-device-update-account/instance-blade.png" alt-text="Screenshot of instance management within account." lightbox="media/create-device-update-account/instance-blade.png":::

-2. Click **Create** and specify an instance name and select your IoT Hub

-3. Click **Create**. You will see the instance in a "Creating" state.

- :::image type="content" source="media/create-device-update-account/instance-creating.png" alt-text="Screenshot of instance creating." lightbox="media/create-device-update-account/instance-creating.png":::

-4. Allow 5-10 mins for the instance deployment to complete. Refresh the status till you see the "Provisioning State" turn to "Succeeded".

- :::image type="content" source="media/create-device-update-account/instance-succeeded.png" alt-text="Screenshot of instance creation succeeded." lightbox="media/create-device-update-account/instance-succeeded.png":::

-## Configure IoT Hub

-In order for Device Update to receive change notifications from IoT Hub, Device Update integrates with the "Built-In" Event Hub. Clicking the "Configure IoT Hub" button configures the required message routes and access policy required to communicate with IoT devices.

-To configure IoT Hub

-1. Once the Instance "Provisioning State" turns to "Succeeded", select the instance in the Instance Management blade. Click **Configure IoT Hub**

- :::image type="content" source="media/create-device-update-account/instance-configure.png" alt-text="Screenshot of configuring IoT Hub for an instance." lightbox="media/create-device-update-account/instance-configure.png":::

-2. Select **I agree to make these changes**

- :::image type="content" source="media/create-device-update-account/instance-configure-selected.png" alt-text="Screenshot of agreeing to configure IoT Hub for an instance." lightbox="media/create-device-update-account/instance-configure-selected.png":::

-3. Click **Update**

- > [!NOTE]

- > If you are using a Free tier of Azure IoT Hub, the allowed number of message routes are limited to 5. Device Update for IoT Hub needs to configure 4 message routes to work as expected.

-[Learn about the message routes that are configured.](device-update-resources.md)

-3. Select the Device Updates option under Automatic Device Management from the left-hand navigation bar.

-4. Select the Groups tab at the top of the page. You will be able to see the number of devices connected to Device Update that are not grouped yet.

-5. Select the Add button to create a new group.

-6. Select an IoT Hub tag from the list and then select Create update group.

-7. Once the group is created, you will see that the update compliance chart and groups list are updated. Update compliance chart shows the count of devices in various states of compliance: On latest update, New updates available, Updates in Progress and Devices not yet Grouped. [Learn about update compliance.](device-update-compliance.md)

-8. You should see your newly created group and any available updates for the devices in the new group. You can deploy the update to the new group from this view by clicking on the update name. See Next Step: Deploy Update for more details.

-* [A tag has been assigned to the IoT device you are trying to update. The device is part of at least one update group.](create-update-group.md)

-3. Select the Groups tab at the top of the page. [Learn More](device-update-groups.md) about device groups.

- :::image type="content" source="media/deploy-update/updated-view.png" alt-text="Groups tab" lightbox="media/deploy-update/updated-view.png":::

-4. View the update compliance chart and groups list. You should see a new update available for your device group, with a link to the update under Pending Updates (you may need to Refresh once). [Learn More about update compliance.](device-update-compliance.md)

-5. Select the available update.

-6. Confirm the correct group is selected as the target group. Schedule your deployment, then select Deploy update.

- :::image type="content" source="media/deploy-update/select-update.png" alt-text="Select update" lightbox="media/deploy-update/select-update.png":::

-7. View the compliance chart. You should see the update is now in progress.

-8. After your device is successfully updated, you should see your compliance chart and deployment details update to reflect the same.

-1. Select the Deployments tab at the top of the page.

- :::image type="content" source="media/deploy-update/deployments-tab.png" alt-text="Deployments tab" lightbox="media/deploy-update/deployments-tab.png":::

-2. Select the deployment you created to view the deployment details.

-3. Select Refresh to view the latest status details. Continue this process until the status changes to Succeeded.

-1. Go to the Deployments tab, and select the deployment that has failed.

- :::image type="content" source="media/deploy-update/deployment-details.png" alt-text="Deployment details" lightbox="media/deploy-update/deployment-details.png":::

-2. Click on the "Failed" Device Status in the detailed Deployment information pane.

-3. Click on "Retry failed devices" and acknowledge the confirmation notification.

-The Interface layer is made up of the [ADU Core Interface](https://github.com/Azure/iot-hub-device-update/tree/main/src/agent/adu_core_interface) and the [Device Information Interface](https://github.com/Azure/iot-hub-device-update/tree/main/src/agent/device_info_interface).

-These interfaces rely on a configuration file for default values. The default values include aduc_manufacturer and aduc_model for the AzureDeviceUpdateCore interface and model and manufacturer for the DeviceInformation interface. [Learn More](device-update-configuration-file.md) the configuration file.

-### ADU Core Interface

-The 'ADU Core' interface is the primary communication channel between Device Update Agent and Services. [Learn More](device-update-plug-and-play.md#adu-core-interface) about this interface.

-There are two implementations of the Platform Layer. The Simulator Platform

-Layer has a trivial implementation of the update actions and is used for quickly

-testing and evaluating Device Update for IoT Hub services and setup. When the Device Update Agent is built with

-the Simulator Platform Layer, we refer to it as the Device Update Simulator Agent or just

-simulator. [Learn More](https://github.com/Azure/iot-hub-device-update/blob/main/docs/agent-reference/how-to-run-agent.md) about how to use the simulator

-agent. The Linux Platform Layer integrates with [Delivery Optimization](https://github.com/microsoft/do-client) for

-### Simulator Platform Layer

-The Simulator Platform Layer implementation can be found in the

-`src/platform_layers/simulator_platform_layer` and can be used for

-testing and evaluating Device Update for IoT Hub. Many of the actions in the

-"simulator" implementation are mocked to reduce physical changes to experiment with Device Update for IoT Hub. An end to end

-"simulated" update can be performed using this Platform Layer. [Learn

-More](https://github.com/Azure/iot-hub-device-update/blob/main/docs/agent-reference/how-to-run-agent.md) about running the simulator agent.

-`src/platform_layers/linux_platform_layer` and it integrates with the [Delivery Optimization Client](https://github.com/microsoft/do-client/releases) for downloads and is used in our Raspberry Pi reference image, and all clients that run on Linux systems.

-installer. For

-instance, the `SWUpdate` Update Handler invokes a shell script to call into the

-`SWUpdate` executable to perform an update.

-Update Handlers are components that handle content or installer-specific parts

-of the update. Update Handler implementations are in `src/content_handlers`.

-### Simulator Update Handler

-The Simulator Update Handler is used by the Simulator Platform Layer and can

-be used with the Linux Platform Layer to fake interactions with a Content

-Handler. The Simulator Update Handler implements the Update Handler APIs with

-mostly no-ops. The implementation of the Simulator Update Handler can be found below:

-* [Image update simulator](https://github.com/Azure/iot-hub-device-update/blob/main/src/content_handlers/swupdate_handler/inc/aduc/swupdate_simulator_handler.hpp)

-* [Package update apt simulator](https://github.com/Azure/iot-hub-device-update/blob/main/src/content_handlers/apt_handler/inc/aduc/apt_simulator_handler.hpp)

->[!Note]

->The InstalledCriteria field in the AzureDeviceUpdateCore PnP interface should be the sha256 hash of the content. This is the same hash that is present in the [Import Manifest

-Object](import-update.md#create-a-device-update-import-manifest). [Learn More](device-update-plug-and-play.md) about `installedCriteria` and the `AzureDeviceUpdateCore` interface.

-### `SWUpdate` Update Handler

-The `SWUpdate` Update Handler integrates with the `SWUpdate` command-line

-executable and other shell commands to implement A/B updates specifically for

-the Raspberry Pi reference image. Find the latest Raspberry Pi reference image [here](https://github.com/Azure/iot-hub-device-update/releases). The `SWUpdate` Update Handler is implemented in [src/content_handlers/swupdate_content_handler](https://github.com/Azure/iot-hub-device-update/tree/main/src/content_handlers/swupdate_handler).

-### APT Update Handler

-The APT Update Handler processes an APT-specific Update Manifest and invokes APT to

-install or update the specified Debian package(s).

-## Self-update Device update agent

-The device update agent and its dependencies can be updated through the Device Update for IoT Hub pipeline. If you are using an image-based update, include the latest device update agent in your new image. If you are using a package-based update, include the device update agent and its desired version in the apt manifest like any other package. [Learn more](device-update-apt-manifest.md) about apt manifest. You can check the installed version of the Device Update agent and the Delivery Optimization agent in the Device Properties section of your [IoT device twin](../iot-hub/iot-hub-devguide-device-twins.md). [Learn more about device properties under ADU Core Interface](device-update-plug-and-play.md#device-properties).

-## Next steps

-[Understand Device Update agent configuration file](device-update-configuration-file.md)

-The following IoT device types are currently supported with Device Update:

- * Image A/B update:

- - Yocto - ARM64 (reference image), extensible via open source to [build your own images](device-update-agent-provisioning.md#how-to-build-and-run-device-update-agent) for other architecture as needed.

- - Ubuntu 18.04 simulator

-

- * Package Agent supported builds for the following platforms/architectures:

- - Ubuntu Server 18.04 x64 Package Agent

- - Debian 9

-

-1. Follow the instructions to [Manually provision a single Linux IoT Edge device](../iot-edge/how-to-provision-single-device-linux-symmetric.md?preserve-view=true&view=iotedge-2020-11).

- We provide sample images in the [Artifacts](https://github.com/Azure/iot-hub-device-update/releases) repository. The swUpdate file is the base image that you can flash onto a Raspberry Pi B3+ board. The .gz file is the update you would import through Device Update for IoT Hub. For an example, see [How to flash the image to your IoT Hub device](./device-update-raspberry-pi.md#flash-sd-card-with-image).

-### On non-Edge IoT Linux devices

-1. Install the IoT Identity Service and add the latest version to your IoT device.

- 1. Log onto the machine or IoT device.

- 1. Open a terminal window.

- 1. Install the latest [IoT Identity Service](https://github.com/Azure/iot-identity-service/blob/main/docs-dev/packaging.md#installing-and-configuring-the-package) on your IoT device using this command:

- > [!Note]

- > The IoT Identity service registers module identities with IoT Hub by using symmetric keys currently.

- ```shell

- sudo apt-get install aziot-identity-service

- ```

-

-1. Provisioning IoT Identity service to get the IoT device information.

- Create a custom copy of the configuration template so we can add the provisioning information. In a terminal, enter the following command:

-

- ```shell

- sudo cp /etc/aziot/config.toml.template /etc/aziot/config.toml

- ```

-

-1. Next edit the configuration file to include the connection string of the device you wish to act as the provisioner for this device or machine. In a terminal, enter the below command.

- ```shell

- sudo nano /etc/aziot/config.toml

- ```

-

-1. You should see a message like the following example:

- :::image type="content" source="media/understand-device-update/config.png" alt-text="Diagram of IoT Identity Service config file." lightbox="media/understand-device-update/config.png":::

- 1. In the same nano window, find the block with ΓÇ£Manual provisioning with connection stringΓÇ¥.

- 1. In the window, delete the ΓÇ£#ΓÇ¥ symbol ahead of 'provisioning'

- 1. In the window, delete the ΓÇ£#ΓÇ¥ symbol ahead of 'source'

- 1. In the window, delete the ΓÇ£#ΓÇ¥ symbol ahead of 'connection_string'

- 1. In the window, delete the string within the quotes to the right of 'connection_string' and then add your connection string there

- 1. Save your changes to the file with 'Ctrl+X' and then 'Y' and hit the 'enter' key to save your changes.

-1. Now apply and restart the IoT Identity service with the command below. You should now see a ΓÇ£Done!ΓÇ¥ printout that means you have successfully configured the IoT Identity Service.

- > [!Note]

- > The IoT Identity service registers module identities with IoT Hub by using symmetric keys currently.

-

- sudo aziotctl config apply

-

-1. Finally install the Device Update agent. We provide sample images in [Artifacts](https://github.com/Azure/iot-hub-device-update/releases). The swUpdate file is the base image that you can flash onto a Raspberry Pi B3+ board, and the .gz file is the update you would import through Device Update for IoT Hub. See example of [how to flash the image to your IoT Hub device](./device-update-raspberry-pi.md#flash-sd-card-with-image).

-1. You are now ready to start the Device Update agent on your IoT device.

-1. We provide sample images in the [Artifacts](https://github.com/Azure/iot-hub-device-update/releases) repository. The swUpdate file is the base image that you can flash onto a Raspberry Pi B3+ board. The .gz file is the update you would import through Device Update for IoT Hub. For an example, see [How to flash the image to your IoT Hub device](./device-update-raspberry-pi.md#flash-sd-card-with-image).

- - [For Package updates](device-update-ubuntu-agent.md) use: sudo nano /etc/adu/adu-conf.txt

- - [For Image updates](device-update-raspberry-pi.md) use: sudo nano /adu/adu-conf.txt

- 1. You should see a window open with some text in it. Delete the entire string following 'connection_String=' the first time you provision the Device Update agent on the IoT device. It is just place holder text.

- 1. In the terminal, replace \<your-connection-string\> with the connection string of the device for your instance of Device Update agent. Select Enter and then **Save.** It should look like this example:

-

- ```text

- connection_string=<ADD CONNECTION STRING HERE>

- ```

-

- > [!Important]

- > Do not add quotes around the connection string.

-

-You can use the following pre-built images and binaries for a simple demonstration of Device Update for IoT Hub:

-If you donΓÇÖt have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

-1. Go to the IoT Hub you previously connected to your Device Update instance.

-2. Select the Updates option under "Device management" from the left-hand navigation bar.

-3. Select the Groups tab at the top of the page.

-4. Select the Add button to create a new group.

-5. Select the IoT Hub tag that you created in the previous step from the list. Select Create update group.

- :::image type="content" source="media/create-update-group/select-tag.PNG" alt-text="Screenshot showing tag selection." lightbox="media/create-update-group/select-tag.PNG":::

-1. Once the group is created, you should see a new update available for your device group, with a link to the update under Pending Updates. You might need to Refresh once.

-2. Click on the available update.

-3. Confirm that the correct group is selected as the target group. Schedule your deployment, then select Deploy update.

- :::image type="content" source="media/deploy-update/select-update.png" alt-text="Select update" lightbox="media/deploy-update/select-update.png":::

-4. View the compliance chart. You should see the update is now in progress.

- :::image type="content" source="media/deploy-update/update-in-progress.png" alt-text="Update in progress" lightbox="media/deploy-update/update-in-progress.png":::

-5. After your device is successfully updated, you should see your compliance chart and deployment details update to reflect the same.

-1. Select the Deployments tab at the top of the page.

- :::image type="content" source="media/deploy-update/deployments-tab.png" alt-text="Deployments tab" lightbox="media/deploy-update/deployments-tab.png":::

-2. Select the deployment that you created to view the deployment details.

-3. Select Refresh to view the latest status details. Continue this process until the status changes to Succeeded.

-To learn more about Azure RTOS and how it works with Azure IoT, view https://azure.com/rtos.

-The "adu-conf.txt" is an optional file that can be created to manage the following configurations.

-* Device Connection String (if it is not known by the Device Update Agent).

-## Purpose

-The Device Update Agent will first try to get the `manufacturer` and `model` values from the device to use for the [Interface Layer](device-update-agent-overview.md#the-interface-layer). If that fails, the Device Update Agent will next look for the "adu-conf.txt" file and use the values from there. If both attempts are not successful, the Device Update Agent will use [default](https://github.com/Azure/iot-hub-device-update/blob/main/CMakeLists.txt) values.

-Learn more about [ADU Core Interface](https://github.com/Azure/iot-hub-device-update/tree/main/src/agent/adu_core_interface) and [Device Information Interface](https://github.com/Azure/iot-hub-device-update/tree/main/src/agent/device_info_interface).

-Within Linux system, in the partition or disk called `adu`, create a text file called "adu-conf.txt" with the following fields.

-|connection_string|Pre-provisioned connection string the device can use to connect to the IoT Hub. Note: Not required if you are provisioning Device Update Agent through the [Azure IoT Identity Service](https://azure.github.io/iot-identity-service/)|

-## Example "adu-conf.txt" file contents

-connection_string = `HostName=<yourIoTHubName>;DeviceId=<yourDeviceId>;SharedAccessKey=<yourSharedAccessKey>`

-aduc_manufacturer = <value to send through `AzureDeviceUpdateCore:4.ClientMetadata:4.deviceProperties["manufacturer"]`

-aduc_model = <value to send through `AzureDeviceUpdateCore:4.ClientMetadata:4.deviceProperties["model"]`

-manufacturer = <value to send through `DeviceInformation.manufacturer`

-model = <value to send through `DeviceInformation.manufacturer`

-In order for other users and applications to have access to Device Update, users or applications must be granted access to this resource. Here are the roles that are supported by Device Update

-## Authenticate to Device Update REST APIs for Publishing and Management

-Device Update also uses Azure AD for authentication to publish and manage content via service APIs. To get started, you need to create and configure a client application.

-To integrate an application or service with Azure AD, [first register](../active-directory/develop/quickstart-register-app.md) an application with Azure AD. Client application setup varies depending on the authorization flow used. Configuration below is for guidance when using the Device Update REST APIs.

-* Set client authentication: 'redirect URIs for native or web client'.

-* Set API Permissions - Device Update for IoT Hub exposes:

- * Delegated permissions: 'user_impersonation'

- * **Optional**, grant admin consent

-[Next steps: Create device update resources and configure access control roles](./create-device-update-account.md)

-description: This document provides a table of client error codes for various Device Update components.

-This document provides a table of error codes for various Device Update components. This is meant to be used as a reference for users who want to try parsing their own error codes to diagnose and troubleshoot issues.

-There are two primary client-side components that may throw error codes: the Device Update agent, and the Delivery Optimization agent.

-The Device Update for IoT Hub Core PnP interface reports `ResultCode` and

-`ExtendedResultCode`, which can be used to diagnose failures. [Learn

-More](device-update-plug-and-play.md) about the Device Update Core PnP interface.

-#### ResultCode

-`ResultCode` is a general status code and follows http status code convention.

-[Learn More](https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html) about http

-status codes.

-#### ExtendedResultCode

-`ExtendedResultCode` is an integer with encoded error information.

-You will most likely see the `ExtendedResultCode` as a signed integer in the PnP

-interface. To decode the `ExtendedResultCode`, convert the signed integer to

-unsigned hex. Only the first 4 bytes of the `ExtendedResultCode` are used and

-are of the form `F` `FFFFFFF` where the first nibble is the **Facility Code** and

-**Facility Codes**

-| Facility Code | Description |

-|-|--|

-| D | Error raised from the DO SDK|

-| E | Error code is an errno |

-For example:

-`ExtendedResultCode` is `-536870781`

-The unsigned hex representation of `-536870781` is `FFFFFFFF E0000083`.

-| Ignore | Facility Code | Error Code |

-|--|-|--|

-| FFFFFFFF | E | 0000083 |

-`0x83` in hex is `131` in decimal, which is the errno value for `ENOLCK`.

-## Delivery Optimization agent

-The following table lists error codes pertaining to the Delivery Optimization (DO) component of the Device Update client. The DO component is responsible for downloading update content onto the IoT device.

-The DO error code can be obtained by examining the exceptions thrown in response to an API call. All DO error codes can be identified by the 0x80D0 prefix.

-| Error Code | String Error | Type | Description |

-|-||-|-|

-| 0x80D01001L | DO_E_NO_SERVICE | n/a | Delivery Optimization was unable to provide the service |

-| 0x80D02002L | DO_E_DOWNLOAD_NO_PROGRESS | Download Job | Download of a file saw no progress within the defined period |

-| 0x80D02011L | DO_E_UNKNOWN_PROPERTY_ID | Download Job | SetProperty() or GetProperty() called with an unknown property ID |

-| 0x80D02012L | DO_E_READ_ONLY_PROPERTY | Download Job | Unable to call SetProperty() on a read-only property |

-| 0x80D02013L | DO_E_INVALID_STATE | Download Job | The requested action is not allowed in the current job state. The job might have been canceled or completed transferring. It is in a read-only state now. |

-| 0x80D02018L | DO_E_FILE_DOWNLOADSINK_UNSPECIFIED | Download Job | Unable to start a download because no download sink (either local file or stream interface) was specified |

-| 0x80D02200L | DO_E_DOWNLOAD_NO_URI | IDODownload Interface| The download was started without providing a URI |

-| 0x80D03805L | DO_E_BLOCKED_BY_NO_NETWORK | Transient conditions | Download paused due to loss of network connectivity |

-The following table lists error codes pertaining to the content service component of the Device Update service. The content service component is responsible for handling importing of update content.

-| "CannotProcessImportManifest" | Error processing import manifest. | Refer to [import concepts](./import-concepts.md) and [import update](./import-update.md) documentation for proper import manifest formatting. |

-| "CannotParse" | Cannot parse import manifest. | Check your import manifest for accuracy against the schema defined in the [import update](./import-update.md) documentation. |

-| "UnsupportedVersion" | Import manifest schema version is not supported. | Make sure your import manifest is using the latest schema defined in the [import update](./import-update.md) documentation. |

-## Uncategorized device group

-Uncategorized is a reserved word that is used to group devices that:

-|Device4 |Uncategorized|

-Device Update for IoT Hub uses [IoT Plug and Play](../iot-develop/index.yml) to discover and manage devices that are over-the-air update capable. The Device Update service will send and receive properties and messages to and from devices using IoT Plug and Play interfaces. Device Update for IoT Hub requires IoT devices to implement the following interfaces and model-id as described below.

-Concepts:

-* Understand the [IoT Plug and Play device client](../iot-develop/concepts-developer-guide-device.md?pivots=programming-language-csharp).

-## ADU Core Interface

-The 'ADUCoreInterface' interface is used to send update actions and metadata to devices and receive update status from devices. The 'ADU Core' interface is split into two Object properties.

-The expected component name in your model is **"deviceUpdate"** when implementing this interface. [Learn more about Azure IoT Plug and Play Components](../iot-develop/concepts-modeling-guide.md)

-Agent Metadata contains fields that the device or Device Update agent uses to send

-information and status to Device Update services.

-|resultCode|integer|device to cloud|A code that contains information about the result of the last update action. Can be populated for either success or failure and should follow [http status code specification](https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html).|500|

-|state|integer|device to cloud|It is an integer that indicates the current state of the Device Update Agent. See below for details |Idle|

-|installedUpdateId|string|device to cloud|An ID of the update that is currently installed (through Device Update). This value will be a string capturing the Update Id JSON or null for a device that has never taken an update through Device Update.|"{\"provider\":\"contoso\",\"name\":\"image-update\",\"version\":\"1.0.0\"}"|

-|`deviceProperties`|Map|device to cloud|The set of properties that contain the manufacturer and model.|See below for details

-It is the status reported by the Device Update Agent after receiving an action from the Device Update Service. `State` is reported in response to an `Action` (see `Actions` below) sent to the Device Update Agent from the Device Update Service. See the [overview workflow](understand-device-update.md#device-update-agent) for requests that flow between the Device Update Service and the Device Update Agent.

-|Idle|0|The device is ready to receive an action from the Device Update Service. After a successful update, state is returned to the `Idle` state.|

-|DownloadSucceeded|2|A successful download.|

-|InstallSucceeded|4|A successful install.|

-|manufacturer|string|device to cloud|The device manufacturer of the device, reported through `deviceProperties`. This property is read from one of two places-the 'AzureDeviceUpdateCore' interface will first attempt to read the 'aduc_manufacturer' value from the [Configuration file](device-update-configuration-file.md) file. If the value is not populated in the configuration file, it will default to reporting the compile-time definition for ADUC_DEVICEPROPERTIES_MANUFACTURER. This property will only be reported at boot time. Default value 'Contoso'|

-|model|string|device to cloud|The device model of the device, reported through `deviceProperties`. This property is read from one of two places-the AzureDeviceUpdateCore interface will first attempt to read the 'aduc_model' value from the [Configuration file](device-update-configuration-file.md) file. If the value is not populated in the configuration file, it will default to reporting the compile-time definition for ADUC_DEVICEPROPERTIES_MODEL. This property will only be reported at boot time. Default value 'Video'|

- "azureDeviceUpdateAgent": {

- "__t": "c",

- "client": {

- "state": 0,

- "resultCode": 200,

- "extendedResultCode": 0,

- "deviceProperties": {

- "manufacturer": "Contoso",

- "model": "Video",

- "aduVer": "DU;agent/0.6.0",

- "doVer": "DU;lib/v0.4.0,DU;agent/v0.4.0,DU;plugin-apt/v0.2.0"

- },

- "installedUpdateId": "{\"provider\":\"Contoso\",\"name\":\"SampleUpdate1\",\"version\":\"1.0.4\"}"

- },

-Note:

-The device or module must add the {"__t": "c"} marker to indicate that the element refers to a component, learn more [here](../iot-develop/concepts-convention.md#sample-multiple-components-writable-property).

-|action|integer|cloud to device|It is an integer that corresponds to an action the agent should perform. Values listed below.|

-|updateManifest|string|cloud to device|Used to describe the content of an update. Generated from the [Import Manifest](import-update.md#create-a-device-update-import-manifest)|

-|fileUrls|Map|cloud to device|Map of `FileHash` to `DownloadUri`. Tells the agent, which files to download and the hash to use to verify the files were downloaded correctly.|

-`Actions` below represents the actions taken by the Device Update Agent as instructed by the Device Update Service. The Device Update Agent will report a `State` (see `State` section above) processing the `Action` received. See the [overview workflow](understand-device-update.md#device-update-agent) for requests that flow between the Device Update Service and the Device Update Agent.

-|Download|0|Download published content or update and any other content needed|

-|Install|1|Install the content or update. Typically this means calling the installer for the content or update.|

-|Apply|2|Finalize the update. It signals the system to reboot if necessary.|

-|Cancel|255|Stop processing the current action and go back to `Idle`. Will also be used to tell the agent in the `Failed` state to go back to `Idle`.|

-The Device Information Interface is a concept used within [IoT Plug and Play architecture](../iot-develop/overview-iot-plug-and-play.md). It contains device to cloud properties that provide information about the hardware and operating system of the device. Device Update for IoT Hub uses the DeviceInformation.manufacturer and DeviceInformation.model properties for telemetry and diagnostics. To learn more about Device Information interface, see this [example](https://devicemodels.azure.com/dtmi/azure/devicemanagement/deviceinformation-1.json).

-The expected component name in your model is **deviceInformation** when implementing this interface. [Learn about Azure IoT Plug and Play Components](../iot-develop/concepts-modeling-guide.md)

-|manufacturer|Property|string|device to cloud|Company name of the device manufacturer. This could be the same as the name of the original equipment manufacturer (OEM).|Contoso|

-## Model ID

-Device Update for IoT Hub requires the IoT Plug and Play smart device to announce a model ID with a value of **"dtmi:AzureDeviceUpdate;1"** as part of the device connection. [Learn how to announce a model ID](../iot-develop/concepts-developer-guide-device.md#model-id-announcement).

-Device Update for IoT Hub supports two forms of updates ΓÇô image-based

-and package-based.

-(adu-base-image) on the SD Card that will be used in the Raspberry Pi 3 B+

-Read the license terms prior to using the agent. Your installation and use constitutes your acceptance of these terms. If you do not agree with the license terms, do not use the Device update for IoT Hub agent.

-2. Create a new device.

-3. On the left-hand side of the page, navigate to 'IoT Devices' >

- Select "New".

-4. Provide a name for the device under 'Device ID'--Ensure that "Autogenerate

- keys" is checkbox is selected.

-5. Select 'Save'.

-6. Now you will be returned to the 'Devices' page and the device you created should be in the list.

-7. Get the device connection string:

-## Provision connection string on SD card

-2. In PowerShell, use the below command to ssh into the device

- ```markdown

- ssh raspberrypi3 -l root

- ```

-4. Enter login as 'root', and password should be left as empty.

-5. After you successfully ssh into the device, run the below commands

-Replace `<device connection string>` with your connection string

- ```markdown

- echo "connection_string=<device connection string>" > /adu/adu-conf.txt

- echo "aduc_manufacturer=ADUTeam" >> /adu/adu-conf.txt

- echo "aduc_model=RefDevice" >> /adu/adu-conf.txt

- ```

-4. Under the 'reported' section of the device twin properties, look for the Linux kernel version.

-1. Download the [sample import manifest](https://github.com/Azure/iot-hub-device-update/releases/download/0.7.0/TutorialImportManifest_Pi.json) and [sample image update](https://github.com/Azure/iot-hub-device-update/releases/download/0.7.0-rc1/adu-update-image-raspberrypi3-0.6.5073.1.swu).

-2. Log in to the [Azure portal](https://portal.azure.com/) and navigate to your IoT Hub with Device Update. Then, select the Device Updates option under Automatic Device Management from the left-hand navigation bar.

-5. Select the folder icon or text box under "Select an Import Manifest File". You will see a file picker dialog. Select the _sample import manifest_ you downloaded in step 1 above. Next, select the folder icon or text box under "Select one or more update files". You will see a file picker dialog. Select the _sample update file_ that you downloaded in step 1 above.

- :::image type="content" source="media/import-update/select-update-files.png" alt-text="Screenshot showing update file selection." lightbox="media/import-update/select-update-files.png":::

-6. Select the folder icon or text box under "Select a storage container". Then select the appropriate storage account.

-7. If youΓÇÖve already created a container, you can reuse it. (Otherwise, select "+ Container" to create a new storage container for updates.) Select the container you wish to use and click "Select".

-

- :::image type="content" source="media/import-update/container.png" alt-text="Screenshot showing container selection." lightbox="media/import-update/container.png":::

-8. Select "Submit" to start the import process.

-9. The import process begins, and the screen changes to the "Import History" section. Select "Refresh" to view progress until the import process completes. Depending on the size of the update, this may complete in a few minutes but could take longer.

-

- :::image type="content" source="media/import-update/update-publishing-sequence-2.png" alt-text="Screenshot showing update import sequence." lightbox="media/import-update/update-publishing-sequence-2.png":::

-10. When the Status column indicates the import has succeeded, select the "Ready to Deploy" header. You should see your imported update in the list now.

-1. Go to the IoT Hub you previously connected to your Device Update instance.

-2. Select the Updates option under Device Management from the left-hand navigation bar.

-3. Select the Groups tab at the top of the page.

-4. Select the Add button to create a new group.

-5. Select the IoT Hub tag you created in the previous step from the list. Select Create group.

- :::image type="content" source="media/create-update-group/select-tag.PNG" alt-text="Screenshot showing tag selection." lightbox="media/create-update-group/select-tag.PNG":::

-1. Once the group is created, you should see a new update available for your device group, with a link to the update under Pending Updates. You may need to Refresh once.

-2. Click on the available update.

-3. Confirm the correct group is selected as the target group. Schedule your deployment, then select Deploy update.

- :::image type="content" source="media/deploy-update/select-update.png" alt-text="Select update" lightbox="media/deploy-update/select-update.png":::

-4. View the compliance chart. You should see the update is now in progress.

- :::image type="content" source="media/deploy-update/update-in-progress.png" alt-text="Update in progress" lightbox="media/deploy-update/update-in-progress.png":::

-5. After your device is successfully updated, you should see your compliance chart and deployment details update to reflect the same.

-1. Select the Deployments tab at the top of the page.

- :::image type="content" source="media/deploy-update/deployments-tab.png" alt-text="Deployments tab" lightbox="media/deploy-update/deployments-tab.png":::

-2. Select the deployment you created to view the deployment details.

-3. Select Refresh to view the latest status details. Continue this process until the status changes to Succeeded.

-When no longer needed, clean up your device update account, instance, IoT Hub and IoT device.

-Device Update for IoT Hub supports two forms of updates ΓÇô image-based

-and package-based.

-### Download and install

-* Az (Azure CLI) cmdlets for PowerShell:

- * Open PowerShell > Install Azure CLI ("Y" for prompts to install from "untrusted" source)

-```powershell

-PS> Install-Module Az -Scope CurrentUser

-```

-### Enable WSL on your Windows device (Windows Subsystem for Linux)

-1. Open PowerShell as Administrator on your machine and run the following command (you might be asked to restart after each step; restart when asked):

-```powershell

-PS> Enable-WindowsOptionalFeature -Online -FeatureName VirtualMachinePlatform

-PS> Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux

-```

- (*You may be prompted to restart after this step*)

-2. Go to the Microsoft Store on the web and install [Ubuntu 18.04 LTS](https://www.microsoft.com/p/ubuntu-1804-lts/9n9tngvndl3q?activetab=pivot:overviewtab`).

-3. Start "Ubuntu 18.04 LTS" and install.

-4. When installed, you'll be asked to set root name (username) and password. Be sure to use a memorable root name password.

-5. In PowerShell, run the following command to set Ubuntu to be the default Linux distribution:

-```powershell

-PS> wsl --setdefault Ubuntu-18.04

-```

-6. List all Linux distributions, making sure that Ubuntu is the default one.

-```powershell

-PS> wsl --list

-```

-7. You should see: **Ubuntu-18.04 (Default)**

-## Download Device Update Ubuntu (18.04 x64) Simulator Reference Agent

-The Ubuntu reference agent can be downloaded from the *Assets* section from release notes [here](https://github.com/Azure/iot-hub-device-update/releases).

-There are two versions of the agent. For this tutorial, since you're exercising the image-based scenario, use AducIotAgentSim-microsoft-swupdate. If you were going to exercise the package-based scenario instead, you would use AducIotAgentSim-microsoft-apt.

-## Install Device Update Agent simulator

-1. Start Ubuntu WSL and enter the following command (note that extra space and dot at the end).

-```shell

-explorer.exe .

-```

-2. Copy AducIotAgentSim-microsoft-swupdate (or AducIotAgentSim-microsoft-apt) from your local folder where it was downloaded under /mnt to your home folder in WSL.

-3. Run the following command to make the binaries executable.

-```shell

-sudo chmod u+x AducIotAgentSim-microsoft-swupdate

-```

- or

-```shell

-sudo chmod u+x AducIotAgentSim-microsoft-apt

-```

-Device Update for Azure IoT Hub software is subject to the following license terms:

- * [Device update for IoT Hub license](https://github.com/Azure/iot-hub-device-update/blob/main/LICENSE.md)

- * [Delivery optimization client license](https://github.com/microsoft/do-client/blob/main/LICENSE)

-

-Read the license terms prior to using the agent. Your installation and use constitutes your acceptance of these terms. If you do not agree with the license terms, do not use the Device update for IoT Hub agent.

-Once the Device Update Agent is running on an IoT device, the device needs to be added to the Azure IoT Hub. From within Azure IoT Hub, a connection string will be generated for a particular device.

-## Add connection string to simulator

-Start Device Update Agent on your new Software Devices.

-1. Start Ubuntu.

-2. Run the Device Update Agent and specify the device connection string from the previous section wrapped with apostrophes:

-Replace `<device connection string>` with your connection string

-```shell

-sudo ./AducIotAgentSim-microsoft-swupdate "<device connection string>"

-```

-or

-```shell

-./AducIotAgentSim-microsoft-apt -c '<device connection string>'

-```

-3. Scroll up and look for the string indicating that the device is in "Idle" state. An "Idle" state signifies that the device is ready for service commands:

-```markdown

-Agent running. [main]

-```JSON

- "tags": {

- "ADUGroup": "<CustomTagValue>"

- }

-```

-1. Download the [sample import manifest](https://github.com/Azure/iot-hub-device-update/releases/download/0.7.0/TutorialImportManifest_Sim.json) and [sample image update](https://github.com/Azure/iot-hub-device-update/releases/download/0.7.0-rc1/adu-update-image-raspberrypi3-0.6.5073.1.swu). _Note_: these are re-used update files from the Raspberry Pi tutorial, because the update in this tutorial will be simulated and therefore the specific file content doesn't matter.

-2. Log in to the [Azure portal](https://portal.azure.com/) and navigate to your IoT Hub with Device Update. Then, select the Device Updates option under Automatic Device Management from the left-hand navigation bar.

-5. Select the folder icon or text box under "Select an Import Manifest File". You will see a file picker dialog. Select the _sample import manifest_ you downloaded in step 1 above. Next, select the folder icon or text box under "Select one or more update files". You will see a file picker dialog. Select the _sample image update_ that you downloaded in step 1 above.

- :::image type="content" source="media/import-update/select-update-files.png" alt-text="Screenshot showing update file selection." lightbox="media/import-update/select-update-files.png":::

-6. Select the folder icon or text box under "Select a storage container". Then select the appropriate storage account.

-7. If youΓÇÖve already created a container, you can reuse it. (Otherwise, select "+ Container" to create a new storage container for updates.). Select the container you wish to use and click "Select".

-

- :::image type="content" source="media/import-update/container.png" alt-text="Screenshot showing container selection." lightbox="media/import-update/container.png":::

-8. Select "Submit" to start the import process.

-9. The import process begins, and the screen changes to the "Import History" section. Select "Refresh" to view progress until the import process completes. Depending on the size of the update, this may complete in a few minutes but could take longer.

-

- :::image type="content" source="media/import-update/update-publishing-sequence-2.png" alt-text="Screenshot showing update import sequence." lightbox="media/import-update/update-publishing-sequence-2.png":::

-10. When the Status column indicates the import has succeeded, select the "Ready to Deploy" header. You should see your imported update in the list now.

-1. Go to the IoT Hub you previously connected to your Device Update instance.

-2. Select the Device Updates option under Automatic Device Management from the left-hand navigation bar.

-3. Select the Groups tab at the top of the page.

-4. Select the Add button to create a new group.

-5. Select the IoT Hub tag you created in the previous step from the list. Select Create update group.

- :::image type="content" source="media/create-update-group/select-tag.PNG" alt-text="Screenshot showing tag selection." lightbox="media/create-update-group/select-tag.PNG":::

-1. Once the group is created, you should see a new update available for your device group, with a link to the update under Pending Updates. You may need to Refresh once.

-2. Click on the available update.

-3. Confirm the correct group is selected as the target group. Schedule your deployment, then select Deploy update.

- :::image type="content" source="media/deploy-update/select-update.png" alt-text="Select update" lightbox="media/deploy-update/select-update.png":::

-4. View the compliance chart. You should see the update is now in progress.

- :::image type="content" source="media/deploy-update/update-in-progress.png" alt-text="Update in progress" lightbox="media/deploy-update/update-in-progress.png":::

-5. After your device is successfully updated, you should see your compliance chart and deployment details update to reflect the same.

-1. Select the Deployments tab at the top of the page.

- :::image type="content" source="media/deploy-update/deployments-tab.png" alt-text="Deployments tab" lightbox="media/deploy-update/deployments-tab.png":::

-2. Select the deployment you created to view the deployment details.

-3. Select Refresh to view the latest status details. Continue this process until the status changes to Succeeded.

-When no longer needed, clean up your device update account, instance, IoT Hub and IoT device.

-Device Update for IoT Hub supports two forms of updates ΓÇô image-based and package-based.

-### (Optional) Manually prepare a device

- > The Device Update package agent doesn't depend on IoT Edge. But, it does rely on the IoT Identity Service daemon that is installed with IoT Edge (1.2.0 and higher) to obtain an identity and connect to IoT Hub.

-1. Go to [Device Update releases](https://github.com/Azure/iot-hub-device-update/releases) in GitHub and click the "Assets" drop-down.

-3. Download the `Edge.package.update.samples.zip` by clicking on it.

-5. Extract the contents of the folder to discover a sample [APT manifest](device-update-apt-manifest.md) and its corresponding [import manifest](import-concepts.md).

-2. In Azure portal, select the Device Updates option under Automatic Device Management from the left-hand navigation bar in your IoT Hub.

-5. Select the folder icon or text box under "Select an Import Manifest File". You will see a file picker dialog. Select the `sample-1.0.1-aziot-edge-importManifest.json` import manifest from the folder you downloaded previously. Next, select the folder icon or text box under "Select one or more update files". You will see a file picker dialog. Select the `sample-1.0.1-aziot-edge-apt-manifest.json` apt manifest update file from the folder you downloaded previously.

-This update will update the `aziot-identity-service` and the `aziot-edge` packages to version 1.2.0~rc4-1 on your device.

- :::image type="content" source="media/import-update/select-update-files.png" alt-text="Screenshot showing update file selection." lightbox="media/import-update/select-update-files.png":::

-6. Select the folder icon or text box under "Select a storage container". Then select the appropriate storage account.

-7. If youΓÇÖve already created a container, you can reuse it. (Otherwise, select "+ Container" to create a new storage container for updates.). Select the container you wish to use and click "Select".

- :::image type="content" source="media/import-update/container.png" alt-text="Screenshot showing container selection." lightbox="media/import-update/container.png":::

-8. Select "Submit" to start the import process.

-9. The import process begins, and the screen changes to the "Import History" section. Select "Refresh" to view progress until the import process completes. Depending on the size of the update, the import process may complete in a few minutes but could take longer.

- :::image type="content" source="media/import-update/update-publishing-sequence-2.png" alt-text="Screenshot showing update import sequence." lightbox="media/import-update/update-publishing-sequence-2.png":::

-10. When the Status column indicates the import has succeeded, select the "Ready to Deploy" header. You should see your imported update in the list now.

-1. Go to the IoT Hub you previously connected to your Device Update instance.

-1. Select the Device Updates option under Automatic Device Management from the left-hand navigation bar.

-1. Select the Groups tab at the top of the page.

-1. Select the Add button to create a new group.

-1. Select the IoT Hub tag you created in the previous step from the list. Select Create update group.

- :::image type="content" source="media/create-update-group/select-tag.PNG" alt-text="Screenshot showing tag selection." lightbox="media/create-update-group/select-tag.PNG":::

-1. Once the group is created, you should see a new update available for your device group, with a link to the update in the _Available updates_ column. You may need to Refresh once.

-1. Click on the link to the available update.

-1. Confirm the correct group is selected as the target group and schedule your deployment

- :::image type="content" source="media/deploy-update/select-update.png" alt-text="Select update" lightbox="media/deploy-update/select-update.png":::

-1. Select Deploy update.

-1. View the compliance chart. You should see the update is now in progress.

- :::image type="content" source="media/deploy-update/update-in-progress.png" alt-text="Update in progress" lightbox="media/deploy-update/update-in-progress.png":::

-1. After your device is successfully updated, you should see your compliance chart and deployment details update to reflect the same.

-1. Select the Deployments tab at the top of the page.

- :::image type="content" source="media/deploy-update/deployments-tab.png" alt-text="Deployments tab" lightbox="media/deploy-update/deployments-tab.png":::

-1. Select the deployment you created to view the deployment details.

-1. Select Refresh to view the latest status details. Continue this process until the status changes to Succeeded.

-> [!div class="nextstepaction"]

-> [Image Update on Raspberry Pi 3 B+ tutorial](device-update-raspberry-pi.md)

-In order to deploy an update to devices from Device Update for IoT Hub, you first have to _import_ that update into the Device Update service. Here is an overview of some important concepts to understand when it comes to importing updates.

-## Limits on importing updates

-Certain limits are enforced for each Device Update for IoT Hub instance. If you haven't already reviewed them, please see [Device Update limits](./device-update-limits.md).

-The import manifest contains several items which represent important Device Update for IoT Hub concepts. These concepts are outlined below.

-### Update identity (Update ID)

-The update identity represents the unique identifer of an update. It defines important properties about an update that is being imported. The update identity is composed of three parts:

-* Provider: this is the entity who is creating or directly responsible for the update. It will often be a company name.

-* Name: an identifier for a class of updates. The class can be anything you choose. It will often be a device or model name.

-* Version: this is a version number distinguishing this update from others that have the same Provider and Name. This version is used by the Device Update for IoT Hub service, and may or may not match a version of an individual software component on the device.

-To simplify update deployments, Device Update for IoT Hub compares compatibility properties for an update, which are defined in the import manifest, with corresponding device properties. Only updates which have matching properties will be returned and available for deployment.

-### InstalledCriteria

-The InstalledCriteria is used by the update agent on a device to determine if an update has been installed successfully.

-If you're ready, try out the [Import How-To guide](./import-update.md), which will walk you through the import process step by step.

-If you want to import an update into Device Update for IoT Hub, be sure you've reviewed the [concepts](import-concepts.md) and [How-To guide](import-update.md) first. If you're interested in the details of the schema used when constructing an import manifest, or information about related objects, see below.

-## Import manifest schema

-| Name | Type | Description | Restrictions |

-| | | | |

-| UpdateId | `UpdateId` object | Update identity. |

-| UpdateType | string | Update type: <br/><br/> * Specify `microsoft/apt:1` when performing a package-based update using reference agent.<br/> * Specify `microsoft/swupdate:1` when performing an image-based update using reference agent.<br/> * Specify `microsoft/simulator:1` when using sample agent simulator.<br/> * Specify a custom type if developing a custom agent. | Format: <br/> `{provider}/{type}:{typeVersion}`<br/><br/> Maximum of 32 characters total |

-| InstalledCriteria | string | String interpreted by the agent to determine whether the update was applied successfully: <br/> * Specify **value** of SWVersion for update type `microsoft/swupdate:1`.<br/> * Specify `{name}-{version}` for update type `microsoft/apt:1`, of which name and version are obtained from the APT file.<br/> * Specify a custom string if developing a custom agent.<br/> | Maximum of 64 characters |

-| Compatibility | Array of `CompatibilityInfo` [objects](#compatibilityinfo-object) | Compatibility information of device compatible with this update. | Maximum of 10 items |

-| CreatedDateTime | date/time | Date and time at which the update was created. | Delimited ISO 8601 date and time format, in UTC |

-| ManifestVersion | string | Import manifest schema version. Specify `2.0`, which will be compatible with `urn:azureiot:AzureDeviceUpdateCore:1` interface and `urn:azureiot:AzureDeviceUpdateCore:4` interface. | Must be `2.0` |

-| Files | Array of `File` objects | Update payload files | Maximum of five files |

-## UpdateId Object

-| Name | Type | Description | Restrictions |

-| | | | |

-| Provider | string | Provider part of the update identity. | 1-64 characters, alphanumeric, dot, and dash. |

-| Name | string | Name part of the update identity. | 1-64 characters, alphanumeric, dot, and dash. |

-| Version | version | Version part of the update identity. | 2 to 4 part, dot-separated version number. The total number of _each_ dot-separated part can be between 0 and 2147483647. Leading zeroes are not supported.

-## File Object

-| Name | Type | Description | Restrictions |

-| | | | |

-| Filename | string | Name of file | Must be no more than 255 characters. Must be unique within an update |

-| SizeInBytes | Int64 | Size of file in bytes. | See [Device Update limits](./device-update-limits.md) for maximum size per individual file and collectively per update |

-| Hashes | `Hashes` object | JSON object containing hash(es) of the file |

-## CompatibilityInfo Object

-| Name | Type | Description | Restrictions |

-| | | | |

-| DeviceManufacturer | string | Manufacturer of the device the update is compatible with. | 1-64 characters, alphanumeric, dot and dash. |

-| DeviceModel | string | Model of the device the update is compatible with. | 1-64 characters, alphanumeric, dot and dash. |

-## Hashes Object

-| Name | Required | Type | Description |

-| | | | |

-| Sha256 | True | string | Base64-encoded hash of the file using the SHA-256 algorithm. See the relevant sections of the import manifest generation [PowerShell](https://github.com/Azure/iot-hub-device-update/blob/release/2021-q2/tools/AduCmdlets/AduUpdate.psm1#L81) and [bash](https://github.com/Azure/iot-hub-device-update/blob/release/2021-q2/tools/AduCmdlets/create-adu-import-manifest.sh#L266) scripts.|

-## Example import request body

-If you are using the sample import manifest output from the [How to add a new update](./import-update.md#review-the-generated-import-manifest) page, and want to call the Device Update [REST API](/rest/api/deviceupdate/updates) directly to perform the import, the corresponding request body should look like this:

-```json

-{

- "importManifest": {

- "url": "http://<your Azure Storage location file path>/importManifest.json",

- "sizeInBytes": <size of import manifest file>,

- "hashes": {

- "sha256": "<hash of import manifest file>"

- }

- },

- "files": [

- {

- "filename": "file1.json",

- "url": "http://<your Azure Storage location file path>/file1.json"

- },

- {

- "filename": "file2.zip",

- "url": "http://<your Azure Storage location file path>/file2.zip"

- },

- ]

-}

-```

-## OAuth authorization when calling Device Update APIs

-**azure_auth**

-Azure Active Directory OAuth2 Flow

-Type: oauth2

-Flow: any

-Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

-**Scopes**

-| Name | Description |

-| | |

-| `https://api.adu.microsoft.com/user_impersonation` | Impersonate your user account |

-| `https://api.adu.microsoft.com/.default` | Client credential flows |

-**Permissions**

-If an Azure AD application is used to sign the user in, the scope needs to have /user_impersonation.

-You will need to add permissions to your Azure AD app (in the API permissions tab in Azure AD Application view) to use Azure Device Update API. Request API permission to Azure Device Update (located in "APIs my organization uses") and grant the delegated user_impersonation permission.

-ADU accepts tokens acquiring tokens using any of the Azure AD supported flows for users, applications, or managed identities. However, some of the flows require extra Azure AD application setup:

-* For public client flows, make sure to enable mobile and desktop flows.

-* For implicit flows make, sure to add a Web platform and select "Access tokens" for the authorization endpoint.

-**Example using Azure CLI:**

-```azurecli

-az login

-az account get-access-token --resource 'https://api.adu.microsoft.com/'

-```

-**Examples to acquire a token using PowerShell MSAL library:**

-_Using user credentials_

-```powershell

-$clientId = '<app_id>ΓÇÖ

-$tenantId = '<tenant_id>ΓÇÖ

-$authority = "https://login.microsoftonline.com/$tenantId/v2.0"

-$Scope = 'https://api.adu.microsoft.com/user_impersonation'

-Get-MsalToken -ClientId $clientId -TenantId $tenantId -Authority $authority -Scopes $Scope

-```

-_Using user credentials with device code_

-```powershell

-$clientId = '<app_id>ΓÇÖ

-$tenantId = '<tenant_id>ΓÇÖ

-$authority = "https://login.microsoftonline.com/$tenantId/v2.0"

-$Scope = 'https://api.adu.microsoft.com/user_impersonation'

-Get-MsalToken -ClientId $clientId -TenantId $tenantId -Authority $authority -Scopes $Scope -Interactive -DeviceCode

-```

-_Using app credentials_

-```powershell

-$clientId = '<app_id>ΓÇÖ

-$tenantId = '<tenant_id>ΓÇÖ

-$cert = '<client_certificate>'

-$authority = "https://login.microsoftonline.com/$tenantId/v2.0"

-$Scope = 'https://api.adu.microsoft.com/.default'

-Get-MsalToken -ClientId $clientId -TenantId $tenantId -Authority $authority -Scopes $Scope -ClientCertificate $cert

-```

-description: How-To guide for adding a new update into Device Update for IoT Hub.

-# Add an update to Device Update for IoT Hub

-Learn how to obtain a new update and import it into Device Update for IoT Hub.

-* [Access to an IoT Hub with Device Update for IoT Hub enabled](create-device-update-account.md).

-* [PowerShell 5](/powershell/scripting/install/installing-powershell) or later (includes Linux, macOS and Windows installs)

-> [!NOTE]

-> Some data submitted to this service might be processed in a region outside the region this instance was created in.

-## Obtain an update for your devices

-Now that you've set up Device Update and provisioned your devices, you will need the update file(s) that you will be deploying to those devices.

-If youΓÇÖve purchased devices from an OEM or solution integrator, that organization will most likely provide update files for you, without you needing to create the updates. Contact the OEM or solution integrator to find out how they make updates available.

-If your organization already creates software for the devices you use, that same group will be the ones to create the updates for that software. When creating an update to be deployed using Device Update for IoT Hub, start with either the [image-based or package-based approach](understand-device-update.md#support-for-a-wide-range-of-update-artifacts) depending on your scenario. Note: if you want to create your own updates but are just starting out, GitHub is an excellent option to manage your development. You can store and manage your source code, and do Continuous Integration (CI) and Continuous Deployment (CD) using [GitHub Actions](https://docs.github.com/en/actions/guides/about-continuous-integration).

-## Create a Device Update import manifest

-If you haven't already done so, be sure to familiarize yourself with the basic [import concepts](import-concepts.md), and try out an [image-based](device-update-raspberry-pi.md) or [package-based](device-update-ubuntu-agent.md) tutorial first.

-1. Ensure that your update file(s) are located in a directory accessible from PowerShell.

-2. Create a text file named **AduUpdate.psm1** in the directory where your update image file or APT Manifest file is located. Then open the [AduUpdate.psm1](https://github.com/Azure/iot-hub-device-update/tree/main/tools/AduCmdlets) PowerShell cmdlet, copy the contents to your text file, and then save the text file.

-3. In PowerShell, navigate to the directory where you created your PowerShell cmdlet from step 2. Use the Copy option below and then paste into PowerShell to run the commands:

- ```powershell

- Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process

- Import-Module .\AduUpdate.psm1

- ```

-4. Run the following commands by replacing the sample parameter values to generate an import manifest, a JSON file that describes the update:

- ```powershell

- $compat = New-AduUpdateCompatibility -DeviceManufacturer 'deviceManufacturer' -DeviceModel 'deviceModel'

- $importManifest = New-AduImportManifest -Provider 'updateProvider' -Name 'updateName' -Version 'updateVersion' `

- -UpdateType 'updateType' -InstalledCriteria 'installedCriteria' `

- -CompatibilityΓÇ»$compat -Files 'updateFilePath(s)'

- $importManifest | Out-File '.\importManifest.json' -Encoding UTF8

- ```

- The following table is a quick reference for how to populate the above parameters. If you need more information, you can also view the complete [import manifest schema](import-schema.md).

- | Parameter | Description |

- | | -- |

- | deviceManufacturer | Manufacturer of the device the update is compatible with, for example, Contoso. Must match _manufacturer_ [device property](./device-update-plug-and-play.md#device-properties).

- | deviceModel | Model of the device the update is compatible with, for example, Toaster. Must match _model_ [device property](./device-update-plug-and-play.md#device-properties).

- | updateProvider | Entity who is creating or directly responsible for the update. It will often be a company name.

- | updateName | Identifier for a class of updates. The class can be anything you choose. It will often be a device or model name.

- | updateVersion | Version number distinguishing this update from others that have the same Provider and Name. Does not have match a version of an individual software component on the device (but can if you choose).

- | updateType | <ul><li>Specify `microsoft/swupdate:1` for image update</li><li>Specify `microsoft/apt:1` for package update</li></ul>

- | installedCriteria | Used during deployment to compare the version already on the device with the version of the update. Deploying the update to the device will return a ΓÇ£failedΓÇ¥ result if the installedCriteria value doesn't match the version that is on the device.<ul><li>For `microsoft/swupdate:1` update type, specify value of SWVersion </li><li>For `microsoft/apt:1` update type, specify **name-version**, where _name_ is the name of the APT Manifest and _version_ is the version of the APT Manifest. For example, contoso-iot-edge-1.0.0.0.

- | updateFilePath(s) | Path to the update file(s) on your computer.

-## Review the generated import manifest

-An example manifest output is below. For this example, there are two files that comprise this update: a .json file and a .zip file. If you have questions about any of the items, view the complete [import manifest schema](import-schema.md).

-```json

-{

- "updateId": {

- "provider": "Microsoft",

- "name": "Toaster",

- "version": "2.0"

- },

- "updateType": "microsoft/swupdate:1",

- "installedCriteria": "5",

- "compatibility": [

- {

- "deviceManufacturer": "Fabrikam",

- "deviceModel": "Toaster"

- },

- {

- "deviceManufacturer": "Contoso",

- "deviceModel": "Toaster"

- }

- ],

- "files": [

- {

- "filename": "file1.json",

- "sizeInBytes": 7,

- "hashes": {

- "sha256": "K2mn97qWmKSaSaM9SFdhC0QIEJ/wluXV7CoTlM8zMUo="

- }

- },

- {

- "filename": "file2.zip",

- "sizeInBytes": 11,

- "hashes": {

- "sha256": "gbG9pxCr9RMH2Pv57vBxKjm89uhUstD06wvQSioLMgU="

- }

- }

- ],

- "createdDateTime": "2020-10-08T03:32:52.477Z",

- "manifestVersion": "2.0"

-}

-```

-> The instructions below show how to import an update via the Azure portal UI. You can also use the [Device Update for IoT Hub APIs](#if-youre-importing-via-apis-instead) to import an update instead.

-2. On the left-hand side of the page, select "Device Updates" under "Automatic Device Management".

- :::image type="content" source="media/import-update/import-updates-3.png" alt-text="Import Updates" lightbox="media/import-update/import-updates-3.png":::

-3. You will see several tabs across the top of the screen. Select the Updates tab.

- :::image type="content" source="media/import-update/updates-tab.png" alt-text="Updates" lightbox="media/import-update/updates-tab.png":::

-4. Select "+ Import New Update" below the "Ready to Deploy" header.

- :::image type="content" source="media/import-update/import-new-update-2.png" alt-text="Import New Update" lightbox="media/import-update/import-new-update-2.png":::

-5. Select the folder icon or text box under "Select an Import Manifest File". You will see a file picker dialog. Select the Import Manifest you created previously using the PowerShell cmdlet. Next, select the folder icon or text box under "Select one or more update files". You will see a file picker dialog. Select the same update file(s) that you included when you created your import manifest.

- :::image type="content" source="media/import-update/select-update-files.png" alt-text="Select Update Files" lightbox="media/import-update/select-update-files.png":::

-6. Select the folder icon or text box under "Select a storage container". Then select the appropriate storage account. The storage container is used to stage the update files temporarily.

- :::image type="content" source="media/import-update/storage-account.png" alt-text="Storage Account" lightbox="media/import-update/storage-account.png":::

-7. If youΓÇÖve already created a container, you can reuse it. (Otherwise, select "+ Container" to create a new storage container for updates.). Select the container you wish to use and click "Select".

- :::image type="content" source="media/import-update/container.png" alt-text="Select Container" lightbox="media/import-update/container.png":::

-8. Select "Submit" to start the import process.

- :::image type="content" source="media/import-update/publish-update.png" alt-text="Publish Update" lightbox="media/import-update/publish-update.png":::

-9. The import process begins, and the screen switches to to the "Import History" section. Select "Refresh" to view progress until the import process completes (depending on the size of the update, this may complete in a few minutes but could take longer).

- :::image type="content" source="media/import-update/update-publishing-sequence-2.png" alt-text="Update Import Sequencing" lightbox="media/import-update/update-publishing-sequence-2.png":::

-10. When the Status column indicates the import has succeeded, select the "Ready to Deploy" header. You should see your imported update in the list now.

- :::image type="content" source="media/import-update/update-ready.png" alt-text="Job Status" lightbox="media/import-update/update-ready.png":::

-## Next Steps

-[Create Groups](create-update-group.md)

-[Learn about import concepts](import-concepts.md)

-If you want to use the [Device Update for IoT Hub Update APIs](/rest/api/deviceupdate/updates) to import an update instead of importing via the Azure portal, note the following:

- - You will need to upload your update file(s) to an Azure Blob Storage location before you call the Update APIs.

- - You can reference this [sample API call](import-schema.md#example-import-request-body) which uses the import manifest you created above.

- - If you re-use the same SAS URL while testing, you may encounter errors when the token expires. This is the case when submitting the import manifest as well as the update content itself.

-### Q: I'm encountering an error code when importing content and would like to parse it.

-_Please refer to the [Device Update Error Codes](./device-update-error-codes.md) documentation for information on parsing error codes._

-Device Update for IoT Hub uses an _update manifest_ to communicate actions and metadata that supports those actions through the

- [AzureDeviceUpdateCore.OrchestratorMetadata:4](./device-update-plug-and-play.md)interface properties.

- This document describes the fundamentals of how the `updateManifest` property, in the

- `AzureDeviceUpdateCore.OrchestratorMetadata:4` interface, is used by the Device Update Agent. The

- `AzureDeviceUpdateCore.OrchestratorMetadata:4` interface properties are sent from the Device Update for IoT Hub service

- to the Device Update Agent. The `updateManifest` is a serialized JSON Object that is parsed by the Device Update Agent.

-The update manifest is auto generated after creation of an import manifest. For more information on how to generate an import manifest, [see here](./import-update.md).

-### An example update manifest

-```JSON

-{

- "manifestVersion": "1",

- "updateId": {

- "provider": "DuTest",

- "name": "DuTestUser",

- "version": "2020.611.534.16"

- },

- "updateType": "microsoft/swupdate:1",

- "installedCriteria": "1.0",

- "files": {

- "00000": {

- "fileName": "image.swu",

- "sizeInBytes": 256000,

- "hashes": {

- "sha256": "IhIIxBJpLfazQOk/PVi6SzR7BM0jf4HDqw+6gdZ3vp8="

- }

- }

- },

- "createdDateTime": "2020-06-12T00:38:13.9350278"

-}

-```

-The purpose of the update manifest is to describe the contents of an update, namely its identity, type,

-installed criteria, and update file metadata. In addition, the update manifest is cryptographically signed to

-allow the Device Update Agent to verify its authenticity. For more information, see the document on [Device Update security](./device-update-security.md).

-It is important to understand the differences between the import manifest and the update manifest.

-* The [import manifest](./import-concepts.md) is created by whoever creates the corresponding update. It describes the contents of the update that will be imported into Device Update for IoT Hub.

-* The update manifest is automatically generated by the Device Update for IoT Hub service, using some of the properties that were defined in the import manifest. It is used to communicate relevant information to the Device Update Agent during the update process.

-Each manifest type has its own schema and schema version.

-## Update manifest properties

-The high-level definitions of the update manifest properties can be found in the interface definitions found

-[here](./device-update-plug-and-play.md). To provide deeper context, let's take a closer look

-at the properties and how they are used in the system.

-### updateId

-Contains the `provider`, `name`, and `version`, which represents the exact Device Update for IoT Hub update identity used

-to determine compatible devices for the update.

-### updateType

-Represents the type of update that is handled by a specific type of update handler. It follows the form

-of `microsoft/swupdate:1` for an image-based update and `microsoft/apt:1` for a package-based update (see `Update Handler Types` section below).

-### installedCriteria

-A string that contains information needed by Device Update Agent's Update Handler to determine whether the update is

-installed on the device. The `Update Handler Types` section documents the format of the `installedCriteria`,

-for each update type supported by Device Update for IoT Hub.

-### files

-Tells the Device Update Agent which files to download, and the hash that will be used to verify that the files downloaded correctly.

-Here's a closer look at the `files` property contents:

-"files":{

- <FILE_ID_STRING>:{

- "fileName":<STRING>,

- "sizeInBytes":<INTEGER>,

- "hashes":{

- <HASH-TYPE>:<HASH-STRING>

- }

- }

-Outside of the `updateManifest` is the `fileUrls` array of JSON Object.

-```json

-"fileUrls":{

- <FILE_ID_STRING>: <URL-in-String-Format>

- }

-```

-Both the `FILE_ID_STRING`, within `fileUrls`, and `files` are the same (for example, "0000" in `files` has the url

-at "0000" within `fileUrls`).

-### manifestVersion

-A string that represents the schema version.

-## Update Handler Types

-|Update Method|Update Handler Type|Update Type|Installed Criteria|Expected Files for Publishing|

-|-|-|-|--|--|

-|Image-based|SWUpdate|"microsoft/swupdate:version"|The reference image saves the hint of its version in the /etc/adu-version file. |.swu file that contains SWUpdate image|

-|Package-based|APT|"microsoft/apt:version"|`<name>` + "-" + `<version>` (defined properties in the APT Manifest file|`<APT Update Manifest>`.json that contains the APT configuration and package list|

- - Supported keytypes: RSA, RSA-HSM, EC, EC-HSM, oct (listed [here](/rest/api/keyvault/createcertificate/createcertificate#jsonwebkeytype))

-**Step 3.1** - Set up [certificate contacts](/rest/api/keyvault/setcertificatecontacts/setcertificatecontacts) for notifications. This is the contact for the Key Vault user. Key Vault does not enforce this step.

-[Get certificate operation](/rest/api/keyvault/getcertificateoperation/getcertificateoperation)

-If you need to covert the P7B's format to the supported one, you can use [certutil -encode](https://docs.microsoft.com/windows-server/administration/windows-commands/certutil#-encode)

-1. Select a name for your diagnostic setting. To configure logging for Azure Monitor for Key Vault, select **AuditEvent** and **Send to Log Analytics workspace**. Then choose the subscription and Log Analytics workspace to which you want to send your logs.

-| **VaultGet** |[Get information about a key vault](/rest/api/keyvault/vaults) |

-| **VaultPut** |[Create or update a key vault](/rest/api/keyvault/vaults) |

-| **VaultDelete** |[Delete a key vault](/rest/api/keyvault/vaults) |

-| **VaultPatch** |[Update a key vault](/rest/api/keyvault/vaults) |

-| **VaultList** |[List all key vaults in a resource group](/rest/api/keyvault/vaults) |

-| **VaultPurge** |[Purge deleted vault](/rest/api/keyvault/vaults/purgedeleted) |

-| **VaultGetDeleted** |[Get deleted vault](/rest/api/keyvault/vaults/getdeleted) |

-| **VaultListDeleted** |[List deleted vaults](/rest/api/keyvault/vaults/listdeleted) |

-| **KeyCreate** |[Create a key](/rest/api/keyvault/createkey) |

-| **KeyGet** |[Get information about a key](/rest/api/keyvault/getkey) |

-| **KeyImport** |[Import a key into a vault](/rest/api/keyvault/vaults) |

-| **KeyDelete** |[Delete a key](/rest/api/keyvault/deletekey) |

-| **KeySign** |[Sign with a key](/rest/api/keyvault/sign) |

-| **KeyVerify** |[Verify with a key](/rest/api/keyvault/vaults) |

-| **KeyWrap** |[Wrap a key](/rest/api/keyvault/wrapkey) |

-| **KeyUnwrap** |[Unwrap a key](/rest/api/keyvault/unwrapkey) |

-| **KeyEncrypt** |[Encrypt with a key](/rest/api/keyvault/encrypt) |

-| **KeyDecrypt** |[Decrypt with a key](/rest/api/keyvault/decrypt) |

-| **KeyUpdate** |[Update a key](/rest/api/keyvault/updatekey) |

-| **KeyList** |[List the keys in a vault](/rest/api/keyvault/getkeys) |

-| **KeyListVersions** |[List the versions of a key](/rest/api/keyvault/getkeyversions) |

-| **KeyPurge** |[Purge a key](/rest/api/keyvault/purgedeletedkey) |

-| **KeyBackup** |[Backup a key](/rest/api/keyvault/backupkey) |

-| **KeyRestore** |[Restore a key](/rest/api/keyvault/restorekey) |

-| **KeyRecover** |[Recover a key](/rest/api/keyvault/recoverdeletedkey) |

-| **KeyGetDeleted** |[Get deleted key](/rest/api/keyvault/getdeletedkey) |

-| **KeyListDeleted** |[List the deleted keys in a vault](/rest/api/keyvault/getdeletedkeys) |

-| **SecretSet** |[Create a secret](/rest/api/keyvault/updatecertificate) |

-| **SecretGet** |[Get a secret](/rest/api/keyvault/getsecret) |

-| **SecretUpdate** |[Update a secret](/rest/api/keyvault/updatesecret) |

-| **SecretDelete** |[Delete a secret](/rest/api/keyvault/deletesecret) |

-| **SecretList** |[List secrets in a vault](/rest/api/keyvault/getsecrets) |

-| **SecretListVersions** |[List versions of a secret](/rest/api/keyvault/getsecretversions) |

-| **SecretPurge** |[Purge a secret](/rest/api/keyvault/purgedeletedsecret) |

-| **SecretBackup** |[Backup a secret](/rest/api/keyvault/backupsecret) |

-| **SecretRestore** |[Restore a secret](/rest/api/keyvault/restoresecret) |

-| **SecretRecover** |[Recover a secret](/rest/api/keyvault/recoverdeletedsecret) |

-| **SecretGetDeleted** |[Get deleted secret](/rest/api/keyvault/getdeletedsecret) |

-| **SecretListDeleted** |[List the deleted secrets in a vault](/rest/api/keyvault/getdeletedsecrets) |

-| **CertificateGet** |[Get information about a certificate](/rest/api/keyvault/getcertificate) |

-| **CertificateCreate** |[Create a certificate](/rest/api/keyvault/createcertificate) |

-| **CertificateImport** |[Import a certificate into a vault](/rest/api/keyvault/importcertificate) |

-| **CertificateUpdate** |[Update a certificate](/rest/api/keyvault/updatecertificate) |

-| **CertificateList** |[List the certificates in a vault](/rest/api/keyvault/getcertificates) |

-| **CertificateListVersions** |[List the versions of a certificate](/rest/api/keyvault/getcertificateversions) |

-| **CertificateDelete** |[Delete a certificate](/rest/api/keyvault/deletecertificate) |

-| **CertificatePurge** |[Purge a certificate](/rest/api/keyvault/purgedeletedcertificate) |

-| **CertificateBackup** |[Backup a certificate](/rest/api/keyvault/backupcertificate) |

-| **CertificateRestore** |[Restore a certificate](/rest/api/keyvault/restorecertificate) |

-| **CertificateRecover** |[Recover a certificate](/rest/api/keyvault/recoverdeletedcertificate) |

-| **CertificateGetDeleted** |[Get deleted certificate](/rest/api/keyvault/getdeletedcertificate) |

-| **CertificateListDeleted** |[List the deleted certificates in a vault](/rest/api/keyvault/getdeletedcertificates) |

-| **CertificatePolicyGet** |[Get certificate policy](/rest/api/keyvault/getcertificatepolicy) |

-| **CertificatePolicyUpdate** |[Update certificate policy](/rest/api/keyvault/updatecertificatepolicy) |

-| **CertificatePolicySet** |[Create certificate policy](/rest/api/keyvault/createcertificate) |

-| **CertificateContactsGet** |[Get certificate contacts](/rest/api/keyvault/getcertificatecontacts) |

-| **CertificateContactsSet** |[Set certificate contacts](/rest/api/keyvault/setcertificatecontacts) |

-| **CertificateContactsDelete** |[Delete certificate contacts](/rest/api/keyvault/deletecertificatecontacts) |

-| **CertificateIssuerGet** |[Get certificate issuer](/rest/api/keyvault/getcertificateissuer) |

-| **CertificateIssuerSet** |[Set certificate issuer](/rest/api/keyvault/setcertificateissuer) |

-| **CertificateIssuerUpdate** |[Update certificate issuer](/rest/api/keyvault/updatecertificateissuer) |

-| **CertificateIssuerDelete** |[Delete certificate issuer](/rest/api/keyvault/deletecertificateissuer) |

-| **CertificateIssuersList** |[List the certificate issuers](/rest/api/keyvault/getcertificateissuers) |

-> For Azure Key Vault, ensure that the application accessing the Keyvault service should be running on a platform that supports TLS 1.2 or recent version. If the application is dependent on .Net framework, it should be updated as well. You can also make the registry changes mentioned in [this article](/troubleshoot/azure/active-directory/enable-support-tls-environment) to explicitly enable the use of TLS 1.2 at OS level and for .Net framework.

-For more information on working with keys, see [Key operations in the Key Vault REST API reference](/rest/api/keyvault). For information on establishing permissions, see [Vaults - Create or Update](/rest/api/keyvault/vaults/createorupdate) and [Vaults - Update Access Policy](/rest/api/keyvault/vaults/updateaccesspolicy).

-For more information, see the [Storage account operations in the Key Vault REST API reference](/rest/api/keyvault). For information on establishing permissions, see [Vaults - Create or Update](/rest/api/keyvault/vaults/createorupdate) and [Vaults - Update Access Policy](/rest/api/keyvault/vaults/updateaccesspolicy).

-| `configurationFiles` | array | List of relevant configuration files or other files that you reference in the Apache JMeter script. For example, a CSV data set file, images, or any other data file. These files will be uploaded to the Azure Load Testing resource alongside the test script. If the files are in a subfolder on your local machine, use file paths that are relative to the location of the test script. <BR><BR>Azure Load Testing currently doesn't support the use of file paths in the JMX file. When you reference an external file in the test script, make sure to only specify the file name.<BR><BR>By default, the wildcard `*.csv` is generated to reference all *.csv* files in the test plan's folder. |

- - '*.csv'

-# Migrate to Azure Machine Learning

-See the [Azure Machine Learning Adoption Framework](https://aka.ms/mlstudio-classic-migration-repo) for additional migration resources.

- 

- 

- 

- 

- 

- + [Use studio in a secured virtual network](how-to-enable-studio-virtual-network.md)

-All plans for the same offer must use the same pricing model. For example, a SaaS offer cannot have one plan that's flat rate and another plan thatΓÇÖs per user. See specific offer documentation for detailed information.

-[[!INCLUDE[applies-to-mysql-flexible-server](../includes/applies-to-mysql-flexible-server.md)]

-[[!INCLUDE[applies-to-mysql-flexible-server](../includes/applies-to-mysql-flexible-server.md)]

-or even hours depending on the workload and the latency between the primary and

-the replica. The data on the replica eventually becomes consistent with the

-The replica inherits the admin ("citus") account from the primary server group.

-For a server named **my replica** with the admin username **citus**, you can

-connect to the coordinator node of the replica by using psql:

-A replica is created by using the same compute, storage, and worker node

-settings as the primary. After a replica is created, several settings can be

-changed, including storage and backup retention period. Other settings can't be

-changed in replicas, such as storage size and number of worker nodes.

-Firewall rules and parameter settings are not inherited from the primary server

-[Azure Purview](/overview.md) supports Microsoft Conditional Access.

-* [What's New in Azure Purview at Microsoft Ignite 2021](https://techcommunity.microsoft.com/t5/azure-purview/what-s-new-in-azure-purview-at-microsoft-ignite-2021/ba-p/2915954)

-* [Enable Azure Purview data owner policies on an Azure Storage account](./tutorial-data-owner-policies-storage.md)

-1. Provide a name for the session, for example *cog-search-debug-sessions*.

-1. Specify a general-purpose storage account that will be used to cache the skill executions. You'll be prompted to select and optionally create a blob container in Blob Storage or Azure Data Lake Storage Gen2. You can reuse the same container for all subsequent debug sessions you create.

-1. Select the indexer that drives the skillset you want to debug. Copies of both the indexer and skillset are used to create the session.

-1. Choose a document. The session will default to the first document in the data source, but you can also choose which document to step through by providing its URL.

- If your document resides in a blob container in the same storage account used to cache your debug session, you can copy the document URL from the blob property page in the portal.

-1. Optionally, specify any indexer execution settings that should be used to create the session. The settings should mimic the settings used by the actual indexer. Any indexer options that you specify in a debug session have no effect on the indexer itself.

-1. Select **Save Session** to get started.

-AI enrichment pipelines extract or infer information and structure from source documents, creating an enriched document in the process. An enriched document is first created during document cracking and populated with a root node (`/document`), plus nodes for any content that is lifted directly from the data source, such as metadata and the document key. Additional nodes are created by skills during skill execution, where each skill output adds a new node to the enrichment tree.

-If skills produce output but the search index is empty, check the field mappings that specify how content moves out of the pipeline and into a search index.

-1. Select **Field Mappings** near the top. You should find at least the document key that uniquely identifies and associates each search document in the search index with it's source document in the data source.

-# Configure IP firewall rules to allow indexer connections in Azure Cognitive Search

-This article explains how to find the IP address of your search service, and then use Azure portal to configure an inbound IP rule on an Azure Storage account. While specific to Azure Storage, this approach also works for other Azure resources that use IP firewall rules for data access, such as Cosmos DB and Azure SQL.

-1. Determine the fully qualified domain name (FQDN) of your search service. This will look like `<search-service-name>.search.windows.net`. You can find out the FQDN by looking up your search service on the Azure portal.

- 

-1. Look up the IP address of the search service by performing a `nslookup` (or a `ping`) of the FQDN on a command prompt.

-Depending on your search service configuration, you might also need to create an inbound rule that admits requests from a range of IP addresses. Specifically, additional IP addresses are used for requests that originate from the indexer's [multi-tenant execution environment](search-indexer-securing-resources.md#indexer-execution-environment).

-You can get this IP address range from the `AzureCognitiveSearch` service tag.

-1. If the search service is the Azure Public cloud, the [Azure Public JSON file](https://www.microsoft.com/download/details.aspx?id=56519) should be downloaded.

- 

-1. From the JSON file, assuming the search service is in West Central US, the list of IP addresses for the multi-tenant indexer execution environment are listed below.

-```json

-{

-"name": "AzureCognitiveSearch.WestCentralUS",

-"id": "AzureCognitiveSearch.WestCentralUS",

-"properties": {

- "changeNumber": 1,

- "region": "westcentralus",

- "platform": "Azure",

- "systemService": "AzureCognitiveSearch",

- "addressPrefixes": [

- "52.150.139.0/26",

- "52.253.133.74/32"

- ]

-}

-}

-```

-For `/32` IP addresses, drop the "/32" (52.253.133.74/32 becomes 52.253.133.74 in the rule definition). All other IP addresses can be used verbatim.

-Once you have the IP addresses, you are ready to set up the rule. The easiest way to add IP address ranges to a storage account's firewall rule is via the Azure portal.

-1. Locate the storage account on the portal and navigate to the **Firewalls and virtual networks** tab.

- 

-1. Add the three IP addresses obtained previously (one for the search service IP, two for the `AzureCognitiveSearch` service tag) in the address range and select **Save**.

- 

-# Indexer access to Azure Storage using the trusted service exception (Azure Cognitive Search)

-If the resource that your indexer pulls data from exists behind a firewall, make sure that the IP ranges in inbound rules include all of the IPs from which an indexer request can originate. As stated above, there are two possible environments in which indexers run and from which access requests can originate. You will need to add the IP addresses of **both** environments for indexer access to work.

-For more information about this connectivity option, see [Indexer connections through an IP firewall](search-indexer-howto-access-ip-restricted.md).

-Azure Cognitive Search will validate that callers of this API have Azure RBAC permissions to approve private endpoint connection requests to the secure resource. For example, if you request a private endpoint connection to a storage account with read-only permissions, this call will be rejected.

-| - [Azure Information Protection](../../sentinel/data-connectors-reference.md#azure-information-protection) | Public Preview | Not Available |

-tags: azuread

-If you're reading this document, you're aware of the significance of security. You likely already carry the responsibility for securing your organization. If you need to convince others of the importance of security, send them to read the latest [Microsoft Security Intelligence report](https://www.microsoft.com/security/business/security-intelligence-report).

-This document will help you get a more secure posture using the capabilities of Azure Active Directory by using a five-step checklist to inoculate your organization against cyber-attacks.

-* Strengthen your credentials.

-* Reduce your attack surface area.

-* Automate threat response.

-* Utilize cloud intelligence.

-* Enable end-user self-service.

-Make sure you keep track of which features and steps are complete while reading this checklist.

-> Many of the recommendations in this document apply only to applications that are configured to use Azure Active Directory as their identity provider. Configuring apps for Single Sign-On assures the benefits of credential policies, threat detection, auditing, logging, and other features add to those applications. [Azure AD Application Management](../../active-directory/manage-apps/what-is-application-management.md) is the foundation - on which all these recommendations are based.

-The recommendations in this document are aligned with the [Identity Secure Score](../../active-directory/fundamentals/identity-secure-score.md), an automated assessment of your Azure AD tenantΓÇÖs identity security configuration. Organizations can use the Identity Secure Score page in the Azure AD portal to find gaps in their current security configuration to ensure they follow current Microsoft [best practices](identity-management-best-practices.md) for security. Implementing each recommendation in the Secure Score page will increase your score and allow you to track your progress, plus help you compare your implementation against other similar size organizations or your industry.

-

-> Many of the features described here require an Azure AD Premium subscription, while some are free. Please review our [Azure Active Directory pricing](https://azure.microsoft.com/pricing/details/active-directory/) and [Azure AD Deployment checklist](../../active-directory/fundamentals/active-directory-deployment-checklist-p2.md) for more information.

-Before you begin this checklist, make sure you don't get compromised while you're reading this checklist. You first need to protect your privileged accounts.

-Attackers who get control of privileged accounts can do tremendous damage, so it's critical to protect these accounts first. Enable and require [Azure AD Multi-Factor Authentication](../../active-directory/authentication/concept-mfa-howitworks.md) (MFA) for all administrators in your organization using [Azure AD Security Defaults](../../active-directory/fundamentals/concept-fundamentals-security-defaults.md) or [Conditional Access](../../active-directory/conditional-access/plan-conditional-access.md). If you haven't implemented MFA, do it now! It's that important.

-Most enterprise security breaches originate with an account compromised with one of a handful of methods such as password spray, breach replay, or phishing. Learn more about these attacks in this video (45 min):

-> [!VIDEO https://www.youtube.com/embed/uy0j1_t5Hd4]

-Given the frequency of passwords being guessed, phished, stolen with malware, or reused, it's critical to back the password with some form of strong credential ΓÇô learn more about [Azure AD Multi-Factor Authentication](../../active-directory/authentication/concept-mfa-howitworks.md).

-To easily enable the basic level of identity security, you can use the one-click enablement with [Azure AD Security Defaults](../../active-directory/fundamentals/concept-fundamentals-security-defaults.md). Security defaults enforce Azure AD MFA for all users in a tenant and blocks sign-ins from legacy protocols tenant-wide.

-Many organizations use the traditional complexity (requiring special characters, numbers, uppercase, and lowercase) and password expiration rules. [Microsoft's research](https://aka.ms/passwordguidance) has shown these policies cause users to choose passwords that are easier to guess.

-Azure AD's [dynamic banned password](../../active-directory/authentication/concept-password-ban-bad.md) feature uses current attacker behavior to prevent users from setting passwords that can easily be guessed. This capability is always on when users are created in the cloud, but is now also available for hybrid organizations when they deploy [Azure AD password protection for Windows Server Active Directory](../../active-directory/authentication/concept-password-ban-bad-on-premises.md). Azure AD password protection blocks users from choosing these common passwords and can be extended to block password containing custom keywords you specify. For example, you can prevent your users from choosing passwords containing your companyΓÇÖs product names or a local sport team.

-Microsoft recommends adopting the following modern password policy based on [NIST guidance](https://pages.nist.gov/800-63-3/sp800-63b.html):

-1. Require passwords have at least 8 characters. Longer isn't necessarily better, as they cause users to choose predictable passwords, save passwords in files, or write them down.

-2. Disable expiration rules, which drive users to easily guessed passwords such as **Spring2019!**

-3. Disable character-composition requirements and prevent users from choosing commonly attacked passwords, as they cause users to choose predictable character substitutions in passwords.

-You can use [PowerShell to prevent passwords from expiring](../../active-directory/authentication/concept-sspr-policy.md) for users if you create identities in Azure AD directly. Hybrid organizations should implement these policies using [domain group policy settings](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/hh994572(v%3dws.10)) or [Windows PowerShell](/powershell/module/activedirectory/set-addefaultdomainpasswordpolicy).

-### Protect against leaked credentials and add resilience against outages

-If your organization uses a hybrid identity solution with pass-through authentication or federation, then you should enable password hash sync for the following two reasons:

-* The [Users with leaked credentials](../../active-directory/identity-protection/overview-identity-protection.md) report in the Azure AD management warns you of username and password pairs, which have been exposed on the "dark web." An incredible volume of passwords is leaked via phishing, malware, and password reuse on third-party sites that are later breached. Microsoft finds many of these leaked credentials and will tell you, in this report, if they match credentials in your organization ΓÇô but only if you [enable password hash sync](../../active-directory/hybrid/how-to-connect-password-hash-synchronization.md) or have cloud-only identities!

-* In the event of an on-premises outage (for example, in a ransomware attack) you can switch over to using [cloud authentication using password hash sync](../../active-directory/hybrid/choose-ad-authn.md). This backup authentication method will allow you to continue accessing apps configured for authentication with Azure Active Directory, including Microsoft 365. In this case, IT staff won't need to resort to personal email accounts to share data until the on-premises outage is resolved.

-Learn more about how [password hash sync](../../active-directory/hybrid/how-to-connect-password-hash-synchronization.md) works.

-> [!NOTE]

-> If you enable password hash sync and are using Azure AD Domain services, Kerberos (AES 256) hashes and optionally NTLM (RC4, no salt) hashes will also be encrypted and synchronized to Azure AD.

-### Implement AD FS extranet smart lockout

-Organizations, which configure applications to authenticate directly to Azure AD benefit from [Azure AD smart lockout](../../active-directory/authentication/concept-sspr-howitworks.md). If you use AD FS in Windows Server 2012R2, implement AD FS [extranet lockout protection](/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-soft-lockout-protection). If you use AD FS on Windows Server 2016, implement [extranet smart lockout](https://support.microsoft.com/help/4096478/extranet-smart-lockout-feature-in-windows-server-2016). AD FS Smart Extranet lockout protects against brute force attacks, which target AD FS while preventing users from being locked out in Active Directory.

-### Take advantage of intrinsically secure, easier to use credentials

-Using [Windows Hello](/windows/security/identity-protection/hello-for-business/hello-identity-verification), you can replace passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied securely to a device and uses a biometric or PIN.

-## Step 2 - Reduce your attack surface

-Given the pervasiveness of password compromise, minimizing the attack surface in your organization is critical. Eliminating use of older, less secure protocols, limiting access entry points, and exercising more significant control of administrative access to resources can help reduce the attack surface area.

-### Block legacy authentication

-Apps using their own legacy methods to authenticate with Azure AD and access company data, pose another risk for organizations. Examples of apps using legacy authentication are POP3, IMAP4, or SMTP clients. Legacy authentication apps authenticate on behalf of the user and prevent Azure AD from doing advanced security evaluations. The alternative, modern authentication, will reduce your security risk, because it supports multi-factor authentication and Conditional Access. We recommend the following three actions:

-1. Block [legacy authentication if you use AD FS](/windows-server/identity/ad-fs/operations/access-control-policies-w2k12).

-2. Setup [SharePoint Online and Exchange Online to use modern authentication](../../active-directory/conditional-access/block-legacy-authentication.md).

-3. If you have Azure AD Premium, use Conditional Access policies to [block legacy authentication](../../active-directory/conditional-access/howto-conditional-access-policy-block-legacy.md), otherwise use [Azure AD Security Defaults](../../active-directory/fundamentals/concept-fundamentals-security-defaults.md).

-### Block invalid authentication entry points

-Using the assume breach mentality, you should reduce the impact of compromised user credentials when they happen. For each app in your environment consider the valid use cases: which groups, which networks, which devices and other elements are authorized ΓÇô then block the rest. With [Azure AD Conditional Access](../../active-directory/conditional-access/overview.md), you can control how authorized users access their apps and resources based on specific conditions you define.

-### Restrict user consent operations

-ItΓÇÖs important to understand the various [Azure AD application consent experiences](../../active-directory/develop/application-consent-experience.md), the [types of permissions and consent](../../active-directory/develop/v2-permissions-and-consent.md), and their implications on your organizationΓÇÖs security posture. By default, all users in Azure AD can grant applications that leverage the Microsoft identity platform to access your organizationΓÇÖs data. While allowing users to consent by themselves does allow users to easily acquire useful applications that integrate with Microsoft 365, Azure and other services, it can represent a risk if not used and monitored carefully.

-Microsoft recommends [restricting user consent](../../active-directory/manage-apps/configure-user-consent.md) to allow end-user consent only for apps from verified publishers and only for permissions you select. If end-user consent is restricted, previous consent grants will still be honored but all future consent operations must be performed by an administrator. For restricted cases, admin consent can be requested by users through an integrated [admin consent request workflow](../../active-directory/manage-apps/configure-admin-consent-workflow.md) or through your own support processes. Before restricting end-user consent, use our [recommendations](../../active-directory/manage-apps/manage-consent-requests.md) to plan this change in your organization. For applications you wish to allow all users to access, consider [granting consent on behalf of all users](../../active-directory/develop/v2-admin-consent.md), making sure users who have not yet consented individually will be able to access the app. If you do not want these applications to be available to all users in all scenarios, use [application assignment](../../active-directory/manage-apps/assign-user-or-group-access-portal.md) and Conditional Access to restrict user access to [specific apps](../../active-directory/conditional-access/concept-conditional-access-cloud-apps.md).

-Make sure users can request admin approval for new applications to reduce user friction, minimize support volume, and prevent users from signing up for applications using non-Azure AD credentials. Once you regulate your consent operations, administrators should audit app and consented permissions on a regular basis.

-### Implement Azure AD Privileged Identity Management

-Another impact of "assume breach" is the need to minimize the likelihood a compromised account can operate with a privileged role.

-[Azure AD Privileged Identity Management (PIM)](../../active-directory/privileged-identity-management/pim-configure.md) helps you minimized account privileges by helping you:

-* Identify and manage users assigned to administrative roles.

-* Understand unused or excessive privilege roles you should remove.

-* Establish rules to make sure privileged roles are protected by multi-factor authentication.

-* Establish rules to make sure privileged roles are granted only long enough to accomplish the privileged task.

-Enable Azure AD PIM, then view the users who are assigned administrative roles and remove unnecessary accounts in those roles. For remaining privileged users, move them from permanent to eligible. Finally, establish appropriate policies to make sure when they need to gain access to those privileged roles, they can do so securely, with the necessary change control.

-As part of deploying your privileged account process, follow the [best practice to create at least two emergency accounts](../../active-directory/roles/security-planning.md) to make sure you still have access to Azure AD if you lock yourself out.

-### Implement user risk security policy using Azure AD Identity Protection

-User risk indicates the likelihood a user's identity has been compromised and is calculated based on the [user risk detections](../../active-directory/identity-protection/overview-identity-protection.md) that are associated with a user's identity. A user risk policy is a Conditional Access policy that evaluates the risk level to a specific user or group. Based on Low, Medium, High risk-level, a policy can be configured to block access or require a secure password change using multi-factor authentication. Microsoft's recommendation is to require a secure password change for users on high risk.

-

-### Implement sign-in risk policy using Azure AD Identity Protection

-Sign-in risk is the likelihood someone other than the account owner is attempting to sign on using the identity. A [sign-in risk policy](../../active-directory/identity-protection/overview-identity-protection.md) is a Conditional Access policy that evaluates the risk level to a specific user or group. Based on the risk level (high/medium/low), a policy can be configured to block access or force multi-factor authentication. Make sure you force multi-factor authentication on Medium or above risk sign-ins.

-

-Auditing and logging of security-related events and related alerts are essential components of an efficient protection strategy. Security logs and reports provide you with an electronic record of suspicious activities and help you detect patterns that may indicate attempted or successful external penetration of the network, and internal attacks. You can use auditing to monitor user activity, document regulatory compliance, do forensic analysis, and more. Alerts provide notifications of security events.

-Microsoft Azure services and features provide you with configurable security auditing and logging options to help you identify gaps in your security policies and mechanisms and address those gaps to help prevent breaches. You can use [Azure Logging and Auditing](log-audit.md) and use [Audit activity reports in the Azure Active Directory portal](../../active-directory/reports-monitoring/concept-audit-logs.md).

-[Monitoring AD FS with Azure AD Connect Health](../../active-directory/hybrid/how-to-connect-health-adfs.md) provides you with greater insight into potential issues and visibility of attacks on your AD FS infrastructure. Azure AD Connect Health delivers alerts with details, resolution steps, and links to related documentation; usage analytics for several metrics related to authentication traffic; performance monitoring and reports.

-

-[Azure AD Identity Protection](../../active-directory/identity-protection/overview-identity-protection.md) is a notification, monitoring and reporting tool you can use to detect potential vulnerabilities affecting your organization's identities. It detects risk detections, such as leaked credentials, impossible travel, and sign-ins from infected devices, anonymous IP addresses, IP addresses associated with the suspicious activity, and unknown locations. Enable notification alerts to receive email of users at risk and/or a weekly digest email.

-Azure AD Identity Protection provides two important reports you should monitor daily:

-1. Risky sign-in reports will surface user sign-in activities you should investigate, the legitimate owner may not have performed the sign-in.

-2. Risky user reports will surface user accounts that may have been compromised, such as leaked credential that was detected or the user signed in from different locations causing an impossible travel event.

-

-Users can be tricked into navigating to a compromised web site or apps that will gain access to their profile information and user data, such as their email. A malicious actor can use the consented permissions it received to encrypt their mailbox content and demand a ransom to regain your mailbox data. [Administrators should review and audit](/office365/securitycompliance/detect-and-remediate-illicit-consent-grants) the permissions given by users or disable the ability of users to give consent by default.

-In addition to auditing the permissions given by users, you can [locate risky or unwanted OAuth applications](/cloud-app-security/investigate-risky-oauth) in premium environments.

-As much as possible you'll want to balance security with productivity. Along the same lines of approaching your journey with the mindset that you're setting a foundation for security in the long run, you can remove friction from your organization by empowering your users while remaining vigilant.

-Azure AD's [self-service password reset (SSPR)](../../active-directory/authentication/tutorial-enable-sspr.md) offers a simple means for IT administrators to allow users to reset or unlock their passwords or accounts without help desk or administrator intervention. The system includes detailed reporting that tracks when users have reset their passwords, along with notifications to alert you to misuse or abuse.

-Azure AD provides the ability to non-administrators to manage access to resources, using security groups, Microsoft 365 groups, application roles, and access package catalogs. [Self-service group management](../../active-directory/enterprise-users/groups-self-service-management.md) enables group owners to manage their own groups, without needing to be assigned an administrative role. Users can also create and manage Microsoft 365 groups without relying on administrators to handle their requests, and unused groups expire automatically. [Azure AD entitlement management](../../active-directory/governance/entitlement-management-overview.md) further enables delegation and visibility, with comprehensive access request workflows and automatic expiration. You can delegate to non-administrators the ability to configure their own access packages for groups, Teams, applications, and SharePoint Online sites they own, with custom policies for who is required to approve access, including configuring employee's managers and business partner sponsors as approvers.

-With [Azure AD access reviews](../../active-directory/governance/access-reviews-overview.md), you can manage access package and group memberships, access to enterprise applications, and privileged role assignments to make sure you maintain a security standard. Regular oversight by the users themselves, resource owners, and other reviewers ensure that users don't retain access for extended periods of time when they no longer need it.

-* Strengthen your credentials.

-* Reduce your attack surface area.

-* Automate threat response.

-* Utilize cloud intelligence.

-* Enable more predictable and complete end-user security with self-help.

-We appreciate how seriously you take Identity Security and hope this document is a useful roadmap to a more secure posture for your organization.

-## Azure Information Protection

-Hyper-V (running without Virtual Machine Manager) | Windows Server 2019, Windows Server 2016, Windows Server 2012 R2 with latest updates <br/><br/> **Note:** Server core installation of these operating systems are also supported. | If you have already configured Windows Server 2012 R2 with/or SCVMM 2012 R2 with Azure Site Recovery and plan to upgrade the OS, please follow the guidance [documentation.](upgrade-2012R2-to-2016.md)

-Hyper-V (running with Virtual Machine Manager) | Virtual Machine Manager 2019, Virtual Machine Manager 2016, Virtual Machine Manager 2012 R2 <br/><br/> **Note:** Server core installation of these operating systems are also supported. | If Virtual Machine Manager is used, Windows Server 2019 hosts should be managed in Virtual Machine Manager 2019. Similarly, Windows Server 2016 hosts should be managed in Virtual Machine Manager 2016.

-### Securing routes with roles

-## Disable cache for authenticated paths

-Make sure you have the following additional prerequisites installed:

- `go get -u github.com/Azure/azure-storage-blob-go/azblob`

-This command clones the repository to your local git folder. To open the Go sample for Blob storage, look for storage-quickstart.go file.

-## Configure your storage connection string

-This solution requires your storage account name and key to be securely stored in environment variables local to the machine running the sample. Follow one of the examples below depending on your operating System to create the environment variables.

-# [Linux](#tab/linux)

-```bash

-export AZURE_STORAGE_ACCOUNT="<youraccountname>"

-export AZURE_STORAGE_ACCESS_KEY="<youraccountkey>"

-# [Windows](#tab/windows)

-```shell

-setx AZURE_STORAGE_ACCOUNT "<youraccountname>"

-setx AZURE_STORAGE_ACCESS_KEY "<youraccountkey>"

-```

-This sample creates a test file in the current folder, uploads the test file to Blob storage, lists the blobs in the container, and downloads the file into a buffer.

-To run the sample, issue the following command:

-`go run storage-quickstart.go`

-Creating a container named quickstart-5568059279520899415

-Uploading the file with blob name: 630910657703031215

-Blob name: 630910657703031215

-Downloaded the blob: hello world

-this is a blob

-Press the enter key to delete the sample files, example container, and exit the application.

-// From the Azure portal, get your storage account name and key and set environment variables.

-accountName, accountKey := os.Getenv("AZURE_STORAGE_ACCOUNT"), os.Getenv("AZURE_STORAGE_ACCESS_KEY")

-if len(accountName) == 0 || len(accountKey) == 0 {

- log.Fatal("Either the AZURE_STORAGE_ACCOUNT or AZURE_STORAGE_ACCESS_KEY environment variable is not set")

-// Create a default request pipeline using your storage account name and account key.

-credential, err := azblob.NewSharedKeyCredential(accountName, accountKey)

-p := azblob.NewPipeline(credential, azblob.PipelineOptions{})

-// Create a random string for the quick start container

-// From the Azure portal, get your storage account blob service URL endpoint.

-URL, _ := url.Parse(

- fmt.Sprintf("https://%s.blob.core.windows.net/%s", accountName, containerName))

-// Create a ContainerURL object that wraps the container URL and a request

-// pipeline to make requests.

-containerURL := azblob.NewContainerURL(*URL, p)

-// Create the container

-fmt.Printf("Creating a container named %s\n", containerName)

-ctx := context.Background() // This example uses a never-expiring context

-_, err = containerURL.Create(ctx, azblob.Metadata{}, azblob.PublicAccessNone)

-handleErrors(err)

-To upload a file to a blob, open the file using **os.Open**. You can then upload the file to the specified path using one of the REST APIs: Upload (PutBlob), StageBlock/CommitBlockList (PutBlock/PutBlockList).

-Alternatively, the SDK offers [high-level APIs](https://github.com/Azure/azure-storage-blob-go/blob/master/azblob/highlevel.go) that are built on top of the low-level REST APIs. As an example, ***UploadFileToBlockBlob*** function uses StageBlock (PutBlock) operations to concurrently upload a file in chunks to optimize the throughput. If the file is less than 256 MB, it uses Upload (PutBlob) instead to complete the transfer in a single transaction.

-The following example uploads the file to your container called **quickstartblobs-[randomstring]**.

-// Create a file to test the upload and download.

-fmt.Printf("Creating a dummy file to test the upload and download\n")

-data := []byte("hello world this is a blob\n")

-fileName := randomString()

-err = ioutil.WriteFile(fileName, data, 0700)

-handleErrors(err)

-// Here's how to upload a blob.

-blobURL := containerURL.NewBlockBlobURL(fileName)

-file, err := os.Open(fileName)

-handleErrors(err)

-// You can use the low-level Upload (PutBlob) API to upload files. Low-level APIs are simple wrappers for the Azure Storage REST APIs.

-// Note that Upload can upload up to 256MB data in one shot. Details: https://docs.microsoft.com/rest/api/storageservices/put-blob

-// To upload more than 256MB, use StageBlock (PutBlock) and CommitBlockList (PutBlockList) functions.

-// Following is commented out intentionally because we will instead use UploadFileToBlockBlob API to upload the blob

-// _, err = blobURL.Upload(ctx, file, azblob.BlobHTTPHeaders{ContentType: "text/plain"}, azblob.Metadata{}, azblob.BlobAccessConditions{})

-// handleErrors(err)

-// The high-level API UploadFileToBlockBlob function uploads blocks in parallel for optimal performance, and can handle large files as well.

-// This function calls StageBlock/CommitBlockList for files larger 256 MBs, and calls Upload for any file smaller

-fmt.Printf("Uploading the file with blob name: %s\n", fileName)

-_, err = azblob.UploadFileToBlockBlob(ctx, file, blobURL, azblob.UploadToBlockBlobOptions{

- BlockSize: 4 * 1024 * 1024,

- Parallelism: 16})

-handleErrors(err)

-Get a list of files in the container using the **ListBlobs** method on a **ContainerURL**. ListBlobs returns a single segment of blobs (up to 5000) starting from the specified **Marker**. Use an empty Marker to start enumeration from the beginning. Blob names are returned in lexicographic order. After getting a segment, process it, and then call ListBlobs again passing the previously returned Marker.

-// List the container that we have created above

-fmt.Println("Listing the blobs in the container:")

-for marker := (azblob.Marker{}); marker.NotDone(); {

- // Get a result segment starting with the blob indicated by the current Marker.

- listBlob, err := containerURL.ListBlobsFlatSegment(ctx, marker, azblob.ListBlobsSegmentOptions{})

- handleErrors(err)

- // ListBlobs returns the start of the next segment; you MUST use this to get

- // the next segment (after processing the current result segment).

- marker = listBlob.NextMarker

- // Process the blobs returned in this result segment (if the segment is empty, the loop body won't execute)

- for _, blobInfo := range listBlob.Segment.BlobItems {

- fmt.Print(" Blob name: " + blobInfo.Name + "\n")

-Download blobs using the **Download** low-level function on a BlobURL. This will return a **DownloadResponse** struct. Run the function **Body** on the struct to get a **RetryReader** stream for reading data. If a connection fails while reading, it will make additional requests to re-establish a connection and continue reading. Specifying a RetryReaderOption's with MaxRetryRequests set to 0 (the default), returns the original response body and no retries will be performed. Alternatively, use the high-level APIs **DownloadBlobToBuffer** or **DownloadBlobToFile** to simplify your code.

-// Here's how to download the blob

-downloadResponse, err := blobURL.Download(ctx, 0, azblob.CountToEnd, azblob.BlobAccessConditions{}, false)

-// NOTE: automatically retries are performed if the connection fails

-bodyStream := downloadResponse.Body(azblob.RetryReaderOptions{MaxRetryRequests: 20})

-// read the body into a buffer

-downloadedData := bytes.Buffer{}

-_, err = downloadedData.ReadFrom(bodyStream)

-handleErrors(err)

-// Cleaning up the quick start by deleting the container and the file created locally

-fmt.Printf("Press enter key to delete the sample files, example container, and exit the application.\n")

-containerURL.Delete(ctx, azblob.ContainerAccessConditions{})

-file.Close()

-os.Remove(fileName)

-In this quickstart, you learned how to transfer files between a local disk and Azure blob storage using Go. For more information about the Azure Storage Blob SDK, view the [Source Code](https://github.com/Azure/azure-storage-blob-go/) and [API Reference](https://godoc.org/github.com/Azure/azure-storage-blob-go/azblob).

-To override the default parameter template, create a custom parameter template named*template-parameters-definition.json* in the root folder of your Git collaboration branch. You must use this exact file name. When Azure Synapse workspace publishes from the collaboration branch, it reads this file and uses its configuration to generate the parameters. If Azure Synapse workspace doesn't find that file, is uses the default parameter template.

-"Microsoft.Synapse/workspaces/notebooks": {

- "properties":{

- "bigDataPool":{

- "properties": {

- "content":{

- "currentConnection":{

- "*":"-"

- }

- }

- },

- "activities": [{

- "typeProperties": {

- "waitTimeInSeconds": "-::int",

- "headers": "=::object"

- }]

- "*": "="

- ```sql

- CREATE DATABASE DataExplorationDB

- COLLATE Latin1_General_100_BIN2_UTF8

- ```

-2. Switch to `DataExplorationDB` where you can create utility objects such as credentials and data sources.

- ```sql

- CREATE EXTERNAL DATA SOURCE ContosoLake

- WITH ( LOCATION = 'https://contosolake.dfs.core.windows.net')

- ```

-3. Optionally, use the newly created 'DataExplorationDB' database to create a login for a user in DataExplorationDB that will access external data:

- ```sql

- CREATE LOGIN data_explorer WITH PASSWORD = 'My Very Strong Password 1234!';

- ```

- Then create a database user in `DataExplorationDB` for the login and grant the `ADMINISTER DATABASE BULK OPERATIONS` permission.

- ```sql

- CREATE USER data_explorer FOR LOGIN data_explorer;

- GO

- GRANT ADMINISTER DATABASE BULK OPERATIONS TO data_explorer;

- GO

- ```

-4. Explore the content of the file using the relative path and the data source:

- ```sql

- SELECT

- TOP 100 *

- FROM

- OPENROWSET(

- BULK '/users/NYCTripSmall.parquet',

- DATA_SOURCE = 'ContosoLake',

- FORMAT='PARQUET'

- ) AS [result]

- ```

- | Assign access to | [USER |

-| **Dataverse** | No | Yes, you can read Dataverse tables using [Synapse link](https://docs.microsoft.com/powerapps/maker/data-platform/azure-synapse-link-data-lake). |

-| **Azure Cosmos DB analytical storage** | No | Yes, you can [query Cosmos DB analytical storage](query-cosmos-db-analytical-store.md) using [Synapse Link](../../cosmos-db/synapse-link.md?bc=%2fazure%2fsynapse-analytics%2fbreadcrumb%2ftoc.json&toc=%2fazure%2fsynapse-analytics%2ftoc.json). |

-| **Apache Spark tables (remote)** | No | No, serverless pool can access only the PARQUET and CSV tables that are [created in Apache Spark pools in the same Synapse workspace](develop-storage-files-spark-tables.md). |

-| **Databricks tables (remote)** | No | No, serverless pool can access only the PARQUET and CSV tables that are [created in Apache Spark pools in the same Synapse workspace](develop-storage-files-spark-tables.md). |

-8. All VHDs on Azure must have a virtual size aligned to 1 MB. When converting from a raw disk to VHD you must ensure that the raw disk size is a multiple of 1 MB before conversion, as described in the following steps.

-This disk has a maximum capacity of 4,095 GiB, however, most deployments use [master boot record (MBR)](https://wikipedia.org/wiki/Master_boot_record) by default. MBR limits the usable size to 2 TiB. If you need more than 2 TiB, create and attach [data disks](#data-disk) and use them for data storage. If you need to store data on the OS disk and require the additional space, [convert it to GUID Partition Table](/windows-server/storage/disk-management/change-an-mbr-disk-into-a-gpt-disk) (GPT). To learn about the differences between MBR and GPT on Windows deployments, see [Windows and GPT FAQ](/windows-hardware/manufacture/desktop/windows-and-gpt-faq?view=windows-11).

-| **PowerPlatformInfra** | This tag represents the IP addresses used by the infrastructure to host Power Platform services. | Outbound | Yes | No |