- - **Role/Policy name**: The name of the roles/policies available to you.

- - **Role/Policy type**: **Custom**, **System**, or **CloudKnox only**

- - The **Users**, **Groups**, and **Roles** the task is **Directly assigned to**.

- - The **Group members** and **Role identities** the task is **Indirectly assessable by**.

- - The **Users**, **Groups**, **Enterprise applications** and **Managed identities** the task is **Directly assigned to**.

- - The **Group members** the task is **Indirectly assessable by**.

- - The **Users**, **Groups**, and **Service accounts** the task is **Directly assigned to**.

- - The **Group members** the task is **Indirectly assessable by**.

- When the file is successfully exported, a message appears: **Exported successfully.**

- - **Authorization system type**: Select **AWS**, **Azure**, or **GCP**.

- - **Authorization system**: Select the accounts you want.

- - **Role/Policy type**: Select from the following options:

- - **CloudKnox only**: A role/policy created by CloudKnox.

- - **Role/Policy status**: Select **All**, **Assigned**, or **Unassigned**.

- - **Role/Policy usage**: Select **All** or **Unused**.

- To discard your changes, select **Reset filter**.

- The **M-CIEM Onboarding - Summary** page displays.

- The **M-CIEM On Boarding - AWS Member Account Details** page displays.

-1. Return to CloudKnox, and the new account ID you added will be added to the list of account IDs displayed in the **M-CIEM Onboarding - Summary** page.

- The **M-CIEM Onboarding - Summary** page displays.

-1. Return to CloudKnox, and the new subscription ID you added will be added to the list of subscription IDs displayed in the **M-CIEM Onboarding - Summary** page.

- The **M-CIEM Onboarding - Summary** page displays.

-1. Return to CloudKnox, and the new project ID you added will be added to the list of project IDs displayed in the **M-CIEM Onboarding - Summary** page.

- > Perform the next 5 steps for each account ID you add.

- `az ad ap create --id b46c3ac5-9da6-418f-a849-0a7a10b3c6c`

-### 4. Run scripts in Cloud Shell. (Optional if not already executed.)

-1. In the CloudKnox home page, select the down arrow to the right of the **User** (your initials) menu, and then select **Account settings**.

- The **Personal information** box displays your **First name**, **Last name**, and the **Email address** that was used to register your account on CloudKnox.

-1. In the CloudKnox home page, select the down arrow to the right of the **User** (your initials) menu, and then select **Account settings**.

- The **Current organization information** displays the **Name** of your organization, the **Tenant ID** box, and the **User session timeout (min)**.

-1. To change duration of the **User session timeout (min)**, select **Edit** (the pencil icon), and then enter the number of minutes before you want a user session to time out.

-1. Select the **Authorization system** box to display a **List** of accounts and **Folders** available to you.

- The **Permission creep index (PCI)** chart updates to display information about the accounts and folders you selected. The number of days since the information was last updated displays in the upper right corner.

-1. In the Permission creep index (PCI) graph, select a bubble.

-The **Permission creep index (PCI)** heat map shows the incurred risk of users with access to high-risk privileges. The distribution graph displays all the users who contribute to the privilege creep. It displays how many users contribute to a particular score. For example, if the score from the PCI chart is 14, the graph shows how many users have a score of 14.

- The **M-CIEM Onboarding - Summary** box displays.

-The **Permission creep index** heat map shows the incurred risk of users with access to high-risk permissions, and provides information about:

- - **Role/Policy template**: Use this subtab to create a template for roles/policies template.

- - **My requests**: Use this tab to manage lifecycle of the POD request either created by you or needs your approval.

- - **Settings**: Use this subtab to select **Request role/policy filters**, **Request settings**, and **Auto-approve** settings.

-The **Role/Policies list** displays a list of existing roles/policies and the following information about each role/policy.

- When the file is successfully exported, a message appears: **Exported successfully.**

- When the file is successfully exported, a message appears: **Exported successfully.**

-Use the **Role/Policy template** subtab to create a template for roles/policies.

- - **Authorization system type**: Displays a dropdown with authorization system types you can access, WS, Azure, and GCP.

- - **Create template**: Select this option to create a template.

- - **Authorization system type**: Select the authorization system types you want, **AWS**, **Azure**, or **GCP**.

- - **Template name**: Enter a name for your template, and then select **Next**.

-1. In the **Statements** page, complete the **Tasks**, **Resources**, **Request conditions** and **Effect** sections. Then select **Save** to save your role/policy template.

- - **Authorization system type**: Displays a dropdown with authorization system types you can access, AWS, Azure, and GCP.

- - **Authorization system**: Displays a list of authorization systems accounts you can access.

- - **Submitted by**

- - **On behalf of**

- - **Authorization system**

- - **Tasks/scope/policies**

- - **Request date**

- - **Reset to default**: Select this option to discard your settings.

- - **Authorization system type**: Displays a dropdown with authorization system types you can access, AWS, Azure, and GCP.

- - **Authorization system**: Displays a list of authorization systems accounts you can access.

- - **On behalf of**

- - **Authorization system**

- - **Tasks/scope/policies**

- - **Request date**

- - **Reset to default**: Select this option to discard your settings.

-The **Settings** subtab provides the following settings that you can use to make setting selections to **Request role/policy filters**, **Request settings**, and **Auto-approve** requests.

-1. On the main **Analytics** dashboard, select **Access keys** from the drop-down list at the top of the screen.

- The following components make up the **Access keys** dashboard:

- - **Authorization system type**: Select the authorization you want to use: Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP).

- - **Authorization system**: Select from a **List** of accounts and **Folders***.

- - **Key status**: Select **All**, **Active**, or **Inactive**.

- - **Key activity state**: Select **All**, how long the access key has been used, or **Not used**.

- - **Key age**: Select **All** or how long ago the access key was created.

- - **Task type**: Select **All** tasks, **High-risk tasks** or, for a list of tasks where users have deleted data, select **Delete tasks**.

- Select **Reset filter** to discard your changes.

-The **Access keys** table displays the results of your query.

-There are many filter options within the **Active tasks** screen, including filters by **Authorization system**, filters by **User** and filters by **Task**.

-1. From the **Authorization system type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.

- Select **Reset filter** to discard your changes.

-1. From the **Authorization system type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.

-1. From the **Authorization system** dropdown, select accounts from a **List** of accounts and **Folders**.

- Select **Reset filter** to discard your changes.

-1. From the **Authorization system type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.

-1. From the **Authorization system** dropdown, select from a **List** of accounts and **Folders**.

-1. From the **Key status** dropdown, select the type of key: **All**, **Active**, or **Inactive**.

- Select **Reset filter** to discard your changes.

-1. From the **Authorization system type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.

-1. From the **Authorization system** dropdown, select from a **List** of accounts and **Folders**.

-1. From the **Key activity state** dropdown, select **All**, the duration for how long the access key has been used, or **Not used**.

- Select **Reset filter** to discard your changes.

-1. From the **Authorization system type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.

-1. From the **Authorization system** dropdown, select from a **List** of accounts and **Folders**.

-1. From the **Key age** dropdown, select **All** or how long ago the access key was created.

- Select **Reset filter** to discard your changes.

-1. From the **Authorization system type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.

-1. From the **Authorization system** dropdown, select from a **List** of accounts and **Folders**.

-1. From the **Task type** dropdown, select **All** tasks, **High-risk tasks** or, for a list of tasks where users have deleted data, select **Delete tasks**.

- Select **Reset filter** to discard your changes.

-1. On the main **Analytics** dashboard, select **Active resources** from the drop-down list at the top of the screen.

- The dashboard only lists tasks that are active. The following components make up the **Active resources** dashboard:

- - **Authorization system type**: The authorization you want to use: Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP).

- - **Authorization system**: The **List** of accounts and **Folders** you want to include.

- - **Tasks type**: Select **All** tasks, **High-risk tasks** or, for a list of tasks where users have deleted data, select **Delete tasks**.

- - **Service resource type**: The service resource type.

- Select **Reset filter** to discard your changes.

-The **Active resources** table displays the results of your query:

-1. From the **Select a tag** dropdown, select a tag.

-1. To create a custom tag select **New custom tag**, add a tag name, and then select **Create**.

-1. Select the ellipses **(...)** to select **Advanced save** options, and then select **Save**.

-1. To add the tag to the serverless function, select **Add tag**.

-There are many filter options within the **Active resources** screen, including filters by **Authorization system**, filters by **User** and filters by **Task**.

-1. From the **Authorization system type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.

- Select **Reset filter** to discard your changes.

-1. From the **Authorization system type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.

-1. From the **Authorization system** dropdown, select from a **List** of accounts and **Folders**.

- Select **Reset filter** to discard your changes.

-1. From the **Authorization system type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.

-1. From the **Authorization system** dropdown, select from a **List** of accounts and **Folders**.

-1. From the **Task type**, select the type of user: **All**, **User**, **Role/App/Service a/c**, or **Resource**.

- Select **Reset filter** to discard your changes.

-1. From the **Authorization system type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.

-1. From the **Authorization system** dropdown, select from a **List** of accounts and **Folders**.

-1. From the **Service Resource type**, select the type of service resource.

- Select **Reset filter** to discard your changes.

-When you select **Active tasks**, the **Analytics** dashboard provides a high-level overview of tasks used by various identities.

-1. On the main **Analytics** dashboard, select **Active tasks** from the drop-down list at the top of the screen.

- The dashboard only lists tasks that are active. The following components make up the **Active tasks** dashboard:

- - **Authorization system type**: Select the authorization you want to use: Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP).

- - **Authorization system**: Select from a **List** of accounts and **Folders***.

- - **Tasks type**: Select **All** tasks, **High-risk tasks** or, for a list of tasks where users have deleted data, select **Delete tasks**.

- Select **Reset filter** to discard your changes.

-The **Active tasks** table displays the results of your query.

- - A **Normal task** icon displays to the left of the task name if the task is normal (that is, not risky).

- - A **Deleted task** icon displays to the left of the task name if the task involved deleting data.

- - A **High-risk task** icon displays to the left of the task name if the task is high-risk.

- - **With access**: Displays the number of users that have access to the task but haven't accessed it.

-There are many filter options within the **Active tasks** screen, including **Authorization system**, **User**, and **Task**.

-1. From the **Authorization system type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.

- Select **Reset filter** to discard your changes.

-1. From the **Authorization system type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.

-1. From the **Authorization system** dropdown, select accounts from a **List** of accounts and **Folders**.

- Select **Reset filter** to discard your changes.

-1. From the **Authorization system type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.

-1. From the **Authorization system** dropdown, select from a **List** of accounts and **Folders**.

-1. From the **Task type** dropdown, select the type of tasks: **All**, **High risk tasks**, or **Delete tasks**.

- Select **Reset filter** to discard your changes.

- - **Authorization system type**: Select the authorization you want to use: Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP).

- - **Authorization system**: Select from a **List** of accounts and **Folders**.

- - **Group type**: Select **All**, **ED**, or **Local**.

- - **Group activity status**: Select **All**, **Active**, or **Inactive**.

- - **Tasks Type**: Select **All**, **High-risk tasks**, or **Delete tasks**

- - **Reset filter**: Select to discard your changes.

-1. From the **Select a tag** dropdown, select a tag.

-1. To create a custom tag select **New custom tag**, add a tag name, and then select **Create**.

-1. Select the ellipses **(...)** to select **Advanced save** options, and then select **Save**.

-1. To add the tag to the serverless function, select **Add tag**.

-1. Select the down arrow to the left of the **Group name**.

-1. From the **Tasks** dropdown, select **All tasks**, **High-risk tasks**, and **Delete tasks**.

-There are many filter options within the **Groups** screen, including filters by **Authorization system type**, **Authorization system**, **Group type**, **Group activity status**, and **Tasks type**.

-1. From the **Authorization system type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.

- Select **Reset filter** to discard your changes.

-1. From the **Authorization system type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.

-1. From the **Authorization system** dropdown, select accounts from a **List** of accounts and **Folders**.

- Select **Reset filter** to discard your changes.

-1. From the **Authorization system type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.

-1. From the **Authorization system** dropdown, select from a **List** of accounts and **Folders**.

-1. From the **Group type** dropdown, select the type of user: **All**, **ED**, or **Local**.

- Select **Reset filter** to discard your changes.

-1. From the **Authorization system type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.

-1. From the **Authorization system** dropdown, select from a **List** of accounts and **Folders**.

-1. From the **Group activity status** dropdown, select the type of user: **All**, **Active**, or **Inactive**.

- Select **Reset filter** to discard your changes.

-1. From the **Authorization system type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.

-1. From the **Authorization system** dropdown, select from a **List** of accounts and **Folders**.

-1. From the **Tasks type** dropdown, select the type of user: **All**, **High-risk tasks**, or **Delete tasks**.

- Select **Reset filter** to discard your changes.

-When you select **Serverless functions**, the **Analytics** dashboard provides a high-level overview of tasks used by various identities.

-1. On the main **Analytics** dashboard, select **Serverless functions** from the dropdown list at the top of the screen.

- The following components make up the **Serverless functions** dashboard:

- - **Authorization system type**: Select the authorization you want to use: Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP).

- - **Authorization system**: Select from a **List** of accounts and **Folders**.

- Select **Reset filter** to discard your changes.

-The **Serverless functions** table displays the results of your query.

-1. From the **Select a tag** dropdown, select a tag.

-1. To create a custom tag select **New custom tag**, add a tag name, and then select **Create**.

-1. Select the ellipses **(...)** to select **Advanced save** options, and then select **Save**.

-1. To add the tag to the serverless function, select **Add tag**.

-1. From the **Tasks** dropdown, select **All tasks**, **High-risk tasks**, and **Delete tasks**.

-You can filter the **Serverless functions** results by **Authorization system type** and **Authorization system**.

-1. From the **Authorization system type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.

- Select **Reset filter** to discard your changes.

-1. From the **Authorization system type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.

-1. From the **Authorization system** dropdown, select accounts from a **List** of accounts and **Folders**.

- Select **Reset filter** to discard your changes.

- - **Authorization system type**: Select the authorization you want to use: Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP).

- - **Authorization system**: Select from a **List** of accounts and **Folders***.

- - **Identity type**: Select **All** identity types, **User**, **Role/App/Service a/c** or **Resource**.

-1. From the **Select a tag** dropdown, select a tag.

-1. To create a custom tag select **New custom tag**, add a tag name, and then select **Create**.

-1. Select the ellipses **(...)** to select **Advanced save** options, and then select **Save**.

-1. To add the tag to the serverless function, select **Add tag**.

-There are many filter options within the **Users** screen, including filters by **Authorization system**, **Identity type**, and **Identity state**.

-1. From the **Authorization system type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.

- Select **Reset filter** to discard your changes.

-1. From the **Authorization system type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.

-1. From the **Authorization system** dropdown, select accounts from a **List** of accounts and **Folders**.

-1. From the **Authorization system type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.

-1. From the **Authorization system** dropdown, select from a **List** of accounts and **Folders**.

-1. From the **Identity type**, select the type of user: **All**, **User**, **Role/App/Service a/c**, or **Resource**.

- Select **Reset filter** to discard your changes.

-1. From the **Authorization system type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.

-1. From the **Authorization system** dropdown, select from a **List** of accounts and **Folders**.

-1. From the **Identity subtype**, select the type of user: **All**, **ED**, **Local**, or **Cross-account**.

-1. From the **Authorization system type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.

-1. From the **Authorization system** dropdown, select from a **List** of accounts and **Folders**.

-1. From the **Identity state**, select the type of user: **All**, **Active**, or **Inactive**.

- Select **Reset filter** to discard your changes.

-1. From the **Authorization system type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.

-1. From the **Authorization system** dropdown, select from a **List** of accounts and **Folders**.

-1. From the **Identity type**, select: **Risky** or **Inc. in PCI calculation only**.

- Select **Reset filter** to discard your changes.

-1. From the **Authorization system type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.

-1. From the **Authorization system** dropdown, select from a **List** of accounts and **Folders**.

-1. From the **Task type**, select the type of user: **All** or **High-risk tasks**.

- Select **Reset filter** to discard your changes.

-1. Run the query `https://graph.microsoft.com/beta/serviceprincipals/?$filter=startswith(Displayname,'Active')`. This query returns a filtered list of service principals.

-| trustType | Equals, NotEquals | A valid registered state for devices. Supported values are: AzureAD (used for Azure AD joined devices), ServerAD (used for Hybrid Azure AD joined devices), Workplace (used for Azure AD registered devices) | (device.trustType -notIn 'ServerAD, Workplace') |

-The app registration part that's related to API permissions is classical. The app configuration involves using the OAuth 2.0 On-Behalf-Of flow to exchange the JWT bearer token against a token for a downstream API. This token is added to the token cache, where it's available in the web API's controllers, and it can then acquire a token silently to call downstream APIs.

-Your web app will need to acquire a token for the downstream API. You specify it by adding the `.EnableTokenAcquisitionToCallDownstreamApi()` line after `.AddMicrosoftIdentityWebApi(Configuration)`. This line exposes the `ITokenAcquisition` service that you can use in your controller and page actions. However, as you'll see in the following two options, it can be done more simply. You'll also need to choose a token cache implementation, for example `.AddInMemoryTokenCaches()`, in *Startup.cs*:

-| Tags | Individual tag size must be between 1 and 256 characters (inclusive). No whitespaces or duplicate tags allowed. | Individual tag size must be between 1 and 256 characters (inclusive). No whitespaces or duplicate tags allowed. | Individual tag size must be between 1 and 256 characters (inclusive). No whitespaces or duplicate tags allowed. |

-## Delete the application

-## Delete the conditional access policy

-## Delete the group

-# Tutorial: Azure Active Directory single sign-on (SSO) integration with Cloudmore

-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).

-* Cloudmore supports **SP and IDP** initiated SSO

-## Adding Cloudmore from the gallery

-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.

-## Configure and test Azure AD single sign-on for Cloudmore

-To configure and test Azure AD SSO with Cloudmore, complete the following building blocks:

-1. In the [Azure portal](https://portal.azure.com/), on the **Cloudmore** application integration page, find the **Manage** section and select **single sign-on**.

-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.

- 

- In the **Sign-on URL** text box, type a URL:

- 

- 

-In this section, you test your Azure AD single sign-on configuration using the Access Panel.

-When you click the Cloudmore tile in the Access Panel, you should be automatically signed in to the Cloudmore for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

-## Additional resources

-# Tutorial: Azure Active Directory single sign-on (SSO) integration with CloudSign

-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).

-* CloudSign supports **SP** initiated SSO

-* Once you configure CloudSign you can enforce session control, which protect exfiltration and infiltration of your organizationΓÇÖs sensitive data in real-time. Session control extend from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

-## Adding CloudSign from the gallery

-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.

-To configure and test Azure AD SSO with CloudSign, complete the following building blocks:

-1. In the [Azure portal](https://portal.azure.com/), on the **CloudSign** application integration page, find the **Manage** section and select **single sign-on**.

-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.

-1. On the **Basic SAML Configuration** section, enter the values for the following fields:

- a. In the **Sign on URL** text box, type the URL:

- `https://www.cloudsign.jp/login`

- b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:

- c. In the **Reply URL** text box, type a URL using the following pattern:

- > These values are not real. Update these values with the actual Reply URL and Identifier. Contact [CloudSign Client support team](mailto:contact@cloudsign.jp) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

- 

- 

-In this section, you test your Azure AD single sign-on configuration using the Access Panel.

-When you click the CloudSign tile in the Access Panel, you should be automatically signed in to the CloudSign for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

-## Additional resources

-# Tutorial: Azure Active Directory single sign-on (SSO) integration with EZRentOut

-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).

-* EZRentOut supports **SP** initiated SSO

-* EZRentOut supports **Just In Time** user provisioning

-## Adding EZRentOut from the gallery

-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.

-## Configure and test Azure AD single sign-on for EZRentOut

-To configure and test Azure AD SSO with EZRentOut, complete the following building blocks:

- * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

- * **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

- * **[Create EZRentOut test user](#create-ezrentout-test-user)** - to have a counterpart of B.Simon in EZRentOut that is linked to the Azure AD representation of user.

-1. In the [Azure portal](https://portal.azure.com/), on the **EZRentOut** application integration page, find the **Manage** section and select **single sign-on**.

-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.

-1. On the **Basic SAML Configuration** section, enter the values for the following fields:

- 

- 

-In this section, you test your Azure AD single sign-on configuration using the Access Panel.

-When you click the EZRentOut tile in the Access Panel, you should be automatically signed in to the EZRentOut for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

-## Additional resources

-# Tutorial: Azure Active Directory single sign-on (SSO) integration with Foko Retail

-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).

-* Foko Retail supports **SP** initiated SSO

-## Adding Foko Retail from the gallery

-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.

-## Configure and test Azure AD single sign-on for Foko Retail

-To configure and test Azure AD SSO with Foko Retail, complete the following building blocks:

- * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

- * **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

- * **[Create Foko Retail test user](#create-foko-retail-test-user)** - to have a counterpart of B.Simon in Foko Retail that is linked to the Azure AD representation of user.

-1. In the [Azure portal](https://portal.azure.com/), on the **Foko Retail** application integration page, find the **Manage** section and select **single sign-on**.

-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.

-1. On the **Basic SAML Configuration** section, enter the values for the following fields:

- a. In the **Sign on URL** text box, type a URL using the following pattern:

- `https://api.foko.io/sso/{$CUSTOM_ID}/login`

- b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:

- > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [Foko Retail Client support team](mailto:support@fokoretail.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

- 

- 

-In this section, you test your Azure AD single sign-on configuration using the Access Panel.

-When you click the Foko Retail tile in the Access Panel, you should be automatically signed in to the Foko Retail for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

-## Additional resources

-# Tutorial: Azure Active Directory single sign-on (SSO) integration with Raketa

-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).

-* Once you configure Raketa you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

-## Adding Raketa from the gallery

-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.

- 

-## Configure and test Azure AD single sign-on for Raketa

-To configure and test Azure AD SSO with Raketa, complete the following building blocks:

-1. In the [Azure portal](https://portal.azure.com/), on the **Raketa** application integration page, find the **Manage** section and select **single sign-on** [9].

- 

- 

-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** [11] to edit the settings.

-1. On the **Basic SAML Configuration** section, enter the values for the following fields:

- 

- 

-In this section, you test your Azure AD single sign-on configuration using the Access Panel.

-When you click the Raketa tile in the Access Panel, you should be automatically signed in to the Raketa for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

-## Additional resources

-# Tutorial: Azure Active Directory single sign-on (SSO) integration with Terraform Enterprise

- a. In the **Sign on URL** text box, type a URL using the following pattern:

- `https://<TFE HOSTNAME>/session`

- b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:

- > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [Terraform Enterprise Client support team](https://support.hashicorp.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

-To configure single sign-on on **Terraform Enterprise** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Terraform Enterprise support team](https://support.hashicorp.com). They set this setting to have the SAML SSO connection set properly on both sides.

-description: Learn how to configure single sign-on between Azure Active Directory and UltiPro.

-# Tutorial: Azure Active Directory integration with UltiPro

-In this tutorial, you'll learn how to integrate UltiPro with Azure Active Directory (Azure AD). When you integrate UltiPro with Azure AD, you can:

-* Control in Azure AD who has access to UltiPro.

-* Enable your users to be automatically signed-in to UltiPro with their Azure AD accounts.

-* UltiPro single sign-on (SSO) enabled subscription.

-* UltiPro supports **SP** initiated SSO.

-## Adding UltiPro from the gallery

-To configure the integration of UltiPro into Azure AD, you need to add UltiPro from the gallery to your list of managed SaaS apps.

-1. In the **Add from the gallery** section, type **UltiPro** in the search box.

-1. Select **UltiPro** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

-## Configure and test Azure AD SSO for UltiPro

-Configure and test Azure AD SSO with UltiPro using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in UltiPro.

-To configure and test Azure AD SSO with UltiPro, perform the following steps:

-2. **[Configure UltiPro SSO](#configure-ultipro-sso)** - to configure the Single Sign-On settings on application side.

- 1. **[Create UltiPro test user](#create-ultipro-test-user)** - to have a counterpart of B.Simon in UltiPro that is linked to the Azure AD representation of user.

-1. In the Azure portal, on the **UltiPro** application integration page, find the **Manage** section and select **Single sign-on**.

- > These values are not real. Update these values with the actual Sign-On URL, Identifier and Reply URL. Contact [UltiPro Client support team](https://www.ultimatesoftware.com/ContactUs) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

-6. On the **Set up UltiPro** section, copy the appropriate URL(s) as per your requirement.

-In this section, you'll enable B.Simon to use Azure single sign-on by granting access to UltiPro.

-1. In the applications list, select **UltiPro**.

-## Configure UltiPro SSO

-To configure single sign-on on **UltiPro** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [UltiPro support team](https://www.ultimatesoftware.com/ContactUs). They set this setting to have the SAML SSO connection set properly on both sides.

-### Create UltiPro test user

-In this section, you create a user called Britta Simon in UltiPro. Work with [UltiPro support team](https://www.ultimatesoftware.com/ContactUs) to add the users in the UltiPro platform. Users must be created and activated before you use single sign-on.

-* Click on **Test this application** in Azure portal. This will redirect to UltiPro Sign-on URL where you can initiate the login flow.

-* Go to UltiPro Sign-on URL directly and initiate the login flow from there.

-* You can use Microsoft My Apps. When you click the UltiPro tile in the My Apps, this will redirect to UltiPro Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

-Once you configure the UltiPro you can enforce session controls, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session controls extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-aad).

-# Tutorial: Azure Active Directory single sign-on (SSO) integration with Zendesk

-* Zendesk supports **SP** initiated SSO

-* Zendesk supports [**Automated** user provisioning](zendesk-provisioning-tutorial.md)

-1. In the **Zendesk Admin Center**, click on **Security settings** in the **Security** tab.

-1. Go to the **Single sign-on** page and click on **Edit** in the **SAML**.

- 

-1. Perform the following steps in the **SSO** page.

- a. In **SAML SSO URL** textbox, paste the value of **Login URL** which you have copied from Azure portal.

- b. In **Certificate Fingerprint** textbox, paste the **Thumbprint** value of certificate which you have copied from Azure portal.

- c. In **Remote Logout URL** textbox, paste the value of **Logout URL** which you have copied from Azure portal.

- d. Click **Save**.

- <api name="API name" id="API id" calls="number" renewal-period="seconds">

- <operation name="operation name" id="operation id" calls="number" renewal-period="seconds" />

-| renewal-period | The time period in seconds after which the quota resets. When it's set to `0` the period is set to infinite. | Yes | N/A |

- A tool called [Creator](https://github.com/Azure/azure-api-management-devops-resource-kit/blob/main/src/README.md#Creator) in the resource kit can help automate the creation of API templates based on an Open API Specification file. Additionally, developers can supply API Management policies for an API in XML format.

-* For customers who are already using API Management, another challenge is to extract existing configurations into Resource Manager templates. For those customers, a tool called [Extractor](https://github.com/Azure/azure-api-management-devops-resource-kit/blob/main/src/README.md#extractor) in the resource kit can help generate templates by extracting configurations from their API Management instances.

-* The public IP address of the API Management instance in its primary location

-* The hostname of the instance's management endpoint: `<apim-service-name>.management.azure-api.net`

-* The hostname of the instance's associated blob storage account: `<blob-storage-account-name>.blob.core.windows.net`

-* The hostname of the instance's associated table storage account: `<table-storage-account-name>.table.core.windows.net`

-* Public IP addresses from the Storage [service tag](../virtual-network/service-tags-overview.md) corresponding to the primary location of the API Management instance

-description: In this tutorial, you learn how to access data in Microsoft Graph by using managed identities.

-# Tutorial: Access Microsoft Graph from a secured app as the app

-Learn how to access Microsoft Graph from a web app running on Azure App Service.

-You want to call Microsoft Graph for the web app. A safe way to give your web app access to data is to use a [system-assigned managed identity](../active-directory/managed-identities-azure-resources/overview.md). A managed identity from Azure Active Directory allows App Service to access resources through role-based access control (RBAC), without requiring app credentials. After assigning a managed identity to your web app, Azure takes care of the creation and distribution of a certificate. You don't have to worry about managing secrets or app credentials.

-In this tutorial, you learn how to:

-> [!div class="checklist"]

->

-> * Create a system-assigned managed identity on a web app.

-> * Add Microsoft Graph API permissions to a managed identity.

-> * Call Microsoft Graph from a web app by using managed identities.

-## Prerequisites

-* A web application running on Azure App Service that has the [App Service authentication/authorization module enabled](scenario-secure-app-authentication-app-service.md).

-## Enable managed identity on app

-If you create and publish your web app through Visual Studio, the managed identity was enabled on your app for you. In your app service, select **Identity** in the left pane and then select **System assigned**. Verify that **Status** is set to **On**. If not, select **Save** and then select **Yes** to enable the system-assigned managed identity. When the managed identity is enabled, the status is set to **On** and the object ID is available.

-Take note of the **Object ID** value, which you'll need in the next step.

-## Grant access to Microsoft Graph

-When accessing the Microsoft Graph, the managed identity needs to have proper permissions for the operation it wants to perform. Currently, there's no option to assign such permissions through the Azure portal. The following script will add the requested Microsoft Graph API permissions to the managed identity service principal object.

-# [PowerShell](#tab/azure-powershell)

-```powershell

-# Install the module. (You need admin on the machine.)

-# Install-Module AzureAD.

-# Your tenant ID (in the Azure portal, under Azure Active Directory > Overview).

-$TenantID="<tenant-id>"

-$resourceGroup = "securewebappresourcegroup"

-$webAppName="SecureWebApp-20201102125811"

-# Get the ID of the managed identity for the web app.

-$spID = (Get-AzWebApp -ResourceGroupName $resourceGroup -Name $webAppName).identity.principalid

-# Check the Microsoft Graph documentation for the permission you need for the operation.

-$PermissionName = "User.Read.All"

-Connect-AzureAD -TenantId $TenantID

-# Get the service principal for Microsoft Graph.

-# First result should be AppId 00000003-0000-0000-c000-000000000000

-$GraphServicePrincipal = Get-AzureADServicePrincipal -SearchString "Microsoft Graph" | Select-Object -first 1

-# Assign permissions to the managed identity service principal.

-$AppRole = $GraphServicePrincipal.AppRoles | `

-Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application"}

-New-AzureAdServiceAppRoleAssignment -ObjectId $spID -PrincipalId $spID `

-```

-# [Azure CLI](#tab/azure-cli)

-```azurecli-interactive

-az login

-webAppName="SecureWebApp-20201106120003"

-spId=$(az resource list -n $webAppName --query [*].identity.principalId --out tsv)

-graphResourceId=$(az ad sp list --display-name "Microsoft Graph" --query [0].objectId --out tsv)

-appRoleId=$(az ad sp list --display-name "Microsoft Graph" --query "[0].appRoles[?value=='User.Read.All' && contains(allowedMemberTypes, 'Application')].id" --output tsv)

-uri=https://graph.microsoft.com/v1.0/servicePrincipals/$spId/appRoleAssignments

-body="{'principalId':'$spId','resourceId':'$graphResourceId','appRoleId':'$appRoleId'}"

-az rest --method post --uri $uri --body $body --headers "Content-Type=application/json"

-```

-After executing the script, you can verify in the [Azure portal](https://portal.azure.com) that the requested API permissions are assigned to the managed identity.

-Go to **Azure Active Directory**, and then select **Enterprise applications**. This pane displays all the service principals in your tenant. In **Managed Identities**, select the service principal for the managed identity.

-If you're following this tutorial, there are two service principals with the same display name (SecureWebApp2020094113531, for example). The service principal that has a **Homepage URL** represents the web app in your tenant. The service principal that appears in **Managed Identities** should *not* have a **Homepage URL** listed and the **Object ID** should match the object ID value of the managed identity in the [previous step](#enable-managed-identity-on-app).

-Select the service principal for the managed identity.

-In **Overview**, select **Permissions**, and you'll see the added permissions for Microsoft Graph.

-# [C#](#tab/programming-language-csharp)

-To see this code as part of a sample application, see the [sample on GitHub](https://github.com/Azure-Samples/ms-identity-easyauth-dotnet-storage-graphapi/tree/main/3-WebApp-graphapi-managed-identity).

-### Example

-# [Node.js](#tab/programming-language-nodejs)

-The `DefaultAzureCredential` class from [@azure/identity](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/README.md) package is used to get a token credential for your code to authorize requests to Azure Storage. Create an instance of the `DefaultAzureCredential` class, which uses the managed identity to fetch tokens and attach them to the service client. The following code example gets the authenticated token credential and uses it to create a service client object, which gets the users in the group.

-To see this code as part of a sample application, see the [sample on GitHub](https://github.com/Azure-Samples/ms-identity-easyauth-nodejs-storage-graphapi/tree/main/3-WebApp-graphapi-managed-identity).

-### Example

-```nodejs

-const graphHelper = require('../utils/graphHelper');

-const { DefaultAzureCredential } = require("@azure/identity");

-exports.getUsersPage = async(req, res, next) => {

- const defaultAzureCredential = new DefaultAzureCredential();

-

- try {

- const tokenResponse = await defaultAzureCredential.getToken("https://graph.microsoft.com/.default");

- const graphClient = graphHelper.getAuthenticatedClient(tokenResponse.token);

- const users = await graphClient

- .api('/users')

- .get();

- res.render('users', { user: req.session.user, users: users });

- } catch (error) {

- next(error);

- }

-}

-```

-To query Microsoft Graph, the sample uses the [Microsoft Graph JavaScript SDK](https://github.com/microsoftgraph/msgraph-sdk-javascript). The code for this is located in [utils/graphHelper.js](https://github.com/Azure-Samples/ms-identity-easyauth-nodejs-storage-graphapi/blob/main/3-WebApp-graphapi-managed-identity/controllers/graphController.js) of the full sample:

-```nodejs

-getAuthenticatedClient = (accessToken) => {

- // Initialize Graph client

- const client = graph.Client.init({

- // Use the provided access token to authenticate requests

- authProvider: (done) => {

- done(null, accessToken);

- }

- });

- return client;

-}

-```

-## Clean up resources

-If you're finished with this tutorial and no longer need the web app or associated resources, [clean up the resources you created](scenario-secure-app-clean-up-resources.md).

-## Next steps

-In this tutorial, you learned how to:

-> [!div class="checklist"]

->

-> * Create a system-assigned managed identity on a web app.

-> * Add Microsoft Graph API permissions to a managed identity.

-> * Call Microsoft Graph from a web app by using managed identities.

-Learn how to connect a [.NET Core app](tutorial-dotnetcore-sqldb-app.md), [Python app](tutorial-python-postgresql-app.md), [Java app](tutorial-java-spring-cosmosdb.md), or [Node.js app](tutorial-nodejs-mongodb-app.md) to a database.

-To see this code as part of a sample application, see the [sample on GitHub](https://github.com/Azure-Samples/ms-identity-easyauth-dotnet-storage-graphapi/tree/main/2-WebApp-graphapi-on-behalf).

-description: In this tutorial, you learn how to access Azure Storage for an app by using managed identities.

-# Tutorial: Access Azure Storage from a web app

-Learn how to access Azure Storage for a web app (not a signed-in user) running on Azure App Service by using managed identities.

-You want to add access to the Azure data plane (Azure Storage, Azure SQL Database, Azure Key Vault, or other services) from your web app. You could use a shared key, but then you have to worry about operational security of who can create, deploy, and manage the secret. It's also possible that the key could be checked into GitHub, which hackers know how to scan for. A safer way to give your web app access to data is to use [managed identities](../active-directory/managed-identities-azure-resources/overview.md).

-A managed identity from Azure Active Directory (Azure AD) allows App Service to access resources through role-based access control (RBAC), without requiring app credentials. After assigning a managed identity to your web app, Azure takes care of the creation and distribution of a certificate. People don't have to worry about managing secrets or app credentials.

-In this tutorial, you learn how to:

-> [!div class="checklist"]

->

-> * Create a system-assigned managed identity on a web app.

-> * Create a storage account and an Azure Blob Storage container.

-> * Access storage from a web app by using managed identities.

-## Prerequisites

-* A web application running on Azure App Service that has the [App Service authentication/authorization module enabled](scenario-secure-app-authentication-app-service.md).

-## Enable managed identity on an app

-If you create and publish your web app through Visual Studio, the managed identity was enabled on your app for you. In your app service, select **Identity** in the left pane, and then select **System assigned**. Verify that the **Status** is set to **On**. If not, select **Save** and then select **Yes** to enable the system-assigned managed identity. When the managed identity is enabled, the status is set to **On** and the object ID is available.

-This step creates a new object ID, different than the app ID created in the **Authentication/Authorization** pane. Copy the object ID of the system-assigned managed identity. You'll need it later.

-## Create a storage account and Blob Storage container

-Now you're ready to create a storage account and Blob Storage container.

-Every storage account must belong to an Azure resource group. A resource group is a logical container for grouping your Azure services. When you create a storage account, you have the option to either create a new resource group or use an existing resource group. This article shows how to create a new resource group.

-A general-purpose v2 storage account provides access to all of the Azure Storage

-Blobs in Azure Storage are organized into containers. Before you can upload a blob later in this tutorial, you must first create a container.

-# [Portal](#tab/azure-portal)

-To create a general-purpose v2 storage account in the Azure portal, follow these steps.

-1. On the Azure portal menu, select **All services**. In the list of resources, enter **Storage Accounts**. As you begin typing, the list filters based on your input. Select **Storage Accounts**.

-1. In the **Storage Accounts** window that appears, select **Add**.

-1. Select the subscription in which to create the storage account.

-1. Under the **Resource group** field, select the resource group that contains your web app from the drop-down menu.

-1. Next, enter a name for your storage account. The name you choose must be unique across Azure. The name also must be between 3 and 24 characters in length and can include numbers and lowercase letters only.

-1. Select a location for your storage account, or use the default location.

-1. Leave these fields set to their default values:

- |Field|Value|

- |--|--|

- |Deployment model|Resource Manager|

- |Performance|Standard|

- |Account kind|StorageV2 (general-purpose v2)|

- |Replication|Read-access geo-redundant storage (RA-GRS)|

- |Access tier|Hot|

-1. Select **Review + Create** to review your storage account settings and create the account.

-1. Select **Create**.

-To create a Blob Storage container in Azure Storage, follow these steps.

-1. Go to your new storage account in the Azure portal.

-1. In the left menu for the storage account, scroll to the **Data storage** section, and then select **Containers**.

-1. Select the **+ Container** button.

-1. Type a name for your new container. The container name must be lowercase, must start with a letter or number, and can include only letters, numbers, and the dash (-) character.

-1. Set the level of public access to the container. The default level is **Private (no anonymous access)**.

-1. Select **OK** to create the container.

-# [PowerShell](#tab/azure-powershell)

-To create a general-purpose v2 storage account and Blob Storage container, run the following script. Specify the name of the resource group that contains your web app. Enter a name for your storage account. The name you choose must be unique across Azure. The name also must be between 3 and 24 characters in length and can include numbers and lowercase letters only.

-Specify the location for your storage account. To see a list of locations valid for your subscription, run ```Get-AzLocation | select Location```. The container name must be lowercase, must start with a letter or number, and can include only letters, numbers, and the dash (-) character.

-Remember to replace placeholder values in angle brackets with your own values.

-```powershell

-Connect-AzAccount

-$resourceGroup = "securewebappresourcegroup"

-$location = "<location>"

-$storageName="securewebappstorage"

-$containerName = "securewebappblobcontainer"

-$storageAccount = New-AzStorageAccount -ResourceGroupName $resourceGroup `

- -Name $storageName `

- -Location $location `

- -SkuName Standard_RAGRS `

- -Kind StorageV2

-$ctx = $storageAccount.Context

-New-AzStorageContainer -Name $containerName -Context $ctx -Permission blob

-```

-# [Azure CLI](#tab/azure-cli)

-To create a general-purpose v2 storage account and Blob Storage container, run the following script. Specify the name of the resource group that contains your web app. Enter a name for your storage account. The name you choose must be unique across Azure. The name also must be between 3 and 24 characters in length and can include numbers and lowercase letters only.

-Specify the location for your storage account. The container name must be lowercase, must start with a letter or number, and can include only letters, numbers, and the dash (-) character.

-The following example uses your Azure AD account to authorize the operation to create the container. Before you create the container, assign the Storage Blob Data Contributor role to yourself. Even if you're the account owner, you need explicit permissions to perform data operations against the storage account.

-Remember to replace placeholder values in angle brackets with your own values.

-```azurecli-interactive

-az login

-az storage account create \

- --name securewebappstorage \

- --resource-group securewebappresourcegroup \

- --location <location> \

- --sku Standard_ZRS \

- --encryption-services blob

-storageId=$(az storage account show -n securewebappstorage -g securewebappresourcegroup --query id --out tsv)

-az ad signed-in-user show --query objectId -o tsv | az role assignment create \

- --role "Storage Blob Data Contributor" \

- --assignee @- \

- --scope $storageId

-az storage container create \

- --account-name securewebappstorage \

- --name securewebappblobcontainer \

- --auth-mode login

-```

-## Grant access to the storage account

-You need to grant your web app access to the storage account before you can create, read, or delete blobs. In a previous step, you configured the web app running on App Service with a managed identity. Using Azure RBAC, you can give the managed identity access to another resource, just like any security principal. The Storage Blob Data Contributor role gives the web app (represented by the system-assigned managed identity) read, write, and delete access to the blob container and data.

-# [Portal](#tab/azure-portal)

-In the [Azure portal](https://portal.azure.com), go into your storage account to grant your web app access. Select **Access control (IAM)** in the left pane, and then select **Role assignments**. You'll see a list of who has access to the storage account. Now you want to add a role assignment to a robot, the app service that needs access to the storage account. Select **Add** > **Add role assignment** to open the **Add role assignment** page.

-Assign the **Storage Blob Data Contributor** role to the **App Service** at subscription scope. For detailed steps, see [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.md).

-Your web app now has access to your storage account.

-# [PowerShell](#tab/azure-powershell)

-Run the following script to assign your web app (represented by a system-assigned managed identity) the Storage Blob Data Contributor role on your storage account.

-```powershell

-$resourceGroup = "securewebappresourcegroup"

-$webAppName="SecureWebApp20201102125811"

-$storageName="securewebappstorage"

-$spID = (Get-AzWebApp -ResourceGroupName $resourceGroup -Name $webAppName).identity.principalid

-$storageId= (Get-AzStorageAccount -ResourceGroupName $resourceGroup -Name $storageName).Id

-New-AzRoleAssignment -ObjectId $spID -RoleDefinitionName "Storage Blob Data Contributor" -Scope $storageId

-```

-# [Azure CLI](#tab/azure-cli)

-Run the following script to assign your web app (represented by a system-assigned managed identity) the Storage Blob Data Contributor role on your storage account.

-```azurecli-interactive

-spID=$(az resource list -n SecureWebApp20201102125811 --query [*].identity.principalId --out tsv)

-storageId=$(az storage account show -n securewebappstorage -g securewebappresourcegroup --query id --out tsv)

-az role assignment create --assignee $spID --role 'Storage Blob Data Contributor' --scope $storageId

-```

-## Access Blob Storage

-# [C#](#tab/programming-language-csharp)

-Open a command line, and switch to the directory that contains your project file.

-Run the install commands.

-```dotnetcli

-dotnet add package Azure.Storage.Blobs

-dotnet add package Azure.Identity

-```

-Open the project or solution in Visual Studio, and open the console by using the **Tools** > **NuGet Package Manager** > **Package Manager Console** command.

-Run the install commands.

-```powershell

-Install-Package Azure.Storage.Blobs

-Install-Package Azure.Identity

-```

-### Example

-# [Node.js](#tab/programming-language-nodejs)

-The `DefaultAzureCredential` class from [@azure/identity](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/README.md) package is used to get a token credential for your code to authorize requests to Azure Storage. The `BlobServiceClient` class from [@azure/storage-blob](https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/storage/storage-blob) package is used to upload a new blob to storage. Create an instance of the `DefaultAzureCredential` class, which uses the managed identity to fetch tokens and attach them to the blob service client. The following code example gets the authenticated token credential and uses it to create a service client object, which uploads a new blob.

-To see this code as part of a sample application, see *StorageHelper.js* in the [sample on GitHub](https://github.com/Azure-Samples/ms-identity-easyauth-nodejs-storage-graphapi/tree/main/1-WebApp-storage-managed-identity).

-### Example

-```nodejs

-const { DefaultAzureCredential } = require("@azure/identity");

-const { BlobServiceClient } = require("@azure/storage-blob");

-const defaultAzureCredential = new DefaultAzureCredential();

-// Some code omitted for brevity.

-async function uploadBlob(accountName, containerName, blobName, blobContents) {

- const blobServiceClient = new BlobServiceClient(

- `https://${accountName}.blob.core.windows.net`,

- defaultAzureCredential

- );

- const containerClient = blobServiceClient.getContainerClient(containerName);

- try {

- await containerClient.createIfNotExists();

- const blockBlobClient = containerClient.getBlockBlobClient(blobName);

- const uploadBlobResponse = await blockBlobClient.upload(blobContents, blobContents.length);

- console.log(`Upload block blob ${blobName} successfully`, uploadBlobResponse.requestId);

- } catch (error) {

- console.log(error);

- }

-}

-```

-## Clean up resources

-If you're finished with this tutorial and no longer need the web app or associated resources, [clean up the resources you created](scenario-secure-app-clean-up-resources.md).

-## Next steps

-In this tutorial, you learned how to:

-> [!div class="checklist"]

->

-> * Create a system-assigned managed identity.

-> * Create a storage account and Blob Storage container.

-> * Access storage from a web app by using managed identities.

-> [!div class="nextstepaction"]

-> [Tutorial: Isolate back-end communication with Virtual Network integration](tutorial-networking-isolate-vnet.md)

-> [!div class="nextstepaction"]

-> [App Service accesses Microsoft Graph on behalf of the user](scenario-secure-app-access-microsoft-graph-as-user.md)

-> [!div class="nextstepaction"]

-> [Map an existing custom DNS name to Azure App Service](app-service-web-tutorial-custom-domain.md)

-description: Learn how to secure connectivity to back-end Azure services that don't support managed identity natively.

-# Tutorial: Secure Cognitive Service connection from App Service using Key Vault

-[Azure App Service](overview.md) can use [managed identities](overview-managed-identity.md) to connect to back-end services without a connection string, which eliminates connection secrets to manage and keeps your back-end connectivity secure in a production environment. For back-end services that don't support managed identities and still requires connection secrets, you can use Key Vault to manage connection secrets. This tutorial uses Cognitive Services as an example to show you how it's done in practice. When you're finished, you have an app that makes programmatic calls to Cognitive Services, without storing any connection secrets inside App Service.

-> [!TIP]

-> Azure Cognitive Services do [support authentication through managed identities](../cognitive-services/authentication.md#authorize-access-to-managed-identities), but this tutorial uses the [subscription key authentication](../cognitive-services/authentication.md#authenticate-with-a-single-service-subscription-key) to demonstrate how you could connect to an Azure service that doesn't support managed identities from App Services.

-

-With this architecture:

-What you will learn:

-> [!div class="checklist"]

-> * Enable managed identities

-> * Use managed identities to connect to Key Vault

-> * Use Key Vault references

-> * Access Cognitive Services

-## Prerequisites

-Prepare your environment for the Azure CLI.

-## Create app with connectivity to Cognitive Services

-1. Create a resource group to contain all of your resources:

- ```azurecli-interactive

- # Save resource group name as variable for convenience

- groupName=myKVResourceGroup

- region=westeurope

- az group create --name $groupName --location $region

- ```

-1. Create a Cognitive Services resource. Replace *\<cs-resource-name>* with a unique name of your choice.

- ```azurecli-interactive

- # Save resource name as variable for convenience.

- csResourceName=<cs-resource-name>

- az cognitiveservices account create --resource-group $groupName --name $csResourceName --location $region --kind TextAnalytics --sku F0 --custom-domain $csResourceName

- ```

- > [!NOTE]

- > `--sku F0` creates a free tier Cognitive Services resource. Each subscription is limited to a quota of one free-tier `TextAnalytics` resource. If you're already over the quota, use `--sku S` instead.

-1. Clone the sample repository locally and deploy the sample application to App Service. Replace *\<app-name>* with a unique name.

- ### [.NET 5](#tab/dotnet)

- ```azurecli-interactive

- # Save app name as variable for convenience

- appName=<app-name>

- # Clone sample application

- git clone https://github.com/Azure-Samples/app-service-language-detector.git

- cd app-service-language-detector/dotnet

-

- az webapp up --sku F1 --resource-group $groupName --name $appName --plan $appName --location $region

- ```

- ### [PHP](#tab/php)

- ```azurecli-interactive

- # Clone and prepare sample application

- git clone https://github.com/Azure-Samples/app-service-language-detector.git

- cd app-service-language-detector/php

- zip default.zip index.php

-

- # Save app name as variable for convenience

- appName=<app-name>

- az appservice plan create --resource-group $groupName --name $appName --sku FREE --location $region

- az webapp create --resource-group $groupName --plan $appName --name $appName

- az webapp deployment source config-zip --resource-group $groupName --name $appName --src ./default.zip

- ```

- --

-1. Configure the Cognitive Services secrets as app settings `CS_ACCOUNT_NAME` and `CS_ACCOUNT_KEY`.

- ```azurecli-interactive

- # Get subscription key for Cognitive Services resource

- csKey1=$(az cognitiveservices account keys list --resource-group $groupName --name $csResourceName --query key1 --output tsv)

- az webapp config appsettings set --resource-group $groupName --name $appName --settings CS_ACCOUNT_NAME="$csResourceName" CS_ACCOUNT_KEY="$csKey1"

- ````

-1. In the browser, navigate to your deploy app at `<app-name>.azurewebsites.net` and try out the language detector with strings in various languages.

- 

- If you look at the application code, you may notice the debug output for the detection results in the same font color as the background. You can see it by trying to highlight the white space directly below the result.

-## Secure back-end connectivity

-At the moment, connection secrets are stored as app settings in your App Service app. This approach is already securing connection secrets from your application codebase. However, any contributor who can manage your app can also see the app settings. In this step, you move the connection secrets to a key vault, and lock down access so that only you can manage it and only the App Service app can read it using its managed identity.

-1. Create a key vault. Replace *\<vault-name>* with a unique name.

- ```azurecli-interactive

- # Save app name as variable for convenience

- vaultName=<vault-name>

- az keyvault create --resource-group $groupName --name $vaultName --location $region --sku standard --enable-rbac-authorization

- ```

- The `--enable-rbac-authorization` parameter [sets Azure role-based access control (RBAC) as the permission model](../key-vault/general/rbac-guide.md#using-azure-rbac-secret-key-and-certificate-permissions-with-key-vault). This setting by default invalidates all access policies permissions.

-1. Give yourself the *Key Vault Secrets Officer* RBAC role for the vault.

-

- ```azurecli-interactive

- vaultResourceId=$(az keyvault show --name $vaultName --query id --output tsv)

- myId=$(az ad signed-in-user show --query objectId --output tsv)

- az role assignment create --role "Key Vault Secrets Officer" --assignee-object-id $myId --assignee-principal-type User --scope $vaultResourceId

- ```

-1. Enable the system-assigned managed identity for your app, and give it the *Key Vault Secrets User* RBAC role for the vault.

- ```azurecli-interactive

- az webapp identity assign --resource-group $groupName --name $appName --scope $vaultResourceId --role "Key Vault Secrets User"

- ```

-1. Add the Cognitive Services resource name and subscription key as secrets to the vault, and save their IDs as environment variables for the next step.

- ```azurecli-interactive

- csResourceKVUri=$(az keyvault secret set --vault-name $vaultName --name csresource --value $csResourceName --query id --output tsv)

- csKeyKVUri=$(az keyvault secret set --vault-name $vaultName --name cskey --value $csKey1 --query id --output tsv)

- ```

-1. Previously, you set the secrets as app settings `CS_ACCOUNT_NAME` and `CS_ACCOUNT_KEY` in your app. Now, set them as [key vault references](app-service-key-vault-references.md) instead.

- ```azurecli-interactive

- az webapp config appsettings set --resource-group $groupName --name $appName --settings CS_ACCOUNT_NAME="@Microsoft.KeyVault(SecretUri=$csResourceKVUri)" CS_ACCOUNT_KEY="@Microsoft.KeyVault(SecretUri=$csKeyKVUri)"

- ```

-1. In the browser, navigate to `<app-name>.azurewebsites.net` again. If you get detection results back, then you're connecting to the Cognitive Services endpoint with key vault references.

-Congratulations, your app is now connecting to Cognitive Services using secrets kept in your key vault, without any changes to your application code.

-## Clean up resources

-In the preceding steps, you created Azure resources in a resource group. If you don't expect to need these resources in the future, delete the resource group by running the following command in the Cloud Shell:

-```azurecli-interactive

-az group delete --name $groupName

-This command may take a minute to run.

-## Next steps

-description: Learn how to make database connectivity more secure by using a managed identity, and also how to apply it to other Azure services.

-# Tutorial: Connect to SQL Database from App Service without secrets using a managed identity

-|[Direct connection from App Service managed identity](#connect-to-azure-services-with-managed-identity)|Dependent service [supports managed identity](../active-directory/managed-identities-azure-resources/managed-identities-status.md)<br><br>* Best for enterprise-level security<br>* Connection to dependent service is secured with managed identity<br>* Large team or automated connection string and secret management<br>* Don't manage credentials manually.<br>* Credentials arenΓÇÖt accessible to you.|

-|[Connect using Key Vault secrets from App Service managed identity](#connect-to-key-vault-with-managed-identity)|Dependent service doesn't support managed identity<br><br>* Best for enterprise-level security<br>* Connection includes non-Azure services such as GitHub, Twitter, Facebook, Google<br>* Large team or automated connection string and secret management<br>* Don't manage credentials manually.<br>* Credentials arenΓÇÖt accessible to you.<br>* Manage connection information with environment variables.|

-|[Connect with app settings](#connect-with-app-settings)|* Best for small team or individual owner of Azure resources.<br>* Stage 1 of multi-stage migration to Azure<br>* Temporary or proof-of-concept applications<br>* Manually manage connection information with environment variables|

-if ($WebhookData.RequestBody) {

- $names = (ConvertFrom-Json -InputObject $WebhookData.RequestBody)

-* To trigger a runbook from an alert, see [Use an alert to trigger an Azure Automation runbook](automation-create-alert-triggered-runbook.md).

- 1. Specify a cluster name

- 1. Specify a region

- 1. Under **Availability zones**, remove all selected zones. You should not specify any zones.

- 1. Verify the Kubernetes version. For minimum supported version, see [Plan an Azure Arc-enabled data services deployment](plan-azure-arc-data-services.md).

- 1. Under **Node size**, select a node size for your cluster based on the [Sizing guidance](sizing-guidance.md).

- 1. For **Scale method**, select **Manual**.

-az sql mi-arc create -n <instanceName> --k8s-namespace <namespace> --use-k8s

-az sql mi-arc create -n sqldemo --k8s-namespace my-namespace --use-k8s

-az sql mi-arc create --name <name> --resource-group <group> --location <Azure location> -ΓÇôsubscription <subscription> --custom-location <custom-location>

-az sql mi-arc create --name sqldemo --resource-group rg --location uswest2 -ΓÇôsubscription xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx --custom-location private-location

-## Basic Installation of Azure Arc-enabled OSM on an Azure Arc-enabled Kubernetes Cluster

-## Custom Installations of Azure Arc-enabled OSM

-To install OSM with cert-manager as the certificate provider, create a JSON file with the `certificateProvider.kind` value set to

-cert-manager as shown below. If you would like to change from default cert-manager values specified in OSM documentation,

-To set required values for configuring Contour during OSM installation, create the following JSON file:

-Values that need to be set during OSM installation need to be saved to a JSON file and passed in through the Azure CLI

-After connecting your cluster to Azure Arc, create a json file with the following format, making sure to update the \<cluster-name\> and \<osm-arc-version\> values:

- In the [az functionapp create](/cli/azure/functionapp#az_functionapp_create) command, the *deployment-container-image-name* parameter specifies the image to use for the function app. You can use the [az functionapp config container show](/cli/azure/functionapp/config/container#az_functionapp_config_container_show) command to view information about the image used for deployment. You can also use the [az functionapp config container set](/cli/azure/functionapp/config/container#az_functionapp_config_container_set) command to deploy from a different image.

- In this example, replace `<STORAGE_NAME>` with the name you used in the previous section for the storage account. Also replace `<APP_NAME>` with a globally unique name appropriate to you, and `<DOCKER_ID>` with your DockerHub ID.

-[authorization keys]: functions-bindings-http-webhook-trigger.md#authorization-keys

-As in the previous example, you commonly iterate through an array using a `foreach` loop. Within this loop and before processing the message, you should check the value of `cancellationToken.IsCancellationRequested` to see if cancellation is pending. In the case where `IsCancellationRequested` is `true`, you might need to take some actions to prepare for a graceful shutdown. For example, you might want to log the status of your code before the shutdown, or perhaps write to a persisted store the portion of the message batch which hasn't yet been processed. If you write this kind of information to a persisted store, your startup code needs to check the store for any unprocessed message batches that were written during shutdown. What your code needs to do during graceful shutdown depends on your specific scenario.

-Azure Event Hubs is an other trigger that supports batch processing messages. The following example is a function method definition for an Event Hubs trigger with a cancellation token that accepts an incoming batch as an array of [EventData](/dotnet/api/microsoft.azure.eventhubs.eventdata) objects:

-```csharp

-public async Task Run([EventHubTrigger("csharpguitar", Connection = "EH_CONN")]

- EventData[] events, CancellationToken cancellationToken, ILogger log)

-```

-The pattern to process a batch of Event Hubs events is similar to the previous example of processing a batch of Service Bus messages. In each case, you should check the cancellation token for a cancellation state before processing each item in the array. When a pending shutdown is detected in the middle of the batch, handle it gracefully based on your business requirements.

-Automatically deploy to Azure Functions with [Azure Pipelines](/azure/devops/pipelines/). Azure Pipelines lets you automate your software development and continuously test, build, and deploy your code.

-YAML pipelines aren't available for Azure DevOps 2019 and earlier.

-* An Azure DevOps organization. If you don't have one, you can [create one for free](/azure/devops/pipelines/get-started/pipelines-sign-up). (An Azure DevOps organization is different from your GitHub organization. You can give your DevOps organization and your GitHub organization the same name if you want alignment between them.)

- If your team already has one, then make sure you're an administrator of the Azure DevOps project that you want to use.

-* An ability to run pipelines on Microsoft-hosted agents. You can either purchase a [parallel job](/azure/devops/pipelines/licensing/concurrent-jobs) or you can request a free tier. To request a free tier, follow the instructions in [this article](/azure/devops/pipelines/licensing/concurrent-jobs). Note that it may take us 2-3 business days to grant access to the free tier.

-As an Express.js, Node.js, or JavaScript developer, if you are new to Azure Functions, please consider first reading one of the following articles:

-When using the [`async function`](https://developer.mozilla.org/docs/Web/JavaScript/Reference/Statements/async_function) declaration or plain JavaScript [Promises](https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/Promise) in version 2.x, 3.x, or 4.x of the Functions runtime, you do not need to explicitly call the [`context.done`](#contextdone-method) callback to signal that your function has completed. Your function completes when the exported async function/Promise completes.

-In 2.x, 3.x, and 4.x, the function should be marked as async even if there is no awaited function call inside the function, and the function doesn't need to call context.done to indicate the end of the function.

-The **context.done** method is used by 1.x synchronous functions. In 2.x, 3.x, and 4.x, the function should be marked as async even if there is no awaited function call inside the function, and the function doesn't need to call context.done to indicate the end of the function.

-Note that request and response keys are in lowercase.

-When deploying Function Apps from source control, any `package.json` file present in your repo, will trigger an `npm install` in its folder during deployment. But when deploying via the Portal or CLI, you will have to manually install the packages.

-2. Click **Debug Console** > **CMD**.

-In this example, it is important to note that although an object is being exported, there are no guarantees for preserving state between executions.

-## Local Debugging

-In version 1.x, setting `languageWorkers:node:arguments` will not work. The debug port can be selected with the [`--nodeDebugPort`](./functions-run-local.md#start) parameter on Azure Functions Core Tools.

-TypeScript files (.ts) are transpiled into JavaScript files (.js) in the `dist` output directory. TypeScript templates use the [`scriptFile` parameter](#using-scriptfile) in `function.json` to indicate the location of the corresponding .js file in the `dist` folder. The output location is set by the template by using `outDir` parameter in the `tsconfig.json` file. If you change this setting or the name of the folder, the runtime is not able to find the code to run.

-When you create a function app that uses the App Service plan, we recommend that you select a single-vCPU plan rather than a plan with multiple vCPUs. Today, Functions runs JavaScript functions more efficiently on single-vCPU VMs, and using larger VMs does not produce the expected performance improvements. When necessary, you can manually scale out by adding more single-vCPU VM instances, or you can enable autoscale. For more information, see [Scale instance count manually or automatically](../azure-monitor/autoscale/autoscale-get-started.md?toc=/azure/app-service/toc.json).

-When developing Azure Functions in the serverless hosting model, cold starts are a reality. *Cold start* refers to the fact that when your function app starts for the first time after a period of inactivity, it takes longer to start up. For JavaScript functions with large dependency trees in particular, cold start can be significant. To speed up the cold start process, [run your functions as a package file](run-functions-from-deployment-package.md) when possible. Many deployment methods use the run from package model by default, but if you're experiencing large cold starts and are not running this way, this change can offer a significant improvement.

-In the example below, the asynchronous method `fs.readFile` is invoked with an error-first callback function as its second parameter. This code causes both of the issues mentioned above. An exception that is not explicitly caught in the correct scope crashed the entire process (issue #1). Calling the 1.x `context.done()` outside of the scope of the callback function means that the function invocation may end before the file is read (issue #2). In this example, calling 1.x `context.done()` too early results in missing log entries starting with `Data from file:`.

-description: Create automated tests for a C# Function in Visual Studio and JavaScript Function in VS Code

-# Strategies for testing your code in Azure Functions

-This article demonstrates how to create automated tests for Azure Functions.

-Testing all code is recommended, however you may get the best results by wrapping up a Function's logic and creating tests outside the Function. Abstracting logic away limits a Function's lines of code and allows the Function to be solely responsible for calling other classes or modules. This article, however, demonstrates how to create automated tests against an HTTP and timer-triggered functions.

-The content that follows is split into two different sections meant to target different languages and environments. You can learn to build tests in:

-The sample repository is available on [GitHub](https://github.com/Azure-Samples/azure-functions-tests).

-## C# in Visual Studio

-The following example describes how to create a C# Function app in Visual Studio and run and tests with [xUnit](https://github.com/xunit/xunit).

-

-### Setup

-To set up your environment, create a Function and test app. The following steps help you create the apps and functions required to support the tests:

-1. [Create a new Functions app](./functions-get-started.md) and name it **Functions**

-2. [Create an HTTP function from the template](./functions-get-started.md) and name it **MyHttpTrigger**.

-3. [Create a timer function from the template](./functions-create-scheduled-function.md) and name it **MyTimerTrigger**.

-4. [Create an xUnit Test app](https://xunit.net/docs/getting-started/netcore/cmdline) in the solution and name it **Functions.Tests**.

-5. Use NuGet to add a reference from the test app to [Microsoft.AspNetCore.Mvc](https://www.nuget.org/packages/Microsoft.AspNetCore.Mvc/)

-6. [Reference the *Functions* app](/visualstudio/ide/managing-references-in-a-project) from *Functions.Tests* app.

-### Create test classes

-Now that the projects are created, you can create the classes used to run the automated tests.

-Each function takes an instance of [ILogger](/dotnet/api/microsoft.extensions.logging.ilogger) to handle message logging. Some tests either don't log messages or have no concern for how logging is implemented. Other tests need to evaluate messages logged to determine whether a test is passing.

-You'll create a new class named `ListLogger` which holds an internal list of messages to evaluate during a testing. To implement the required `ILogger` interface, the class needs a scope. The following class mocks a scope for the test cases to pass to the `ListLogger` class.

-Create a new class in *Functions.Tests* project named **NullScope.cs** and enter the following code:

-```csharp

-using System;

-namespace Functions.Tests

-{

- public class NullScope : IDisposable

- {

- public static NullScope Instance { get; } = new NullScope();

- private NullScope() { }

- public void Dispose() { }

- }

-}

-```

-Next, create a new class in *Functions.Tests* project named **ListLogger.cs** and enter the following code:

-```csharp

-using Microsoft.Extensions.Logging;

-using System;

-using System.Collections.Generic;

-using System.Text;

-namespace Functions.Tests

-{

- public class ListLogger : ILogger

- {

- public IList<string> Logs;

- public IDisposable BeginScope<TState>(TState state) => NullScope.Instance;

- public bool IsEnabled(LogLevel logLevel) => false;

- public ListLogger()

- {

- this.Logs = new List<string>();

- }

- public void Log<TState>(LogLevel logLevel,

- EventId eventId,

- TState state,

- Exception exception,

- Func<TState, Exception, string> formatter)

- {

- string message = formatter(state, exception);

- this.Logs.Add(message);

- }

- }

-}

-```

-The `ListLogger` class implements the following members as contracted by the `ILogger` interface:

-The `Logs` collection is an instance of `List<string>` and is initialized in the constructor.

-Next, create a new file in *Functions.Tests* project named **LoggerTypes.cs** and enter the following code:

-```csharp

-namespace Functions.Tests

-{

- public enum LoggerTypes

- {

- Null,

- List

- }

-}

-```

-This enumeration specifies the type of logger used by the tests.

-Now create a new class in *Functions.Tests* project named **TestFactory.cs** and enter the following code:

-```csharp

-using Microsoft.AspNetCore.Http;

-using Microsoft.AspNetCore.Http.Internal;

-using Microsoft.Extensions.Logging;

-using Microsoft.Extensions.Logging.Abstractions;

-using Microsoft.Extensions.Primitives;

-using System.Collections.Generic;

-namespace Functions.Tests

-{

- public class TestFactory

- {

- public static IEnumerable<object[]> Data()

- {

- return new List<object[]>

- {

- new object[] { "name", "Bill" },

- new object[] { "name", "Paul" },

- new object[] { "name", "Steve" }

- };

- }

- private static Dictionary<string, StringValues> CreateDictionary(string key, string value)

- {

- var qs = new Dictionary<string, StringValues>

- {

- { key, value }

- };

- return qs;

- }

- public static HttpRequest CreateHttpRequest(string queryStringKey, string queryStringValue)

- {

- var context = new DefaultHttpContext();

- var request = context.Request;

- request.Query = new QueryCollection(CreateDictionary(queryStringKey, queryStringValue));

- return request;

- }

- public static ILogger CreateLogger(LoggerTypes type = LoggerTypes.Null)

- {

- ILogger logger;

- if (type == LoggerTypes.List)

- {

- logger = new ListLogger();

- }

- else

- {

- logger = NullLoggerFactory.Instance.CreateLogger("Null Logger");

- }

- return logger;

- }

- }

-}

-```

-The `TestFactory` class implements the following members:

-Finally, create a new class in *Functions.Tests* project named **FunctionsTests.cs** and enter the following code:

-```csharp

-using Microsoft.AspNetCore.Mvc;

-using Microsoft.Extensions.Logging;

-using Xunit;

-namespace Functions.Tests

-{

- public class FunctionsTests

- {

- private readonly ILogger logger = TestFactory.CreateLogger();

- [Fact]

- public async void Http_trigger_should_return_known_string()

- {

- var request = TestFactory.CreateHttpRequest("name", "Bill");

- var response = (OkObjectResult)await MyHttpTrigger.Run(request, logger);

- Assert.Equal("Hello, Bill. This HTTP triggered function executed successfully.", response.Value);

- }

- [Theory]

- [MemberData(nameof(TestFactory.Data), MemberType = typeof(TestFactory))]

- public async void Http_trigger_should_return_known_string_from_member_data(string queryStringKey, string queryStringValue)

- {

- var request = TestFactory.CreateHttpRequest(queryStringKey, queryStringValue);

- var response = (OkObjectResult)await MyHttpTrigger.Run(request, logger);

- Assert.Equal($"Hello, {queryStringValue}. This HTTP triggered function executed successfully.", response.Value);

- }

- [Fact]

- public void Timer_should_log_message()

- {

- var logger = (ListLogger)TestFactory.CreateLogger(LoggerTypes.List);

- MyTimerTrigger.Run(null, logger);

- var msg = logger.Logs[0];

- Assert.Contains("C# Timer trigger function executed at", msg);

- }

- }

-}

-```

-The members implemented in this class are:

-If you want to access application settings in your tests, you can [inject](./functions-dotnet-dependency-injection.md) an `IConfiguration` instance with mocked environment variable values into your function.

-### Run tests

-To run the tests, navigate to the **Test Explorer** and click **Run all**.

-

-### Debug tests

-To debug the tests, set a breakpoint on a test, navigate to the **Test Explorer** and click **Run > Debug Last Run**.

-## JavaScript in VS Code

-The following example describes how to create a JavaScript Function app in VS Code and run and tests with [Jest](https://jestjs.io). This procedure uses the [VS Code Functions extension](https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-azurefunctions) to create Azure Functions.

-

-### Setup

-To set up your environment, initialize a new Node.js app in an empty folder by running `npm init`.

-```bash

-npm init -y

-```

-Next, install Jest by running the following command:

-```bash

-npm i jest

-```

-Now update _package.json_ to replace the existing test command with the following command:

-```bash

-"scripts": {

- "test": "jest"

-}

-```

-### Create test modules

-With the project initialized, you can create the modules used to run the automated tests. Begin by creating a new folder named *testing* to hold the support modules.

-In the *testing* folder add a new file, name it **defaultContext.js**, and add the following code:

-```javascript

-module.exports = {

- log: jest.fn()

-};

-```

-This module mocks the *log* function to represent the default execution context.

-Next, add a new file, name it **defaultTimer.js**, and add the following code:

-```javascript

-module.exports = {

- IsPastDue: false

-};

-```

-This module implements the `IsPastDue` property to stand is as a fake timer instance. Timer configurations like NCRONTAB expressions are not required here as the test harness is simply calling the function directly to test the outcome.

-Next, use the VS Code Functions extension to [create a new JavaScript HTTP Function](/azure/developer/javascript/tutorial-vscode-serverless-node-01) and name it *HttpTrigger*. Once the function is created, add a new file in the same folder named **index.test.js**, and add the following code:

-```javascript

-const httpFunction = require('./index');

-const context = require('../testing/defaultContext')

-test('Http trigger should return known text', async () => {

- const request = {

- query: { name: 'Bill' }

- };

- await httpFunction(context, request);

- expect(context.log.mock.calls.length).toBe(1);

- expect(context.res.body).toEqual('Hello Bill');

-});

-```

-The HTTP function from the template returns a string of "Hello" concatenated with the name provided in the query string. This test creates a fake instance of a request and passes it to the HTTP function. The test checks that the *log* method is called once and the returned text equals "Hello Bill".

-Next, use the VS Code Functions extension to create a new JavaScript Timer Function and name it *TimerTrigger*. Once the function is created, add a new file in the same folder named **index.test.js**, and add the following code:

-```javascript

-const timerFunction = require('./index');

-const context = require('../testing/defaultContext');

-const timer = require('../testing/defaultTimer');

-test('Timer trigger should log message', () => {

- timerFunction(context, timer);

- expect(context.log.mock.calls.length).toBe(1);

-});

-```

-The timer function from the template logs a message at the end of the body of the function. This test ensures the *log* function is called once.

-### Run tests

-To run the tests, press **CTRL + ~** to open the command window, and run `npm test`:

-```bash

-npm test

-```

-

-### Debug tests

-To debug your tests, add the following configuration to your *launch.json* file:

-```json

-{

- "type": "node",

- "request": "launch",

- "name": "Jest Tests",

- "disableOptimisticBPs": true,

- "program": "${workspaceRoot}/node_modules/jest/bin/jest.js",

- "args": [

- "-i"

- ],

- "internalConsoleOptions": "openOnSessionStart"

-}

-```

-Next, set a breakpoint in your test and press **F5**.

-## Next steps

-Now that you've learned how to write automated tests for your functions, continue with these resources:

- - Microsoft 365 Groups are not supported for B2B users and can't be enabled.

-| [Microsoft Sentinel](../../sentinel/index.yml) (incl. [UEBA](../../sentinel/identify-threats-with-entity-behavior-analytics.md#what-is-user-and-entity-behavior-analytics-ueba)) | &#x2705; | &#x2705; |

-* Install the [.NET Core SDK 2.1.2 or later](https://dotnet.microsoft.com/download/archives).

- services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);

- 

- ### If the above line throws an 'Unable to find type [System.Web.HttpUtility].' error, execute the line below separately from the rest of the code

- # Add-Type -AssemblyName System.Web

-### Script returns error `Unable to find type [System.Web.HttpUtility]`

-Run the last line in section 1 of the script for a fix and execute it directly. Executing it uncommented as part of the script will not resolve the issue. The command must be executed separately.

-1. Update the values of `$tenantId`, `$appId`, and `$appSecret` with the values you noted for **Directory (tenant) ID**, **Application (client) ID**, and secret **Value** and then save with the file name *LogGenerator.ps1*.

- ## If the above line throws an 'Unable to find type [System.Web.HttpUtility].' error, execute the line below separately from the rest of the code

- # Add-Type -AssemblyName System.Web

-2. Copy the sample log data from [sample data](#sample-data) or copy your own Apache log data into a file called *sample_access.log*. Run the script using the following command to read this data and create a JSON file called *data_sample.json* that you can send to the custom logs API.

-3. Run the script using the following command to read this data and create a JSON file called *data_sample.json* that you can send to the custom logs API.

- :::image type="content" source="media/tutorial-custom-logs/new-custom-log.png" lightbox="media/tutorial-custom-logs/new-custom-log.png" alt-text="Screenshot showing new DCR-based custom log.":::

-.\LogGenerator.ps1 -Log "sample_access.log" -Type "API" -Table "ApacheAccess_CL" -DcrImmutableId <immutable ID> -DceUrl <data collection endpoint URL>

-### Script returns error `Unable to find type [System.Web.HttpUtility]`

-Run the last line in section 1 of the script for a fix and execute it directly. Executing it uncommented as part of the script will not resolve the issue. The command must be executed separately.

-* West US 3

-* West Europe

-| Microsoft.Network | [Application Gateway](../../application-gateway/index.yml)<br />[Azure Bastion](../../bastion/index.yml)<br />[Azure DDoS Protection](../../ddos-protection/ddos-protection-overview.md)<br />[Azure DNS](../../dns/index.yml)<br />[Azure ExpressRoute](../../expressroute/index.yml)<br />[Azure Firewall](../../firewall/index.yml)<br />[Azure Front Door Service](../../frontdoor/index.yml)<br />[Azure Private Link](../../private-link/index.yml)<br />[Load Balancer](../../load-balancer/index.yml)<br />[Network Watcher](../../network-watcher/index.yml)<br />[Traffic Manager](../../traffic-manager/index.yml)<br />[Virtual Network](../../virtual-network/index.yml)<br />[Virtual Network NAT](../../virtual-network/nat-gateway/nat-overview.md)<br />[Virtual WAN](../../virtual-wan/index.yml)<br />[VPN Gateway](../../vpn-gateway/index.yml)<br /> |

- - A table has very large number of partitions/indexes that are modified. For example, a DROP TABLE operation on such table would require a large reservation of SLOG memory, which would delay truncation of the transaction log and delay undo/redo operations. The workaround can be drop the indexes individually and gradually, then drop the table. For more information on the SLOG, see [ADR recovery components](/sql/relational-databases/accelerated-database-recovery-conceptsadr-recovery-components).

-This guide discusses two options to rotate the TDE protector on the server.

-> Do not delete previous versions of the key after a rollover. When keys are rolled over, some data is still encrypted with the previous keys, such as older database backups.

- > [!NOTE]

- > If you're running the function version other than v3.0, please check [Azure Functions runtime versions documentation](../azure-functions/functions-versions.md#languages) to set `--runtime` parameter to supported value.

- > [!NOTE]

- > If you're running the function version other than v3.0, please check [Azure Functions runtime versions documentation](../azure-functions/functions-versions.md#languages) to set `--runtime` parameter to supported value.

-| SQL Server in Azure Virtual Machines/ SAP HANA in Azure Virtual Machines | None | Australia East, Central India, North Europe, South East Asia, East Asia, Australia South East, Canada Central, Brazil South, Canada East, France Central, France South, Japan East, Japan West, Korea Central, Korea South, South India, UK West, UK South, Central US, East US 2, West US, West US 2, West Central US, East US, South Central US, North Central US, West Europe, US Gov Virginia, US Gov Texas, US Gov Arizona. |

-| Azure Virtual Machines | East US, East US 2, Central US, South Central US, West US, West US 2, West Central US, North Central US, Brazil South, Canada East, Canada Central, West Europe, UK South, UK West, East Asia, Japan East, South India, South East Asia, Australia East, Central India, North Europe, Australia South East, France Central, France South, Japan West, Korea Central, Korea South. | None |

-### GA regions for Azure file shares backup

-Azure file shares backup is available in all regions **except** for: Germany Central (Sovereign), Germany Northeast (Sovereign), China East, China East 2, China North, China North 2, US Gov Iowa

-Azure Backup now supports _Enhanced policy_ that's needed to support new Azure offerings. For example, [Trusted Launch VM](../virtual-machines/trusted-launch.md) is supported with _Enhanced policy_ only. To enroll your subscription for backup of Trusted Launch VM, write to us at [askazurebackupteam@microsoft.com](mailto:askazurebackupteam@microsoft.com).

-The following table captures the Backup management actions and corresponding role required to perform Azure File share operation.

-| Enable backup of Azure File shares | Backup Contributor |Recovery Services vault |

-| | Storage Account Backup Contributor | Storage account resource |

-<a name="tvm-backup">Trusted Launch VM</a> | Backup supported (in preview) <br><br> To enroll your subscription for this feature, write to us at [askazurebackupteam@microsoft.com](mailto:askazurebackupteam@microsoft.com). <br><br> Backup of Trusted Launch VM is supported through [Enhanced policy](backup-azure-vms-enhanced-policy.md). You can enable backup only through [Recovery Services vault](./backup-azure-arm-vms-prepare.md) and [VM Manage blade](./backup-during-vm-creation.md#start-a-backup-after-creating-the-vm). <br><br> **Feature details** <br> <ul><li> Migration of an existing [Generation 2](../virtual-machines/generation-2.md) VM (protected with Azure Backup) to Trusted Launch VM is currently not supported. Learn about how to [create a Trusted Launch VM](../virtual-machines/trusted-launch-portal.md?tabs=portal#deploy-a-trusted-vm). </li><li> Configurations of Backup, Alerts, and Monitoring for Trusted Launch VM are currently not supported through Backup center. </li><li> Currently, you can restore as [Create VM](./backup-azure-arm-restore-vms.md#create-a-vm), or [Restore disk](./backup-azure-arm-restore-vms.md#restore-disks) only. </li><li> [vTPM state](../virtual-machines/trusted-launch.md#vtpm) doesn't persist while you restore a VM from a recovery point. Therefore, scenarios that require vTPM persistence may not work across backup and restore operations. </li></ul>

-Each instance can support 10 concurrent RDP connections and 50 concurrent SSH connections. The number of connections per instances depends on what actions you are taking when connected to the client VM. For example, if you are doing something data intensive, it creates a larger load for the instance to process. Once the concurrent sessions are exceeded, an additional scale unit (instance) is required.

-description: Learn how to create an Azure Bastion host from virtual machine settings and connect to the VM securely through your browser via private IP address.

-# Quickstart: Deploy Azure Bastion from VM settings

-This quickstart article shows you how to deploy Azure Bastion to your virtual network from the Azure portal based on settings from an existing virtual machine. After you deploy Bastion, the RDP/SSH experience is available to all of the virtual machines in the virtual network. Azure Bastion is a PaaS service that is maintained for you. For more information about Azure Bastion, see [What is Azure Bastion?](bastion-overview.md)

-In this quickstart, after you deploy Bastion, you connect to your VM via private IP address using the Azure portal. When you connect to the VM, it doesn't need a public IP address, client software, agent, or a special configuration. If your VM has a public IP address that you don't need for anything else, you can remove it.

-* **A VM in a VNet**. This quickstart lets you quickly deploy Bastion to a VNet using settings from the virtual machine to which you want to connect. Bastion pulls the required values from the VM and deploys to the VNet based on these values. The virtual machine itself doesn't become a bastion host.

- * If you don't already have a VM in a VNet, create one using [Quickstart: Create a VM](../virtual-machines/windows/quick-create-portal.md).

- * If you need example values, see the provided [Example values](#values).

- * If you already have a virtual network, make sure to select it on the Networking tab when you create your VM.

- * If you don't already have a virtual network, you can create one at the same time you create your VM.

- * You don't need to have a public IP address for this VM in order to connect via Azure Bastion.

-When you deploy from VM settings, Bastion is automatically configured with default values. You don't need to specify any additional values for this exercise. However, once Bastion deploys, you can later modify [configuration settings](configuration-settings.md). For example, the SKU that is automatically configured is the Basic SKU. To support more Bastion features, you can easily [upgrade the SKU](upgrade-sku.md) after the deployment completes.

-After completing this configuration, you'll have an Azure Bastion deployment with the values listed in the following table:

-|**Name** | **Value** |

-## <a name="createvmset"></a>Deploy Bastion to a VNet

-There are a few different ways to deploy Bastion to a virtual network. In this quickstart, you deploy Bastion from your virtual machine settings in the Azure portal (you don't sign in and deploy from your VM directly).

-1. In the portal, navigate to the VM to which you want to connect. The values from the virtual network in which this VM resides will be used to create the Bastion deployment.

-In this quickstart, you created a bastion host for your virtual network, and then connected to a virtual machine securely via Bastion. Next, you can continue with the following step if you want to connect to a virtual machine scale set.

-> [Connect to a virtual machine scale set using Azure Bastion](bastion-connect-vm-scale-set.md)

-[githubtoken]: https://help.github.com/articles/creating-a-personal-access-token-for-the-command-line/

-| [LUIS][lu-containers] | **LUIS** ([image](https://go.microsoft.com/fwlink/?linkid=2043204&clcid=0x409)) | Loads a trained or published Language Understanding model, also known as a LUIS app, into a docker container and provides access to the query predictions from the container's API endpoints. You can collect query logs from the container and upload these back to the [LUIS portal](https://www.luis.ai) to improve the app's prediction accuracy. | Generally available |

-| [Language service][ta-containers-sentiment] | **Sentiment Analysis** ([image](https://go.microsoft.com/fwlink/?linkid=2018654&clcid=0x409)) | Analyzes raw text for clues about positive or negative sentiment. This version of sentiment analysis returns sentiment labels (for example *positive* or *negative*) for each document and sentence within it. | Generally available. This <br> container can also [run in disconnected environments](containers/disconnected-containers.md). |

-COPY ./app/ /usr/src/app/

-* **Virtual Network NAT** - Container groups deployed to a virtual network don't currently support using a NAT gateway resource for outbound internet connectivity.

-[az-network-profile-list]: /cli/azure/network/profile#az_network_profile_list

-* Assign a user write action on the specific resource group. This action is required to create a new account in the resource group.

-* Assign the *CosmosRestoreOperator* built-in role to the specific restorable database account that needs to be restored. In the following command, the scope for the *RestorableDatabaseAccount* is retrieved from the `ID` property in the output of `az cosmosdb restorable-database-account list` (if using CLI) or `Get-AzCosmosDBRestorableDatabaseAccount` (if using PowerShell).

- ```azurecli-interactive

- az role assignment create --role "CosmosRestoreOperator" --assignee <email> --scope <RestorableDatabaseAccount>

- ```

- "<account-endpoint>",

-This tutorial is a quick start guide to show how to use Cosmos DB Spark Connector to read from or write to Cosmos DB. Cosmos DB Spark Connector is based on Spark 3.1.x.

-Throughout this quick tutorial, we rely on [Azure Databricks Runtime 8.0 with Spark 3.1.1](/azure/databricks/release-notes/runtime/8.0) and a Jupyter Notebook to show how to use the Cosmos DB Spark Connector.

-You can use any other Spark 3.1.1 spark offering as well, also you should be able to use any language supported by Spark (PySpark, Scala, Java, etc.), or any Spark interface you are familiar with (Jupyter Notebook, Livy, etc.).

-* [Azure Databricks](/azure/databricks/release-notes/runtime/8.0) runtime 8.0 with Spark 3.1.1.

-Install Cosmos DB Spark Connector, in your spark Cluster [azure-cosmos-spark_3-1_2-12-4.3.1.jar](https://search.maven.org/artifact/com.azure.cosmos.spark/azure-cosmos-spark_3-1_2-12/4.3.1/jar)

-* [Download of Cosmos DB Spark connectro for Spark 3.1](https://aka.ms/azure-cosmos-spark-3-1-changelog)

-* [Download of Cosmos DB Spark connectro for Spark 3.2](https://aka.ms/azure-cosmos-spark-3-2-download)

-To verify if there is a hot partition, navigate to **Insights** > **Throughput** > **Normalized RU Consumption (%) By PartitionKeyRangeID**. Filter to a specific database and container.

-Each PartitionKeyRangeId maps to one physical partition. If there is one PartitionKeyRangeId that has significantly higher Normalized RU consumption than others (for example, one is consistently at 100%, but others are at 30% or less), this can be a sign of a hot partition. Learn more about the [Normalized RU Consumption metric](../monitor-normalized-request-units.md).

-If there is high percent of rate limited requests and no hot partition:

-If there is high percent of rate limited requests and there is an underlying hot partition:

-There is a system-reserved RU limit for these operations, so increasing the provisioned RU/s of the database or container will have no impact and is not recommended. See [limits on metadata operations](../concepts-limits.md#metadata-request-limits).

-This 429 error is returned when the request encounters a transient service error. Increasing the RU/s on the database or container will have no impact and is not recommended.

- :::image type="content" source="media/connector-rest/pagination-rule-example-4-1.png" alt-text="Screenshot showing the EndCondition setting for Example 4.1.":::

- :::image type="content" source="media/connector-rest/pagination-rule-example-4-2.png" alt-text="Screenshot showing the EndCondition setting for Example 4.2.":::

- :::image type="content" source="media/connector-rest/pagination-rule-example-4-3.png" alt-text="Screenshot showing the EndCondition setting for Example 4.3.":::

- :::image type="content" source="media/connector-rest/pagination-rule-example-4-4.png" alt-text="Screenshot showing the EndCondition setting for Example 4.4.":::

- :::image type="content" source="media/connector-rest/pagination-rule-example-4-5.png" alt-text="Screenshot showing the EndCondition setting for Example 4.5.":::

- :::image type="content" source="media/connector-rest/pagination-rule-example-4-6.png" alt-text="Screenshot showing the EndCondition setting for Example 4.6.":::

-> :::image type="content" source="media/connector-rest/pagination-rule-example-7-disable-rfc5988.png" alt-text="Screenshot showing how to disable RFC 5988 setting for Example 7.":::

-| **Kubernetes events deleted**<br>(K8S_DeleteEvents) | Defender for Cloud detected that some Kubernetes events have been deleted. Kubernetes events are objects in Kubernetes which contain information about changes in the cluster. Attackers might delete those events for hiding their operations in the cluster. | Defense Evasion | Medium |

-[Further details and notes](other-threat-protections.md#cosmos-db)

-| **PREVIEW - Access from a Tor exit node** | This Cosmos DB account was successfully accessed from an IP address known to be an active exit node of Tor, an anonymizing proxy. Authenticated access from a Tor exit node is a likely indication that a threat actor is trying to hide their identity. | Initial Access | High/Medium |

-| **PREVIEW - Access from a suspicious IP** | This Cosmos DB account was successfully accessed from an IP address that was identified as a threat by Microsoft Threat Intelligence. | Initial Access | Medium |

-| **PREVIEW - Access from an unusual location** | This Cosmos DB account was accessed from a location considered unfamiliar, based on the usual access pattern. <br><br> Either a threat actor has gained access to the account, or a legitimate user has connected from a new or unusual geographic location | Initial Access | Low |

-| **PREVIEW - Unusual volume of data extracted** | An unusually large volume of data has been extracted from this Cosmos DB account. This might indicate that a threat actor exfiltrated data. | Exfiltration | Medium |

-| **PREVIEW - Extraction of Cosmos DB accounts keys via a potentially malicious script** | A PowerShell script was run in your subscription and performed a suspicious pattern of key-listing operations to get the keys of Cosmos DB accounts in your subscription. Threat actors use automated scripts, like Microburst, to list keys and find Cosmos DB accounts they can access. <br><br> This operation might indicate that an identity in your organization was breached, and that the threat actor is trying to compromise Cosmos DB accounts in your environment for malicious intentions. <br><br> Alternatively, a malicious insider could be trying to access sensitive data and perform lateral movement. | Collection | High |

-| **PREVIEW - SQL injection: potential data exfiltration** | A suspicious SQL statement was used to query a container in this Cosmos DB account. <br><br> The injected statement might have succeeded in exfiltrating data that the threat actor isnΓÇÖt authorized to access. <br><br> Due to the structure and capabilities of Cosmos DB queries, many known SQL injection attacks on Cosmos DB accounts cannot work. However, the variation used in this attack may work and threat actors can exfiltrate data. | Exfiltration | Medium |

-| **PREVIEW - SQL injection: fuzzing attempt** | A suspicious SQL statement was used to query a container in this Cosmos DB account. <br><br> Like other well-known SQL injection attacks, this attack wonΓÇÖt succeed in compromising the Cosmos DB account. <br><br> Nevertheless, itΓÇÖs an indication that a threat actor is trying to attack the resources in this account, and your application may be compromised. <br><br> Some SQL injection attacks can succeed and be used to exfiltrate data. This means that if the attacker continues performing SQL injection attempts, they may be able to compromise your Cosmos DB account and exfiltrate data. <br><br> You can prevent this threat by using parameterized queries. | Pre-attack | Low |

- | Containers should only use allowed AppArmor profiles | Remediate security configurations | **Yes** |

-Defender for Containers for Kubernetes workloads previously only protected AKS. We have now extended the protective coverage to include Azure Arc enabled Kubernetes clusters.

-| - [Threat protection for Cosmos DB](./other-threat-protections.md#threat-protection-for-azure-cosmos-db-preview) | Public Preview | Not Available | Not Available |

-FastPath support for virtual network peering is now in Public preview.

-|Network filtering rules for non-TCP/UDP protocols (for example ICMP) don't work for Internet bound traffic|Network filtering rules for non-TCP/UDP protocols don't work with SNAT to your public IP address. Non-TCP/UDP protocols are supported between spoke subnets and VNets.|Azure Firewall uses the Standard Load Balancer, [which doesn't support SNAT for IP protocols today](../load-balancer/load-balancer-overview.md). We're exploring options to support this scenario in a future release.|

- `curl -A "BlackSun" <your web server address>`

- :::image type="content" source="media/premium-deploy/alert-message.png" alt-text="Alert message":::

-5. Add a signature rule for signature 2008983:

- 1. Under **Signature ID**, in the open text box type *2008983*.

- `curl -A "BlackSun" <your web server address>`

-1. Run the test again: `curl -A "BlackSun" http://server.2020-private-preview.com` and now you should get the `Hello World` response and no log alert. >

-`curl --ssl-no-revoke -A "BlackSun" <your web server address>`

-This VNet will have three subnets.

-> [Deploy and configure Azure Firewall Premium](premium-deploy.md)

-## Supported versions

-Azure IoT Edge for Linux on Windows supports the following versions:

-Try out Azure IoT Edge in this quickstart by deploying containerized code to a Linux on Windows IoT Edge device. IoT Edge allows you to remotely manage code on your devices so that you can send more of your workloads to the edge. For this quickstart, we recommend using your own device to see how easy it is to use Azure IoT Edge for Linux on Windows.

- * Windows Server 2019¹/2022

- _{¹ Windows 10 and Windows Server 2019 minimum build 17763 with all current cumulative updates installed.}

-### Remove Azure IoT Edge for Linux on Windows

-<!-- 1.1 -->

-Use the dashboard extension in Windows Admin Center to uninstall Azure IoT Edge for Linux on Windows.

-1. Connect to the IoT Edge device in Windows Admin Center. The Azure dashboard tool extension loads.

-1. Select **Uninstall**. After Azure IoT Edge is removed, Windows Admin Center removes the Azure IoT Edge device connection entry from the **Start** page.

->[!Note]

->Another way to remove Azure IoT Edge from your Windows system is to select **Start** > **Settings** > **Apps** > **Azure IoT Edge LTS** > **Uninstall** on your IoT Edge device. This method removes Azure IoT Edge from your IoT Edge device, but leaves the connection behind in Windows Admin Center. To complete the removal, uninstall Windows Admin Center from the **Settings** menu as well.

-<!-- end 1.1 -->

-<!-- 1.2 -->

-1. On the Windows host OS, select **Start** > **Settings** > **Apps** > **Apps & features**.

-1. Then select **Azure IoT Edge** > **Uninstall**

-<!-- end 1.2 -->

- * This documentation version will be stable through the supported lifetime of version 1.1, and will not reflect new features released in later versions. IoT Edge 1.1 LTS will be supported until December 3, 2022 to match the [.NET Core 3.1 release lifecycle](https://dotnet.microsoft.com/platform/support/policy/dotnet-core).

-description: Using an Azure quickstart template, create, deploy, and manage an example serverless app with Azure Logic Apps and Azure Functions in Visual Studio

-description: How to write, edit, and extend your logic app's JSON workflow definitions in Azure Logic Apps

-description: Send and receive messages in groups between your workflows by using batch processing in Azure Logic Apps

-description: Learn how to handle various content types in workflows during design time and run time in Azure Logic Apps

-description: Learn how to create or merge parallel running branches for independent workflow actions in Azure Logic Apps

-* [Run steps based on a condition (conditional statements)](../logic-apps/logic-apps-control-flow-conditional-statement.md)

-* [Run steps based on different values (switch statements)](../logic-apps/logic-apps-control-flow-switch-statement.md)

-description: How to create conditions that control actions in workflows in Azure Logic Apps

-# Create conditional statements that control workflow actions in Azure Logic Apps

-add a *conditional statement*. This control structure compares the data in your

-You can add a conditional statement to send email only

-Here's the high-level code definition behind a conditional statement:

-* [Run steps based on different values (switch statements)](../logic-apps/logic-apps-control-flow-switch-statement.md)

-description: Create loops that repeat workflow actions or process arrays in Azure Logic Apps

-* [Run steps based on a condition (conditional statements)](../logic-apps/logic-apps-control-flow-conditional-statement.md)

-* [Run steps based on different values (switch statements)](../logic-apps/logic-apps-control-flow-switch-statement.md)

-description: Create scoped actions that run based on group status in Azure Logic Apps

-* A conditional statement that checks whether the

-1. Add the **Bing Maps - Get route** action.

-* [Run steps based on a condition (conditional statements)](../logic-apps/logic-apps-control-flow-conditional-statement.md)

-* [Run steps based on different values (switch statements)](../logic-apps/logic-apps-control-flow-switch-statement.md)

-description: How to create switch statements that control workflow actions based on specific values in Azure Logic Apps

-# Create switch statements that run workflow actions based on specific values in Azure Logic Apps

-or tokens, add a *switch* statement. This structure evaluates the object,

-and runs specific actions only for that case. When the switch statement runs,

-> Like all programming languages, switch statements

-> [conditional statement](../logic-apps/logic-apps-control-flow-conditional-statement.md).

-## Add switch statement

-1. For this example, add a switch statement at the end

- When you want to add a switch statement between steps,

- the switch statement. Choose the **plus sign** (**+**)

- A switch statement appears with one case and a default case.

- By default, a switch statement requires at least one case plus the default case.

- 

- 

-Now that you created a logic app using a switch statement,

-let's look at the high-level code definition behind the switch statement.

-| `"Switch"` | The name of the switch statement, which you can rename for readability |

-| `"type": "Switch"` | Specifies that the action is a switch statement |

-| `"case"` | Specifies the case's value, which must be a constant and unique value that the switch statement uses for comparison. If no cases match the switch expression result, the actions in the `"default"` section are run. |

-* [Run steps based on a condition (conditional statements)](../logic-apps/logic-apps-control-flow-conditional-statement.md)

- * [Visual Studio 2019, 2017, or 2015 - Community edition or greater](https://aka.ms/download-visual-studio). This quickstart uses Visual Studio Community 2017, which is free.

-

-> Azure Monitor supports using Azure Private Link to connect to a VNet. However, Azure Machine Learning does not support using a private link-enabled Azure Monitor (including Azure Application Insights). Do __not_ configure private link for the Azure Monitor or Azure Application Insights you plan to use with Azure Machine Learning.

-> [!div class="mx-imgBorder"]

-> 

-1. In the Extensions view, search for "Azure Machine Learning".

-> [!NOTE]

-> Alternatively, you can install the Azure Machine Learning extension via the Visual Studio Marketplace by [downloading the installer directly](https://aka.ms/vscodetoolsforai).

-The rest of the steps in this tutorial have been tested with the latest version of the extension.

-To sign into you Azure account, select the **Azure: Sign In** button on the Visual Studio Code status bar to start the sign in process.

-Alternatively, use the command palette:

-1. Open the command palette by selecting **View > Command Palette** from the menu bar.

-1. Enter the command "> Azure: Sign In" into the command palette to start the sign in process.

-A commercial marketplace test drive is a great tool for marketers. We recommend you incorporate it in your go-to-market efforts when you launch to generate more leads for your business. For detailed guidance, see [Customer leads from your commercial marketplace offer](https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/marketplace/partner-center-portal/commercial-marketplace-get-customer-leads.md).

-If you close a deal with a test drive lead, be sure to register it at [Microsoft Partner Sales Connect](https://support.microsoft.com/help/3155788/getting-started-with-microsoft-partner-sales-connect). Also, we would love to hear about your customer wins where a test drive played a role.

-> - Make sure that both the subscription has the **Microsoft.DBforMySQL** resource provider registered. For more information refer [resource-manager-registration][resource-manager-portal]

-1. [Navigate to your Red Hat OpenShift cluster manager portal](https://cloud.redhat.com/openshift/install/azure/aro-provisioned) and log in.

-After you create a server, the compute tier, number of vCores and storage size can be changed up or down within seconds. You also can independently adjust the backup retention period up or down. For more information, see the [Scale resources](#scale-resources) section.

-* managing sharded data between multiple servers

-* compressing data with columnar storage

-* automating timeseries partitioning

-* parallelizing query execution across shards

-| [alter_distributed_table](reference-functions.md#alter_distributed_table) | change the distribution column, shard count or colocation properties of a distributed table |

-| [citus_copy_shard_placement](reference-functions.md#master_copy_shard_placement) | repair an inactive shard placement using data from a healthy placement |

-| [create_distributed_table](reference-functions.md#create_distributed_table) | turn a PostgreSQL table into a distributed (sharded) table |

-| [create_reference_table](reference-functions.md#create_reference_table) | maintain full copies of a table in sync across all nodes |

-| [isolate_tenant_to_new_shard](reference-functions.md#isolate_tenant_to_new_shard) | create a new shard to hold rows with a specific single value in the distribution column |

-| [truncate_local_data_after_distributing_table](reference-functions.md#truncate_local_data_after_distributing_table) | truncate all local rows after distributing a table |

-| [undistribute_table](reference-functions.md#undistribute_table) | undo the action of create_distributed_table or create_reference_table |

-| [citus_add_rebalance_strategy](reference-functions.md#citus_add_rebalance_strategy) | append a row to `pg_dist_rebalance_strategy` |

-| [citus_move_shard_placement](reference-functions.md#master_move_shard_placement) | typically used indirectly during shard rebalancing rather than being called directly by a database administrator |

-| [citus_set_default_rebalance_strategy](reference-functions.md#) | change the strategy named by its argument to be the default chosen when rebalancing shards |

-| [get_rebalance_progress](reference-functions.md#get_rebalance_progress) | monitor the moves planned and executed by `rebalance_table_shards` |

-| [get_rebalance_table_shards_plan](reference-functions.md#get_rebalance_table_shards_plan) | output the planned shard movements of rebalance_table_shards without performing them |

-| [rebalance_table_shards](reference-functions.md#rebalance_table_shards) | move shards of the given table to distribute them evenly among the workers |

-| [create_distributed_function](reference-functions.md#create_distributed_function) | make function run on workers near colocated shards |

-| [update_distributed_table_colocation](reference-functions.md#update_distributed_table_colocation) | update or break colocation of a distributed table |

-| [alter_columnar_table_set](reference-functions.md#alter_columnar_table_set) | change settings on a columnar table |

-| [alter_table_set_access_method](reference-functions.md#alter_table_set_access_method) | convert a table between heap or columnar storage |

-| [alter_old_partitions_set_access_method](reference-functions.md#alter_old_partitions_set_access_method) | change storage method of partitions |

-| [create_time_partitions](reference-functions.md#create_time_partitions) | create partitions of a given interval to cover a given range of time |

-| [drop_old_time_partitions](reference-functions.md#drop_old_time_partitions) | remove all partitions whose intervals fall before a given timestamp |

-| [citus_get_active_worker_nodes](reference-functions.md#citus_get_active_worker_nodes) | get active worker host names and port numbers |

-| [citus_relation_size](reference-functions.md#citus_relation_size) | get disk space used by all the shards of the specified distributed table |

-| [citus_remote_connection_stats](reference-functions.md#citus_remote_connection_stats) | show the number of active connections to each remote node |

-| [citus_stat_statements_reset](reference-functions.md#citus_stat_statements_reset) | remove all rows from `citus_stat_statements` |

-| [citus_table_size](reference-functions.md#citus_table_size) | get disk space used by all the shards of the specified distributed table, excluding indexes |

-| [citus_total_relation_size](reference-functions.md#citus_total_relation_size) | get total disk space used by the all the shards of the specified distributed table, including all indexes and TOAST data |

-| [column_to_column_name](reference-functions.md#column_to_column_name) | translate the `partkey` column of `pg_dist_partition` into a textual column name |

-| [get_shard_id_for_distribution_column](reference-functions.md#get_shard_id_for_distribution_column) | find the shard ID associated with a value of the distribution column |

-| [citus.all_modifications_commutative](reference-parameters.md#citusall_modifications_commutative) | allow all commands to claim a shared lock |

-| [citus.count_distinct_error_rate](reference-parameters.md#cituscount_distinct_error_rate-floating-point) | tune error rate of postgresql-hll approximate counting |

-| [citus.enable_repartition_joins](reference-parameters.md#citusenable_repartition_joins-boolean) | allow JOINs made on non-distribution columns |

-| [citus.enable_repartitioned_insert_select](reference-parameters.md#citusenable_repartition_joins-boolean) | allow repartitioning rows from the SELECT statement and transferring them between workers for insertion |

-| [citus.limit_clause_row_fetch_count](reference-parameters.md#cituslimit_clause_row_fetch_count-integer) | the number of rows to fetch per task for limit clause optimization |

-| [citus.local_table_join_policy](reference-parameters.md#cituslocal_table_join_policy-enum) | where data moves when doing a join between local and distributed tables |

-| [citus.multi_shard_commit_protocol](reference-parameters.md#citusmulti_shard_commit_protocol-enum) | the commit protocol to use when performing COPY on a hash distributed table |

-| [citus.propagate_set_commands](reference-parameters.md#cituspropagate_set_commands-enum) | which SET commands are propagated from the coordinator to workers |

-| [citus.explain_all_tasks](reference-parameters.md#citusexplain_all_tasks-boolean) | make EXPLAIN output show all tasks |

-| [citus.explain_analyze_sort_method](reference-parameters.md#citusexplain_analyze_sort_method-enum) | sort method of the tasks in the output of EXPLAIN ANALYZE |

-| [citus.log_remote_commands](reference-parameters.md#cituslog_remote_commands-boolean) | log queries the coordinator sends to worker nodes |

-| [citus.multi_task_query_log_level](reference-parameters.md#citusmulti_task_query_log_level-enum-multi_task_logging) | log-level for any query that generates more than one task |

-| [citus.stat_statements_max](reference-parameters.md#citusstat_statements_max-integer) | max number of rows to store in `citus_stat_statements` |

-| [citus.stat_statements_purge_interval](reference-parameters.md#citusstat_statements_purge_interval-integer) | frequency at which the maintenance daemon removes records from `citus_stat_statements` that are unmatched in `pg_stat_statements` |

-| [citus.stat_statements_track](reference-parameters.md#citusstat_statements_track-enum) | enable/disable statement tracking |

-| [citus.executor_slow_start_interval](reference-parameters.md#citusexecutor_slow_start_interval-integer) | time to wait in milliseconds between opening connections to the same worker node |

-| [citus.force_max_query_parallelization](reference-parameters.md#citusforce_max_query_parallelization-boolean) | open as many connections as possible |

-| [citus.max_adaptive_executor_pool_size](reference-parameters.md#citusmax_adaptive_executor_pool_size-integer) | max worker connections per session |

-| [citus.max_cached_conns_per_worker](reference-parameters.md#citusmax_cached_conns_per_worker-integer) | number of connections kept open to speed up subsequent commands |

-| [citus.node_connection_timeout](reference-parameters.md#citusnode_connection_timeout-integer) | max duration (in milliseconds) to wait for connection establishment |

-| [citus.enable_binary_protocol](reference-parameters.md#citusenable_binary_protocol-boolean) | use PostgreSQLΓÇÖs binary serialization format (when applicable) to transfer data with workers |

-| [citus.max_intermediate_result_size](reference-parameters.md#citusmax_intermediate_result_size-integer) | size in KB of intermediate results for CTEs and subqueries that are unable to be pushed down |

-| [citus.distributed_deadlock_detection_factor](reference-parameters.md#citusdistributed_deadlock_detection_factor-floating-point) | time to wait before checking for distributed deadlocks |

-| [citus.log_distributed_deadlock_detection](reference-parameters.md#cituslog_distributed_deadlock_detection-boolean) | whether to log distributed deadlock detection-related processing in the server log |

-| [citus_dist_stat_activity](reference-metadata.md#distributed-query-activity) | distributed queries that are executing on all nodes |

-| [citus_lock_waits](reference-metadata.md#distributed-query-activity) | queries blocked throughout the server group |

-| [citus_shards](reference-metadata.md#shard-information-view) | the location of each shard, the type of table it belongs to, and its size |

-| [citus_stat_statements](reference-metadata.md#query-statistics-table) | stats about how queries are being executed, and for whom |

-| [citus_tables](reference-metadata.md#distributed-tables-view) | a summary of all distributed and reference tables |

-| [citus_worker_stat_activity](reference-metadata.md#distributed-query-activity) | queries on workers, including tasks on individual shards |

-| [pg_dist_colocation](reference-metadata.md#colocation-group-table) | which tables' shards should be placed together |

-| [pg_dist_node](reference-metadata.md#worker-node-table) | information about worker nodes in the server group |

-| [pg_dist_object](reference-metadata.md#distributed-object-table) | objects such as types and functions that have been created on the coordinator node and propagated to worker nodes |

-| [pg_dist_placement](reference-metadata.md#shard-placement-table) | the location of shard replicas on worker nodes |

-| [pg_dist_rebalance_strategy](reference-metadata.md#rebalancer-strategy-table) | strategies that `rebalance_table_shards` can use to determine where to move shards |

-| [pg_dist_shard](reference-metadata.md#shard-table) | the table, distribution column, and value ranges for every shard |

-| [time_partitions](reference-metadata.md#time-partitions-view) | information about each partition managed by such functions as `create_time_partitions` and `drop_old_time_partitions` |

-> | **Management + governance** | | |

-> | **Other** | | |

-> | [Azure Digital Twins Data Owner](#azure-digital-twins-data-owner) | Full access role for Digital Twins data-plane | bcd981a7-7f74-457b-83e1-cceb9e632ffe |

-> | [Azure Digital Twins Data Reader](#azure-digital-twins-data-reader) | Read-only role for Digital Twins data-plane properties | d57506d4-4c8d-48b1-8587-93c323f6a5a3 |

-> | [BizTalk Contributor](#biztalk-contributor) | Lets you manage BizTalk services, but not access to them. | 5e3c6656-6cfa-4708-81fe-0de47ac73342 |

-> | [Disk Backup Reader](#disk-backup-reader) | Provides permission to backup vault to perform disk backup. | 3e5e47e6-65f7-47ef-90b5-e5dd4d455f24 |

-> | [Disk Pool Operator](#disk-pool-operator) | Provide permission to StoragePool Resource Provider to manage disks added to a disk pool. | 60fc6e62-5479-42d4-8bf4-67625fcc2840 |

-> | [Disk Restore Operator](#disk-restore-operator) | Provides permission to backup vault to perform disk restore. | b50d9833-a0cb-478e-945f-707fcc997c13 |

-> | [Disk Snapshot Contributor](#disk-snapshot-contributor) | Provides permission to backup vault to manage disk snapshots. | 7efff54f-a5b4-42b5-a1c5-5411624893ce |

-## Management + governance

-## Other

-### Azure Digital Twins Data Owner

-Full access role for Digital Twins data-plane [Learn more](../digital-twins/concepts-security.md)

-> | *none* | |

-> | [Microsoft.DigitalTwins](resource-provider-operations.md#microsoftdigitaltwins)/eventroutes/* | Read, delete, create, or update any Event Route |

-> | [Microsoft.DigitalTwins](resource-provider-operations.md#microsoftdigitaltwins)/digitaltwins/* | Read, create, update, or delete any Digital Twin |

-> | [Microsoft.DigitalTwins](resource-provider-operations.md#microsoftdigitaltwins)/digitaltwins/commands/* | Invoke any Command on a Digital Twin |

-> | [Microsoft.DigitalTwins](resource-provider-operations.md#microsoftdigitaltwins)/digitaltwins/relationships/* | Read, create, update, or delete any Digital Twin Relationship |

-> | [Microsoft.DigitalTwins](resource-provider-operations.md#microsoftdigitaltwins)/models/* | Read, create, update, or delete any Model |

-> | [Microsoft.DigitalTwins](resource-provider-operations.md#microsoftdigitaltwins)/query/* | Query any Digital Twins Graph |

- "description": "Full access role for Digital Twins data-plane",

- "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/bcd981a7-7f74-457b-83e1-cceb9e632ffe",

- "name": "bcd981a7-7f74-457b-83e1-cceb9e632ffe",

- "actions": [],

- "notActions": [],

- "dataActions": [

- "Microsoft.DigitalTwins/eventroutes/*",

- "Microsoft.DigitalTwins/digitaltwins/*",

- "Microsoft.DigitalTwins/digitaltwins/commands/*",

- "Microsoft.DigitalTwins/digitaltwins/relationships/*",

- "Microsoft.DigitalTwins/models/*",

- "Microsoft.DigitalTwins/query/*"

- ],

- "notDataActions": []

- }

- ],

- "roleName": "Azure Digital Twins Data Owner",

- "roleType": "BuiltInRole",

- "type": "Microsoft.Authorization/roleDefinitions"

-}

-```

-### Azure Digital Twins Data Reader

-Read-only role for Digital Twins data-plane properties [Learn more](../digital-twins/concepts-security.md)

-> [!div class="mx-tableFixed"]

-> | Actions | Description |

-> | | |

-> | *none* | |

-> | **NotActions** | |

-> | *none* | |

-> | **DataActions** | |

-> | [Microsoft.DigitalTwins](resource-provider-operations.md#microsoftdigitaltwins)/digitaltwins/read | Read any Digital Twin |

-> | [Microsoft.DigitalTwins](resource-provider-operations.md#microsoftdigitaltwins)/digitaltwins/relationships/read | Read any Digital Twin Relationship |

-> | [Microsoft.DigitalTwins](resource-provider-operations.md#microsoftdigitaltwins)/eventroutes/read | Read any Event Route |

-> | [Microsoft.DigitalTwins](resource-provider-operations.md#microsoftdigitaltwins)/models/read | Read any Model |

-> | [Microsoft.DigitalTwins](resource-provider-operations.md#microsoftdigitaltwins)/query/action | Query any Digital Twins Graph |

-> | **NotDataActions** | |

-> | *none* | |

-```json

-{

- "assignableScopes": [

- "/"

- ],

- "description": "Read-only role for Digital Twins data-plane properties",

- "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/d57506d4-4c8d-48b1-8587-93c323f6a5a3",

- "name": "d57506d4-4c8d-48b1-8587-93c323f6a5a3",

- "permissions": [

- {

- "actions": [],

- "notActions": [],

- "dataActions": [

- "Microsoft.DigitalTwins/digitaltwins/read",

- "Microsoft.DigitalTwins/digitaltwins/relationships/read",

- "Microsoft.DigitalTwins/eventroutes/read",

- "Microsoft.DigitalTwins/models/read",

- "Microsoft.DigitalTwins/query/action"

- ],

- "notDataActions": []

- }

- ],

- "roleName": "Azure Digital Twins Data Reader",

- "roleType": "BuiltInRole",

- "type": "Microsoft.Authorization/roleDefinitions"

-}

-```

-### BizTalk Contributor

-Lets you manage BizTalk services, but not access to them.

-> [!div class="mx-tableFixed"]

-> | Actions | Description |

-> | | |

-> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments |

-> | Microsoft.BizTalkServices/BizTalk/* | Create and manage BizTalk services |

-> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert |

-> | [Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |

-> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment |

-> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |

-> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket |

-> | **NotActions** | |

-> | *none* | |

-> | **DataActions** | |

-> | *none* | |

-> | **NotDataActions** | |

-> | *none* | |

-```json

-{

- "assignableScopes": [

- "/"

- ],

- "description": "Lets you manage BizTalk services, but not access to them.",

- "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5e3c6656-6cfa-4708-81fe-0de47ac73342",

- "name": "5e3c6656-6cfa-4708-81fe-0de47ac73342",

- "permissions": [

- {

- "actions": [

- "Microsoft.Authorization/*/read",

- "Microsoft.BizTalkServices/BizTalk/*",

- "Microsoft.Insights/alertRules/*",

- "Microsoft.ResourceHealth/availabilityStatuses/read",

- "Microsoft.Resources/deployments/*",

- "Microsoft.Resources/subscriptions/resourceGroups/read",

- "Microsoft.Support/*"

- ],

- "notActions": [],

- "dataActions": [],

- "notDataActions": []

- }

- ],

- "roleName": "BizTalk Contributor",

- "roleType": "BuiltInRole",

- "type": "Microsoft.Authorization/roleDefinitions"

-}

-```

-### Desktop Virtualization Application Group Contributor

-Contributor of the Desktop Virtualization Application Group. [Learn more](../virtual-desktop/rbac.md)

-> [!div class="mx-tableFixed"]

-> | Actions | Description |

-> | | |

-> | [Microsoft.DesktopVirtualization](resource-provider-operations.md#microsoftdesktopvirtualization)/applicationgroups/* | |

-> | [Microsoft.DesktopVirtualization](resource-provider-operations.md#microsoftdesktopvirtualization)/hostpools/read | Read hostpools |

-> | [Microsoft.DesktopVirtualization](resource-provider-operations.md#microsoftdesktopvirtualization)/hostpools/sessionhosts/read | Read hostpools/sessionhosts |

-> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |

-> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment |

-> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments |

-> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert |

-> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket |

-> | **NotActions** | |

-> | *none* | |

-> | **DataActions** | |

-> | *none* | |

-> | **NotDataActions** | |

-> | *none* | |

-```json

-{

- "assignableScopes": [

- "/"

- ],

- "description": "Contributor of the Desktop Virtualization Application Group.",

- "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/86240b0e-9422-4c43-887b-b61143f32ba8",

- "name": "86240b0e-9422-4c43-887b-b61143f32ba8",

- "permissions": [

- {

- "actions": [

- "Microsoft.DesktopVirtualization/applicationgroups/*",

- "Microsoft.DesktopVirtualization/hostpools/read",

- "Microsoft.DesktopVirtualization/hostpools/sessionhosts/read",

- "Microsoft.Resources/subscriptions/resourceGroups/read",

- "Microsoft.Resources/deployments/*",

- "Microsoft.Authorization/*/read",

- "Microsoft.Insights/alertRules/*",

- "Microsoft.Support/*"

- ],

-### Disk Backup Reader

-Provides permission to backup vault to perform disk backup. [Learn more](../backup/disk-backup-faq.yml)

-> [!div class="mx-tableFixed"]

-> | Actions | Description |

-> | | |

-> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments |

-> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/disks/read | Get the properties of a Disk |

-> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/disks/beginGetAccess/action | Get the SAS URI of the Disk for blob access |

-> | **NotActions** | |

-> | *none* | |

-> | **DataActions** | |

-> | *none* | |

-> | **NotDataActions** | |

-> | *none* | |

-```json

-{

- "assignableScopes": [

- "/"

- ],

- "description": "Provides permission to backup vault to perform disk backup.",

- "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/3e5e47e6-65f7-47ef-90b5-e5dd4d455f24",

- "name": "3e5e47e6-65f7-47ef-90b5-e5dd4d455f24",

- "permissions": [

- {

- "actions": [

- "Microsoft.Authorization/*/read",

- "Microsoft.Compute/disks/read",

- "Microsoft.Compute/disks/beginGetAccess/action"

- ],

- "notActions": [],

- "dataActions": [],

- "notDataActions": []

- }

- ],

- "roleName": "Disk Backup Reader",

- "roleType": "BuiltInRole",

- "type": "Microsoft.Authorization/roleDefinitions"

-}

-```

-### Disk Pool Operator

-Provide permission to StoragePool Resource Provider to manage disks added to a disk pool.

-> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/disks/write | Creates a new Disk or updates an existing one |

-> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/disks/read | Get the properties of a Disk |

-> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments |

-> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert |

-> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment |

-> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |

-> | *none* | |

- "description": "Used by the StoragePool Resource Provider to manage Disks added to a Disk Pool.",

- "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/60fc6e62-5479-42d4-8bf4-67625fcc2840",

- "name": "60fc6e62-5479-42d4-8bf4-67625fcc2840",

- "actions": [

- "Microsoft.Compute/disks/write",

- "Microsoft.Compute/disks/read",

- "Microsoft.Authorization/*/read",

- "Microsoft.Insights/alertRules/*",

- "Microsoft.Resources/deployments/*",

- "Microsoft.Resources/subscriptions/resourceGroups/read"

- ],

- "dataActions": [],

- "roleName": "Disk Pool Operator",

-### Disk Restore Operator

-Provides permission to backup vault to perform disk restore. [Learn more](../backup/restore-managed-disks.md)

-> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments |

-> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |

-> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/disks/write | Creates a new Disk or updates an existing one |

-> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/disks/read | Get the properties of a Disk |

-> | *none* | |

- "description": "Provides permission to backup vault to perform disk restore.",

- "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b50d9833-a0cb-478e-945f-707fcc997c13",

- "name": "b50d9833-a0cb-478e-945f-707fcc997c13",

- "actions": [

- "Microsoft.Authorization/*/read",

- "Microsoft.Resources/subscriptions/resourceGroups/read",

- "Microsoft.Compute/disks/write",

- "Microsoft.Compute/disks/read"

- ],

- "dataActions": [],

- "roleName": "Disk Restore Operator",

-### Disk Snapshot Contributor

-Provides permission to backup vault to manage disk snapshots. [Learn more](../backup/backup-managed-disks.md)

-> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/snapshots/delete | Delete a Snapshot |

-> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/snapshots/write | Create a new Snapshot or update an existing one |

-> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/snapshots/read | Get the properties of a Snapshot |

-> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/snapshots/beginGetAccess/action | Get the SAS URI of the Snapshot for blob access |

-> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/snapshots/endGetAccess/action | Revoke the SAS URI of the Snapshot |

-> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/disks/beginGetAccess/action | Get the SAS URI of the Disk for blob access |

-> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/listkeys/action | Returns the access keys for the specified storage account. |

-> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/write | Creates a storage account with the specified parameters or update the properties or tags or adds custom domain for the specified storage account. |

-> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account. |

-> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/delete | Deletes an existing storage account. |

- "description": "Provides permission to backup vault to manage disk snapshots.",

- "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/7efff54f-a5b4-42b5-a1c5-5411624893ce",

- "name": "7efff54f-a5b4-42b5-a1c5-5411624893ce",

- "Microsoft.Compute/snapshots/delete",

- "Microsoft.Compute/snapshots/write",

- "Microsoft.Compute/snapshots/read",

- "Microsoft.Compute/snapshots/beginGetAccess/action",

- "Microsoft.Compute/snapshots/endGetAccess/action",

- "Microsoft.Compute/disks/beginGetAccess/action",

- "Microsoft.Storage/storageAccounts/listkeys/action",

- "Microsoft.Storage/storageAccounts/write",

- "Microsoft.Storage/storageAccounts/read",

- "Microsoft.Storage/storageAccounts/delete"

- "roleName": "Disk Snapshot Contributor",

-| **Migrate** |

-| **Management + governance** |

-| **Other** |

-## Migrate

-## Management + governance

-## Other

-> Starting November 2021, the role assignments limit for a subscription is being increased from **2000** to **4000** over the next several months. Subscriptions that are near the limit will be prioritized first. The limit for the remaining subscriptions will be increased over time. Once the limit increase process is started for a subscription, it still takes multiple weeks to increase the limit.

-This syntax is similar to [the JSON Pointer specification](https://datatracker.ietf.org/doc/html/rfc6901.htmlhttps://datatracker.ietf.org/doc/html/rfc6901.html).

-+ [Reference annotations in an Azure Cognitive Search skillset](cognitive-search-concept-annotations-syntax.md)

-Configure a [search indexer](search-indexer-overview.md) to extract content from Azure File Storage and make it searchable in Azure Cognitive Search.

-This article supplements [**Create an indexer**](search-howto-create-indexers.md) with information specific to indexing files in Azure Storage. It uses the REST APIs to demonstrate a three-part workflow common to all indexers: create a data source, create an index, create an indexer. Data extraction occurs when you submit the Create Indexer request.

- { "name": "metadata_storage_content_type", "type": "Edm.String", "searchable": true, "filterable": true, "sortable": true },

-## Configure the file indexer

-Indexer configuration specifies the inputs, parameters, and properties controlling run time behaviors. Under "configuration", you can specify which files are indexed by file type or by properties on the files themselves.

-1. [Create or update an indexer](/rest/api/searchservice/create-indexer) to use the predefined data source and search index.

- "name" : "my-file-indexer,

- "batchSize": null,

- "maxFailedItems": null,

- "maxFailedItemsPerBatch": null,

- "base64EncodeKeys": null,

- "configuration:" {

-In this article, learn how to configure an [**indexer**](search-indexer-overview.md) that imports content from Azure SQL and makes it searchable in Azure Cognitive Search. The workflow creates a search index and loads it with text extracted from Azure SQL Database and Azure SQL managed instances.

-This article supplements [**Create an indexer**](search-howto-create-indexers.md) with information about settings that are specific to Azure SQL. You can create indexers using the [Azure portal](https://portal.azure.com), [Search REST APIs](/rest/api/searchservice/Indexer-operations) or an Azure SDK. This article uses REST to explain each step.

-+ Read permissions. Azure Cognitive Search supports SQL Server authentication, where the user name and password are provided on the connection string. Alternatively, you can [set up a managed identity and use Azure roles](search-howto-managed-identities-sql.md) to omit credentials on the connection.

-Indexer configuration specifies the inputs, parameters, and properties controlling run time behaviors.

- "batchSize": null,

- "maxFailedItems": 0,

- "maxFailedItemsPerBatch": 0,

- "base64EncodeKeys": false,

- "configuration": {

- "queryTimeout": "00:05:00",

- "disableOrderByHighWaterMarkColumn": false

-Within an indexer definition, you can specify a change detection policies that tells the indexer which change tracking mechanism is used on your table or view. There are two policies to choose from:

-When configuring an [Azure SQL indexer](search-howto-connecting-azure-sql-database-to-azure-search-using-indexers.md#faq) to extract content from a database on an Azure virtual machine, additional steps are required for secure connections.

-If you are setting up an Azure Cognitive Search indexer that connects to an Azure SQL managed instance, you will need to enable a public endpoint on the managed instance as a prerequisite. An indexer connects to a managed instance over a public endpoint.

-## Change detection and internal state

-Change detection logic is a capability that's built into source platforms. If your data source support change detection, an indexer can detect changes in the underlying data and only process new or updated documents on each indexer run, leaving unchanged content as-is. If indexer execution history says that a run was successful with `0/0` documents processed, it means that the indexer didn't find any new or changed rows or blobs in the underlying data source.

-How an indexer supports change detection varies by data source:

-+ Azure Blob Storage, Azure Table Storage, and Azure Data Lake Storage Gen2 stamp each blob or row update with a date and time. The various indexers use this information to determine which documents to update in the index. Built-in change detection means that an indexer can recognize new and updated documents automatically.

-+ Azure SQL and Cosmos DB provide change detection features in their platforms. You can specify the change detection policy in your data source definition.

-For large indexing loads, an indexer also keeps track of the last document it processed through an internal "high water mark". The marker is never exposed in the API, but internally the indexer keeps track of where it stopped. When indexing resumes, either through a scheduled run or an on-demand invocation, the indexer references the high water mark so that it can pick up where it left off.

-If you need to clear the high water mark to re-index in full, you can use [Reset Indexer](/rest/api/searchservice/reset-indexer). For more selective re-indexing, use [Reset Skills](/rest/api/searchservice/preview-api/reset-skills) or [Reset Documents](/rest/api/searchservice/preview-api/reset-documents). Through the reset APIs, you can clear internal state, and also flush the cache if you enabled [incremental enrichment](search-howto-incremental-index.md). For more background and comparison of each reset option, see [Run or reset indexers, skills, and documents](search-howto-run-reset-indexers.md).

-## Check results

-[Monitor indexer status](search-howto-monitor-indexers.md) to check for status. Successful execution can still include warning and notifications. Be sure to check both successful and failed status notifications for details about the job.

-For content verification, [run queries](search-query-create.md) on the populated index that return entire documents or selected fields.

-Configure a [search indexer](search-indexer-overview.md) to extract content and metadata from Azure Data Lake Storage (ADLS) Gen2 and make it searchable in Azure Cognitive Search.

-ADLS Gen2 is available through Azure Storage. When setting up a storage account, you have the option of enabling [hierarchical namespace](../storage/blobs/data-lake-storage-namespace.md), organizing files into a hierarchy of directories and nested subdirectories. By enabling a hierarchical namespace, you enable ADLS Gen2.

-This article supplements [**Create an indexer**](search-howto-create-indexers.md) with information specific to indexing from ADLS Gen2. It uses the REST APIs to demonstrate a three-part workflow common to all indexers: create a data source, create an index, create an indexer. Data extraction occurs when you submit the Create Indexer request.

-+ [ADLS Gen2](../storage/blobs/data-lake-storage-introduction.md) with [hierarchical namespace](../storage/blobs/data-lake-storage-namespace.md) enabled.

-## Configure the ADLS Gen2 indexer

-Indexer configuration specifies the inputs, parameters, and properties controlling run time behaviors. The "configuration" section determines what content gets indexed.

-1. [Create or update an indexer](/rest/api/searchservice/create-indexer) to use the predefined data source and search index.

- "batchSize": null,

- "maxFailedItems": null,

- "maxFailedItemsPerBatch": null,

- "base64EncodeKeys": null,

- "configuration:" {

- "indexedFileNameExtensions" : ".pdf,.docx",

- "excludedFileNameExtensions" : ".png,.jpeg",

- "dataToExtract": "contentAndMetadata",

- "parsingMode": "default",

- "imageAction": "none"

- }

-1. See [Create an indexer](search-howto-create-indexers.md) for more information about other properties.

-For the full list of parameter descriptions, see [Blob configuration parameters](/rest/api/searchservice/create-indexer#blob-configuration-parameters) in the REST API.

-This article shows you how to configure an Azure Cosmos DB indexer to extract content and make it searchable in Azure Cognitive Search. This workflow creates a search index on Azure Cognitive Search and loads it with existing content extracted from Azure Cosmos DB using the [Gremlin API](../cosmos-db/choose-api.md#gremlin-api).

-Because terminology can be confusing, it's worth noting that [Azure Cosmos DB indexing](../cosmos-db/index-overview.md) and [Azure Cognitive Search indexing](search-what-is-an-index.md) are different operations. Indexing in Cognitive Search creates and loads a search index on your search service.

-By default the Azure Cognitive Search Cosmos DB Gremlin API indexer will make every vertex in your graph a document in the index. Edges will be ignored. Alternatively, you could set the query to only index the edges.

-Although Cosmos DB indexing is easiest with the [Import data wizard](search-import-data-portal.md), this article uses the REST APIs to explain concepts and steps.

-Unfamiliar with indexers? See [**Create an indexer**](search-howto-create-indexers.md) before you get started.

-1. Set "container" to the collection. The "name" property is required and it specifies the ID of the graph. The "query" property is optional. The query default is `g.V()`. To index the edges, set the query to `g.E()`.

-Indexer configuration specifies the inputs, parameters, and properties controlling run time behaviors.

-1. [Create or update an indexer](/rest/api/searchservice/create-indexer) to use the predefined data source and search index.

- "batchSize": null,

- "maxFailedItems": 0,

- "maxFailedItemsPerBatch": 0,

- "base64EncodeKeys": false,

- "configuration": {}

- },

-## Indexing changed documents

-The purpose of a data change detection policy is to efficiently identify changed data items. Currently, the only supported policy is the [`HighWaterMarkChangeDetectionPolicy`](/dotnet/api/azure.search.documents.indexes.models.highwatermarkchangedetectionpolicy) using the `_ts` (timestamp) property provided by Azure Cosmos DB, which is specified in the data source definition as follows:

-Using this policy is highly recommended to ensure good indexer performance.

-This article shows you how to configure an Azure Cosmos DB [indexer](search-indexer-overview.md) to extract content and make it searchable in Azure Cognitive Search. This workflow creates an Azure Cognitive Search index and loads it with existing text extracted from Azure Cosmos DB using the [MongoDB API](../cosmos-db/choose-api.md#api-for-mongodb).

-Because terminology can be confusing, it's worth noting that [Azure Cosmos DB indexing](../cosmos-db/index-overview.md) and [Azure Cognitive Search indexing](search-what-is-an-index.md) are different operations. Indexing in Cognitive Search creates and loads a search index on your search service.

-Although Cosmos DB indexing is easiest with the [Import data wizard](search-import-data-portal.md), this article uses the REST APIs to explain concepts and steps.

-Unfamiliar with indexers? See [**Create an indexer**](search-howto-create-indexers.md) before you get started.

-Indexer configuration specifies the inputs, parameters, and properties controlling run time behaviors.

-1. [Create or update an indexer](/rest/api/searchservice/create-indexer) to use the predefined data source and search index.

- "batchSize": null,

- "maxFailedItems": 0,

- "maxFailedItemsPerBatch": 0,

- "base64EncodeKeys": false,

- "configuration": {}

- },

-## Indexing changed documents

-The purpose of a data change detection policy is to efficiently identify changed data items. Currently, the only supported policy is the [`HighWaterMarkChangeDetectionPolicy`](/dotnet/api/azure.search.documents.indexes.models.highwatermarkchangedetectionpolicy) using the `_ts` (timestamp) property provided by Azure Cosmos DB, which is specified in the data source definition as follows:

-Using this policy is highly recommended to ensure good indexer performance.

-In this article, learn how to configure an [**indexer**](search-indexer-overview.md) that imports content from Azure Cosmos DB and makes it searchable in Azure Cognitive Search. The workflow creates a search index and loads it with text extracted from Azure Cosmos DB using the [SQL API](../cosmos-db/choose-api.md#coresql-api).

-Because terminology can be confusing, it's worth noting that [Cosmos DB indexing](../cosmos-db/index-overview.md) and [Cognitive Search indexing](search-what-is-an-index.md) are different operations. Indexing in Cognitive Search creates and loads a search index on your search service.

-This article supplements [**Create an indexer**](search-howto-create-indexers.md) with information about settings that are specific to Cosmos DB SQL API. You can create indexers using the [Azure portal](https://portal.azure.com), [Search REST APIs](/rest/api/searchservice/Indexer-operations) or an Azure SDK. This article uses REST to explain each step.

-Indexer configuration specifies the inputs, parameters, and properties controlling run time behaviors.

-1. [Create or update an indexer](/rest/api/searchservice/create-indexer) by giving it a name and referencing the data source and target index.

- "batchSize": null,

- "maxFailedItems": 0,

- "maxFailedItemsPerBatch": 0,

- "base64EncodeKeys": false,

- "configuration": {}

- },

-## Indexing changed documents

-The purpose of a data change detection policy is to efficiently identify changed data items. Currently, the only supported policy is the [`HighWaterMarkChangeDetectionPolicy`](/dotnet/api/azure.search.documents.indexes.models.highwatermarkchangedetectionpolicy) using the `_ts` (timestamp) property provided by Azure Cosmos DB, which is specified in the data source definition as follows:

-Using this policy is highly recommended to ensure good indexer performance.

-If you're using a custom query, make sure that the `_ts` property is projected by the query.

-### Incremental progress and custom queries

-Incremental progress during indexing ensures that if indexer execution is interrupted by transient failures or execution time limit, the indexer can pick up where it left off next time it runs, instead of having to reindex the entire collection from scratch. This is especially important when indexing large collections.

-To enable incremental progress when using a custom query, ensure that your query orders the results by the `_ts` column. This enables periodic check-pointing that Azure Cognitive Search uses to provide incremental progress in the presence of failures.

-In some cases, even if your query contains an `ORDER BY [collection alias]._ts` clause, Azure Cognitive Search may not infer that the query is ordered by the `_ts`. You can tell Azure Cognitive Search that results are ordered by using the `assumeOrderByHighWaterMarkColumn` configuration property. To specify this hint, create or update your indexer as follows:

-Configure a [search indexer](search-indexer-overview.md) to extract content from Azure Database for MySQL and make it searchable in Azure Cognitive Search. The indexer will crawl your MySQL database on Azure, extract searchable data, and index it in Azure Cognitive Search. When configured to include a high water mark and soft deletion, the indexer will take all changes, uploads, and deletes for your MySQL database and reflect these changes in your search index.

-This article supplements [**Create an indexer**](search-howto-create-indexers.md) with information specific to indexing files in Azure DB for MySQL. It uses the REST APIs to demonstrate a three-part workflow common to all indexers: create a data source, create an index, create an indexer. Data extraction occurs when you submit the Create Indexer request.

-## Configure the MySQL indexer

-Once the index and data source have been created, you're ready to create the indexer.

-[Create or Update Indexer](/rest/api/searchservice/create-indexer) specifies the predefined data source and search index.

-```http

-POST https://[search service name].search.windows.net/indexers?api-version=2020-06-30

-{

- "name" : "hotels-mysql-idxr",

- "dataSourceName" : "hotels-mysql-ds",

- "targetIndexName" : "hotels-mysql-ix",

- "disabled": null,

- "schedule": null,

- "parameters": {

- "batchSize": null,

- "maxFailedItems": null,

- "maxFailedItemsPerBatch": null,

- "base64EncodeKeys": null,

- "configuration": { }

- },

- "fieldMappings" : [ ],

- "encryptionKey": null

-}

-```

-By default, the indexer runs when it's created on the search service. You can set "disabled" to true if you want to run the indexer manually.

-You can now [run the indexer](search-howto-run-reset-indexers.md), [monitor status](search-howto-monitor-indexers.md), or [schedule indexer execution](search-howto-schedule-indexers.md).

-To put the indexer on a schedule, set the "schedule" property when creating or updating the indexer. Here is an example of a schedule that runs every 15 minutes.

-PUT https://[search service name].search.windows.net/indexers/hotels-mysql-idxr?api-version=2020-06-30

-Content-Type: application/json

-api-key: [admin-key]

-{

- "dataSourceName" : "hotels-mysql-ds",

- "targetIndexName" : "hotels-mysql-ix",

- "schedule" : {

- "interval" : "PT15M",

- "startTime" : "2022-01-01T00:00:00Z"

-}

-Configure a [search indexer](search-indexer-overview.md) to extract content and metadata from Azure Blob Storage and make it searchable in Azure Cognitive Search.

-Blob indexers are frequently used for both [AI enrichment](cognitive-search-concept-intro.md) and text-based processing. This article focuses on indexers for text-based indexing, where just the textual content and metadata are ingested for full text search scenarios.

-Inputs to the indexer are your blobs, in a single container. Output is a search index with searchable content and metadata stored in individual fields.

-This article supplements [**Create an indexer**](search-howto-create-indexers.md) with information specific to indexing from Blob Storage. It uses the REST APIs to demonstrate a three-part workflow common to all indexers: create a data source, create an index, create an indexer. Data extraction occurs when you submit the Create Indexer request.

-## Configure the blob indexer

-Indexer configuration specifies the inputs, parameters, and properties controlling run time behaviors. The "configuration" section determines what content gets indexed.

-1. [Create or update an indexer](/rest/api/searchservice/create-indexer) to use the predefined data source and search index.

- "batchSize": null,

- "maxFailedItems": null,

- "maxFailedItemsPerBatch": null,

- "base64EncodeKeys": null,

- "configuration:" {

- "indexedFileNameExtensions" : ".pdf,.docx",

- "excludedFileNameExtensions" : ".png,.jpeg",

- "dataToExtract": "contentAndMetadata",

- "parsingMode": "default",

- "imageAction": "none"

- }

-1. See [Create an indexer](search-howto-create-indexers.md) for more information about other properties.

-For the full list of parameter descriptions, see [Blob configuration parameters](/rest/api/searchservice/create-indexer#blob-configuration-parameters) in the REST API.

-Configure a [search indexer](search-indexer-overview.md) to extract content from Azure Table Storage and make it searchable in Azure Cognitive Search.

-This article supplements [**Create an indexer**](search-howto-create-indexers.md) with information specific to indexing from Azure Table Storage. It uses the REST APIs to demonstrate a three-part workflow common to all indexers: create a data source, create an index, create an indexer. Data extraction occurs when you submit the Create Indexer request.

-## Configure the table indexer

-1. [Create or update an indexer](/rest/api/searchservice/create-indexer) to use the predefined data source and search index.

- },

- - [Atlassian Jira Audit data connector](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AtlassianJiraAudit/JiraNativePollerConnector/azuredeploy_Jira_native_poller_connector.json)

-| <a name="networkdirection"></a>**NetworkDirection** | Optional | Enumerated | The direction of the connection or session:<br><br> - For the [EventType](#eventtype) `NetworkSession`, **NetworkDirection** represents the direction relative to the organization or cloud environment boundary. Supported values are `Inbound`, `Outbound`, `Local` (to the organization), `Extenral` (to the organization) or `NA` (Not Applicable).<br><br> - For the [EventType](#eventtype) `EndpointNetworkSession`, **NetworkDirection** represents the direction relative to the endpoint. Supported values are `Inbound`, `Outbound`, `Local` (to the system), 'Listen' or `NA` (Not Applicable). The `Listen` value indicates that a device has started accepting network connections but isn't actually, necessarily, connected. |

-| Microsoft | - AAD<br> - Azure Firewall<br> - Azure File Storage<br> - DNS Server<br> - Microsoft 365 Defender for Endpoint<br> - Microsoft Defender for IoT<br> - NSGFlow <br> - Security Events<br> - Sharepoint 365<br>- Sysmon<br> - Sysmon for Linux<br> - VMConnection<br> - Windows Firewall<br> - WireData <br>

-|**System prerequisites** | **Software**. The SAP data connector deployment script automatically installs software prerequisites. For more information, see [Automatically installed software](#automatically-installed-software). <br><br> **System connectivity**. Ensure that the VM serving as your SAP data connector host has access to: <br>- Microsoft Sentinel <br>- Your Azure key vault <br>- The SAP environment host, via the following TCP ports: *32xx*, *5xx13*, and *33xx*, where *xx* is the SAP instance number. <br><br>Make sure that you also have an SAP user account in order to access the SAP software download page.<br><br>**System architecture**. The SAP solution is deployed on a VM as a Docker container, and each SAP client requires its own container instance. For sizing recommendations, see [Recommended virtual machine sizing](sap-solution-detailed-requirements.md#recommended-virtual-machine-sizing). <br>Your VM and the Microsoft Sentinel workspace can be in different Azure subscriptions, and even different Azure AD tenants.|

-<!--

-

-[X] Make sure you have internet on your Hl2

-[X] User Debug - ARM64 - Device, Debug -> Start Debugging to see logs

-[X] "After closing session you could have a different device on a different day (depending on your anchor expiration), as long as you still have the IDs"

-[X] Tapping will be middle of the hand, not your fingers

-[X] Using Legacy shader since it's included in a default Unity build. Default shaders are only included if part of the scene.

-> [!NOTE]

-> **Data protection** and hierarchical namespace can't be enabled simultaneously.

-

-

-

-

-

- $resourceId -MetricName "UsedCapacity" -TimeGrain 01:00:00

-description: In this quickstart, you learn how to use the Azure Blob storage client library version 12 for JavaScript in a browser. You create a container and an object in Blob storage. Next, you learn how to list all of the blobs in a container. Finally, you learn how to delete blobs and delete a container.

- - [Debugger for Microsoft Edge](https://devblogs.microsoft.com/visualstudio/debug-javascript-in-microsoft-edge-from-visual-studio/)

- - [Debugger for Chrome](https://marketplace.visualstudio.com/items?itemName=msjsdiag.debugger-for-chrome)

- - [Debugger for Firefox](https://marketplace.visualstudio.com/items?itemName=firefox-devtools.vscode-firefox-debug)

-## Setting up

-This section walks you through preparing a project to work with the Azure Blob storage client library v12 for JavaScript.

-In the Azure portal, select your storage account. To define a new CORS rule, navigate to the **Settings** section and select **CORS**. For this quickstart, you create an open CORS rule:

-After you fill in the fields with the values from this table, click the **Save** button.

-### Create a shared access signature

-2. Navigate to the **Security + networking** section and select **Shared access signature**.

-3. Scroll down and click the **Generate SAS and connection string** button.

-4. Scroll down further and locate the **Blob service SAS URL** field

-5. Click the **Copy to clipboard** button at the far-right end of the **Blob service SAS URL** field.

-6. Save the copied URL somewhere for use in an upcoming step.

-### Add the Azure Blob storage client library

-On your local computer, create a new folder called *azure-blobs-js-browser* and open it in Visual Studio Code.

-Select **View > Terminal** to open a console window inside Visual Studio Code. Run the following Node.js Package Manager (npm) command in the terminal window to create a [package.json](https://docs.npmjs.com/files/package.json) file.

-```console

-npm init -y

-```

-The Azure SDK is composed of many separate packages. You can choose which packages you need based on the services you intend to use. Run following `npm` command in the terminal window to install the `@azure/storage-blob` package.

-```console

-npm install --save @azure/storage-blob

-```

-#### Bundle the Azure Blob storage client library

-To use Azure SDK libraries on a website, convert your code to work inside the browser. You do this using a tool called a bundler. Bundling takes JavaScript code written using [Node.js](https://nodejs.org) conventions and converts it into a format that's understood by browsers. This quickstart article uses the [Parcel](https://parceljs.org/) bundler.

-Install Parcel by running the following `npm` command in the terminal window:

-```console

-npm install -g parcel-bundler

-```

-In Visual Studio Code, open the *package.json* file and add a `browserlist` between the `license` and `dependencies` entries. This `browserlist` targets the latest version of three popular browsers. The full *package.json* file should now look like this:

-Save the *package.json* file.

-### Import the Azure Blob storage client library

-To use Azure SDK libraries inside JavaScript, import the `@azure/storage-blob` package. Create a new file in Visual Studio Code containing the following JavaScript code.

-Save the file as *index.js* in the *azure-blobs-js-browser* directory.

-### Implement the HTML page

-Create a new file in Visual Studio Code and add the following HTML code.

-Save the file as *https://docsupdatetracker.net/index.html* in the *azure-blobs-js-browser* folder.

-## Code examples

-The example code shows you how to accomplish the following tasks with the Azure Blob storage client library for JavaScript:

-You'll run the code after you add all the snippets to the *index.js* file.

-### Declare fields for UI elements

-Add the following code to the end of the *index.js* file.

-Save the *index.js* file.

-This code declares fields for each HTML element and implements a `reportStatus` function to display output.

-In the following sections, add each new block of JavaScript code after the previous block.

-### Add your storage account info

-Add code to access your storage account. Replace the placeholder with your Blob service SAS URL that you generated earlier. Add the following code to the end of the *index.js* file.

-Save the *index.js* file.

-### Create client objects

-Create [BlobServiceClient](/javascript/api/@azure/storage-blob/blobserviceclient) and [ContainerClient](/javascript/api/@azure/storage-blob/containerclient) objects for interacting with the Azure Blob storage service. Add the following code to the end of the *index.js* file.

-Save the *index.js* file.

-### Create and delete a storage container

-Create and delete the storage container when you click the corresponding button on the web page. Add the following code to the end of the *index.js* file.

-Save the *index.js* file.

-### List blobs

-List the contents of the storage container when you click the **List files** button. Add the following code to the end of the *index.js* file.

-Save the *index.js* file.

-### Upload blobs

-Upload files to the storage container when you click the **Select and upload files** button. Add the following code to the end of the *index.js* file.

-Save the *index.js* file.

-### Delete blobs

-Delete files from the storage container when you click the **Delete selected files** button. Add the following code to the end of the *index.js* file.

-Save the *index.js* file.

-To run the code inside the Visual Studio Code debugger, configure the *launch.json* file for your browser.

-### Configure the debugger

-To set up the debugger extension in Visual Studio Code:

-1. Select **Run > Add Configuration**

-2. Select **Edge**, **Chrome**, or **Firefox**, depending on which extension you installed in the [Prerequisites](#prerequisites) section earlier.

-Adding a new configuration creates a *launch.json* file and opens it in the editor. Modify the *launch.json* file so that the `url` value is `http://localhost:1234/https://docsupdatetracker.net/index.html`, as shown here:

-After updating, save the *launch.json* file. This configuration tells Visual Studio Code which browser to open and which URL to load.

-### Launch the web server

-To launch the local development web server, select **View > Terminal** to open a console window inside Visual Studio Code, then enter the following command.

-```console

-parcel https://docsupdatetracker.net/index.html

-```

-Parcel bundles your code and starts a local development server for your page at `http://localhost:1234/https://docsupdatetracker.net/index.html`. Changes you make to *index.js* will automatically be built and reflected on the development server whenever you save the file.

-If you receive a message that says **configured port 1234 could not be used**, you can change the port by running the command `parcel -p <port#> https://docsupdatetracker.net/index.html`. In the *launch.json* file, update the port in the URL path to match.

-### Start debugging

-Run the page in the debugger and get a feel for how blob storage works. If any errors occur, the **Status** pane on the web page will display the error message received.

-To open *https://docsupdatetracker.net/index.html* in the browser with the Visual Studio Code debugger attached, select **Run > Start Debugging** or press F5 in Visual Studio Code.

-### Use the web app

-In the [Azure portal](https://portal.azure.com), you can verify the results of the API calls as you follow the steps below.

-#### Step 1 - Create a container

-2. To verify in the Azure portal, select your storage account. Under **Blob service**, select **Containers**. Verify that the new container appears. (You may need to select **Refresh**.)

-#### Step 2 - Upload a blob to the container

-2. In the web app, click **Select and upload files**.

-#### Step 3 - Delete the blob

-#### Step 4 - Delete the container

-### Clean up resources

-Click on the **Terminal** console in Visual Studio Code and press CTRL+C to stop the web server.

-To clean up the resources created during this quickstart, go to the [Azure portal](https://portal.azure.com) and delete the resource group you created in the [Prerequisites](#prerequisites) section.

-description: In this quickstart, you learn how to use the Azure Blob storage client library version 12 for JavaScript to create a container and a blob in Blob (object) storage. Next, you learn how to download the blob to your local computer, and how to list all of the blobs in a container.

-In this quickstart, you learn to manage blobs by using Node.js. Blobs are objects that can hold large amounts of text or binary data, including images, documents, streaming media, and archive data. You'll upload, download, and list blobs, and you'll create and delete containers.

-## Setting up

-This section walks you through preparing a project to work with the Azure Blob storage client library v12 for JavaScript.

-### Create the project

-1. Create a new text file called *package.json*. This file defines the Node.js project. Save this file in the *blob-quickstart-v12* directory. Here is the contents of the file:

- ```json

- {

- "name": "blob-quickstart-v12",

- "version": "1.0.0",

- "description": "Use the @azure/storage-blob SDK version 12 to interact with Azure Blob storage",

- "main": "blob-quickstart-v12.js",

- "scripts": {

- "start": "node blob-quickstart-v12.js"

- },

- "author": "Your Name",

- "license": "MIT",

- "dependencies": {

- "@azure/storage-blob": "^12.0.0",

- "@types/dotenv": "^4.0.3",

- "dotenv": "^6.0.0"

- }

- }

- You can put your own name in for the `author` field, if you'd like.

-### Install the package

-While still in the *blob-quickstart-v12* directory, install the Azure Blob storage client library for JavaScript package by using the `npm install` command. This command reads the *package.json* file and installs the Azure Blob storage client library v12 for JavaScript package and all the libraries on which it depends.

-```console

-npm install

-```

-### Set up the app framework

-From the project directory:

-1. Open another new text file in your code editor

-1. Add `require` calls to load Azure and Node.js modules

-1. Create the structure for the program, including basic exception handling

- Here's the code:

- main().then(() => console.log('Done')).catch((ex) => console.log(ex.message));

-1. Save the new file as *blob-quickstart-v12.js* in the *blob-quickstart-v12* directory.

-## Object model

-Azure Blob storage is optimized for storing massive amounts of unstructured data. Unstructured data is data that does not adhere to a particular data model or definition, such as text or binary data. Blob storage offers three types of resources:

-The following diagram shows the relationship between these resources.

-

-Use the following JavaScript classes to interact with these resources:

-## Code examples

-These example code snippets show you how to perform the following with the Azure Blob storage client library for JavaScript:

-### Get the connection string

-```javascript

-// Retrieve the connection string for use with the application. The storage

-// connection string is stored in an environment variable on the machine

-// running the application called AZURE_STORAGE_CONNECTION_STRING. If the

-// environment variable is created after the application is launched in a

-// console or with Visual Studio, the shell or application needs to be closed

-// and reloaded to take the environment variable into account.

-const AZURE_STORAGE_CONNECTION_STRING = process.env.AZURE_STORAGE_CONNECTION_STRING;

-```

-### Create a container

-Decide on a name for the new container. The code below appends a UUID value to the container name to ensure that it is unique.

-> [!IMPORTANT]

-> Container names must be lowercase. For more information about naming containers and blobs, see [Naming and Referencing Containers, Blobs, and Metadata](/rest/api/storageservices/naming-and-referencing-containers--blobs--and-metadata).

-Create an instance of the [BlobServiceClient](/javascript/api/@azure/storage-blob/blobserviceclient) class by calling the [fromConnectionString](/javascript/api/@azure/storage-blob/blobserviceclient#fromconnectionstring-string--storagepipelineoptions-) method. Then, call the [getContainerClient](/javascript/api/@azure/storage-blob/blobserviceclient#getcontainerclient-string-) method to get a reference to a container. Finally, call [create](/javascript/api/@azure/storage-blob/containerclient#create-containercreateoptions-) to actually create the container in your storage account.

-Add this code to the end of the `main` function:

-```javascript

-// Create the BlobServiceClient object which will be used to create a container client

-const blobServiceClient = BlobServiceClient.fromConnectionString(AZURE_STORAGE_CONNECTION_STRING);

-// Create a unique name for the container

-const containerName = 'quickstart' + uuidv1();

-console.log('\nCreating container...');

-console.log('\t', containerName);

-// Get a reference to a container

-const containerClient = blobServiceClient.getContainerClient(containerName);

-// Create the container

-const createContainerResponse = await containerClient.create();

-console.log("Container was created successfully. requestId: ", createContainerResponse.requestId);

-```

-### Upload blobs to a container

-The following code snippet:

-1. Creates a text string to upload to a blob.

-1. Gets a reference to a [BlockBlobClient](/javascript/api/@azure/storage-blob/blockblobclient) object by calling the [getBlockBlobClient](/javascript/api/@azure/storage-blob/containerclient#getblockblobclient-string-) method on the [ContainerClient](/javascript/api/@azure/storage-blob/containerclient) from the [Create a container](#create-a-container) section.

-1. Uploads the text string data to the blob by calling the [upload](/javascript/api/@azure/storage-blob/blockblobclient#upload-httprequestbody--number--blockblobuploadoptions-) method.

-Add this code to the end of the `main` function:

-```javascript

-// Create a unique name for the blob

-const blobName = 'quickstart' + uuidv1() + '.txt';

-// Get a block blob client

-const blockBlobClient = containerClient.getBlockBlobClient(blobName);

-console.log('\nUploading to Azure storage as blob:\n\t', blobName);

-// Upload data to the blob

-const data = 'Hello, World!';

-const uploadBlobResponse = await blockBlobClient.upload(data, data.length);

-console.log("Blob was uploaded successfully. requestId: ", uploadBlobResponse.requestId);

-```

-### List the blobs in a container

-List the blobs in the container by calling the [listBlobsFlat](/javascript/api/@azure/storage-blob/containerclient#listblobsflat-containerlistblobsoptions-) method. In this case, only one blob has been added to the container, so the listing operation returns just that one blob.

-Add this code to the end of the `main` function:

-```javascript

-console.log('\nListing blobs...');

-// List the blob(s) in the container.

-for await (const blob of containerClient.listBlobsFlat()) {

- console.log('\t', blob.name);

-}

-```

-### Download blobs

-Download the previously created blob by calling the [download](/javascript/api/@azure/storage-blob/blockblobclient#download-undefinednumber--undefinednumber--blobdownloadoptions-) method. The example code includes a helper function called `streamToString`, which is used to read a Node.js readable stream into a string.

-Add this code to the end of the `main` function:

-```javascript

-// Get blob content from position 0 to the end

-// In Node.js, get downloaded data by accessing downloadBlockBlobResponse.readableStreamBody

-// In browsers, get downloaded data by accessing downloadBlockBlobResponse.blobBody

-const downloadBlockBlobResponse = await blockBlobClient.download(0);

-console.log('\nDownloaded blob content...');

-console.log('\t', await streamToString(downloadBlockBlobResponse.readableStreamBody));

-```

-Add this helper function *after* the `main` function:

-```javascript

-// A helper function used to read a Node.js readable stream into a string

-async function streamToString(readableStream) {

- return new Promise((resolve, reject) => {

- const chunks = [];

- readableStream.on("data", (data) => {

- chunks.push(data.toString());

- });

- readableStream.on("end", () => {

- resolve(chunks.join(""));

- });

- readableStream.on("error", reject);

- });

-}

-```

-### Delete a container

-The following code cleans up the resources the app created by removing the entire container using the [ΓÇïdelete](/javascript/api/@azure/storage-blob/containerclient#delete-containerdeletemethodoptions-) method. You can also delete the local files, if you like.

-Add this code to the end of the `main` function:

-```javascript

-console.log('\nDeleting container...');

-// Delete container

-const deleteContainerResponse = await containerClient.delete();

-console.log("Container was deleted successfully. requestId: ", deleteContainerResponse.requestId);

-```

-This app creates a text string and uploads it to Blob storage. The example then lists the blob(s) in the container, downloads the blob, and displays the downloaded data.

-From a console prompt, navigate to the directory containing the *blob-quickstart-v12.js* file, then execute the following `node` command to run the app.

-```console

-node blob-quickstart-v12.js

-```

-The output of the app is similar to the following example:

-```output

-Azure Blob storage v12 - JavaScript quickstart sample

-Creating container...

- quickstart4a0780c0-fb72-11e9-b7b9-b387d3c488da

-Uploading to Azure Storage as blob:

- quickstart4a3128d0-fb72-11e9-b7b9-b387d3c488da.txt

-Listing blobs...

- quickstart4a3128d0-fb72-11e9-b7b9-b387d3c488da.txt

-Downloaded blob content...

- Hello, World!

-Deleting container...

-Done

-```

-Step through the code in your debugger and check your [Azure portal](https://portal.azure.com) throughout the process. Check to see that the container is being created. You can open the blob inside the container and view the contents.

-$userIdentityId = (Get-AzUserAssignedIdentity -Name <user-assigned-identity> -ResourceGroupName <resource-group>).Id

-Previous example uses full path to the file. As an alternative, you can create an external data source with the location that points to the root folder of the storage, and use that data source and the relative path to the file in the `OPENROWSET` function:

-1. Select **+ Create** to create a new disk.

-1. Select **+ Create** to create a new disk.

-1. Select **+ Create** to create a new disk.

-Previous supported driver version for Windows builds up to 1909 is [20.Q4](https://download.microsoft.com/download/f/1/6/f16e6275-a718-40cd-a366-9382739ebd39/AMD-Azure-NVv4-Driver-20Q4.exe) (.exe)

-### InsideyYour application

-For the HANA certified VMs of the Azure [Esv3](../../ev3-esv3-series.md?toc=/azure/virtual-machines/linux/toc.json&bc=/azure/virtual-machines/linux/breadcrumb/toc.json#esv3-series) family and the [Edsv4](../../edv4-edsv4-series.md?toc=/azure/virtual-machines/linux/toc.json&bc=/azure/virtual-machines/linux/breadcrumb/toc.json#edsv4-series), you need to ANF for the **/hana/data** and **/hana/log** volume. Or you need to leverage Azure Ultra disk storage instead of Azure premium storage only for the **/hana/log** volume. As a result, the configurations for the **/hana/data** volume on Azure premium storage could look like:

-| E20ds_v4 | 160 GiB | 480 MBps | 3 x P10 | 300 MBps | 510 MBps | 1,500 | 10,500 |

-| E64ds_v4 | 504 GiB | 1,200 MBps | 3 x P15 | 375 MBps | 510 MBps | 3,300 | 10,500 |

-| E64ds_v4 | 504 GiB | 1,200 MBps | 256 GB | 250 MBps | 1,800 | 1 x P20 | 1 x P6 | 1 x P6 |

->The following command works for Az.Network module version 4.5.0 or later. For more information about the Powershell modules currently being used, please refer to the [PowerShellGet documentation](/powershell/module/powershellget/).

-The following table includes links to Azure Powershell scripts:

-To use this feature specify a Service Tag name for the address prefix parameter in route table commands. For example, in Powershell you can create a new route to direct traffic sent to an Azure Storage IP prefix to a virtual appliance by using: </br></br>

-> While in Public Preview, there are several limitations. The feature is not currently supported in the Azure Portal and is only available through Powershell and CLI. There is no support for use with containers.

-# Use Powershell to configure a VNet-to-VNet VPN gateway connection

-Point-to-Site connections use certificates to authenticate. This article shows you how to create a self-signed root certificate and generate client certificates using the Linux CLI and strongSwan. If you are looking for different certificate instructions, see the [Powershell](vpn-gateway-certificates-point-to-site.md) or [MakeCert](vpn-gateway-certificates-point-to-site-makecert.md) articles. For information about how to install strongSwan using the GUI instead of CLI, see the steps in the [Client configuration](point-to-site-vpn-client-configuration-azure-cert.md#install) article.