-An *access token* contains claims that you can use in Azure Active Directory B2C (Azure AD B2C) to identify the granted permissions to your APIs. When calling a resource server, an access token must be present in the HTTP request. An access token is denoted as **access_token** in the responses from Azure AD B2C.

-> **Web API chains (On-Behalf-Of) is not supported by Azure AD B2C.** - Many architectures include a web API that needs to call another downstream web API, both secured by Azure AD B2C. This scenario is common in clients that have a web API back end, which in turn calls a another service. This chained web API scenario can be supported by using the OAuth 2.0 JWT Bearer Credential grant, otherwise known as the On-Behalf-Of flow. However, the On-Behalf-Of flow is not currently implemented in Azure AD B2C. Although On-Behalf-Of works for applications registered in Azure AD, it does not work for applications registered in Azure AD B2C, regardless of the tenant (Azure AD or Azure AD B2C) that is issuing the tokens.

-To request an access token, you need an authorization code. Below is an example of a request to the `/authorize` endpoint for an authorization code.

-In the following example, you replace these values in the query string:

-This is the interactive part of the flow, where you take action. You're asked to complete the user flow's workflow. This might involve entering your username and password in a sign in form or any other number of steps. The steps you complete depend on how the user flow is defined.

-After successfully receiving the authorization code, you can use it to request an access token. Note that the parameters are in the body of the HTTP POST request:

-If you're testing this POST HTTP request, you can use any HTTP client such as [Microsoft PowerShell](/powershell/scripting/overview) or [Postman](https://www.postman.com/).

-To enable your app to sign in with Azure AD B2C and call a web API, you must register two applications in the Azure AD B2C directory:

-* [Visual Studio Code](https://code.visualstudio.com/) or another code editor.

-1. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the **Directories + subscriptions** icon in the portal toolbar.

-1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**.

-You're now ready to test the Angular scoped access to the API. In this step, run both the web API and the sample Angular application on your local machine. Then, log in to the Angular application, and select the **TodoList** button to start a request to the protected API.

-1. Complete the sign-up or login process.

-1. Upon successful login, you should see your profile. From the menu, select **TodoList**.

-* [Enable authentication in your own web API](enable-authentication-web-api.md)

-Your custom page content can contain any HTML elements, including CSS and JavaScript, but cannot include insecure elements like iframes. The only required element is a div element with `id` set to `api`, such as this one `<div id="api"></div>` within your HTML page.

-| Sign-in (only)| The sign-in page is also known as the *Identity provider selection*. It handles the user sign-in with local account, or federated identity providers. Use this page to allow sign-in without the ability to sign-up. For example before user can edit their profile. | [Classic](https://login.microsoftonline.com/static/tenant/default/idpSelector.cshtml), [Ocean Blue](https://login.microsoftonline.com/static/tenant/templates/AzureBlue/idpSelector.cshtml), and [Slate Gray](https://login.microsoftonline.com/static/tenant/templates/MSA/idpSelector.cshtml).

-* `imprint` - Default class that is used when the current language is neither English nor German.

-Content can be pulled from different places based on the locale that's used. In your CORS-enabled endpoint, you set up a folder structure to host content for specific languages. You'll call the right one if you use the wildcard value `{Culture:RFC5646}`.

-1. Copy the following HTML snippet. It is well-formed HTML5 with an empty element called *\<div id="api"\>\</div\>* located within the *\<body\>* tags. This element indicates where Azure AD B2C content is to be inserted.

-To host your HTML content in Blob storage, perform the following steps:

-1. Select **Create** to create the storage account. After the deployment is completed, the storage account page opens automatically or select **Go to resource**.

-1. In web browser, navigate to the URL you copied to verify the blob you uploaded is accessible. If it is inaccessible, for example if you encounter a `ResourceNotFound` error, make sure the container access type is set to **blob**.

-To configure UI customization, copy the **ContentDefinition** and its child elements from the base file to the extensions file.

-1. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the **Directories + subscriptions** icon in the portal toolbar.

-1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**.

-This article describes ways you can customize and enhance the Azure Active Directory B2C (Azure AD B2C) authentication experience for your Angular single-page application (SPA). Before you start, familiarize yourself with the article [Configure authentication in an Angular SPA](configure-authentication-sample-angular-spa-app.md) or [Enable authentication in your own Angular SPA](enable-authentication-angular-spa-app.md).

-## Sign-in and sign-out behavior

- - To sign out with redirection, in the `src/app/app.component.ts` class, use the `logoutRedirect` method. Configure the URI to which it should redirect after sign-out by setting `postLogoutRedirectUri`. This URI should be registered as a redirect URI in your application registration.

-Review the prerequisites and integration steps in the [Configure authentication in a sample Angular single-page application](configure-authentication-sample-angular-spa-app.md) article.

-Public client applications are not trusted to safely keep application secrets, so they don't have client secrets. In the *src/app* folder, open *app.module.ts* and make the following changes:

-The claims in ID tokens are not returned in any particular order. New claims can be introduced in ID tokens at any time. Your application shouldn't break as new claims are introduced. You can also include [custom user attributes](user-flow-custom-attributes.md) in your claims.

-| Authentication time | `auth_time` | `1438535543` | The time at which a user last entered credentials, represented in epoch time. There is no discrimination between that authentication being a fresh sign-in, a single sign-on (SSO) session, or another sign-in type. The `auth_time` is the last time the application (or user) initiated an authentication attempt against Azure AD B2C. The method used to authenticate isn't differentiated. |

-In the [Add claims and customize user input using custom policies](configure-user-input.md) article you learn how to use built-in [user profile attributes](user-profile-attributes.md). In this article, you enable a custom attribute in your Azure Active Directory B2C (Azure AD B2C) directory. Later, you can use the new attribute as a custom claim in [user flows](user-flow-overview.md) or [custom policies](user-flow-overview.md) simultaneously.

-1. Make sure you're using the directory that contains your Azure AD B2C tenant by switching to it in the top-right corner of the Azure portal. Select your subscription information, and then select **Switch Directory**.

-The custom attribute is now available in the list of **User attributes** and for use in your user flows. A custom attribute is only created the first time it is used in any user flow, and not when you add it to the list of **User attributes**.

-Extension attributes can only be registered on an application object, even though they might contain data for a user. The extension attribute is attached to the application called `b2c-extensions-app`. Do not modify this application, as it's used by Azure AD B2C for storing user data. You can find this application under Azure AD B2C, app registrations.

-1. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the **Directories + subscriptions** icon in the portal toolbar.

-1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**.

-1. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the **Directories + subscriptions** icon in the portal toolbar.

-1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**.

-To enable custom attributes in your policy, provide **Application ID** and Application **Object ID** in the AAD-Common technical profile metadata. The *AAD-Common* technical profile is found in the base [Azure Active Directory](active-directory-technical-profile.md) technical profile, and provides support for Azure AD user management. Other Azure AD technical profiles include the AAD-Common to leverage its configuration. Override the AAD-Common technical profile in the extension file.

-1. Make sure you're using the directory that contains your Azure B2C AD tenant. Select the **Directories + subscriptions** icon in the portal toolbar.

-1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**.

-> The first time the Azure AD technical profile persists the claim to the directory, it checks whether the custom attribute exists. If not, it creates the custom attribute.

-Custom attributes (directory extensions) in the Microsoft Graph API are named by using the convention `extension_{appId-without-hyphens}_{extensionProperty-name}` where `{appId-without-hyphens}` is the stripped version of the **appId** (called Client ID on the Azure AD B2C portal) for the `b2c-extensions-app` with only characters 0-9 and A-Z. For example, if the **appId** of the `b2c-extensions-app` application is `25883231-668a-43a7-80b2-5685c3f874bc` and the attribute name is `loyaltyId`, then the custom attribute will be named `extension_25883231668a43a780b25685c3f874bc_loyaltyId`.

-Use the following steps to remove a custom attribute from a user flow in your:

-Follow the guidance for how to [add claims and customize user input using custom policies](configure-user-input.md). This sample uses a built-in claim 'city'. To use a custom attribute, replace 'city' with your own custom attributes.

-[powershell-script]: https://www.powershellgallery.com/packages/Migrate-Aadds/

-[associate-azure-ad-tenant]: ../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md

-[New-AzResourceGroupDeployment]: /powershell/module/Az.Resources/New-AzResourceGroupDeployment

-The only acceptable TLS protocol versions are TLS 1.2 and TLS 1.3. No other versions of TLS are permitted. No version of SSL is permitted.

-For more information on HTTPS in ASP.NET Core use the following link:

-Requests from Azure AD Provisioning Service include an OAuth 2.0 bearer token. The bearer token is a security token that's issued by an authorization server, such as Azure AD and is trusted by your application. You can configure the Azure AD provisions service to use one of the following tokens:

- - In the token, the issuer is identified by an `iss` claim. For example, `"iss":"https://sts.windows.net/12345678-0000-0000-0000-000000000000/"`. In this example, the base address of the claim value, `https://sts.windows.net` identifies Azure AD as the issuer, while the relative address segment, _12345678-0000-0000-0000-000000000000_, is a unique identifier of the Azure AD tenant for which the token was issued.

-| physicalIds | Contains, NotContains | As an example all Windows Autopilot devices store ZTDId (a unique value assigned to all imported Windows Autopilot devices) in device physicalIds property. | (device.devicePhysicalIDs -contains "[ZTDId]:value") |

-#Customer intent: As an application developer, I want to learn how to access data in Microsoft Graph by using managed identities.

-> [Clean up resources](multi-service-web-app-clean-up-resources.md))

-* If you can't reactivate or regain control of your domain name immediately, you should delete it from your Azure AD tenant. Dom't readd/re-verify until you are able to resolve ownership of the domain name and verify the full TXT record for correctness.

-description: This topic describes four steps hybrid identity customers can take to build a strong identity foundation.

-Managing access to apps and data can no longer rely on the traditional network security boundary strategies such as perimeter networks and firewalls because of the rapid movement of apps to the cloud. Now organizations must trust their identity solution to control who and what has access to the organization's apps and data. More organizations are allowing employees to bring their own devices to work and use their devices from anywhere they can connect to the Internet. Ensuring those devices are compliant and secure has become an important consideration in the identity solution an organization chooses to implement. In today's digital workplace, [identity is the primary control plane](https://www.microsoft.com/security/technology/identity-access-management?rtc=1) of any organization moving to the cloud.

-In adopting an Azure Active Directory (Azure AD) hybrid identity solution, organizations gain access to premium features that unlock productivity through automation, delegation, self-service, and single sign-on capabilities. It allows your workers to access company resources from wherever they need to do their work while allowing your IT team to govern that access by ensuring that the right people have the right access to the right resources to establish secure productivity.

-Based on our learnings, this checklist of best practices will help you quickly deploy recommended actions to build a *strong* identity foundation in your organization:

-By connecting your apps with Azure AD, you can improve end-user productivity and security by enabling single sign-on (SSO) and do user provisioning. By managing your apps in a single place, Azure AD, you can minimize administrative overhead and achieve a single point of control for your security and compliance policies.

-Azure AD enables administrators to [add applications](../manage-apps/add-application-portal.md) to the Enterprise applications gallery in the [Azure portal](https://portal.azure.com/). Adding applications to the Enterprise applications gallery makes it easier for you to configure applications to use Azure AD as your identity provider. It also lets you manage user access to the application with Conditional Access policies and configure single sign-on (SSO) to applications so that users don't have to enter their passwords repeatedly and are automatically signed into both on-premises and cloud-based applications.

-Once applications are added to the Azure AD gallery, users can see apps that are assigned to them and search and request other apps as needed. Azure AD provides [several methods](../manage-apps/end-user-experiences.md) for users to access their apps:

-* Access panel/My Apps

-To learn more about user access to apps, see **Step 3 -- Empower Your Users** in this article.

-To learn more, see the [Migrating Your Applications to Azure Active Directory](https://aka.ms/migrateapps/whitepaper) whitepaper.

-[Azure AD Application Proxy](../app-proxy/what-is-application-proxy.md) provides a simple solution for organizations to publish on-premises apps to the cloud for remote users who need access to internal apps in a secure manner. After a single sign-on to Azure AD, users can access both cloud and on-premises applications through external URLs or an internal application portal.

-* No components in the perimeter network such as VPN and traditional reverse proxy solutions

-In modern enterprises, IT departments are often not aware of all the cloud applications that are used by the users to do their work. When IT admins are asked how many cloud apps they think their employees use, on average they say 30 or 40. In reality, the average is over 1,000 separate apps being used by employees in your organization. 80% of employees use non-sanctioned apps that no one has reviewed and may not be compliant with your security and compliance policies.

-[Microsoft Defender for Cloud Apps](/cloud-app-security/what-is-cloud-app-security) can help you identify useful apps that are popular with users that IT may sanction and add to the Enterprise applications gallery so that users benefit from capabilities such as SSO and Conditional Access.

-In addition to detecting shadow IT, Defender for Cloud Apps can also determine the risk level of apps, prevent unauthorized access to corporate data, possible data leakage, and other security risks inherent in the applications.

-Bringing on-premises and cloud-based directories together in an Azure AD hybrid identity solution will allow you to reuse your existing on-premises Active Directory investment by provisioning your existing identities in the cloud. The solution synchronizes on-premises identities with Azure AD, while IT keeps the on-premises Active Directory running with any existing governance solutions as the primary source of truth for identities. Microsoft's Azure AD hybrid identity solution spans on-premises and cloud-based capabilities, creating a common user identity for authentication and authorization to all resources regardless of their location.

-Integrating your on-premises directories with Azure AD makes your users more productive and prevents users from using multiple accounts across apps and services by providing a common identity for accessing both cloud and on-premises resources. Using multiple accounts is a pain point for end users and IT alike. From an end-user perspective, having multiple accounts means having to remember multiple passwords. To avoid this, many users reuse the same password for each account, which is bad from a security perspective. From an IT perspective, reuse often leads to more password resets and helpdesk costs along with the end-user complaints.

-Azure AD Connect is the tool that is used for to sync your on-premises identities to Azure AD, which can then be used to access cloud applications. Once the identities are in Azure AD, they can provision to SaaS applications like Salesforce or Concur.

-Azure AD Connect plays a key role in the provisioning process. If the Sync Server goes offline for any reason, changes to on-premises won't be updated in the cloud and cause access issues to users. It's important to define a failover strategy that allows administrators to quickly resume synchronization after the sync server goes offline.

-To provide high availability in the event your primary Azure AD Connect server goes offline, it's recommended that you deploy a separate [staging server](./how-to-connect-sync-staging-server.md) for Azure AD Connect. Deploying a server allows the administrator to "promote" the staging server to production by a simple configuration switch. Having a standby server configured in staging mode also allows you to test and deploy new configuration changes and introduce a new server if decommissioning the old one.

-The simplest and recommended method for enabling cloud authentication for on-premises directory objects in Azure AD is to enable [Password Hash Synchronization](./how-to-connect-password-hash-synchronization.md) (PHS). Alternatively, some organizations may consider enabling [Pass-through Authentication](./how-to-connect-pta-quick-start.md) (PTA).

-Whether you choose PHS or PTA, don't forget to enable [Seamless Single Sign-on](./how-to-connect-sso.md) to allow users to access cloud apps without constantly entering their username and password in the app when using Windows 7 and 8 devices on your corporate network. Without single sign-on, users must remember application-specific passwords and sign into each application. Likewise, IT staff needs to create and update user accounts for each application such as Microsoft 365, Box, and Salesforce. Users need to remember their passwords, plus spend the time to sign into each application. Providing a standardized single sign-on mechanism to the entire enterprise is crucial for best user experience, reduction of risk, ability to report, and governance.

-For organizations already using AD FS or another on-premises authentication provider, moving to Azure AD as your identity provider can reduce complexity and improve availability. Unless you have specific use cases for using federation, we recommend migrating from federated authentication to either PHS and Seamless SSO or PTA and Seamless SSO to enjoy the benefits of a reduced on-premises footprint and the flexibility the cloud offers with improved user experiences. For more information, see [Migrate from federation to password hash synchronization for Azure Active Directory](./migrate-from-federation-to-cloud-authentication.md).

-Enabling automated provisioning and deprovisioning to your applications is the best strategy for governing the lifecycle of identities across multiple systems. Azure AD supports [automated, policy-based provisioning and deprovisioning](../app-provisioning/configure-automatic-user-provisioning-portal.md) of user accounts to a variety of popular SaaS applications such as ServiceNow and Salesforce, and others that implement the [SCIM 2.0 protocol](../app-provisioning/use-scim-to-provision-users-and-groups.md). Unlike traditional provisioning solutions, which require custom code or manual uploading of CSV files, the provisioning service is hosted in the cloud, and features pre-integrated connectors that can be set up and managed using the Azure portal. A key benefit of automatic deprovisioning is that it helps secure your organization by instantly removing users' identities from key SaaS apps when they leave the organization.

-In today's digital workplace, it's important to balance security with productivity. However, end users often push back on security measures that slow their productivity and access to cloud apps. To help address this, Azure AD provides self-service capabilities that enable users to remain productive while minimizing administrative overhead.

-By default, Azure AD unlocks accounts when it performs a password reset. However, when you enable Azure AD Connect [integration on-premises](../authentication/concept-sspr-howitworks.md#on-premises-integration), you also have the option to separate those two operations, which enable users to unlock their account without having to reset the password.

-Azure provides reports that can be used by you and your organization to ensure users are registered for MFA and SSPR. Users who haven't registered may need to be educated on the process.

-Before your users can self-discover applications from their access panel, you need to enable [self-service application access](../manage-apps/access-panel-manage-self-service-access.md) to any applications that you wish to allow users to self-discover and request access to. Self-service application access is a great way to allow users to self-discover applications and optionally allow the business group to approve access to those applications. You can allow the business group to manage the credentials assigned to those users for [Password Single-Sign On Applications](../manage-apps/troubleshoot-password-based-sso.md#automatically-capture-sign-in-fields-for-an-app) right from their access panels.

-Azure AD provides the ability to manage access to resources using security groups and Microsoft 365 groups. These groups can be managed by a group owner who can approve or deny membership requests and delegate control of group membership. Known as [self-service group management](../enterprise-users/groups-self-service-management.md), this feature saves time by allowing group owners who aren't assigned an administrative role to create and manage groups without having to rely on administrators to handle their requests.

-Security logs and reports provide you with an electronic record of suspicious activities and help you detect patterns that may indicate attempted or successful external penetration of the network, and internal attacks. You can use auditing to monitor user activity, document regulatory compliance, do forensic analysis, and more. Alerts provide notifications of security events.

-As you think about your approach to operations, there are a couple levels of administration to consider. The first level places the burden of administration on your Hybrid Identity Administrator(s). Always using the Hybrid Identity Administrator role, might be appropriate for smaller companies. But for larger organizations with help desk personnel and administrators responsible for specific tasks, assigning the role of Hybrid Identity Administrator can be a security risk since it provides those individuals with the ability to manage tasks that are above and beyond what they should be capable of doing.

-Organizations that don't have a SIEM solution can download the [Power BI Content Pack](../reports-monitoring/howto-use-azure-monitor-workbooks.md) for Azure AD. The Power BI content pack contains pre-built reports to help you understand how your users adopt and use Azure AD features, which allows you to gain insights into all the activities within your directory. You can also create your own [custom dashboard](/power-bi/service-dashboards) and share with your leadership team to report on day-to-day activities. Dashboards are a great way to monitor your business and see all of your most important metrics at a glance. The visualizations on a dashboard may come from one underlying dataset or many, and from one underlying report or many. A dashboard combines on-premises and cloud data, providing a consolidated view regardless of where the data lives.

-

-If you don't observe a reduction in support calls, we recommend that you analyze your support call drivers in an attempt to confirm if SSPR or self-service application access has been configured correctly or if there are any other new issues that can be systematically addressed.

-There are many aspects to implementing a hybrid Identity solution, but this four-step checklist will help you quickly accomplish an identity infrastructure that will enable users to be more productive and secure.

-Learn how the identity features in Azure AD can help you accelerate your transition to cloud governed management by providing the solutions and capabilities that allow organizations to quickly adopt and move more of their identity management from traditional on-premises systems to Azure AD - [How Azure AD Delivers Cloud Governed Management for On-Premises Workloads](./cloud-governed-management-for-on-premises.md).

-7. Create a **public** GitHub Repository, add the following config and commit the change.

-Select a [deployment scenario](f5-aad-integration.md) and start your implementation.

-description: Learn how to automatically provision and de-provision user accounts from Azure AD to Facebook Work Accounts.

-# Tutorial: Configure Facebook Work Accounts for automatic user provisioning

-This tutorial describes the steps you need to perform in both Facebook Work Accounts and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Facebook Work Accounts](https://work.facebook.com) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).

-> * Create users in Facebook Work Accounts

-> * Remove users in Facebook Work Accounts when they do not require access anymore

-> * Keep user attributes synchronized between Azure AD and Facebook Work Accounts

-> * Single sign-on to Facebook Work Accounts (recommended)

-1. Determine what data to [map between Azure AD and Facebook Work Accounts](../app-provisioning/customize-application-attributes.md).

-## Step 2. Add Facebook Work Accounts from the Azure AD application gallery

-Add Facebook Work Accounts from the Azure AD application gallery to start managing provisioning to Facebook Work Accounts. If you have previously setup Facebook Work Accounts for SSO, you can use the same application. However it is recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md).

-## Step 4. Configure automatic user provisioning to Facebook Work Accounts

-### To configure automatic user provisioning for Facebook Work Accounts in Azure AD:

-1. In the applications list, select **Facebook Work Accounts**.

-1. Under the **Admin Credentials** section, click on **Authorize**. You will be redirected to **Facebook Work Accounts**'s authorization page. Input your Facebook Work Accounts username and click on the **Continue** button. Click **Test Connection** to ensure Azure AD can connect to Facebook Work Accounts. If the connection fails, ensure your Facebook Work Accounts account has Admin permissions and try again.

- :::image type="content" source="media/facebook-work-accounts-provisioning-tutorial/azure-connect.png" alt-text="Screenshot shows the Facebook Work Accounts authorization page.":::

-1. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to Facebook Work Accounts**.

-1. Review the user attributes that are synchronized from Azure AD to Facebook Work Accounts in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Facebook Work Accounts for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you will need to ensure that the Facebook Work Accounts API supports filtering users based on that attribute. Select the **Save** button to commit any changes.

-1. To enable the Azure AD provisioning service for Facebook Work Accounts, change the **Provisioning Status** to **On** in the **Settings** section.

-1. Define the users and/or groups that you would like to provision to Facebook Work Accounts by choosing the desired values in **Scope** in the **Settings** section.

-description: Learn how to configure single sign-on between Azure Active Directory and HawkeyeBSB.

-# Azure Active Directory SSO integration with HawkeyeBSB

-In this article, you'll learn how to integrate HawkeyeBSB with Azure Active Directory (Azure AD). HawkeyeBSB was developed by Redbridge Debt & Treasury Advisory to help Clients manage their bank fees. When you integrate HawkeyeBSB with Azure AD, you can:

-* Control in Azure AD who has access to HawkeyeBSB.

-* Enable your users to be automatically signed-in to HawkeyeBSB with their Azure AD accounts.

-You'll configure and test Azure AD single sign-on for HawkeyeBSB in a test environment. HawkeyeBSB supports both **SP** and **IDP** initiated single sign-on.

-To integrate Azure Active Directory with HawkeyeBSB, you need:

-* HawkeyeBSB single sign-on (SSO) enabled subscription.

-Before you begin the process of configuring single sign-on, you need to add the HawkeyeBSB application from the Azure AD gallery. You need a test user account to assign to the application and test the single sign-on configuration.

-### Add HawkeyeBSB from the Azure AD gallery

-Add HawkeyeBSB from the Azure AD application gallery to configure single sign-on with HawkeyeBSB. For more information on how to add application from the gallery, see the [Quickstart: Add application from the gallery](../manage-apps/add-application-portal.md).

-1. In the Azure portal, on the **HawkeyeBSB** application integration page, find the **Manage** section and select **single sign-on**.

- > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [HawkeyeBSB Client support team](mailto:casemanagement@redbridgedta.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

-1. On the **Set up HawkeyeBSB** section, copy the appropriate URL(s) based on your requirement.

-## Configure HawkeyeBSB SSO

-To configure single sign-on on **HawkeyeBSB** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [HawkeyeBSB support team](mailto:casemanagement@redbridgedta.com). They set this setting to have the SAML SSO connection set properly on both sides.

-### Create HawkeyeBSB test user

-In this section, you create a user called Britta Simon at HawkeyeBSB. Work with [HawkeyeBSB support team](mailto:casemanagement@redbridgedta.com) to add the users in the HawkeyeBSB platform. Users must be created and activated before you use single sign-on.

-1. Click on **Test this application** in Azure portal. This will redirect to HawkeyeBSB Sign-on URL where you can initiate the login flow.

-1. Go to HawkeyeBSB Sign-on URL directly and initiate the login flow from there.

-1. Click on **Test this application** in Azure portal and you should be automatically signed in to the HawkeyeBSB for which you set up the SSO.

-1. You can also use Microsoft My Apps to test the application in any mode. When you click the HawkeyeBSB tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the HawkeyeBSB for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-Once you configure HawkeyeBSB you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

-# Tutorial: Azure Active Directory integration with Infinite Campus

-In this tutorial, you'll learn how to integrate Infinite Campus with Azure Active Directory (Azure AD). When you integrate Infinite Campus with Azure AD, you can:

- Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides)

- 1. **[Create Infinite Campus test user](#create-infinite-campus-test-user)** - to have a counterpart of B.Simon in Infinite Campus that is linked to the Azure AD representation of user.

-4. On the Basic SAML Configuration section, perform the following steps (note that the domain will vary with Hosting Model, but the **FULLY-QUALIFIED-DOMAIN** value must match your Infinite Campus installation):

-In this section, you'll create a test user in the Azure portal called B.Simon.

-In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Infinite Campus.

-1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

-1. In a different web browser window, sign in to Infinite Campus as a Security Administrator.

-2. On the left side of menu, click **System Administration**.

- 

-3. Navigate to **User Security** > **SAML Management** > **SSO Service Provider Configuration**.

- 

-4. On the **SSO Service Provider Configuration** page, perform the following steps:

- 

- a. Select **Enable SAML Single Sign On**.

- b. Edit the **Optional Attribute Name** to contain **name**.

- c. On the **Select an option to retrieve Identity Provider (IDP) server data** section, select **Metadata URL**, paste the **App Federation Metadata Url** value, which you have copied from the Azure portal in the box, and then click **Sync**.

- d. After clicking **Sync** the values get auto-populated in **SSO Service Provider Configuration** page. These values can be verified to match the values seen in Step 4 above.

- e. Click **Save**.

-### Create Infinite Campus test user

-Infinite Campus has a demographics centered architecture. Please contact [Infinite Campus support team](mailto:sales@infinitecampus.com) to add the users in the Infinite Campus platform.

-## Test SSO

-In this section, you test your Azure AD single sign-on configuration with following options.

-* Click on **Test this application** in Azure portal. This will redirect to Infinite Campus Sign-on URL where you can initiate the login flow.

-* Go to Infinite Campus Sign-on URL directly and initiate the login flow from there.

-* You can use Microsoft My Apps. When you click the Infinite Campus tile in the My Apps, this will redirect to Infinite Campus Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

-# Tutorial: Azure Active Directory single sign-on (SSO) integration with zeroheight

-In this tutorial, you'll learn how to integrate zeroheight with Azure Active Directory (Azure AD). When you integrate zeroheight with Azure AD, you can:

- > These values are not real. Update these values with the actual Identifier and Reply URL. Contact [zeroheight Client support team](mailto:support@zeroheight.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

-To configure single sign-on on **zeroheight** side, you need to send the **App Federation Metadata Url** to [zeroheight support team](mailto:support@zeroheight.com). They set this setting to have the SAML SSO connection set properly on both sides.

-[enable-azure-ad-integration-existing-cluster]: managed-aad.md#enable-aks-managed-azure-ad-integration-on-your-existing-cluster

-> [!NOTE]

-> Azure Blob CSI driver only supports NFS 3.0 protocol for Kubernetes versions 1.25 on AKS.

-The overlay solution has the following limitations:

-* Overlay can be enabled only for new clusters. Existing (already deployed) clusters can't be configured to use overlay.

-1. The cluster must use Azure CNI without the pod subnet feature.

-1. The cluster is _not_ using network policies.

-1. The Overlay Pod CIDR needs to be an address range that _does not_ overlap with the existing cluster's VNet.

-[az-feature-show]: /cli/azure/feature#az-feature-show

-[customer-usage-attribution]: ../marketplace/azure-partner-customer-usage-attribution.md

-|fsType | File System Type | `ext4`, `ext3`, `ext2`, `xfs`| Yes | `ext4` for Linux|

-|accountAccessTier | [Access tier for storage account][access-tiers-overview] | Standard account can choose `Hot` or `Cool`, and Premium account can only choose `Premium`. | No | Empty. Use default setting for different storage account types. |

-[baseline-reference-architecture-aks]: /azure/architecture/reference-architectures/containers/aks/baseline-aks

-[arc-k8s-regions]: https://azure.microsoft.com/global-infrastructure/services/?products=azure-arc&regions=all

-[az-feature-show]: /cli/azure/feature#az-feature-show

-[az-ad-group-show]: /cli/azure/ad/group#az_ad_group_show

-[az-provider-register]: /cli/azure/provider#az-provider-register

-[marketplace-troubleshoot]: /troubleshoot/azure/azure-kubernetes/troubleshoot-failed-kubernetes-deployment-offer

-[alb-outbound-rules]: ../load-balancer/outbound-rules.md

-description: Learn a cluster operator's best practices to achieve maximum uptime for your applications, providing high availability and preparing for disaster recovery in Azure Kubernetes Service (AKS).

-> * Route traffic across multiple clusters by using Azure Traffic Manager.

- * Choose regions close to your users.

- * AKS platform updates (planned maintenance) are serialized with a delay of at least 24 hours between paired regions.

- * Recovery efforts for paired regions are prioritized where needed.

- * Do you want to run both regions at the same time, with one region *ready* to start serving traffic? Or,

-* Session affinity

->

-To deploy and run your applications in AKS, you need a way to store and pull the container images. Container Registry integrates with AKS, so it can securely store your container images or Helm charts. Container Registry supports multimaster geo-replication to automatically replicate your images to Azure regions around the world.

-To improve performance and availability:

-1. Use Container Registry geo-replication to create a registry in each region where you have an AKS cluster.

-1. Each AKS cluster then pulls container images from the local container registry in the same region:

-When you use Container Registry geo-replication to pull images from the same region, the results are:

->

-[start-azakscluster]: /powershell/module/az.aks/start-azakscluster

-[gitops-flux-tutorial-aks]: ../azure-arc/kubernetes/tutorial-use-gitops-flux2.md?toc=/azure/aks/toc.json#for-azure-kubernetes-service-clusters

-[drain-nodes]: resize-node-pool.md#drain-the-existing-nodes

-|`azure.workload.identity/proxy-sidecar-port` |Represents the port of the proxy sidecar. |8080 |

-|Azure Event Hubs | [Trused-access-to-azure-event-hub](../event-hubs/event-hubs-ip-filtering.md#trusted-microsoft-services)|

-[ConfigureSSL]: ../../app-service/configure-ssl-certificate.md

-For the deployment type, you can choose *single zone*, *zone redundant*, or *host group*. The single zone is available in all regions where App Service Environment v3 is available. With the single zone deployment type, you have a minimum charge in your App Service plan of one instance of Windows Isolated v2. As soon as you've one or more instances, then that charge goes away. It isn't an additive charge.

-3. From the **Hosting** tab, for **Physical hardware isolation**, select **Enabled** or **Disabled**. If you enable this option, you can deploy onto dedicated hardware. With a dedicated host deployment, you're charged for two dedicated hosts per our pricing when you create the App Service Environment v3 and then, as you scale, you're charged a specialized Isolated v2 rate per vCore. I1v2 uses two vCores, I2v2 uses four vCores, and I3v2 uses eight vCores per instance.

-* *zoneRedundant*: Optional. Defines with true/false if the App Service Environment will be deployed into Availability Zones (AZ). For more information, see [zone redundancy](./zone-redundancy.md).

-#Customer intent: As an application developer, I want to learn how to access data in Microsoft Graph by using managed identities.

-#Customer intent: As an application developer, I want to learn how to access data in Microsoft Graph by using managed identities.

-* Explore the [Immersive Reader SDK](https://github.com/microsoft/immersive-reader-sdk) and the [Immersive Reader SDK Reference](./reference.md)

-* To learn how to troubleshoot your Hybrid Runbook Workers, see [Troubleshoot Hybrid Runbook Worker issues - Linux](troubleshoot/hybrid-runbook-worker.md#linux).

-* To learn how to troubleshoot your Hybrid Runbook Workers, see [Troubleshoot Hybrid Runbook Worker issues](troubleshoot/hybrid-runbook-worker.md#general).

-> [Tutorial: Create a PowerShell Workflow runbook](automation-tutorial-runbook-textual.md)

-* File an Azure support incident. Go to the [Azure support site](https://azure.microsoft.com/support/options/), and select **Get Support**.

-* To delete VMs from Update Management, see [Remove VMs from Update Management](remove-vms.md).

-#Customer intent: I want to move my App Configuration resource from one Azure region to another.

->[Disable public access in Azure App Configuration](howto-disable-public-access.md)

-* An existing Azure Arc-enabled Kubernetes connected cluster.

-* An identity (user or service principal) which can be used to [log in to Azure CLI](/cli/azure/authenticate-azure-cli) and connect your cluster to Azure Arc.

- > [!IMPORTANT]

- >

- > * The identity must have 'Read' and 'Write' permissions on the Azure Arc-enabled Kubernetes resource type (`Microsoft.Kubernetes/connectedClusters`).

- > * If connecting the cluster to an existing resource group (rather than a new one created by this identity), the identity must have 'Read' permission for that resource group.

- > * The [Kubernetes Cluster - Azure Arc Onboarding built-in role](../../role-based-access-control/built-in-roles.md#kubernetes-clusterazure-arc-onboarding) can be used for this identity. This role is useful for at-scale onboarding, as it has only the granular permissions required to connect clusters to Azure Arc, and doesn't have permission to update, delete, or modify any other clusters or other Azure resources.

-* [Install or upgrade Azure CLI](/cli/azure/install-azure-cli) to the latest version.

-* Install the latest version of **connectedk8s** Azure CLI extension:

- > The cluster needs to have at least one node of operating system and architecture type `linux/amd64`. Clusters with only `linux/arm64` nodes aren't yet supported.

-* At least 850 MB free for the Arc agents that will be deployed on the cluster, and capacity to use approximately 7% of a single CPU. For a multi-node Kubernetes cluster environment, pods can get scheduled on different nodes.

-* Install the **Az.ConnectedKubernetes** PowerShell module:

-* An identity (user or service principal) which can be used to [log in to Azure PowerShell](/powershell/azure/authenticate-azureps) and connect your cluster to Azure Arc.

- > [!IMPORTANT]

- >

- > * The identity must have 'Read' and 'Write' permissions on the Azure Arc-enabled Kubernetes resource type (`Microsoft.Kubernetes/connectedClusters`).

- > * If connecting the cluster to an existing resource group (rather than a new one created by this identity), the identity must have 'Read' permission for that resource group.

- > * The [Kubernetes Cluster - Azure Arc Onboarding built-in role](../../role-based-access-control/built-in-roles.md#kubernetes-clusterazure-arc-onboarding) is useful for at-scale onboarding as it has the granular permissions required to only connect clusters to Azure Arc. This role doesn't have the permissions to update, delete, or modify any other clusters or other Azure resources.

- > The cluster needs to have at least one node of operating system and architecture type `linux/amd64`. Clusters with only `linux/arm64` nodes aren't yet supported.

-* At least 850 MB free for the Arc agents that will be deployed on the cluster, and capacity to use approximately 7% of a single CPU. For a multi-node Kubernetes cluster environment, pods can get scheduled on different nodes.

-description: Learn about the Azure CLI commands which can be used to manage your Azure Arc resource bridge (preview) deployment.

-The `createconfig` command features two modes: interactive and non-interactive. Interactive mode provides helpful prompts that explain the parameter and what to pass. To initiate interactive mode, pass only the three required parameters. Non-interactive mode allows you to pass all the parameters needed to create the configuration files without being prompted, which saves time and is useful for automation scripts.

-The `validate` command checks the configuration files for a valid schema, cloud and core validations (such as management machine connectivity to required URLs), network settings, and proxy settings. It also performs tests on identity privileges and role assignments, network configuration, loadbalancer configuration and content delivery network connectivity.

-The `deploy` command deploys an on-premises instance of Arc resource bridge as an appliance VM, bootstrapped to be a Kubernetes management cluster. This command gets all necessary pods and agents within the Kubernetes cluster into a running state. Once the appliance VM is up, the kubeconfig file is generated.

-Once the `create` command initiates the connection, it will return in the terminal even though the connection between the ARM resource and on-premises appliance VM is not yet complete. The resource bridge needs about 5 minutes to establish the connection between the ARM resource and the on-premises VM.

-While the Arc resource bridge is connecting the ARM resource to the on-premises VM, the resource bridge will progress through the stages below:

-`ProvisioningState` will be `Creating`, `Created`, `Failed`, `Deleting`, or `Succeeded`.

-`Status` will transition between `WaitingForHeartbeat` -> `Validating` -> `Connected` -> `Running`.

-If the user account is set to periodically change passwords, the credentials must be immediately updated on the resource bridge. This user account may also be set with a lockout policy to protect the on-premises infrastructure, in case the credentials aren't updated and the resource bridge makes multiple attempts to use expired credentials to access the on-premises control center.

-When a new version of a VM extension is published, it becomes available for installation and manual upgrade on Arc-enabled servers. For servers that already have the extension installed and automatic extension upgrade enabled, it may take up to 5 weeks for every server with that extension to get the automatic upgrade. Upgrades are issued in batches across Azure regions and subscriptions, so you may see the extension get upgraded on some of your servers before others. If you need to upgrade an extension immediately, follow the guidance to manually upgrade extensions using the [Azure portal](manage-vm-extensions-portal.md#upgrade-extensions), [Azure PowerShell](manage-vm-extensions-powershell.md#upgrade-extension) or [Azure CLI](manage-vm-extensions-cli.md#upgrade-extensions).

-[See how to create a Azure Arc VM](create-virtual-machine.md)

-* Create a [Python app that uses Azure Cache for Redis](./cache-python-get-started.md)

-```

-1. Optionally, specify a file pattern to identify the directory where the log files are located.

-## Enable recommended alert rules in the Azure portal (preview)

-> The alert rule recommendations feature is currently in preview and is only enabled for:

-## Out-of-the-box alert rules (preview)

-If you don't have alert rules defined for the selected resource, you can [enable recommended out-of-the-box alert rules in the Azure portal](alerts-manage-alert-rules.md#enable-recommended-alert-rules-in-the-azure-portal-preview).

-Learn more about [Change Analysis](./change-analysis.md).

-| `[agent_settings.proxy_config] ignore_proxy_settings =` | Boolean | True or false | Set this value to true to ignore proxy settings. On both AKS & Arc K8s enviornments, if your cluster is configured with forward proxy, then proxy settings are automatically applied and used for the agent. For certain configurations, such as, with AMPLS + Proxy, you may with for the proxy config to be ignored. . By default, this setting is set to `false`. |

-These handpicked alerts come from the Prometheus community. Source code for these mixin alerts can be found in [GitHub](https://aka.ms/azureprometheus-mixins):

-Run the following command to verify that the daemon set was deployed properly:

-The output should resemble the following:

-Run the following command to which verify that the replica set was deployed properly:

- cluster: <CLUSTER-NAME>

-Other than the billing aspects, configuration of linked workspace remain, including data retention settings.

-Linking a workspace can be performed only after the completion of the Log Analytics cluster provisioning.

-> [!WARNING]

-> Linking a workspace to a cluster requires syncing multiple backend components and assuring cache hydration. Since this operation may take up to two hours to complete, you should you run it asynchronously.

-The cluster's billing stops when deleted, regardless the 30 days commitment tier.

-|Infrastructure|**- Container.** Data about containers, such as Azure Kubernetes, and about the applications running inside containers.<br>**- Operating system.** Data about the guest operating system on which your application is running.|

-|[Azure Monitor Metrics](essentials/data-platform-metrics.md)|Metrics are numerical values that describe an aspect of a system at a particular point in time. [Azure Monitor Metrics](./essentials/data-platform-metrics.md) is a time-series database, optimized for analyzing time-stamped data. Azure Monitor collects metrics at regular intervals. Metrics are identified with a timestamp, a name, a value, and one or more defining labels. They can be aggregated using algorithms, compared to other metrics, and analyzed for trends over time. It supports native Azure Monitor metrics and [Prometheus based metrics](essentials/prometheus-metrics-overview.md).|

-> [Application resilience FAQs for Azure NetApp Files](faq-application-resilience.md)

-* Configuring volume replication for source volumes created from snapshot isn't supported at this time.

-* At this time, you can't configure volume replication for source volumes created from snapshot with cross-zone replication.

-* To create a resource management private links, see [Use portal to create private link for managing Azure resources](create-private-link-access-portal.md) or [Use REST API to create private link for managing Azure resources](create-private-link-access-rest.md).

-* To learn about viewing the deployment history, see [View deployment history with Azure Resource Manager](deployment-history.md).

-* For more information about template files, see [Understand the structure and syntax of ARM templates](./syntax.md).

-* For information about deploying a template that requires a SAS token, see [Deploy private ARM template with SAS token](secure-template-with-sas-token.md).

-* For more information about template files, see [Understand the structure and syntax of ARM templates](./syntax.md).

-* Learn how to [manage a backed-up SQL database running on Azure VM using the Azure portal](manage-monitor-sql-database-backup.md).

-[Restore Azure Blobs using Azure CLI](restore-blobs-storage-account-cli.md)

-The vaulted backup is currently in preview in the following regions: France Central, Canada Central, Canada East, US East, US South.

- * Connect using SSH or RDP.

-This section helps you connect to your virtual machine from native clients on *non*-Windows local computers (example: a Linux PC) using the **az network bastion tunnel** command. You can also connect using this method from a Windows computer. This is helpful when you require an SSH connection and want to upload files to your VM.

-The background removal feature is available through the [Image Analysis - Segment](https://aka.ms/vision-4-0-ref) API (`imageanalysis:segment`). You can call this API through REST calls. See the [Background removal how-to guide](./how-to/background-removal.md) for more information.

-description: Learn how to call the Image Analysis - Segment API to isolate and remove the background from images.

-When calling the **Image Analysis - Segment** API, you specify the image's URL by formatting the request body like this: `{"url":"https://learn.microsoft.com/azure/cognitive-services/computer-vision/images/windows-kitchen.jpg"}`.

-Image Analysis 4.0 is now available through client library SDKs in C#, C++, and Python. This update also includes the Florence-powered image captioning model that achieved human parity performance.

-"Caption" replaces "Describe" in V4.0 as the significantly improved image captioning feature rich with details and sematic understanding. Dense Captions provides more detail by generating one sentence descriptions of up to 10 regions of the image in addition to describing the whole image. Dense Captions also returns bounding box coordinates of the described image regions. There's also a new gender-neutral parameter to allow customers to choose whether to enable probabilistic gender inference for alt-text and Seeing AI applications. Automatically deliver rich captions, accessible alt-text, SEO optimization, and intelligent photo curation to support digital content. [Image captions](./concept-describe-images-40.md).

-### Computer Vision Image Analysis 4.0 public preview

-|[Text-to-speech](text-to-speech.md) | Textual responses from your assistant are synthesized through [text-to-speech](text-to-speech.md) from the Speech service. This synthesis is then made available to your client application as an audio stream. Microsoft offers the ability to build your own custom, high-quality Neural Text to Speech (Neural TTS) voice that gives a voice to your brand. To learn more, [contact us](mailto:mstts@microsoft.com).

-| Arabic | `ar` | &check; | &check; | &check; | | &check; | &check; | &check; | | | | &check; | &check; | &check; | | | |

-| Chinese (Traditional) | `zh-hant` | &check; | &check; | &check; | | &check; | &check; | &check; | | | | &check; | &check; | &check; | | | |

-| Czech | `cs` | &check; | &check; | &check; | | &check; | &check; | &check; | | | | &check; | &check; | &check; | | | |

-| Danish | `da` | &check; | &check; | &check; | | &check; | &check; | &check; | | | | &check; | &check; | &check; | | | |

-| Dutch | `nl` | &check; | &check; | &check; | | &check; | &check; | &check; | | | | &check; | &check; | &check; | | | |

-| Finnish | `fi` | &check; | &check; | &check; | | &check; | &check; | &check; | | | | &check; | &check; | &check; | | | |

-| Hebrew | `he` | &check; | &check; | &check; | | &check; | &check; | &check; | | | | &check; | &check; | &check; | &check; | | |

-| Hindi | `hi` | &check; | &check; | &check; | | &check; | &check; | &check; | | | | &check; | &check; | &check; | | | |

-| Hungarian | `hu` | &check; | &check; | &check; | | &check; | &check; | &check; | | | | &check; | &check; | &check; | | | |

-| Norwegian (Bokmal) | `nb` | &check; | &check; | &check; | | &check; | &check; | &check; | | | | &check; | | | | | |

-| Polish | `pl` | &check; | &check; | &check; | | &check; | &check; | &check; | | | | &check; | &check; | &check; | | | |

-| Russian | `ru` | &check; | &check; | &check; | | &check; | &check; | &check; | | | | &check; | &check; | &check; | | | |

-| Swedish | `sv` | &check; | &check; | &check; | | &check; | &check; | &check; | | | | &check; | &check; | &check; | | | |

-| Turkish | `tr` | &check; | &check; | &check; | | &check; | &check; | &check; | | | | &check; | &check; | &check; | | | |

-|:-|:-:|:-:|::|

-| Chinese-Simplified | `zh-hans` | 2021-01-15 | `zh` also accepted |

-| English | `en` | 2020-07-01 | |

-| French | `fr` | 2021-01-15 | |

-| German | `de` | 2021-01-15 | |

-| Italian | `it` | 2021-01-15 | |

-| Japanese | `ja` | 2021-01-15 | |

-| Korean | `ko` | 2021-01-15 | |

-| Portuguese (Brazil) | `pt-BR` | 2021-01-15 | |

-| Portuguese (Portugal) | `pt-PT` | 2021-01-15 | `pt` also accepted |

-| Spanish | `es` | 2020-04-01 | |

-* Conversational language understanding and Orchestration workflow is now available in the following regions in the sovereign cloud for China:

- ### [Java](#tab/java)

-

- [**Package (Maven)**](https://mvnrepository.com/artifact/com.azure/azure-ai-textanalytics/5.3.0-beta.1)

-

- [**Changelog/Release History**](https://github.com/Azure/azure-sdk-for-jav)

-

- [**ReadMe**](https://github.com/Azure/azure-sdk-for-jav)

-

- [**Samples**](https://github.com/Azure/azure-sdk-for-java/tree/azure-ai-textanalytics_5.3.0-beta.1/sdk/textanalytics/azure-ai-textanalytics/src/samples)

-

- ### [JavaScript](#tab/javascript)

- [**Package (npm)**](https://www.npmjs.com/package/@azure/ai-language-text/v/1.1.0-beta.1)

-

- [**Changelog/Release History**](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/cognitivelanguage/ai-language-text/CHANGELOG.md)

-

- [**ReadMe**](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/cognitivelanguage/ai-language-text/README.md)

- [**Samples**](https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/cognitivelanguage/ai-language-text/samples/v1)

- ### [Python](#tab/python)

-

- [**Package (PyPi)**](https://pypi.org/project/azure-ai-textanalytics/5.3.0b1/)

-

- [**Changelog/Release History**](https://github.com/Azure/azure-sdk-for-python/blob/azure-ai-textanalytics_5.3.0b1/sdk/textanalytics/azure-ai-textanalytics/CHANGELOG.md)

-

- [**ReadMe**](https://github.com/Azure/azure-sdk-for-python/blob/azure-ai-textanalytics_5.3.0b1/sdk/textanalytics/azure-ai-textanalytics/README.md)

-

- [**Samples**](https://github.com/Azure/azure-sdk-for-python/tree/azure-ai-textanalytics_5.3.0b1/sdk/textanalytics/azure-ai-textanalytics/samples)

-

-

-| [GPT-3](#gpt-3-models) | A series of models that can understand and generate natural language. |

-| Model ID | Supports Completions | Supports Embeddings | Base model Regions | Fine-Tuning Regions |

-| | | | | |

-| ada | Yes | No | N/A | East US², South Central US, West Europe |

-| text-ada-001 | Yes | No | East US², South Central US, West Europe | N/A |

-| babbage | Yes | No | N/A | East US², South Central US, West Europe |

-| text-babbage-001 | Yes | No | East US², South Central US, West Europe | N/A |

-| curie | Yes | No | N/A | East US², South Central US, West Europe |

-| text-curie-001 | Yes | No | East US², South Central US, West Europe | N/A |

-| davinci¹ | Yes | No | N/A | East US², South Central US, West Europe |

-| text-davinci-001 | Yes | No | South Central US, West Europe | N/A |

-| text-davinci-002 | Yes | No | East US, South Central US, West Europe | N/A |

-| text-davinci-003 | Yes | No | East US | N/A |

-| text-davinci-fine-tune-002¹ | Yes | No | N/A | East US, West Europe |

-| Model ID | Supports Completions | Supports Embeddings | Base model Regions | Fine-Tuning Regions |

-| | | | | |

-| code-cushman-001¹ | Yes | No | South Central US, West Europe | East US² , South Central US, West Europe |

-| code-davinci-002 | Yes | No | East US, West Europe | N/A |

-| code-davinci-fine-tune-002¹ | Yes | No | N/A | East US² , West Europe |

-| Model ID | Supports Completions | Supports Embeddings | Base model Regions | Fine-Tuning Regions |

-| | | | | |

-| text-ada-embeddings-002 | No | Yes | East US, South Central US, West Europe | N/A |

-| text-similarity-ada-001 | No | Yes | East US, South Central US, West Europe | N/A |

-| text-similarity-babbage-001 | No | Yes | South Central US, West Europe | N/A |

-| text-similarity-curie-001 | No | Yes | East US, South Central US, West Europe | N/A |

-| text-similarity-davinci-001 | No | Yes | South Central US, West Europe | N/A |

-| text-search-ada-doc-001 | No | Yes | South Central US, West Europe | N/A |

-| text-search-ada-query-001 | No | Yes | South Central US, West Europe | N/A |

-| text-search-babbage-doc-001 | No | Yes | South Central US, West Europe | N/A |

-| text-search-babbage-query-001 | No | Yes | South Central US, West Europe | N/A |

-| text-search-curie-doc-001 | No | Yes | South Central US, West Europe | N/A |

-| text-search-curie-query-001 | No | Yes | South Central US, West Europe | N/A |

-| text-search-davinci-doc-001 | No | Yes | South Central US, West Europe | N/A |

-| text-search-davinci-query-001 | No | Yes | South Central US, West Europe | N/A |

-| code-search-ada-code-001 | No | Yes | South Central US, West Europe | N/A |

-| code-search-ada-text-001 | No | Yes | South Central US, West Europe | N/A |

-| code-search-babbage-code-001 | No | Yes | South Central US, West Europe | N/A |

-| code-search-babbage-text-001 | No | Yes | South Central US, West Europe | N/A |

-

-Learn more about using Azure OpenAI and embeddings to perform document search with our [embeddings tutorial](../tutorials/embeddings.md).

-| Requests per minute per model* | Davinci-models (002 and later): 120 <br> All other models: 300 |

-| Tokens per minute per model* | Davinci-models (002 and later): 40,000 <br> All other models: 120,000 |

-| ```logprobs``` | integer | Optional | null | Include the log probabilities on the logprobs most likely tokens, as well the chosen tokens. For example, if logprobs is 10, the API will return a list of the 10 most likely tokens. the API will always return the logprob of the sampled token, so there may be up to logprobs+1 elements in the response. |

-| ```echo``` | boolean | Optional | False | Echo back the prompt in addition to the completion |

-| ```best_of``` | integer | Optional | 1 | Generates best_of completions server-side and returns the "best" (the one with the lowest log probability per token). Results can't be streamed. When used with n, best_of controls the number of candidate completions and n specifies how many to return ΓÇô best_of must be greater than n. Note: Because this parameter generates many completions, it can quickly consume your token quota. Use carefully and ensure that you have reasonable settings for max_tokens and stop. |

-This article will guide you through creating an Azure Communications Gateway resource in Azure. You must configure this resource before you can deploy Azure Communications Gateway.

-You now need to wait for your resource to be provisioned and connected to the Microsoft Teams environment. When your resource has been provisioned and connected, your onboarding team will reach out to you and the Provisioning Status filed on the resource overview will show as "Complete". We recommend you check in periodically to see if your resource has been provisioned. This process can take up to two weeks, because updating ACLs in the Azure and Teams environments is done on a periodic basis.

-Once your resource has been provisioned, a message will appear saying **Your deployment is complete**. Select **Go to resource group**, and then check that your resource group contains the correct Azure Communications Gateway resource.

-Your onboarding team will require additional information to complete your Operator Connect onboarding. If you're being onboarded to Operator Connect/Teams Phone Mobile by Microsoft, the onboarding team will reach out to you.

-## 9. Get access to Azure Communications Gateway for your Azure subscription

- az acr manifest list-metadata --name myregistry --repository acr-helloworld

-An Azure subscription might have one or more Azure Data Factory instances (or data factories). Azure Data Factory is composed of below key components.

-description: Learn about the technical specifications for your Azure Stack Edge Pro FPGA power cords.

-# Azure Stack Edge Pro FPGA power cord specifications

-Your Azure Stack Edge Pro FPGA device will need a power cord that will vary depending on your Azure region.

-You can use the following table to find the correct cord specifications for your region:

-[Azure Stack Edge Pro FPGA technical specifications](./azure-stack-edge-technical-specifications-compliance.md)

-# What are the cloud security graph, attack path analysis, and the cloud security explorer?

-The optional Defender CSPM plan, provides advanced posture management capabilities such as [Attack path analysis](#attack-path-analysis), [Cloud security explorer](#cloud-security-explorer), advanced threat hunting, [security governance capabilities](#security-governance-and-regulatory-compliance), and also tools to assess your [security compliance](#security-governance-and-regulatory-compliance) with a wide range of benchmarks, regulatory standards, and any custom security policies required in your organization, industry, or region.

-| [Secure score](secure-score-access-and-track.md) | :::image type="icon" source="./media/icons/yes-icon.png"::: | :::image type="icon" source="./media/icons/yes-icon.png"::: | Azure, AWS, GCP, on-premises |

-| [Governance](#security-governance-and-regulatory-compliance) | - | :::image type="icon" source="./media/icons/yes-icon.png"::: | Azure, AWS, GCP, on-premises |

-| [Regulatory compliance](#security-governance-and-regulatory-compliance) | - | :::image type="icon" source="./media/icons/yes-icon.png"::: | Azure, AWS, GCP, on-premises |

-| [Cloud security explorer](#cloud-security-explorer) | - | :::image type="icon" source="./media/icons/yes-icon.png"::: | Azure, AWS |

-| [Attack path analysis](#attack-path-analysis) | - | :::image type="icon" source="./media/icons/yes-icon.png"::: | Azure, AWS |

-| [Agentless scanning for machines](#agentless-scanning-for-machines) | - | :::image type="icon" source="./media/icons/yes-icon.png"::: | Azure, AWS |

-## Security governance and regulatory compliance

-Security governance and regulatory compliance refer to the policies and processes which organizations have in place. These policies ensure that they comply with laws, rules and regulations put in place by external bodies (government) which control activity in a given jurisdiction. Defender for Cloud allows you to view your regulatory compliance through the regulatory compliance dashboard.

-Defender for Cloud continuously assesses your hybrid cloud environment to analyze the risk factors according to the controls and best practices in the standards that you've applied to your subscriptions. The dashboard reflects the status of your compliance with these standards.

-Learn more about [security and regulatory compliance in Defender for Cloud](concept-regulatory-compliance.md).

-## Cloud security explorer

-The cloud security graph is a graph-based context engine that exists within Defender for Cloud. The cloud security graph collects data from your multicloud environment and other data sources. For example, the cloud assets inventory, connections and lateral movement possibilities between resources, exposure to internet, permissions, network connections, vulnerabilities and more. The data collected builds a graph representing your multicloud environment.

-Defender for Cloud then uses the generated graph to perform an attack path analysis and find the issues with the highest risk that exist within your environment. You can also query the graph using the cloud security explorer.

-Learn more about [cloud security explorer](concept-attack-path.md#what-is-cloud-security-explorer)

-## Attack path analysis

-Attack path analysis is a graph-based algorithm that scans the cloud security graph. The scans:

-When you take your environment's contextual information into account, attack path analysis identifies issues that may lead to a breach on your environment, and helps you to remediate the highest risk ones first. For example its exposure to the internet, permissions, lateral movement, and more.

-Learn more about [attack path analysis](concept-attack-path.md#what-is-attack-path-analysis).

-## Agentless scanning for machines

-With agentless scanning for VMs, you can get visibility on actionable OS posture issues without installed agents, network connectivity, or machine performance.

-Learn more about [agentless scanning](concept-agentless-data-collection.md).

-Security standards contain comprehensive sets of security recommendations to help secure your cloud environments. Security teams can use the readily available standards such as AWS CIS 1.2.0, AWS CIS 1.5.0, AWS Foundational Security Best Practices, and AWS PCI DSS 3.2.1, or create custom standards to meet specific internal requirements.

-There are three types of resources that are needed to create and manage assessments:

- - assessment details such as name, description, severity, remediation logic, etc.

- - assessment logic in KQL

- - the standard it belongs to

-You can either use the built-in regulatory compliance standards or create your own custom standards.

-## Assign a built-in compliance standard to your AWS account

-**To assign a built-in compliance standard to your AWS account**:

-1. Select **Standards** > **Add** > **Standard**.

-1. Select a built-in standard from the drop-down menu.

-1. Select **Save**.

-## Create a new custom standard for your AWS account

-**To create a new custom standard for your AWS account**:

-1. Select **Standards** > **Create** > **Standard**.

-1. Select **New standard**.

- :::image type="content" source="media/how-to-manage-assessments-standards/new-aws-standard.png" alt-text="Screenshot that shows you where to select a new AWS standard." lightbox="media/how-to-manage-assessments-standards/new-aws-standard.png":::

-1. Enter a name, description and select which assessments you want to add.

-1. Select **Save**.

-## Assign a built-in assessment to your AWS account

-**To assign a built-in assessment to your AWS account**:

-1. Sign in to the [Azure portal](https://portal.azure.com/).

-1. Navigate to **Microsoft Defender for Cloud** > **Environment settings**.

-1. Select the relevant AWS account.

-1. Select **Standards** > **Add** > **Assessment**.

- :::image type="content" source="media/how-to-manage-assessments-standards/aws-assessment.png" alt-text="Screenshot that shows where to navigate to, to select an AWS assessment." lightbox="media/how-to-manage-assessments-standards/aws-assessment.png":::

-1. Select **Existing assessment**.

-1. Select all relevant assessments from the drop-down menu.

-1. Select the standards from the drop-down menu.

-1. Select **Save**.

-## How to build a query

-The last row of the query should return all the original columns (donΓÇÖt use ΓÇÿprojectΓÇÖ, ΓÇÿproject-away'). End the query with an iff statement that defines the healthy or unhealthy conditions: `| extend HealthStatus = iff([boolean-logic-here], 'UNHEALTHY','HEALTHY')`.

-### Sample KQL queries

-When building a KQL query, you should use the following table structure:

-```kusto

- 2021-10-07T10:30:21.403732Z

- - SdksInfo

- {

- "AWSSDK.EC2": "3.7.5.2"

- }

- - RecordProviderInfo

- {

- "CloudName": "AWS",

- "CspmDiscoveryCloudRoleArn": "arn:aws:iam::123456789123:role/CSPMMonitoring",

- "Type": "MultiCloudDiscoveryServiceDataCollector",

- "HierarchyIdentifier": "123456789123",

- "ConnectorId": "b3113210-63f9-43c5-a6a7-f14a2a5b3cd0"

- }

- - RecordOrganizationInfo

- {

- "Type": "MyOrganization",

- "TenantId": "bda8bc53-d9f8-4248-b9a9-3a6c7fe0b92f",

- "SubscriptionId": "69444886-de6b-40c5-8b43-065f739fffb9",

- "ResourceGroupName": "MyResourceGroupName"

- }

- - CorrelationId

- 4f5e50e1d92c400caf507036a1237c72

- - RecordRegionalInfo

- {

- "Type": "MultiCloudRegion",

- "RegionUniqueName": "eu-west-2",

- "RegionDisplayName": "EU West (London)",

- "IsGlobalForRecord": false

- }

- - RecordIdentifierInfo

- {

- "Type": "MultiCloudDiscoveryServiceDataCollector",

- "RecordNativeCloudUniqueIdentifier": "arn:aws:ec2:eu-west-2:123456789123:elastic-ip/eipalloc-1234abcd5678efef9",

- "RecordAzureUniqueIdentifier": "/subscriptions/69444886-de6b-40c5-8b43-065f739fffb9/resourcegroups/MyResourceGroupName/providers/Microsoft.Security/securityconnectors/b3113210-63f9-43c5-a6a7-f14a2a5b3cd0/securityentitydata/aws-ec2-elastic-ip-eipalloc-1234abcd5678efef9-eu-west-2",

- "RecordIdentifier": "eipalloc-1234abcd5678efef9-eu-west-2",

- "ResourceProvider": "EC2",

- "ResourceType": "elastic-ip"

- }

- - Record

- {

- "AllocationId": "eipalloc-1234abcd5678efef9",

- "AssociationId": "eipassoc-234abcd5678efef90",

- "CarrierIp": null,

- "CustomerOwnedIp": null,

- "CustomerOwnedIpv4Pool": null,

- "Domain": {

- "Value": "vpc"

- },

- "InstanceId": "i-0a8fcc00493c4625d",

- "NetworkBorderGroup": "eu-west-2",

- "NetworkInterfaceId": "eni-34abcd5678efef901",

- "NetworkInterfaceOwnerId": "123456789123",

- "PrivateIpAddress": "172.31.21.88",

- "PublicIp": "19.218.211.431",

- "PublicIpv4Pool": "amazon",

- "Tags": [

- {

- "Value": "arn:aws:cloudformation:eu-west-2:123456789123:stack/awseb-e-sjuh4tkr7a-stack/4ff15da0-2512-11ec-ab59-023b28e97f64",

- "Key": "aws:cloudformation:stack-id"

- },

- {

- "Value": "e-sjuh4tkr7a",

- "Key": "elasticbeanstalk:environment-id"

- },

- {

- "Value": "AWSEBEIP",

- "Key": "aws:cloudformation:logical-id"

- },

- {

- "Value": "awseb-e-sjuh4tkr7a-stack",

- "Key": "aws:cloudformation:stack-name"

- },

- {

- "Value": "Mebrennetest3-env",

- "Key": "elasticbeanstalk:environment-name"

- },

- {

- "Value": "Mebrennetest3-env",

- "Key": "Name"

- }

- ]

- }

-```

-> [!NOTE]

-> The `Record` field contains the data structure as it is returned from the AWS API. Use this field to define conditions which will determine if the resource is healthy or unhealthy.

->

-> You can access internal properties of `Record` filed using a dot notation. For example: `| extend EncryptionType = Record.Encryption.Type`.

-**Stopped EC2 instances should be removed after a specified time period**

-

-```kusto

-EC2_Instance

-| extend State = tolower(tostring(Record.State.Name.Value))

-| extend StoppedTime = todatetime(tostring(Record.StateTransitionReason))

-| extend HealthStatus = iff(not(State == 'stopped' and StoppedTime < ago(30d)), 'HEALTHY', 'UNHEALTHY')

-```

-**EC2 subnets should not automatically assign public IP addresses**

-

-```kusto

-EC2_Subnet

-| extend MapPublicIpOnLaunch = tolower(tostring(Record.MapPublicIpOnLaunch))

-| extend HealthStatus = iff(MapPublicIpOnLaunch == 'false' ,'HEALTHY', 'UNHEALTHY')

-```

-**EC2 instances should not use multiple ENIs**

-

-```kusto

-EC2_Instance

-| extend NetworkInterfaces = parse_json(Record)['NetworkInterfaces']

-| extend NetworkInterfaceCount = array_length(parse_json(NetworkInterfaces))

-| extend HealthStatus = iff(NetworkInterfaceCount == 1 ,'HEALTHY', 'UNHEALTHY')

-```

-You can use the following links to learn more about Kusto queries:

-# Cloud security explorer

-description: Learn how to create custom security assessments and standards for your GCP environment.

-There are three types of resources that are needed to create and manage assessments:

- - assessment details such as name, description, severity, remediation logic, etc.

- - assessment logic in KQL

- - the standard it belongs to

-You can either use the built-in compliance standards or create your own custom standards or built-in assessments.

-## Assign a built-in compliance standard to your GCP project

-**To assign a built-in compliance standard to your GCP project**:

-1. Select **Standards** > **Add** > **Standard**.

-1. Select a built-in standard from the drop-down menu.

-1. Select **Save**.

-## Create a new custom standard for your GCP project

-**To create a new custom standard for your GCP project**:

-1. Sign in to the [Azure portal](https://portal.azure.com/).

-1. Navigate to **Microsoft Defender for Cloud** > **Environment settings**.

-1. Select the relevant GCP project.

-1. Select **Standards** > **Add** > **Standard**.

-1. Select **New standard**.

-1. Enter a name, description and select which assessments you want to add.

-1. Select **Save**.

-## Assign a built-in assessment to your GCP project

-**To assign a built-in assessment to your GCP project**:

-1. Select **Standards** > **Add** > **Assessment**.

- :::image type="content" source="media/how-to-manage-assessments-standards/gcp-assessment.png" alt-text="Screenshot that shows where to navigate to, to select GCP assessment." lightbox="media/how-to-manage-assessments-standards/gcp-assessment.png":::

-1. Select **Existing assessment**.

-1. Select all relevant assessments from the drop-down menu.

-1. Select the standards from the drop-down menu.

-1. Select **Save**.

-## How to build a query

-The last row of the query should return all the original columns (donΓÇÖt use ΓÇÿprojectΓÇÖ, ΓÇÿproject-away). End the query with an iff statement that defines the healthy or unhealthy conditions: `| extend HealthStatus = iff([boolean-logic-here], 'UNHEALTHY','HEALTHY')`.

-### Sample KQL queries

-**Ensure that Cloud Storage buckets have uniform bucket-level access enabled**

-```kusto

-let UnhealthyBuckets = Storage_Bucket

-| extend RetentionPolicy = Record.retentionPolicy

-| where isnull(RetentionPolicy) or isnull(RetentionPolicy.isLocked) or tobool(RetentionPolicy.isLocked)==false

-| project BucketName = RecordIdentifierInfo.CloudNativeResourceName; Logging_LogSink

-| extend Destination = split(Record.destination,'/')[0]

-| where Destination == 'storage.googleapis.com'

-| extend LogBucketName = split(Record.destination,'/')[1]

-| extend HealthStatus = iff(LogBucketName in(UnhealthyBuckets), 'UNHEALTHY', 'HEALTHY')"

-```

-**Ensure VM disks for critical VMs are encrypted**

-```kusto

-Compute_Disk

-| extend DiskEncryptionKey = Record.diskEncryptionKey

-| extend IsVmNotEncrypted = isempty(tostring(DiskEncryptionKey.sha256))

-| extend HealthStatus = iff(IsVmNotEncrypted ,'UNHEALTHY' ,'HEALTHY')"

-```

-**Ensure Compute instances are launched with Shielded VM enabled**

-```kusto

-Compute_Instance

-| extend InstanceName = tostring(Record.id)

-| extend ShieldedVmExist = tostring(Record.shieldedInstanceConfig.enableIntegrityMonitoring) =~ 'true' and tostring(Record.shieldedInstanceConfig.enableVtpm) =~ 'true'

-| extend HealthStatus = iff(ShieldedVmExist, 'HEALTHY', 'UNHEALTHY')"

-```

-You can use the following links to learn more about Kusto queries:

-# Security posture for Microsoft Defender for Cloud

-description: Learn about the Azure cloud environments where Defender for Cloud can be used and the Azure services that Defender for Cloud protects.

-# Microsoft Defender for Cloud interoperability with Azure services and Azure clouds

-This article indicates the Azure clouds and Azure services that are supported by Microsoft Defender for Cloud.

-This article provides a reference of the [alerts](how-to-manage-cloud-alerts.md) that are generated by Microsoft Defender for IoT network sensors, inclduing a list of all alert types and descriptions. You might use this reference to [map alerts into playbooks](iot-advanced-threat-monitoring.md#automate-response-to-defender-for-iot-alerts), [define forwarding rules](how-to-forward-alert-information-to-partners.md) on an OT network sensor, or other custom activity.

-The following legacy notifications were removed in version 22.3.6. If you have an earlier OT sensor version installed, you may still have these notifications to resolve:

-| Type | Description | Available responses |

-|--|--|--|

-| **Inactive devices** | Traffic wasn't detected on a specific device for more than 60 days. | We recommend removing the device from your network if it's no longer needed. <br><br>**Dismiss**: If the device is part of your network but currently inactive, such as if it's mistakenly disconnected from the network, dismiss the notification and reconnect the device. |

-| **New OT devices** | A subnet includes an OT device that's not defined in an ICS subnet. <br><br> Each subnet that contains at least one OT device can be defined as an ICS subnet. This helps differentiate between OT and IT devices on the map. | **Set as ICS Subnet** <br><br>**Dismiss**: Remove the notification if the device isn't part of the subnet.

-This article provides an introduction to the Microsoft Defender for IoT command line interface (CLI). The CLI is a text-based user interface that allows you to access your OT and Enterprise IoT sensors, and the on-premises management console, for advanced configuration, troubleshooting, and support.

- ```azurecli

- ```azurecli

-* Azure Digital Twins instance, with a [system-assigned managed identity](concepts-security.md#managed-identity-for-accessing-other-resources) enabled

-* [Event Hubs](../event-hubs/event-hubs-about.md) namespace containing an event hub

-* [Azure Data Explorer](/azure/data-explorer/data-explorer-overview) cluster containing a database

-Digital twin data can be sent to most Azure services using *endpoints*. If your destination is [Azure Data Explorer](/azure/data-explorer/data-explorer-overview), you can use *data history* instead to automatically send graph updates to an Azure Data Explorer cluster, where they are stored as historical data and can be queried as such. The rest of this section describes these capabilities in more detail.

->[!NOTE]

->Azure Digital Twins implements *at least once* delivery for data emitted to egress services.

->[!NOTE]

-> If you encounter the error "Could not create Azure Digital Twins instance connection. Unable to create table and mapping rule in database. Check your permissions for the Azure Database Explorer and run `az login` to refresh your credentials," resolve the error by adding yourself as an *AllDatabasesAdmin* under Permissions in your Azure Data Explorer cluster.

->

->If you're using the Cloud Shell and encounter the error "Failed to connect to MSI. Please make sure MSI is configured correctly," try running the command with a local Azure CLI installation instead.

-You can manage users' access to your Microsoft Energy Data Services instance or data partitions. As a prerequisite for this step, you need to find the 'object-id' (OID) of the user(s) first. If you are managing an application's access to your instance or data partition, then you must find and use the application ID (or client ID) instead of the OID.

-You'll need to input the `object-id` (OID) of the users (or the application or client ID if managing access for an application) as parameters in the calls to the Entitlements API of your Microsoft Energy Data Services Preview Instance. `object-id` (OID) is the Azure Active Directory User Object ID.

-# Azure Event Hubs ΓÇö A big data streaming platform and event ingestion service

-Azure Event Hubs is a big data streaming platform and event ingestion service. It can receive and process millions of events per second. Data sent to an event hub can be transformed and stored by using any real-time analytics provider or batching/storage adapters.

-The following scenarios are some of the scenarios where you can use Event Hubs:

-Event Hubs represents the "front door" for an event pipeline, often called an *event ingestor* in solution architectures. An event ingestor is a component or service that sits between event publishers and event consumers to decouple the production of an event stream from the consumption of those events. Event Hubs provides a unified streaming platform with time retention buffer, decoupling event producers from event consumers.

-With a broad ecosystem based on the industry-standard AMQP 1.0 protocol and available in various languages [.NET](https://github.com/Azure/azure-sdk-for-net/), [Java](https://github.com/Azure/azure-sdk-for-java/), [Python](https://github.com/Azure/azure-sdk-for-python/), [JavaScript](https://github.com/Azure/azure-sdk-for-js/), you can easily start processing your streams from Event Hubs. All supported client languages provide low-level integration. The ecosystem also provides you with seamless integration with Azure services like Azure Stream Analytics and Azure Functions and thus enables you to build serverless architectures.

-See [comparison between Event Hubs tiers](event-hubs-quotas.md) for more details.

-Event Hubs on Azure Stack Hub allows you to realize hybrid cloud scenarios. Streaming and event-based solutions are supported, for both on-premises and Azure cloud processing. Whether your scenario is hybrid (connected), or disconnected, your solution can support processing of events/streams at large scale. Your scenario is only bound by the Event Hubs cluster size, which you can provision according to your needs.

-Event Hubs contains the following [key components](event-hubs-features.md):

-1. Select ΓÇ£Create a resourceΓÇ¥ in the Azure portal.

- 

-2. In the search box, type **Microsoft Defender EASM**, and then press Enter.

-3. Select the **Create** button to create an EASM resource.

-4. Select or enter the following property values:

-5. Select **Review + Create**.

-6. Review the values, and then select **Create**.

-7. Select **Refresh** to see the status of the resource creation. Once finished, you can go to the Resource to get started.

-|FHIR STU3 | FHIR R4 **(new!)**|

-| templateCollectionReference | Reference to an [OCI image ](https://github.com/opencontainers/image-spec) template collection on [Azure Container Registry (ACR)](https://azure.microsoft.com/services/container-registry/). It's the image containing Liquid templates to use for conversion. It can be a reference either to the default templates or a custom template image that is registered within the FHIR service. See below to learn about customizing the templates, hosting those on ACR, and registering to the FHIR service. | For ***default/sample*** templates: <br> **HL7v2** templates: <br>```microsofthealth/fhirconverter:default``` <br>``microsofthealth/hl7v2templates:default``<br> **C-CDA** templates: <br> ``microsofthealth/ccdatemplates:default`` <br> **JSON** templates: <br> ``microsofthealth/jsontemplates:default`` <br> **FHIR-STU3** templates: <br> ``microsofthealth/stu3tor4templates:default`` <br><br> For ***custom*** templates: <br> \<RegistryServer\>/\<imageName\>@\<imageDigest\>, \<RegistryServer\>/\<imageName\>:\<imageTag\> |

-| rootTemplate | The root template to use while transforming the data. | For **HL7v2**:<br> "ADT_A01", "ADT_A02", "ADT_A03", "ADT_A04", "ADT_A05", "ADT_A08", "ADT_A11", "ADT_A13", "ADT_A14", "ADT_A15", "ADT_A16", "ADT_A25", "ADT_A26", "ADT_A27", "ADT_A28", "ADT_A29", "ADT_A31", "ADT_A47", "ADT_A60", "OML_O21", "ORU_R01", "ORM_O01", "VXU_V04", "SIU_S12", "SIU_S13", "SIU_S14", "SIU_S15", "SIU_S16", "SIU_S17", "SIU_S26", "MDM_T01", "MDM_T02"<br><br> For **C-CDA**:<br> "CCD", "ConsultationNote", "DischargeSummary", "HistoryandPhysical", "OperativeNote", "ProcedureNote", "ProgressNote", "ReferralNote", "TransferSummary" <br><br> For **JSON**: <br> "ExamplePatient", "Stu3ChargeItem" <br><br> **For FHIR STU3 to R4**": <br>Name of the root template that is the same as the STU3 resource name e.g., "Patient", "Observation", "Organization". |

-| Australia East | 20.53.44.80 |

-| Canada Central | 20.48.192.84 |

-| Central US | 52.182.208.31 |

-| East US | 20.62.128.148 |

-| East US 2 | 20.49.102.228 |

-| East US 2 EUAP | 20.39.26.254 |

-| Germany North | 51.116.51.33 |

-| Germany West Central | 51.116.146.216 |

-| Japan East | 20.191.160.26 |

-| Korea Central | 20.41.69.51 |

-| North Central US | 20.49.114.188 |

-| North Europe | 52.146.131.52 |

-| South Africa North | 102.133.220.197 |

-| South Central US | 13.73.254.220 |

-| Southeast Asia | 23.98.108.42 |

-| Switzerland North | 51.107.60.95 |

-| UK South | 51.104.30.170 |

-| UK West | 51.137.164.94 |

-| West Central US | 52.150.156.44 |

-| West Europe | 20.61.98.66 |

-| West US 2 | 40.64.135.77 |

-| Australia East | 20.53.44.80 |

-| Canada Central | 20.48.192.84 |

-| Central US | 52.182.208.31 |

-| East US | 20.62.128.148 |

-| East US 2 | 20.49.102.228 |

-| East US 2 EUAP | 20.39.26.254 |

-| Germany North | 51.116.51.33 |

-| Germany West Central | 51.116.146.216 |

-| Japan East | 20.191.160.26 |

-| Korea Central | 20.41.69.51 |

-| North Central US | 20.49.114.188 |

-| North Europe | 52.146.131.52 |

-| South Africa North | 102.133.220.197 |

-| South Central US | 13.73.254.220 |

-| Southeast Asia | 23.98.108.42 |

-| Switzerland North | 51.107.60.95 |

-| UK South | 51.104.30.170 |

-| UK West | 51.137.164.94 |

-| West Central US | 52.150.156.44 |

-| West Europe | 20.61.98.66 |

-| West US 2 | 40.64.135.77 |

-| | Linux containers on Linux hosts |

-|--| -- |

-| **Manual provisioning (single device)** | [X.509 certificates](how-to-provision-single-device-linux-x509.md)<br><br>[Symmetric keys](how-to-provision-single-device-linux-symmetric.md) |

-| **Autoprovisioning (devices at scale)** | [X.509 certificates](how-to-provision-devices-at-scale-linux-x509.md)<br><br>[TPM](how-to-provision-devices-at-scale-linux-tpm.md)<br><br>[Symmetric keys](how-to-provision-devices-at-scale-linux-symmetric.md) |

- We provide sample images in the [Assets here](https://github.com/Azure/iot-hub-device-update/releases) repository. The swUpdate file is the base image that you can flash onto a Raspberry Pi B3+ board. The .gz file is the update you would import through Device Update for IoT Hub. For an example, see [How to flash the image to your IoT Hub device](./device-update-raspberry-pi.md#flash-an-sd-card-with-the-image).

- Change the connectionType to "AIS" for agents who will be using the IoT Identity Service for provisioning. The ConnectionData field must be a empty string. Please note that all values with the 'Place value here' tag must be set. See [Configuring a DU agent](./device-update-configuration-file.md#example-du-configjson-file-contents).

-3. Finally install the Device Update agent. We provide sample images in [Assets here](https://github.com/Azure/iot-hub-device-update/releases), the swUpdate file is the base image that you can flash onto a Raspberry Pi B3+ board, and the .gz file is the update you would import through Device Update for IoT Hub. See example of [how to flash the image to your IoT Hub device](./device-update-raspberry-pi.md#flash-an-sd-card-with-the-image).

- Change the connectionType to "AIS" for agents who will be using the IoT Identity Service for provisioning. The ConnectionData field must be a empty string. Please note that all values with the 'Place value here' tag must be set. See [Configuring a DU agent](./device-update-configuration-file.md#example-du-configjson-file-contents).

-1. We provide sample images in the [Assets here](https://github.com/Azure/iot-hub-device-update/releases) repository. The swUpdate file is the base image that you can flash onto a Raspberry Pi B3+ board. The .gz file is the update you would import through Device Update for IoT Hub. For an example, see [How to flash the image to your IoT Hub device](./device-update-raspberry-pi.md#flash-an-sd-card-with-the-image).

-1. Log into the machine or device that has the Device Update agent installed.

-You can also build and modify your own customer Device Update agent.

-Follow the instructions to [build](https://github.com/Azure/iot-hub-device-update/blob/main/docs/agent-reference/how-to-build-agent-code.md) the Device Update Agent

-from source.

-the agent.

-Now, make the changes needed to incorporate the agent into your image. Look at how to

-## Download the image

-We provide sample images in **Assets** on the [Device Update GitHub releases page](https://github.com/Azure/iot-hub-device-update/releases). The .gz file is the base image that you can flash on to a Raspberry Pi 3 B+ board. The swUpdate file is the update you would import through Device Update for IoT Hub.

-## Flash an SD card with the image

-Use your favorite OS flashing tool to install the Device Update base image (adu-base-image) on the SD card that will be used in the Raspberry Pi 3 B+ device.

-## Create a device or module in IoT Hub and get a connection string

-Now, add the device to IoT Hub. From within IoT Hub, a connection string is generated for the device.

-1. From the [Azure portal](https://portal.azure.com), navigate to your IoT hub.

-1. On the left pane, select **Devices**. Then select **New**.

-1. Under **Device ID**, enter a name for the device. Ensure that the **Autogenerate keys** checkbox is selected.

-1. Select **Save**. On the **Devices** page, the device you created should be in the list.

-1. Get the device connection string by using one of two options:

- * Option 1: Use the Device Update agent with a module identity: On the same **Devices** page, select **Add Module Identity** at the top. Create a new Device Update module with the name **IoTHubDeviceUpdate**. Choose other options as they apply to your use case and then select **Save**. Select the newly created module. In the module view, select the **Copy** icon next to **Primary Connection String**.

- * Option 2: Use the Device Update agent with the device identity: In the device view, select the **Copy** icon next to **Primary Connection String**.

-1. Paste the copied characters somewhere for later use in the following steps:

- **This copied string is your device connection string**.

-## Add a tag to your device

-1. In the Azure portal, navigate to your IoT hub.

-1. On the left pane, under **Devices**, find your IoT device and go to the device twin or module twin.

-1. In the module twin of the Device Update agent module, delete any existing Device Update tag values by setting them to null. If you're using the device identity with the Device Update agent, make these changes on the device twin.

-1. Add a new Device Update tag value, as shown:

- ```JSON

- "tags": {

- "ADUGroup": "<CustomTagValue>"

- }

- ```

-Here are two examples for the `du-config.json` and the `du-diagnostics-config.json` files:

-### Example du-config.json

-```JSON

-{

- "schemaVersion": "1.0",

- "aduShellTrustedUsers": [

- "adu",

- "do"

- ],

- "manufacturer": "fabrikam",

- "model": "vacuum",

- "agents": [

- {

- "name": "main",

- "runas": "adu",

- "connectionSource": {

- "connectionType": "string",

- "connectionData": "HostName=example-connection-string.azure-devices.net;DeviceId=example-device;SharedAccessKey=M5oK/rOP12aB5678YMWv5vFWHFGJFwE8YU6u0uTnrmU="

- },

- "manufacturer": "fabrikam",

- "model": "vacuum"

- }

- ]

-}

-```

-### Example du-diagnostics-config.json

-```JSON

-{

- "logComponents":[

- {

- "componentName":"adu",

- "logPath":"/adu/logs/"

- },

- {

- "componentName":"do",

- "logPath":"/var/log/deliveryoptimization-agent/"

- }

- ],

- "maxKilobytesToUploadPerLogPath":50

-}

-```

-1. Follow these instructions to add the configuration details:

- 1. First, SSH in to the machine by using the following command in the PowerShell window:

- ```shell

- ssh raspberrypi3 -l root

- ```

- 1. Create or open the `du-config.json` file for editing by using:

- nano /adu/du-config.json

- 1. After you run the command, you should see an open editor with the file. If you've never created the file, it will be empty. Now copy the preceding example du-config.json contents, and substitute the configurations required for your device. Then replace the example connection string with the one for the device you created in the preceding steps.

-

- 1. After you finish your changes, select `Ctrl+X` to exit the editor. Then enter `y` to save the changes.

- 1. Now you need to create the `du-diagnostics-config.json` file by using similar commands. Start by creating or opening the `du-diagnostics-config.json` file for editing by using:

- nano /adu/du-diagnostics-config.json

- 1. Copy the preceding example du-diagnostics-config.json contents, and substitute any configurations that differ from the default build. The example du-diagnostics-config.json file represents the default log locations for Device Update for IoT Hub. You only need to change these default values if your implementation differs.

- 1. After you finish your changes, select `Ctrl+X` to exit the editor. Then enter `y` to save the changes.

- 1. Use the following command to show the files located in the `/adu/` directory. You should see both of your configuration files.du-diagnostics-config.json files for editing by using: