-For the next test scenario, configure the authentication policy where the Issuer subject rule satisfies multifactor authentication.

-> [!Note]

-> Sign up for the CloudKnox Permissions Management public preview by filling [this form](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR9AT7gfYe2NPtdIbYxQQX45UNEpIVjY4WUJNSUhMVjcyNzdYOFY2NFhISi4u).

-## Prerequisites

-> [!Note]

-> Sign up for the CloudKnox Permissions Management public preview by filling [this form](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR9AT7gfYe2NPtdIbYxQQX45UNEpIVjY4WUJNSUhMVjcyNzdYOFY2NFhISi4u).

-> [!Note]

-> Sign up for the CloudKnox Permissions Management public preview by filling [this form](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR9AT7gfYe2NPtdIbYxQQX45UNEpIVjY4WUJNSUhMVjcyNzdYOFY2NFhISi4u).

-> [!Note]

-> Sign up for the CloudKnox Permissions Management public preview by filling [this form](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR9AT7gfYe2NPtdIbYxQQX45UNEpIVjY4WUJNSUhMVjcyNzdYOFY2NFhISi4u).

-## Prerequisites

-> [!Note]

-> Sign up for the CloudKnox Permissions Management public preview by filling [this form](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR9AT7gfYe2NPtdIbYxQQX45UNEpIVjY4WUJNSUhMVjcyNzdYOFY2NFhISi4u).

-Once you've updated all your production applications that use this app registration and its client ID to MSAL 2.x and the authorization code flow, you should uncheck the implicit grant settings in the app registration.

-const myMSALObj = new UserAgentApplication(config);

-userAgentApplication

- .acquireTokenSilent(request)

-userAgentApplication.loginRedirect(request);

-For more information about **login_hint** and **domain_hint**, see [Implicit grant flow](v2-oauth2-implicit-grant-flow.md).

-userAgentApplication

- .acquireTokenSilent(request)

-const myMSALObj = new UserAgentApplication(config);

-[Loop Messenger Extension](https://loopworks.com/loop-flow-messenger/), [Silverfort Azure AD Adapter](http://www.silverfort.com/), [Interplay Learning](https://skilledtrades.interplaylearning.com/#login), [Nura Space](https://dashboard.nuraspace.com/login), [Yooz EU](https://eu1.getyooz.com/?kc_idp_hint=microsoft), [UXPressia](https://uxpressia.com/users/sign-in), [introDus Pre- and Onboarding Platform](http://app.introdus.dk/login), [Happybot](https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?client_id=34353e1e-dfe5-4d2f-bb09-2a5e376270c8&response_type=code&redirect_uri=https://api.happyteams.io/microsoft/integrate&response_mode=query&scope=offline_access%20User.Read%20User.Read.All), [LeaksID](https://app.leaksid.com/), [ShiftWizard](http://www.shiftwizard.com/), [PingFlow SSO](https://app.pingview.io/), [Swiftlane](https://admin.swiftlane.com/login), [Quasydoc SSO](https://www.quasydoc.eu/login), [Fenwick Gold Account](https://businesscentral.dynamics.com/), [SeamlessDesk](https://www.seamlessdesk.com/login), [Learnsoft LMS & TMS](http://www.learnsoft.com/), [P-TH+](https://p-th.jp/), [myViewBoard](https://api.myviewboard.com/auth/microsoft/), [Tartabit IoT Bridge](https://bridge-us.tartabit.com/), [AKASHI](../saas-apps/akashi-tutorial.md), [Rewatch](../saas-apps/rewatch-tutorial.md), [Zuddl](../saas-apps/zuddl-tutorial.md), [Parkalot - Car park management](../saas-apps/parkalot-car-park-management-tutorial.md), [HSB ThoughtSpot](../saas-apps/hsb-thoughtspot-tutorial.md), [IBMid](../saas-apps/ibmid-tutorial.md), [SharingCloud](../saas-apps/sharingcloud-tutorial.md), [PoolParty Semantic Suite](../saas-apps/poolparty-semantic-suite-tutorial.md), [GlobeSmart](../saas-apps/globesmart-tutorial.md), [Samsung Knox and Business Services](../saas-apps/samsung-knox-and-business-services-tutorial.md), [Penji](../saas-apps/penji-tutorial.md), [Kendis- Scaling Agile Platform](../saas-apps/kendis-scaling-agile-platform-tutorial.md), [Maptician](../saas-apps/maptician-tutorial.md), [Olfeo SAAS](../saas-apps/olfeo-saas-tutorial.md), [Sigma Computing](../saas-apps/sigma-computing-tutorial.md), [CloudKnox Permissions Management Platform](../saas-apps/cloudknox-permissions-management-platform-tutorial.md), [Klaxoon SAML](../saas-apps/klaxoon-saml-tutorial.md), [Enablon](../saas-apps/enablon-tutorial.md)

-[Jooto](../saas-apps/jooto-tutorial.md), [Proprli](https://app.proprli.com/), [Pace Scheduler](https://www.pacescheduler.com/accounts/login/), [DRTrack](../saas-apps/drtrack-tutorial.md), [Dining Sidekick](../saas-apps/dining-sidekick-tutorial.md), [Cryotos](https://app.cryotos.com/oauth2/authorization/azure-client), [Emergency Management Systems](https://secure.emsystems.com.au/), [Manifestly Checklists](../saas-apps/manifestly-checklists-tutorial.md), [eLearnPOSH](../saas-apps/elearnposh-tutorial.md), [Scuba Analytics](../saas-apps/scuba-analytics-tutorial.md), [Athena Systems Login Platform](../saas-apps/athena-systems-login-platform-tutorial.md), [TimeTrack](../saas-apps/timetrack-tutorial.md), [MiHCM](../saas-apps/mihcm-tutorial.md), [Health Note](https://auth.healthnote.works/oauth), [Active Directory SSO for DoubleYou](../saas-apps/active-directory-sso-for-doubleyou-tutorial.md), [Emplifi platform](../saas-apps/emplifi-platform-tutorial.md), [Flexera One](../saas-apps/flexera-one-tutorial.md), [Hypothesis](https://web.hypothes.is/help/authorizing-hypothesis-from-the-azure-ad-app-gallery/), [Recurly](../saas-apps/recurly-tutorial.md), [XpressDox AU Cloud](https://au.xpressdox.com/Authentication/Login.aspx), [Zoom for Intune](https://zoom.us/), [UPWARD AGENT](https://app.upward.jp/login/), [Linux Foundation ID](https://openprofile.dev/), [Asset Planner](../saas-apps/asset-planner-tutorial.md), [Kiho](https://v3.kiho.fi/index/sso), [chezie](https://app.chezie.co/), [Excelity HCM](../saas-apps/excelity-hcm-tutorial.md), [yuccaHR](https://app.yuccahr.com/), [Blue Ocean Brain](../saas-apps/blue-ocean-brain-tutorial.md), [EchoSpan](../saas-apps/echospan-tutorial.md), [Archie](../saas-apps/archie-tutorial.md), [Equifax Workforce Solutions](../saas-apps/equifax-workforce-solutions-tutorial.md), [Palantir Foundry](../saas-apps/palantir-foundry-tutorial.md), [ATP SpotLight and ChronicX](../saas-apps/atp-spotlight-and-chronicx-tutorial.md), [DigiSign](https://app.digisign.org/selfcare/sso), [mConnect](https://mconnect.skooler.com/), [BrightHR](https://login.brighthr.com/), [Mural Identity](../saas-apps/mural-identity-tutorial.md), [NordPass SSO](https://app.nordpass.com/login%20use%20%22Log%20in%20to%20business%22%20option), [CloudClarity](https://portal.cloudclarity.app/dashboard), [Twic](../saas-apps/twic-tutorial.md), [Eduhouse Online](https://app.eduhouse.fi/palvelu/kirjaudu/microsoft), [Bealink](../saas-apps/bealink-tutorial.md), [Time Intelligence Bot](https://teams.microsoft.com/), [SentinelOne](https://sentinelone.com/)

-| Exchange mail public folders | The Exchange mail public folders feature allows you to synchronize mail-enabled public-folder objects from your on-premises instance of Active Directory to Azure AD. |

-1. Create a cloud-only global administrator account on your Azure AD tenant. This way, you can manage the configuration of your tenant should your on-premises services fail or become unavailable. Learn about [adding a cloud-only global administrator account](../fundamentals/add-users-azure-active-directory.md). Completing this step is critical to ensure that you don't get locked out of your tenant.

-Only global administrators can install an Authentication Agent (by using Azure AD Connect or standalone) on an on-premises server. Installation adds two new entries to the **Control Panel** > **Programs** > **Programs and Features** list:

-1. Azure AD first requests that a global administrator sign in to Azure AD with their credentials. During sign-in, the Authentication Agent acquires an access token that it can use on behalf of the global administrator.

-4. Azure AD validates the access token in the registration request and verifies that the request came from a global administrator.

-6. If the existing certificate has expired, Azure AD deletes the Authentication Agent from your tenantΓÇÖs list of registered Authentication Agents. Then a global administrator needs to manually install and register a new Authentication Agent.

- - Because the trust renewal procedure happens non-interactively (without the presence of the global administrator), the Authentication Agent no longer has access to update the existing certificate in the CERT_SYSTEM_STORE_LOCAL_MACHINE location.

-1. Sign in to the [Azure Active Directory administrative center](https://aad.portal.azure.com) with the global administrator credentials for your tenant.

-> If you are facing user sign-in issues with Pass-through Authentication, don't disable the feature or uninstall Pass-through Authentication Agents without having a cloud-only Global Administrator account to fall back on. Learn about [adding a cloud-only Global Administrator account](../fundamentals/add-users-azure-active-directory.md). Doing this step is critical and ensures that you don't get locked out of your tenant.

-Ensure that you use a cloud-only Global Administrator account for all Azure AD Connect or standalone Authentication Agent installation and registration operations. There is a known issue with MFA-enabled Global Administrator accounts; turn off MFA temporarily (only to complete the operations) as a workaround.

-1. Run PowerShell as an administrator. In PowerShell, call `New-AzureADSSOAuthenticationContext`. When prompted, enter your tenant's global administrator credentials.

-4. Enter the username and password for your global administrator. This account was created [here](tutorial-federation.md#create-a-global-administrator-in-azure-ad) in the previous tutorial.

-4. Enter the username and password for your global administrator. This account was created [here](tutorial-federation.md#create-a-global-administrator-in-azure-ad) in the previous tutorial.

-4. Enter the username and password for your global administrator. This is the account that was created [here](tutorial-federation.md#create-a-global-administrator-in-azure-ad) in the previous tutorial.

-5. On the **Connect to Azure AD** screen enter the username and password for your global administrator.

-> [!NOTE]

-> B2C-related audit and sign-in activity logs are not supported at this time.

->

-description: Learn how to configure single sign-on between Azure Active Directory and BetterWorks.

-# Tutorial: Azure AD SSO integration with BetterWorks

-In this tutorial, you'll learn how to integrate BetterWorks with Azure Active Directory (Azure AD). When you integrate BetterWorks with Azure AD, you can:

-* Control in Azure AD who has access to BetterWorks.

-* Enable your users to be automatically signed-in to BetterWorks with their Azure AD accounts.

-* BetterWorks single sign-on (SSO) enabled subscription.

-* BetterWorks supports **SP and IDP** initiated SSO.

-## Add BetterWorks from the gallery

-To configure the integration of BetterWorks into Azure AD, you need to add BetterWorks from the gallery to your list of managed SaaS apps.

-1. In the **Add from the gallery** section, type **BetterWorks** in the search box.

-1. Select **BetterWorks** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

-## Configure and test Azure AD SSO for BetterWorks

-Configure and test Azure AD SSO with BetterWorks using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in BetterWorks.

-To configure and test Azure AD SSO with BetterWorks, perform the following steps:

-1. **[Configure BetterWorks SSO](#configure-betterworks-sso)** - to configure the single sign-on settings on application side.

- 1. **[Create BetterWorks test user](#create-betterworks-test-user)** - to have a counterpart of B.Simon in BetterWorks that is linked to the Azure AD representation of user.

-1. In the Azure portal, on the **BetterWorks** application integration page, find the **Manage** section and select **single sign-on**.

- > If you're a European Union customer of BetterWorks, please use `eu.betterworks.com` as the domain name instead of `app.betterworks.com` in these URLs.

-1. On the **Set up BetterWorks** section, copy the appropriate URL(s) based on your requirement.

-In this section, you'll enable B.Simon to use Azure single sign-on by granting access to BetterWorks.

-1. In the applications list, select **BetterWorks**.

-## Configure BetterWorks SSO

-To configure single sign-on on **BetterWorks** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [BetterWorks support team](mailto:support@betterworks.com). They set this setting to have the SAML SSO connection set properly on both sides.

-### Create BetterWorks test user

-In this section, you create a user called Britta Simon in BetterWorks. Work with [BetterWorks support team](mailto:support@betterworks.com) to add the users in the BetterWorks platform. Users must be created and activated before you use single sign-on.

-* Click on **Test this application** in Azure portal. This will redirect to BetterWorks Sign on URL where you can initiate the login flow.

-* Go to BetterWorks Sign-on URL directly and initiate the login flow from there.

-* Click on **Test this application** in Azure portal and you should be automatically signed in to the BetterWorks for which you set up the SSO.

-You can also use Microsoft My Apps to test the application in any mode. When you click the BetterWorks tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the BetterWorks for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-Once you configure BetterWorks you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-aad).

-1. Create a new role assignment by subscription and object. By default, the role assignment will be tied to your default subscription. Replace `$subscriptionId` with your subscription ID and `$assigneeObjectId` with the generated `assignee-object-id`. Learn [how to manage Azure subscriptions with the Azure CLI](/cli/azure/manage-azure-subscriptions-azure-cli).

- az role assignment create --role contributor --subscription $subscriptionId --assignee-object-id $assigneeObjectId --assignee-principal-type ServicePrincipal

-1. Create a new role assignment by subscription and object. By default, the role assignment will be tied to your default subscription. Replace `$subscriptionId` with your subscription ID and `$assigneeObjectId` with the generated `assignee-object-id`. Learn [how to manage Azure subscriptions with the Azure CLI](/cli/azure/manage-azure-subscriptions-azure-cli).

- az role assignment create --role contributor --subscription $subscriptionId --assignee-object-id $assigneeObjectId --assignee-principal-type ServicePrincipal

-All the items shown in the following outbound rules are needed, except for the last item. They enable network access to the App Service Environment dependencies that were noted earlier in this article. If you block any of them, your App Service Environment stops working. The last item in the list enables your App Service Environment to communicate with other resources in your virtual network.

-If you're using your own authentication system, the Health check path must allow anonymous access. To secure the Health check endpoint, you should first use features such as [IP restrictions](app-service-ip-restrictions.md#set-an-ip-address-based-rule), [client certificates](app-service-ip-restrictions.md#set-an-ip-address-based-rule), or a Virtual Network to restrict application access. You can secure the Health check endpoint by requiring the `User-Agent` of the incoming request matches `HealthCheck/1.0`. The User-Agent can't be spoofed since the request would already secured by prior security features.

-|`WEBSITE_OVERRIDE_STICKY_EXTENSION_VERSIONS`| By default, the versions for site extensions are specific to each slot. This prevents unanticipated application behavior due to changing extension versions after a swap. If you want the extension versions to swap as well, set to `1` on *all slots*. ||

- e. In the **Inbound Rules** section, add an inbound rule to allow destination port range 65503-65534 for v1 SKU or 65200-65535 v2 SKU with the **Source** set as **Any** or **Internet**.

-***Sample business card processed with Form Recognizer Studio***

-You will need a business card document. You can use our [sample business card document](https://raw.githubusercontent.com/Azure-Samples/cognitive-services-REST-api-samples/master/curl/form-recognizer/businessCard.png).

-* Image dimensions must be between 50 x 50 pixels and 10000 x 10000 pixels.

-***Sample U.S. Driver's License processed with Form Recognizer Studio***

-***Sample form processed with [Form Recognizer Sample Labeling tool](https://fott-2-1.azurewebsites.net/) layout feature***

-* Image dimensions must be between 50 x 50 pixels and 10000 x 10000 pixels.

- Form Recognizer preview version introduces additional language support for the layout model. *See* our [Language Support](language-support.md) for a complete list of supported handwritten and printed languages.

-Layout API extracts tables in the `pageResults` section of the JSON output. Documents can be scanned, photographed, or digitized. Tables can be complex with merged cells or columns, with or without borders, and with odd angles. Extracted table information includes the number of columns and rows, row span, and column span. Each cell with its bounding box is output along with information whether it's recognized as part of a header or not. The model predicted header cells can span multiple rows and are not necessarily the first rows in a table. They also work with rotated tables. Each table cell also includes the full text with references to the individual words in the `readResults` section.

-Layout API extracts text from documents and images with multiple text angles and colors. It accepts photos of documents, faxes, printed and/or handwritten (English only) text, and mixed modes. Text is extracted with information provided on lines, words, bounding boxes, confidence scores, and style (handwritten or other). All the text information is included in the `readResults` section of the JSON output.

-In Form Recognizer v3.0, the natural reading order output is used by the service in all cases. Therefore, there is no `readingOrder` parameter provided in this version.

-***Sample receipt processed with [Form Recognizer Sample Labeling tool](https://fott-2-1.azurewebsites.net/)***:

-There are two types of managed identity: **system-assigned** and **user-assigned**. Currently, Form Recognizer supports system-assigned managed identity:

-> After you disable the Private Link in your Automation account, it might take up to 60 minutes to remove the Hybrid Runbook worker.

- az role assignment create --role "App Configuration Data Reader" --assignee-object-id <objectId-of-your-service-principal> --resource-group <your-resource-group>

-If you installed the Azure Arc data controller in the past on the same cluster and deleted the Azure Arc data controller, there may be some cluster level objects that would still need to be deleted. Run the following commands to delete the Azure Arc data controller cluster level objects:

-When a new pod is created in a namespace monitored by the add-on, OSM will inject an [envoy proxy sidecar](https://docs.openservicemesh.io/docs/guides/app_onboarding/sidecar_injection/) in that pod. If the envoy version needs to be updated, steps to do so can be found in the [Upgrade Guide](https://docs.openservicemesh.io/docs/getting_started/upgrade/#envoy) on the OSM docs site.

-* [Kustomize project](https://kubernetes-sigs.github.io/kustomize/)

-# Managed identity with Azure Cache for Redis (Preview)

-## Managed identity with storage accounts

-Azure Cache for Redis can use a managed identity to connect with a storage account, useful in two scenarios:

-PowerShell is a _single threaded_ scripting language by default. However, concurrency can be added by using multiple PowerShell runspaces in the same process. The amount of runspaces created will match the ```PSWorkerInProcConcurrencyUpperBound``` application setting. The throughput will be impacted by the amount of CPU and memory available in the selected plan.

-| TypeHandlerVersion | 1.0 | 1.5 |

-> Use this **shortcut** to create syntactically correct XPath queries: [Extract XPath queries from Windows Event Viewer](https://azurecloudai.blog/2021/08/10/shortcut-way-to-create-your-xpath-queries-for-azure-sentinel-dcrs/)

->

-> Alternatively you can use the PowerShell cmdlet `Get-WinEvent` with the `FilterXPath` parameter to test the validity of an XPathQuery. The following script shows an example.

-Download the [applicationinsights-agent-3.2.7.jar](https://github.com/microsoft/ApplicationInsights-Java/releases/download/3.2.7/applicationinsights-agent-3.2.7.jar) file.

-Add `-javaagent:path/to/applicationinsights-agent-3.2.7.jar` to your application's JVM args.

- - Or you can create a configuration file named `applicationinsights.json`. Place it in the same directory as `applicationinsights-agent-3.2.7.jar` with the following content:

-Add the JVM arg `-javaagent:path/to/applicationinsights-agent-3.2.7.jar` somewhere before `-jar`, for example:

-java -javaagent:path/to/applicationinsights-agent-3.2.7.jar -jar <myapp.jar>

-If you're using the *exec* form, add the parameter `"-javaagent:path/to/applicationinsights-agent-3.2.7.jar"` to the parameter list somewhere before the `"-jar"` parameter, for example:

-ENTRYPOINT ["java", "-javaagent:path/to/applicationinsights-agent-3.2.7.jar", "-jar", "<myapp.jar>"]

-If you're using the *shell* form, add the JVM arg `-javaagent:path/to/applicationinsights-agent-3.2.7.jar` somewhere before `-jar`, for example:

-ENTRYPOINT java -javaagent:path/to/applicationinsights-agent-3.2.7.jar -jar <myapp.jar>

-JAVA_OPTS="$JAVA_OPTS -javaagent:path/to/applicationinsights-agent-3.2.7.jar"

-CATALINA_OPTS="$CATALINA_OPTS -javaagent:path/to/applicationinsights-agent-3.2.7.jar"

-If the file `<tomcat>/bin/setenv.sh` already exists, then modify that file and add `-javaagent:path/to/applicationinsights-agent-3.2.7.jar` to `CATALINA_OPTS`.

-set CATALINA_OPTS=%CATALINA_OPTS% -javaagent:path/to/applicationinsights-agent-3.2.7.jar

-set "CATALINA_OPTS=%CATALINA_OPTS% -javaagent:path/to/applicationinsights-agent-3.2.7.jar"

-If the file `<tomcat>/bin/setenv.bat` already exists, just modify that file and add `-javaagent:path/to/applicationinsights-agent-3.2.7.jar` to `CATALINA_OPTS`.

-Locate the file `<tomcat>/bin/tomcat8w.exe`. Run that executable and add `-javaagent:path/to/applicationinsights-agent-3.2.7.jar` to the `Java Options` under the `Java` tab.

-Add `-javaagent:path/to/applicationinsights-agent-3.2.7.jar` to the existing `JAVA_OPTS` environment variable in the file `JBOSS_HOME/bin/standalone.conf` (Linux) or `JBOSS_HOME/bin/standalone.conf.bat` (Windows):

- JAVA_OPTS="-javaagent:path/to/applicationinsights-agent-3.2.7.jar -Xms1303m -Xmx1303m ..."

-Add `-javaagent:path/to/applicationinsights-agent-3.2.7.jar` to the existing `jvm-options` in `JBOSS_HOME/domain/configuration/host.xml`:

- <option value="-javaagent:path/to/applicationinsights-agent-3.2.7.jar"/>

-Add `-javaagent:path/to/applicationinsights-agent-3.2.7.jar` to the existing `jvm-options` in `glassfish/domains/domain1/config/domain.xml`:

- -javaagent:path/to/applicationinsights-agent-3.2.7.jar>

-By default, Application Insights Java 3.x expects the configuration file to be named `applicationinsights.json`, and to be located in the same directory as `applicationinsights-agent-3.2.7.jar`.

-If you specify a relative path, it will be resolved relative to the directory where `applicationinsights-agent-3.2.7.jar` is located.

-If you specify a relative path, it will be resolved relative to the directory where `applicationinsights-agent-3.2.7.jar` is located.

-Starting from 3.2.7, you can capture request and response headers on your server (request) telemetry:

-Starting from version 3.2.7, you can change this behavior to capture them as success if you prefer:

-> Vertx HTTP Library instrumentation is available starting from version 3.2.7

-`applicationinsights-agent-3.2.7.jar` is located.

-Starting from version 3.0.2, you can also set the self-diagnostics `level` using the environment variable `APPLICATIONINSIGHTS_SELF_DIAGNOSTICS_LEVEL`

-that holds the `applicationinsights-agent-3.2.7.jar` file.

-`applicationinsights-agent-3.2.7.jar` file.

- :::image type="content" source="media/autoscale-predictive/message-no-data-to-show-11.png" alt-text="Screenshot of message No data to show":::

-`max (arg1)`

-`min (arg1)`

-`base64tojson`

-`contains (container, itemToFind)`

-`last (arg1)`

-The following example shows how to use the indexOf and lastIndexOf functions:

-`trim (stringToTrim)`

-`uniqueString (baseString, ...)`

-`uri (baseUri, relativeUri)`

-> For an improved authoring experience, you can use Bicep rather than JSON to develop templates. For more information about Bicep syntax, see [child resources](../bicep/child-resource-name-type.md).

-> For an improved authoring experience, you can use Bicep rather than JSON to develop templates. For more information about Bicep syntax, see [conditional deployments](../bicep/conditional-resource-deployment.md).

-> For an improved authoring experience, you can use Bicep rather than JSON to develop templates. For more information about Bicep syntax, see [management group deployments](../bicep/deploy-to-management-group.md).

-> For an improved authoring experience, you can use Bicep rather than JSON to develop templates. For more information about Bicep syntax, see [resource group deployments](../bicep/deploy-to-resource-group.md).

-> For an improved authoring experience, you can use Bicep rather than JSON to develop templates. For more information about Bicep syntax, see [subscription deployments](../bicep/deploy-to-subscription.md).

-> For an improved authoring experience, you can use Bicep rather than JSON to develop templates. For more information about Bicep syntax, see [tenant deployments](../bicep/deploy-to-tenant.md).

-> For an improved authoring experience, you can use Bicep rather than JSON to develop templates. For more information about Bicep syntax, see [outputs](../bicep/outputs.md).

-> For an improved authoring experience, you can use Bicep rather than JSON to develop templates. For more information about Bicep syntax, see [parameters](../bicep/parameters.md).

-> For an improved authoring experience, you can use Bicep rather than JSON to develop templates. For more information about Bicep syntax, see [resource declaration](../bicep/resource-declaration.md).

-`createArray (arg1, arg2, arg3, ...)`

-`last (arg1)`

-In Bicep, directly reference parameters by using their symbolic names.

-In Bicep, directly reference variables by using their symbolic names.

-The `and` function isn't supported in Bicep, use the [&& operator](../bicep/operators-logical.md#and-) instead.

-The `false` function isn't available in Bicep. Use the `false` keyword instead.

-The `not` function isn't supported in Bicep, use the [! operator](../bicep/operators-logical.md#not-) instead.

-The `or` function isn't supported in Bicep, use the [|| operator](../bicep/operators-logical.md#or-) instead.

-The `true` function isn't available in Bicep. Use the `true` keyword instead.

-The `add` function in not supported in Bicep. Use the [`+` operator](../bicep/operators-numeric.md#add-) instead.

-The `div` function in not supported in Bicep. Use the [`/` operator](../bicep/operators-numeric.md#divide-) instead.

-`max (arg1)`

-`min (arg1)`

-The `createObject` function isn't supported by Bicep. Construct an object by using `{}`. See [Objects](../bicep/data-types.md#objects).

-`base64tojson`

-`concat (arg1, arg2, arg3, ...)`

-`contains (container, itemToFind)`

-`last (arg1)`

-`trim (stringToTrim)`

-`uniqueString (baseString, ...)`

-`uri (baseUri, relativeUri)`

-> For an improved authoring experience, you can use Bicep rather than JSON to develop templates. For more information about Bicep syntax, see [variables](../bicep/variables.md).

-Microsoft Azure SignalR Service provides two modes for gracefully shutdown a server.

-$roleassignment = az role assignment create --role "Contributor" --assignee $azureAdApplication.ApplicationId.Guid

-| **Resource type** | SQL Database / SQL Managed Instance | Single database | SQL Database / SQL Managed Instance |

-|||

-|||

-| **GA for maintenance window, preview for advance notifications** | The [maintenance window](../database/maintenance-window.md) feature allows you to configure a maintenance schedule for your Azure SQL Managed Instance and receive advance notifications of maintenance windows. [Maintenance window advance notifications](../database/advance-notifications.md) (preview) are available for databases configured to use a non-default [maintenance window](../database/maintenance-window.md). |

-|**Windows Auth for Azure Active Directory principals preview** | Windows Authentication for managed instances empowers customers to move existing services to the cloud while maintaining a seamless user experience, and provides the basis for infrastructure modernization. Learn more in [Windows Authentication for Azure Active Directory principals on Azure SQL Managed Instance](winauth-azuread-overview.md). |

-| **Data virtualization preview** | It's now possible to query data in external sources such as Azure Data Lake Storage Gen2 or Azure Blob Storage, joining it with locally stored relational data. This feature is currently in preview. To learn more, see [Data virtualization](data-virtualization-overview.md). |

-|||

-|||

-| | |

-The link feature replicates data using the [Distributed availability groups](/sql/database-engine/availability-groups/windows/distributed-availability-groups) concept based the Always On availability groups technology stack. Data replication with distributed availability groups is based on replicating transaction log records. No transaction log records can be truncated from the database on the primary instance until they're replicated to the database on the secondary instance. If transaction log record replication is slow or blocked due to network connection issues, the log file keeps growing on the primary instance. Growth speed depends on the intensity of workload and the network speed. If there's a prolonged network connection outage and heavy workload on primary instance, the log file may take all available storage space.

-To minimize the risk of running out of space on your primary instance due to log file growth, make sure to take database log backups regularly. By taking log backups regularly, you make your database more resilient to unplanned log growth events. Consider scheduling daily log backup tasks using SQL Server Agent job.

-In this example, the database has used 76% of the available log, with an absolute log file size of approximately 27 GB (27,971 MB). The thresholds for action may vary based on your workload, but it's typically an indication that you should take a log backup to truncate log file and free up some space.

-There's no need to have an existing availability group or multiple nodes. The link supports single node SQL Server instances without existing availability groups, and also multiple-node SQL Server instances with existing availability groups. Through the link, you can leverage the modern benefits of Azure without migrating your entire SQL Server data estate to the cloud.

-Data replicated through the link feature from SQL Server to Azure SQL Managed Instance can be used with a number of scenarios, such as:

-You can also use the link feature to offload workloads to Azure. For example, an application could use SQL Server for read / write workloads, while offloading read-only workloads to SQL Managed Instance in any of Azure's 60+ regions worldwide. Once the link is established, the primary database on SQL Server is read/write accessible, while replicated data to SQL Managed Instance in Azure is read-only accessible. This allows for various scenarios where replicated databases on SQL Managed Instance can be used for read scale-out and offloading read-only workloads to Azure. SQL Managed Instance, in parallel, can also host independent read/write databases. This allows for copying the replicated database to another read/write database on the same managed instance for further data processing.

-If you are interested in using Link feature for Azure SQL Managed Instance with versions and editions that are currently not supported, sign-up [here](https://aka.ms/mi-link-signup).

-This article teaches you to prepare your environment for the [Managed Instance link feature](link-feature.md) so that you can replicate your databases from your instance of SQL Server to your instance of Azure SQL Managed Instance.

-To prepare your SQL Server instance, you need to validate you're on the minimum supported version, you've enabled the availability group feature, and you've added the proper trace flags at startup. You will need to restart SQL Server for these changes to take effect.

-If your SQL Server version is lower than CU15 (15.0.4198.2), either install the minimally supported [CU15](https://support.microsoft.com/topic/kb5008996-cumulative-update-15-for-sql-server-2019-4b6a8ee9-1c61-482d-914f-36e429901fb6), or the current latest cumulative update. Your SQL Server instance will be restarted during the update.

-The link feature for SQL Managed Instance relies on the Always On availability groups feature, which is not enabled by default. To learn more, review [enabling the Always On availability groups feature](/sql/database-engine/availability-groups/windows/enable-and-disable-always-on-availability-groups-sql-server).

-If the availability groups feature is not enabled, follow these steps to enable it:

-After the restart, use Transact-SQL to validate the configuration of your SQL Server. Your SQL Server version should be 15.0.4198.2 or greater, the Always On availability groups feature should be enabled, and you should have the Trace flags -T1800 and -T9567 enabled.

-Port 5022 needs to allow inbound and outbound traffic between SQL Server and SQL Managed Instance. Port 5022 is the standard port used for availability groups, and cannot be changed or customized.

-To check if SQL Server can reach your SQL Managed Instance use the `tnc` command in PowerShell from the SQL Server host machine. Replace `<ManagedInstanceFQDN>` with the fully qualified domain name of the Azure SQL Managed Instance.

-If the response is unsuccessful, verify the following:

-If the connection is unsuccessful, verify the following:

-3. On the **Log in to Azure** page, select **Sign-in** to provide your credentials and sign into your Azure account. Select the subscription that is hosting the your SQL Managed Instance from the drop-down and then select **Next**:

-1. In **Object Explorer**, right-click your database, hover over **Azure SQL Managed Instance link** and select **Replicate database** to open the **New Managed Instance link** wizard:

-1. Expand **Windows Server Failover Cluster credentials** to provide [credentials](/rest/api/sqlvm/sqlvirtualmachinegroups/createorupdate#wsfcdomainprofile) for the SQL Server service account, as well as the cluster operator and bootstrap accounts if they're different than the account used for the SQL Server service.

-To learn more, watch this video on [SQL best practices assessment](/shows/Data-Exposed/?WT.mc_id=dataexposed-c9-niner):

-> For eg, if the generated password is *ContosoVM_wcus_GUID*, then then geo-name is wcus and the URL would be: <https://pod01-rec2.wcus.backup.windowsazure.com><br><br>

-> So for example, if the script filename is *ContosoVM_wcus_12345678*, the **geo-name** is *wcus* and the URL would be: <https://pod01-rec2.wcus.backup.windowsazure.com><br><br>

- az role assignment create --assignee "{enter-your-homepage}" --role "Contributor"

- az role assignment create --assignee {service-principal-name} --role "Contributor"

-1. **The host:** A host is an application instance that uses the change feed processor to listen for changes. Multiple instances with the same lease configuration can run in parallel, but each instance should have a different **instance name**.

-There are two host instances and the change feed processor is assigning different ranges of partition key values to each instance to maximize compute distribution.

-Finally you define a name for this processor instance with `WithInstanceName` and which is the container to maintain the lease state with `WithLeaseContainer`.

-A single change feed processor deployment unit consists of one or more instances with the same `processorName` and lease container configuration. You can have many deployment units where each one has a different business flow for the changes and each deployment unit consisting of one or more instances.

-As mentioned before, within a deployment unit you can have one or more instances. To take advantage of the compute distribution within the deployment unit, the only key requirements are:

-description: Find the C# .NET V3 SDK examples on GitHub for common tasks using the Azure Cosmos DB SQL API.

-# Azure Cosmos DB.NET V3 SDK (Microsoft.Azure.Cosmos) examples for the SQL API

-> * [.NET V3 SDK Examples](sql-api-dotnet-v3sdk-samples.md)

-> * [Java V4 SDK Examples](sql-api-java-sdk-samples.md)

-> * [Spring Data V3 SDK Examples](sql-api-spring-data-sdk-samples.md)

-> * [.NET V2 SDK Examples (Legacy)](sql-api-dotnet-v2sdk-samples.md)

-The [azure-cosmos-dotnet-v3](https://github.com/Azure/azure-cosmos-dotnet-v3/tree/master/Microsoft.Azure.Cosmos.Samples/Usage) GitHub repository includes the latest .NET sample solutions to perform CRUD and other common operations on Azure Cosmos DB resources. If you're familiar with the previous version of the .NET SDK, you may be used to the terms collection and document. Because Azure Cosmos DB supports multiple API models, version 3.0 of the .NET SDK uses the generic terms "container" and "item". A container can be a collection, graph, or table. An item can be a document, edge/vertex, or row, and is the content inside a container. This article provides:

-Visual Studio 2019 with the Azure development workflow installed

- The [Microsoft.Azure.cosmos NuGet package](https://www.nuget.org/packages/Microsoft.Azure.cosmos/)

-An Azure subscription or free Cosmos DB trial account

-The [RunDatabaseDemo](https://github.com/Azure/azure-cosmos-dotnet-v3/blob/master/Microsoft.Azure.Cosmos.Samples/Usage/DatabaseManagement/Program.cs#L65-L91) method of the sample *DatabaseManagement* project shows how to do the following tasks. To learn about Azure Cosmos databases before you run the following samples, see [Work with databases, containers, and items](../account-databases-containers-items.md).

-The [RunContainerDemo](https://github.com/Azure/azure-cosmos-dotnet-v3/blob/master/Microsoft.Azure.Cosmos.Samples/Usage/ContainerManagement/Program.cs#L69-L89) method of the sample *ContainerManagement* project shows how to do the following tasks. To learn about Azure Cosmos containers before you run the following samples, see [Work with databases, containers, and items](../account-databases-containers-items.md).

-The [RunItemsDemo](https://github.com/Azure/azure-cosmos-dotnet-v3/blob/master/Microsoft.Azure.Cosmos.Samples/Usage/ItemManagement/Program.cs#L119-L130) method of the sample *ItemManagement* project shows how to do the following tasks. To learn about Azure Cosmos items before you run the following samples, see [Work with databases, containers, and items](../account-databases-containers-items.md).

-The [RunDemoAsync](https://github.com/Azure/azure-cosmos-dotnet-v3/blob/master/Microsoft.Azure.Cosmos.Samples/Usage/Queries/Program.cs#L76-L96) method of the sample *Queries* project shows how to do the following tasks using the SQL query grammar, the LINQ provider with query, and Lambda. To learn about the SQL query reference in Azure Cosmos DB before you run the following samples, see [SQL query examples for Azure Cosmos DB](./sql-query-getting-started.md).

-| [Migrate from change feed processor to change feed in V3 SDK](https://github.com/Azure/azure-cosmos-dotnet-v3/blob/master/Microsoft.Azure.Cosmos.Samples/Usage/ChangeFeed/Program.cs#L256-L333) |[Container.GetChangeFeedProcessorBuilder](/dotnet/api/microsoft.azure.cosmos.container.getchangefeedprocessorbuilder) |

-## Custom Serialization

-The [SystemTextJson](https://github.com/Azure/azure-cosmos-dotnet-v3/blob/master/Microsoft.Azure.Cosmos.Samples/Usage/SystemTextJson/Program.cs) sample project shows how to use a custom serializer when initializing a new `CosmosClient` object. The sample also includes [a custom `CosmosSerializer` class](https://github.com/Azure/azure-cosmos-dotnet-v3/blob/master/Microsoft.Azure.Cosmos.Samples/Usage/SystemTextJson/CosmosSystemTextJsonSerializer.cs) which leverages `System.Text.Json` for serialization and deserialization.

-* If all you know is the number of vcores and servers in your existing database cluster, read about [estimating request units using vCores or vCPUs](../convert-vcore-to-request-unit.md)

-* If you know typical request rates for your current database workload, read about [estimating request units using Azure Cosmos DB capacity planner](estimate-ru-with-capacity-planner.md)

-description: Learn how to diagnose and fix slow requests when using Azure Cosmos DB .NET SDK.

-# Diagnose and troubleshoot Azure Cosmos DB .NET SDK slow requests

-Azure Cosmos DB slow requests can happen for multiple reasons such as request throttling or the way your application is designed. This article explains the different root causes for this issue.

-## Request rate too large (429 throttles)

-Request throttling is the most common reason for slow requests. Azure Cosmos DB will throttle requests if they exceed the allocated RUs for the database or container. The SDK has built-in logic to retry these requests. The [request rate too large](troubleshoot-request-rate-too-large.md#how-to-investigate) troubleshooting article explains how to check if the requests are being throttled and how to scale your account to avoid these issues in the future.

-If your application doesn't follow the SDK best practices, it can result in different issues that will cause slow or failed requests. Follow the [.NET SDK best practices](performance-tips-dotnet-sdk-v3-sql.md) for the best performance.

-* Application should be in the same region as your Azure Cosmos DB account.

-* Singleton instance of the SDK instance. The SDK has several caches that have to be initialized which may slow down the first few requests.

-* Use Direct + TCP connectivity mode

-* Avoid High CPU. Make sure to look at Max CPU and not average, which is the default for most logging systems. Anything above roughly 40% can increase the latency.

-Do not verify a Database and/or Container exists by calling `Create...IfNotExistsAsync` and/or `Read...Async` in the hot path and/or before doing an item operation. The validation should only be done on application startup when it is necessary, if you expect them to be deleted (otherwise it's not needed). These metadata operations will generate extra end-to-end latency, have no SLA, and their own separate [limitations](https://aka.ms/CosmosDB/sql/errors/metadata-429) that do not scale like data operations.

-All the responses in the SDK including `CosmosException` have a Diagnostics property. This property records all the information related to the single request including if there were retries or any transient failures.

-The Diagnostics are returned as a string. The string changes with each version as it is improved to better troubleshooting different scenarios. With each version of the SDK, the string will have breaking changes to the formatting. Do not parse the string to avoid breaking changes. The following code sample shows how to read diagnostic logs using the .NET SDK:

-## Diagnostics in version 3.19 and higher

-The JSON structure has breaking changes with each version of the SDK. This makes it unsafe to be parsed. The JSON represents a tree structure of the request going through the SDK. This covers a few key things to look at:

-High CPU utilization is the most common cause for slow requests. For optimal latency, CPU usage should be roughly 40 percent. Use 10 seconds as the interval to monitor maximum (not average) CPU utilization. CPU spikes are more common with cross-partition queries where the requests might do multiple connections for a single query.

-# [3.21 or greater SDK](#tab/cpu-new)

-The timeouts will contain *Diagnostics*, which contain:

-* If the `cpu` values are over 70%, the timeout is likely to be caused by CPU exhaustion. In this case, the solution is to investigate the source of the high CPU utilization and reduce it, or scale the machine to a larger resource size.

-* If the `threadInfo/isThreadStarving` nodes have `True` values, the cause is thread starvation. In this case the solution is to investigate the source/s of the thread starvation (potentially locked threads), or scale the machine/s to a larger resource size.

-* If the `dateUtc` time in-between measurements is not approximately 10 seconds, it also would indicate contention on the thread pool. CPU is measured as an independent Task that is enqueued in the thread pool every 10 seconds, if the time in-between measurement is longer, it would indicate that the async Tasks are not able to be processed in a timely fashion. Most common scenarios are when doing [blocking calls over async code](https://github.com/davidfowl/AspNetCoreDiagnosticScenarios/blob/master/AsyncGuidance.md#avoid-using-taskresult-and-taskwait) in the application code.

-If the error contains `TransportException` information, it might contain also `CPU History`:

-* If the CPU measurements are over 70%, the timeout is likely to be caused by CPU exhaustion. In this case, the solution is to investigate the source of the high CPU utilization and reduce it, or scale the machine to a larger resource size.

-* If the CPU measurements are not happening every 10 seconds (e.g., gaps or measurement times indicate larger times in between measurements), the cause is thread starvation. In this case the solution is to investigate the source/s of the thread starvation (potentially locked threads), or scale the machine/s to a larger resource size.

-#### Solution:

-The client application that uses the SDK should be scaled up or out.

-HttpResponseStats are request going to [gateway](sql-sdk-connection-modes.md). Even in Direct mode the SDK gets all the meta data information from the gateway.

-If the request is slow, first verify all the suggestions above don't yield results.

-If it is still slow different patterns point to different issues:

-Single store result for a single request

-| Single to all | Request Timeout or HttpRequestExceptions | Points to [SNAT Port exhaustion](troubleshoot-dot-net-sdk.md#snat) or lack of resources on the machine to process request in time. |

-| Single or small percentage (SLA is not violated) | All | A single or small percentage of slow requests can be caused by several different transient issues and should be expected. |

-| All | All | Points to an issue with the infrastructure or networking. |

-| SLA Violated | No changes to application and SLA dropped | Points to an issue with the Azure Cosmos DB service. |

-StoreResult represents a single request to Azure Cosmos DB using Direct mode with TCP protocol.

-If it is still slow different patterns point to different issues:

-Single store result for a single request

-| Single to all | StoreResult contains TransportException | Points to [SNAT Port exhaustion](troubleshoot-dot-net-sdk.md#snat) or lack of resources on the machine to process request in time. |

-| Single or small percentage (SLA is not violated) | All | A single or small percentage of slow requests can be caused by several different transient issues and should be expected. |

-| All | All | An issue with the infrastructure or networking. |

-| SLA Violated | Requests contain multiple failure error codes like 410 and IsValid is true | Points to an issue with the Cosmos DB service |

-| SLA Violated | Requests contain multiple failure error codes like 410 and IsValid is false | Points to an issue with the machine |

-| SLA Violated | StorePhysicalAddress is the same with no failure status code | Likely an issue with Cosmos DB service |

-| SLA Violated | StorePhysicalAddress have the same partition ID but different replica IDs with no failure status code | Likely an issue with the Cosmos DB service |

-| SLA Violated | StorePhysicalAddress are random with no failure status code | Points to an issue with the machine |

-Multiple StoreResults for single request:

-* Strong and bounded staleness consistency will always have at least two store results

-* Check the status code of each StoreResult. The SDK retries automatically on multiple different [transient failures](troubleshoot-dot-net-sdk-request-timeout.md). The SDK is constantly being improved to cover more scenarios.

-* ChannelAcquisitionStarted: The time to get or create a new connection. New connections can be created for numerous different regions. For example, a connection was unexpectedly closed or too many requests were getting sent through the existing connections so a new connection is being created.

-* Pipelined time is large points to possibly a large request.

-* Transit time is large, which leads to a networking issue. Compare this number to the `BELatencyInMs`. If the BELatencyInMs is small, then the time was spent on the network and not on the Azure Cosmos DB service.

-* Received time is large this points to a thread starvation issue. This the time between having the response and returning the result.

-Contact [Azure Support](https://aka.ms/azure-support).

-* [Diagnose and troubleshoot](troubleshoot-dot-net-sdk.md) issues when you use the Azure Cosmos DB .NET SDK.

- 

-Besides the standard Python libraries, several commonly used python libraries are included:

-3. In the **Activate** pane, enter the **Activation key** that you got in [Get the activation key for Azure Stack Edge Pro](azure-stack-edge-gpu-deploy-prep.md#get-the-activation-key).

-> [Configure compute to deploy IoT Edge and Kubernetes workloads on Azure Stack Edge](./azure-stack-edge-pro-2-deploy-configure-compute.md)

- 

- At any time, you can select a certificate and view the details to ensure that these match with the certificate that you uploaded.

- 

- The certificate page should update to reflect the newly added certificates.

- 

-To learn how to activate your Azure Stack Edge Pro GPU device, see:

-> [Activate Azure Stack Edge Pro GPU device](./azure-stack-edge-gpu-deploy-activate.md)

-az role assignment create --roleName "DevTest Labs User" --signInName <email@company.com> -ΓÇôresource-name "<Lab Name>" --resource-type "Microsoft.DevTestLab/labs" --resource-group "<Resource Group Name>"

-This article explains Azure Digital Twins security best practices. It covers roles and permissions, managed identity, private network access with Azure Private Link (preview), service tags, encryption of data at rest, and Cross-Origin Resource Sharing (CORS).

-## Private network access with Azure Private Link (preview)

-For instructions on how to set up Private Link for Azure Digital Twins, see [Enable private access with Private Link (preview)](./how-to-enable-private-link.md).

-# Enable private access with Private Link (preview)

-This article describes the different ways to [enable Private Link with a private endpoint for an Azure Digital Twins instance](concepts-security.md#private-network-access-with-azure-private-link-preview) (currently in preview). Configuring a private endpoint for your Azure Digital Twins instance enables you to secure your Azure Digital Twins instance and eliminate public exposure. Additionally, it helps avoid data exfiltration from your [Azure Virtual Network (VNet)](../virtual-network/virtual-networks-overview.md).

-1. Select **Networking (preview)** in the left-hand menu.

-Once a private endpoint has been created for your Azure Digital Twins instance, you can view it in the **Networking (preview)** tab for your Azure Digital Twins instance. This page will show all the private endpoint connections associated with the instance.

-1. Select **Networking (preview)** in the left-hand menu.

-Enter the query you want to run and select the **Run Query** button. Doing so will load the query results in the **Twin Graph** panel.

-Doing so will bring up the **Create Relationship** dialog, which shows the source twin and target twin of the relationship, followed by a **Relationship** dropdown menu that contains the types of relationship that the source twin can have (defined in its DTDL model). Select an option for the relationship type, and **Save** the new relationship.

- - Owner or Contributor role for the Azure Resource Groups containing the target Azure SQL Managed Instance or the Azure storage account.

- - Owner or Contributor role for the Azure Resource Groups containing the target Azure SQL Managed Instance or the Azure storage account.

-1. If you picked the first option for network share, provide details of your source SQL Server, source backup location, target database name and Azure storage account for the backup files to be uploaded to.

-1. If you picked the second option for backups stored in an Azure Blob Container specify the **Target database name**, **Resource group**, **Azure storage account**, **Blob container** and **Last backup file** from the corresponding drop-down lists. This Azure storage account will be used by DMS to upload the database backups from network share. You do not need to create a container as DMS will automatically create a blob container in the specified storage account during the upload process.

- - Owner or Contributor role for the Azure Resource Groups containing the target Azure SQL Managed Instance or the Azure storage account.

-4. After selecting the backup location, provide details of your source SQL Server and source backup location.

-5. Specify the **Azure storage account** by selecting the **Subscription**, **Location**, and **Resource Group** from the corresponding drop-down lists. This Azure storage account will be used by DMS to upload the database backups from network share. You don't need to create a container as DMS will automatically create a blob container in the specified storage account during the upload process.

- - Owner or Contributor role for the Azure Resource Groups containing the target Azure SQL Managed Instance or the Azure storage account.

-4. After selecting the backup location, provide details of your source SQL Server and source backup location.

-5. Specify the **Azure storage account** by selecting the **Subscription**, **Location**, and **Resource Group** from the corresponding drop-down lists. This Azure storage account will be used by DMS to upload the database backups from network share. You don't need to create a container as DMS will automatically create a blob container in the specified storage account during the upload process.

-Therefore, the premium tier is often a more cost effective option for mid-range (<120MB/sec) throughput requirements, especially with changing loads throughout the day or week, when compared to the dedicated tier.

-How much you can ingest and stream with a processing unit depends on various factors such as your producers, consumers, the rate at which you're ingesting and processing, and much more. One processing unit can approximately offer core capacity of ~5-10 MB/s ingress and 10-20 MB/s egress, given that we have sufficient partitions so that storage is not a throttling factor.

-In this article, you uploaded a BAM file into Azure Storage and submitted a workflow to the Microsoft Genomics service through the `msgen` python client. For additional information regarding workflow submission and other commands you can use with the Microsoft Genomics service, see our [FAQ](frequently-asked-questions-genomics.yml).

-In this article, you uploaded multiple BAM files or paired FASTQ files into Azure Storage and submitted a workflow to the Microsoft Genomics service through the `msgen` python client. For more information regarding workflow submission and other commands you can use with the Microsoft Genomics service, see the [FAQ](frequently-asked-questions-genomics.yml).

-In this article, you uploaded a pair of FASTQ files into Azure Storage and submitted a workflow to the Microsoft Genomics service through the `msgen` python client. To learn more about workflow submission and other commands you can use with the Microsoft Genomics service, see our [FAQ](frequently-asked-questions-genomics.yml).

-description: Overview of the CIS Microsoft Azure Foundations Benchmark v1.1.0 blueprint sample. This blueprint sample helps customers assess specific controls.

-# CIS Microsoft Azure Foundations Benchmark v1.1.0 blueprint sample

-The CIS Microsoft Azure Foundations Benchmark v1.1.0 blueprint sample provides governance guardrails

-using [Azure Policy](../../policy/overview.md) that help you assess specific CIS Microsoft Azure

-Foundations Benchmark recommendations. This blueprint helps customers deploy a core set of policies

-for any Azure-deployed architecture that must implement CIS Microsoft Azure Foundations Benchmark

-v1.1.0 recommendations.

-## Recommendation mapping

-The [Azure Policy recommendation mapping](../../policy/samples/cis-azure-1-1-0.md) provides details

-on policy definitions included within this blueprint and how these policy definitions map to the

-**recommendations** in CIS Microsoft Azure Foundations Benchmark v1.1.0. When assigned to an

-architecture, resources are evaluated by Azure Policy for non-compliance with assigned policy

-definitions. For more information, see [Azure Policy](../../policy/overview.md).

-## Deploy

-To deploy the Azure Blueprints CIS Microsoft Azure Foundations Benchmark v1.1.0 blueprint sample,

-the following steps must be taken:

-> [!div class="checklist"]

-> - Create a new blueprint from the sample

-> - Mark your copy of the sample as **Published**

-> - Assign your copy of the blueprint to an existing subscription

-If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free)

-before you begin.

-### Create blueprint from sample

-First, implement the blueprint sample by creating a new blueprint in your environment using the

-sample as a starter.

-1. Select **All services** in the left pane. Search for and select **Blueprints**.

-1. From the **Getting started** page on the left, select the **Create** button under _Create a

- blueprint_.

-1. Find the **CIS Microsoft Azure Foundations Benchmark v1.1.0** blueprint sample under _Other

- Samples_ and select **Use this sample**.

-1. Enter the _Basics_ of the blueprint sample:

- - **Blueprint name**: Provide a name for your copy of the CIS Microsoft Azure Foundations

- Benchmark blueprint sample.

- - **Definition location**: Use the ellipsis and select the management group to save your copy of

- the sample to.

-1. Select the _Artifacts_ tab at the top of the page or **Next: Artifacts** at the bottom of the

- page.

-1. Review the list of artifacts that are included in the blueprint sample. Many of the artifacts

- have parameters that we'll define later. Select **Save Draft** when you've finished reviewing the

- blueprint sample.

-### Publish the sample copy

-Your copy of the blueprint sample has now been created in your environment. It's created in

-**Draft** mode and must be **Published** before it can be assigned and deployed. The copy of the

-blueprint sample can be customized to your environment and needs, but that modification may move it

-away from alignment with CIS Microsoft Azure Foundations Benchmark v1.1.0 recommendations.

-1. Select **All services** in the left pane. Search for and select **Blueprints**.

-1. Select the **Blueprint definitions** page on the left. Use the filters to find your copy of the

- blueprint sample and then select it.

-1. Select **Publish blueprint** at the top of the page. In the new page on the right, provide a

- **Version** for your copy of the blueprint sample. This property is useful for if you make a

- modification later. Provide **Change notes** such as "First version published from the CIS

- Microsoft Azure Foundations Benchmark blueprint sample." Then select **Publish** at the bottom of

- the page.

-### Assign the sample copy

-Once the copy of the blueprint sample has been successfully **Published**, it can be assigned to a

-subscription within the management group it was saved to. This step is where parameters are provided

-to make each deployment of the copy of the blueprint sample unique.

-1. Select **All services** in the left pane. Search for and select **Blueprints**.

-1. Select the **Blueprint definitions** page on the left. Use the filters to find your copy of the

- blueprint sample and then select it.

-1. Select **Assign blueprint** at the top of the blueprint definition page.

-1. Provide the parameter values for the blueprint assignment:

- - Basics

- - **Subscriptions**: Select one or more of the subscriptions that are in the management group

- you saved your copy of the blueprint sample to. If you select more than one subscription, an

- assignment will be created for each using the parameters entered.

- - **Assignment name**: The name is pre-populated for you based on the name of the blueprint.

- Change as needed or leave as is.

- - **Location**: Select a region for the managed identity to be created in. Azure Blueprints uses

- this managed identity to deploy all artifacts in the assigned blueprint. To learn more, see

- [managed identities for Azure resources](../../../active-directory/managed-identities-azure-resources/overview.md).

- - **Blueprint definition version**: Pick a **Published** version of your copy of the blueprint

- sample.

- - Lock Assignment

- Select the blueprint lock setting for your environment. For more information, see

- [blueprints resource locking](../concepts/resource-locking.md).

- - Managed Identity

- Leave the default _system assigned_ managed identity option.

- - Artifact parameters

- The parameters defined in this section apply to the artifact under which it's defined. These

- parameters are [dynamic parameters](../concepts/parameters.md#dynamic-parameters) since

- they're defined during the assignment of the blueprint. For a full list or artifact parameters

- and their descriptions, see [Artifact parameters table](#artifact-parameters-table).

-1. Once all parameters have been entered, select **Assign** at the bottom of the page. The blueprint

- assignment is created and artifact deployment begins. Deployment takes roughly an hour. To check

- on the status of deployment, open the blueprint assignment.

-> [!WARNING]

-> The Azure Blueprints service and the built-in blueprint samples are **free of cost**. Azure

-> resources are [priced by product](https://azure.microsoft.com/pricing/). Use the

-> [pricing calculator](https://azure.microsoft.com/pricing/calculator/) to estimate the cost of

-> running resources deployed by this blueprint sample.

-### Artifact parameters table

-The following table provides a list of the blueprint artifact parameters:

-|Artifact name|Artifact type|Parameter name|Description|

-|-|-|-|-|

-|Audit CIS Microsoft Azure Foundations Benchmark v1.1.0 recommendations and deploy specific supporting VM Extensions|Policy assignment|List of regions where Network Watcher should be enabled|A semicolon-separated list of regions. To see a complete list of regions use Get-AzLocation. Ex: eastus; eastus2|

-|Audit CIS Microsoft Azure Foundations Benchmark v1.1.0 recommendations and deploy specific supporting VM Extensions|Policy assignment|List of virtual machine extensions that are approved for use|A semicolon-separated list of extensions. To see a complete list of virtual machine extensions, use Get-AzVMExtensionImage. Ex: AzureDiskEncryption; IaaSAntimalware|

-## Next steps

-Additional articles about blueprints and how to use them:

-description: Overview of the CIS Microsoft Azure Foundations Benchmark v1.3.0 blueprint sample. This blueprint sample helps customers assess specific controls.

-# CIS Microsoft Azure Foundations Benchmark v1.3.0 blueprint sample

-The CIS Microsoft Azure Foundations Benchmark v1.3.0 blueprint sample provides governance guardrails

-using [Azure Policy](../../policy/overview.md) that help you assess specific CIS Microsoft Azure

-Foundations Benchmark v1.3.0 recommendations. This blueprint helps customers deploy a core set of

-policies for any Azure-deployed architecture that must implement CIS Microsoft Azure Foundations

-Benchmark v1.3.0 recommendations.

-## Recommendation mapping

-The [Azure Policy recommendation mapping](../../policy/samples/cis-azure-1-3-0.md) provides details

-on policy definitions included within this blueprint and how these policy definitions map to the

-**recommendations** in CIS Microsoft Azure Foundations Benchmark v1.3.0. When assigned to an

-architecture, resources are evaluated by Azure Policy for non-compliance with assigned policy

-definitions. For more information, see [Azure Policy](../../policy/overview.md).

-## Deploy

-To deploy the Azure Blueprints CIS Microsoft Azure Foundations Benchmark v1.3.0 blueprint sample,

-the following steps must be taken:

-> [!div class="checklist"]

-> - Create a new blueprint from the sample

-> - Mark your copy of the sample as **Published**

-> - Assign your copy of the blueprint to an existing subscription

-If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free)

-before you begin.

-### Create blueprint from sample

-First, implement the blueprint sample by creating a new blueprint in your environment using the

-sample as a starter.

-1. Select **All services** in the left pane. Search for and select **Blueprints**.

-1. From the **Getting started** page on the left, select the **Create** button under _Create a

- blueprint_.

-1. Find the **CIS Microsoft Azure Foundations Benchmark v1.3.0** blueprint sample under _Other

- Samples_ and select **Use this sample**.

-1. Enter the _Basics_ of the blueprint sample:

- - **Blueprint name**: Provide a name for your copy of the CIS Microsoft Azure Foundations

- Benchmark blueprint sample.

- - **Definition location**: Use the ellipsis and select the management group to save your copy of

- the sample to.

-1. Select the _Artifacts_ tab at the top of the page or **Next: Artifacts** at the bottom of the

- page.

-1. Review the list of artifacts that are included in the blueprint sample. Many of the artifacts

- have parameters that we'll define later. Select **Save Draft** when you've finished reviewing the

- blueprint sample.

-### Publish the sample copy

-Your copy of the blueprint sample has now been created in your environment. It's created in

-**Draft** mode and must be **Published** before it can be assigned and deployed. The copy of the

-blueprint sample can be customized to your environment and needs, but that modification may move it

-away from alignment with CIS Microsoft Azure Foundations Benchmark v1.3.0 recommendations.

-1. Select **All services** in the left pane. Search for and select **Blueprints**.

-1. Select the **Blueprint definitions** page on the left. Use the filters to find your copy of the

- blueprint sample and then select it.

-1. Select **Publish blueprint** at the top of the page. In the new page on the right, provide a

- **Version** for your copy of the blueprint sample. This property is useful for if you make a

- modification later. Provide **Change notes** such as "First version published from the CIS

- Microsoft Azure Foundations Benchmark blueprint sample." Then select **Publish** at the bottom of

- the page.

-### Assign the sample copy

-Once the copy of the blueprint sample has been successfully **Published**, it can be assigned to a

-subscription within the management group it was saved to. This step is where parameters are provided

-to make each deployment of the copy of the blueprint sample unique.

-1. Select **All services** in the left pane. Search for and select **Blueprints**.

-1. Select the **Blueprint definitions** page on the left. Use the filters to find your copy of the

- blueprint sample and then select it.

-1. Select **Assign blueprint** at the top of the blueprint definition page.

-1. Provide the parameter values for the blueprint assignment:

- - Basics

- - **Subscriptions**: Select one or more of the subscriptions that are in the management group

- you saved your copy of the blueprint sample to. If you select more than one subscription, an

- assignment will be created for each using the parameters entered.

- - **Assignment name**: The name is pre-populated for you based on the name of the blueprint.

- Change as needed or leave as is.

- - **Location**: Select a region for the managed identity to be created in. Azure Blueprints uses

- this managed identity to deploy all artifacts in the assigned blueprint. To learn more, see

- [managed identities for Azure resources](../../../active-directory/managed-identities-azure-resources/overview.md).

- - **Blueprint definition version**: Pick a **Published** version of your copy of the blueprint

- sample.

- - Lock Assignment

- Select the blueprint lock setting for your environment. For more information, see

- [blueprints resource locking](../concepts/resource-locking.md).

- - Managed Identity

- Leave the default _system assigned_ managed identity option.

- - Artifact parameters

- The parameters defined in this section apply to the artifact under which it's defined. These

- parameters are [dynamic parameters](../concepts/parameters.md#dynamic-parameters) since

- they're defined during the assignment of the blueprint. For a full list or artifact parameters

- and their descriptions, see [Artifact parameters table](#artifact-parameters-table).

-1. Once all parameters have been entered, select **Assign** at the bottom of the page. The blueprint

- assignment is created and artifact deployment begins. Deployment takes roughly an hour. To check

- on the status of deployment, open the blueprint assignment.

-> [!WARNING]

-> The Azure Blueprints service and the built-in blueprint samples are **free of cost**. Azure

-> resources are [priced by product](https://azure.microsoft.com/pricing/). Use the

-> [pricing calculator](https://azure.microsoft.com/pricing/calculator/) to estimate the cost of

-> running resources deployed by this blueprint sample.

-### Artifact parameters table

-The following table provides a list of the blueprint artifact parameters:

-|Artifact name|Artifact type|Parameter name|Description|

-|-|-|-|-|

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|List of virtual machine extensions that are approved for use|A semicolon-separated list of virtual machine extensions; to see a complete list of extensions, use the Azure PowerShell command Get-AzVMExtensionImage|

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: SQL managed instances should use customer-managed keys to encrypt data at rest|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Diagnostic logs in Azure Data Lake Store should be enabled|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Disk encryption should be applied on virtual machines|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Key vault should have purge protection enabled|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Ensure API app has 'Client Certificates (Incoming client certificates)' set to 'On'|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: SQL servers should use customer-managed keys to encrypt data at rest|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Managed identity should be used in your Function App|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Azure Defender for Key Vault should be enabled|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Custom subscription owner roles should not exist|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Keys should have expiration dates set|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Transparent Data Encryption on SQL databases should be enabled|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Vulnerability assessment should be enabled on SQL Managed Instance|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Ensure that 'PHP version' is the latest, if used as a part of the API app|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: An Azure Active Directory administrator should be provisioned for SQL servers|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Azure Defender for App Service should be enabled|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Storage accounts should restrict network access using virtual network rules|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Managed identity should be used in your Web App|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: SSH access from the Internet should be blocked|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Unattached disks should be encrypted|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Azure Defender for Storage should be enabled|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Storage accounts should restrict network access|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Diagnostic logs in Logic Apps should be enabled|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Diagnostic logs in IoT Hub should be enabled|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: FTPS only should be required in your Function App|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: An activity log alert should exist for specific Security operations (Microsoft.Security/securitySolutions/delete)|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: An activity log alert should exist for specific Security operations (Microsoft.Security/securitySolutions/write)|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Secure transfer to storage accounts should be enabled|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Diagnostic logs in Batch accounts should be enabled|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Auto provisioning of the Log Analytics agent should be enabled on your subscription|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Ensure that 'Java version' is the latest, if used as a part of the Web app|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: FTPS should be required in your Web App|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Azure Defender for servers should be enabled|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Subscriptions should have a contact email address for security issues|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Storage account public access should be disallowed|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Azure Defender for Kubernetes should be enabled|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Connection throttling should be enabled for PostgreSQL database servers|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On'|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: External accounts with write permissions should be removed from your subscription|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: External accounts with read permissions should be removed from your subscription|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Azure Defender for SQL servers on machines should be enabled|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Email notification for high severity alerts should be enabled|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Storage account should use customer-managed key for encryption|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Ensure that 'Python version' is the latest, if used as a part of the Web app|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Ensure that 'Python version' is the latest, if used as a part of the Function app|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Ensure that 'PHP version' is the latest, if used as a part of the WEB app|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Ensure that 'Python version' is the latest, if used as a part of the API app|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Diagnostic logs in Virtual Machine Scale Sets should be enabled|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Azure Defender for Azure SQL Database servers should be enabled|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Diagnostic logs in Event Hub should be enabled|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: System updates should be installed on your machines|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Ensure that 'Java version' is the latest, if used as a part of the API app|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: SQL servers should be configured with 90 days auditing retention or higher.|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Ensure that 'HTTP Version' is the latest, if used to run the Web app|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Latest TLS version should be used in your API App|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: MFA should be enabled accounts with write permissions on your subscription|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Authentication should be enabled on your web app|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Secrets should have expiration dates set|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Ensure that 'HTTP Version' is the latest, if used to run the API app|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: FTPS only should be required in your API App|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Ensure that 'Java version' is the latest, if used as a part of the Function app|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Web Application should only be accessible over HTTPS|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Auditing on SQL server should be enabled|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: MFA should be enabled on accounts with owner permissions on your subscription|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Advanced data security should be enabled on your SQL servers|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Advanced data security should be enabled on SQL Managed Instance|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Role-Based Access Control (RBAC) should be used on Kubernetes Services|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Monitor missing Endpoint Protection in Azure Security Center|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Diagnostic logs in Search services should be enabled|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Diagnostic logs in App Services should be enabled|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: An activity log alert should exist for specific Administrative operations (Microsoft.Network/networkSecurityGroups/delete) |For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: An activity log alert should exist for specific Administrative operations (Microsoft.Network/networkSecurityGroups/securityRules/delete) |For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: An activity log alert should exist for specific Administrative operations (Microsoft.Network/networkSecurityGroups/securityRules/write) |For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: An activity log alert should exist for specific Administrative operations (Microsoft.Network/networkSecurityGroups/write) |For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: An activity log alert should exist for specific Administrative operations (Microsoft.Sql/servers/firewallRules/delete) |For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: An activity log alert should exist for specific Administrative operations (Microsoft.Sql/servers/firewallRules/write) |For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Only approved VM extensions should be installed|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Azure Defender for container registries should be enabled|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Managed identity should be used in your API App|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Authentication should be enabled on your API app|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: An activity log alert should exist for specific Policy operations (Microsoft.Authorization/policyAssignments/delete) |For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: An activity log alert should exist for specific Policy operations (Microsoft.Authorization/policyAssignments/write) |For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Authentication should be enabled on your Function app|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Diagnostic logs in Data Lake Analytics should be enabled|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Storage accounts should allow access from trusted Microsoft services|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Diagnostic logs in Key Vault should be enabled|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Enforce SSL connection should be enabled for PostgreSQL database servers|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Ensure that 'HTTP Version' is the latest, if used to run the Function app|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: MFA should be enabled on accounts with read permissions on your subscription|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: RDP access from the Internet should be blocked|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Enforce SSL connection should be enabled for MySQL database servers|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Ensure Function app has 'Client Certificates (Incoming client certificates)' set to 'On'|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Log checkpoints should be enabled for PostgreSQL database servers|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Log connections should be enabled for PostgreSQL database servers|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Disconnections should be logged for PostgreSQL database servers.|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Vulnerability assessment should be enabled on your SQL servers|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Latest TLS version should be used in your Web App|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: External accounts with owner permissions should be removed from your subscription|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Diagnostic logs in Service Bus should be enabled|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Diagnostic logs in Azure Stream Analytics should be enabled|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Latest TLS version should be used in your Function App|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Effect for policy: Storage account containing the container with activity logs must be encrypted with BYOK|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Include AKS clusters when auditing if virtual machine scale set diagnostic logs are enabled||

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Latest Java version for App Services|Latest supported Java version for App Services|

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Latest Python version for Linux for App Services|Latest supported Python version for App Services|

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|List of regions where Network Watcher should be enabled|To see a complete list of regions, run the PowerShell command Get-AzLocation|

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Latest PHP version for App Services|Latest supported PHP version for App Services|

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Required retention period (days) for resource logs|For more information about resource logs, visit [https://aka.ms/resourcelogs](../../../azure-monitor/essentials/resource-logs.md) |

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Name of the resource group for Network Watcher|Name of the resource group where Network Watchers are located|

-|CIS Microsoft Azure Foundations Benchmark v1.3.0|Policy Assignment|Required auditing setting for SQL servers||

-## Next steps

-Additional articles about blueprints and how to use them:

-description: Overview of the CMMC Level 3 blueprint sample. This blueprint sample helps customers assess specific controls.

-# CMMC Level 3 blueprint sample

-The CMMC Level 3 blueprint sample provides governance guardrails using

-[Azure Policy](../../policy/overview.md) that help you assess specific

-[Cybersecurity Maturity Model Certification (CMMC) framework](https://www.acq.osd.mil/cmmc/https://docsupdatetracker.net/index.html)

-controls. This blueprint helps customers deploy a core set of policies for any Azure-deployed

-architecture that must implement controls for CMMC Level 3.

-## Control mapping

-The [Azure Policy control mapping](../../policy/samples/cmmc-l3.md) provides details on policy

-definitions included within this blueprint and how these policy definitions map to the **controls**

-in the CMMC framework. When assigned to an architecture, resources are evaluated by Azure Policy for

-non-compliance with assigned policy definitions. For more information, see

-[Azure Policy](../../policy/overview.md).

-## Deploy

-To deploy the Azure Blueprints CMMC Level 3 blueprint sample,

-the following steps must be taken:

-> [!div class="checklist"]

-> - Create a new blueprint from the sample

-> - Mark your copy of the sample as **Published**

-> - Assign your copy of the blueprint to an existing subscription

-If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free)

-before you begin.

-### Create blueprint from sample

-First, implement the blueprint sample by creating a new blueprint in your environment using the

-sample as a starter.

-1. Select **All services** in the left pane. Search for and select **Blueprints**.

-1. From the **Getting started** page on the left, select the **Create** button under _Create a

- blueprint_.

-1. Find the **CMMC Level 3** blueprint sample under _Other

- Samples_ and select **Use this sample**.

-1. Enter the _Basics_ of the blueprint sample:

- - **Blueprint name**: Provide a name for your copy of the CMMC Level 3 blueprint

- sample.

- - **Definition location**: Use the ellipsis and select the management group to save your copy of

- the sample to.

-1. Select the _Artifacts_ tab at the top of the page or **Next: Artifacts** at the bottom of the

- page.

-1. Review the list of artifacts that are included in the blueprint sample. Many of the artifacts

- have parameters that we'll define later. Select **Save Draft** when you've finished reviewing the

- blueprint sample.

-### Publish the sample copy

-Your copy of the blueprint sample has now been created in your environment. It's created in

-**Draft** mode and must be **Published** before it can be assigned and deployed. The copy of the

-blueprint sample can be customized to your environment and needs, but that modification may move it

-away from alignment with CMMC Level 3 controls.

-1. Select **All services** in the left pane. Search for and select **Blueprints**.

-1. Select the **Blueprint definitions** page on the left. Use the filters to find your copy of the

- blueprint sample and then select it.

-1. Select **Publish blueprint** at the top of the page. In the new page on the right, provide a

- **Version** for your copy of the blueprint sample. This property is useful for if you make a

- modification later. Provide **Change notes** such as "First version published from the CMMC Level

- 3 blueprint sample." Then select **Publish** at the bottom of the page.

-### Assign the sample copy

-Once the copy of the blueprint sample has been successfully **Published**, it can be assigned to a

-subscription within the management group it was saved to. This step is where parameters are provided

-to make each deployment of the copy of the blueprint sample unique.

-1. Select **All services** in the left pane. Search for and select **Blueprints**.

-1. Select the **Blueprint definitions** page on the left. Use the filters to find your copy of the

- blueprint sample and then select it.

-1. Select **Assign blueprint** at the top of the blueprint definition page.

-1. Provide the parameter values for the blueprint assignment:

- - Basics

- - **Subscriptions**: Select one or more of the subscriptions that are in the management group

- you saved your copy of the blueprint sample to. If you select more than one subscription, an

- assignment will be created for each using the parameters entered.

- - **Assignment name**: The name is pre-populated for you based on the name of the blueprint.

- Change as needed or leave as is.

- - **Location**: Select a region for the managed identity to be created in. Azure Blueprints uses

- this managed identity to deploy all artifacts in the assigned blueprint. To learn more, see

- [managed identities for Azure resources](../../../active-directory/managed-identities-azure-resources/overview.md).

- - **Blueprint definition version**: Pick a **Published** version of your copy of the blueprint

- sample.

- - Lock Assignment

- Select the blueprint lock setting for your environment. For more information, see

- [blueprints resource locking](../concepts/resource-locking.md).

- - Managed Identity

- Leave the default _system assigned_ managed identity option.

- - Artifact parameters

- The parameters defined in this section apply to the artifact under which it's defined. These

- parameters are [dynamic parameters](../concepts/parameters.md#dynamic-parameters) since

- they're defined during the assignment of the blueprint. For a full list or artifact parameters

- and their descriptions, see [Artifact parameters table](#artifact-parameters-table).

-1. Once all parameters have been entered, select **Assign** at the bottom of the page. The blueprint

- assignment is created and artifact deployment begins. Deployment takes roughly an hour. To check

- on the status of deployment, open the blueprint assignment.

-> [!WARNING]

-> The Azure Blueprints service and the built-in blueprint samples are **free of cost**. Azure

-> resources are [priced by product](https://azure.microsoft.com/pricing/). Use the

-> [pricing calculator](https://azure.microsoft.com/pricing/calculator/) to estimate the cost of

-> running resources deployed by this blueprint sample.

-### Artifact parameters table

-The following table provides a list of the blueprint artifact parameters:

-|Artifact name|Artifact type|Parameter name|Description|

-|-|-|-|-|

-|CMMC Level 3|Policy Assignment|Include Arc-connected servers when evaluating guest configuration policies|By selecting 'true', you agree to be charged monthly per Arc connected machine; for more information, visit https://aka.ms/policy-pricing|

-|CMMC Level 3|Policy Assignment|List of users that must be excluded from Windows VM Administrators group|A semicolon-separated list of users that should be excluded in the Administrators local group; Ex: Administrator; myUser1; myUser2|

-|CMMC Level 3|Policy Assignment|List of users that must be included in Windows VM Administrators group|A semicolon-separated list of users that should be included in the Administrators local group; Ex: Administrator; myUser1; myUser2|

-|CMMC Level 3|Policy Assignment|Log Analytics workspace ID for VM agent reporting|ID (GUID) of the Log Analytics workspace where VMs agents should report|

-|CMMC Level 3|Policy Assignment|Allowed elliptic curve names|The list of allowed curve names for elliptic curve cryptography certificates.|

-|CMMC Level 3|Policy Assignment|Allowed key types|The list of allowed key types|

-|CMMC Level 3|Policy Assignment|Allow host network usage for Kubernetes cluster pods|Set this value to true if pod is allowed to use host network otherwise false.|

-|CMMC Level 3|Policy Assignment|Audit Authentication Policy Change|Specifies whether audit events are generated when changes are made to authentication policy. This setting is useful for tracking changes in domain-level and forest-level trust and privileges that are granted to user accounts or groups.|

-|CMMC Level 3|Policy Assignment|Audit Authorization Policy Change|Specifies whether audit events are generated for assignment and removal of user rights in user right policies, changes in security token object permission, resource attributes changes and Central Access Policy changes for file system objects.|

-|CMMC Level 3|Policy Assignment|Effect for policy: Azure Backup should be enabled for Virtual Machines|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Cognitive Services accounts should restrict network access|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: SQL managed instances should use customer-managed keys to encrypt data at rest|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Azure API for FHIR should use a customer-managed key (CMK) to encrypt data at rest|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Web Application Firewall (WAF) should be enabled for Azure Front Door Service|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Public network access should be disabled for Cognitive Services accounts|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: CORS should not allow every resource to access your Function Apps|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Adaptive network hardening recommendations should be applied on internet facing virtual machines|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: There should be more than one owner assigned to your subscription|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Disk encryption should be applied on virtual machines|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Email notification to subscription owner for high severity alerts should be enabled|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Key vault should have purge protection enabled|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: SQL servers should use customer-managed keys to encrypt data at rest|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Remote debugging should be turned off for Function Apps|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Azure Defender for Key Vault should be enabled|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Geo-redundant backup should be enabled for Azure Database for MariaDB|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: CORS should not allow every domain to access your API for FHIR|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Windows machines should meet requirements for 'Security Options - Network Security'|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Allowlist rules in your adaptive application control policy should be updated|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Web Application Firewall (WAF) should use the specified mode for Application Gateway|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Keys should have expiration dates set|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Transparent Data Encryption on SQL databases should be enabled|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action'|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Vulnerability assessment should be enabled on SQL Managed Instance|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Ensure that 'PHP version' is the latest, if used as a part of the API app|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Key vault should have soft delete enabled|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: An Azure Active Directory administrator should be provisioned for SQL servers|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Only secure connections to your Azure Cache for Redis should be enabled|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Infrastructure encryption should be enabled for Azure Database for PostgreSQL servers|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Endpoint protection solution should be installed on virtual machine scale sets|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Azure Defender for App Service should be enabled|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Windows machines should meet requirements for 'System Audit Policies - Policy Change'|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Cognitive Services accounts should enable data encryption|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: SSH access from the Internet should be blocked|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Unattached disks should be encrypted|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Azure Defender for Storage should be enabled|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Storage accounts should restrict network access|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: CORS should not allow every resource to access your API App|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Deploy Advanced Threat Protection on Storage Accounts|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Automation account variables should be encrypted|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Diagnostic logs in IoT Hub should be enabled|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Infrastructure encryption should be enabled for Azure Database for MySQL servers|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: An activity log alert should exist for specific Security operations (Microsoft.Security/securitySolutions/delete)|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Vulnerabilities in security configuration on your virtual machine scale sets should be remediated|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Windows machines should meet requirements for 'Security Options - Network Access'|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Secure transfer to storage accounts should be enabled|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Azure Monitor should collect activity logs from all regions|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Web Application Firewall (WAF) should use the specified mode for Azure Front Door Service|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Storage accounts should have infrastructure encryption|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Adaptive application controls for defining safe applications should be enabled on your machines|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Geo-redundant backup should be enabled for Azure Database for PostgreSQL|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Windows machines should meet requirements for 'Security Options - User Account Control'|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Ensure that 'Java version' is the latest, if used as a part of the Web app|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Azure Defender for servers should be enabled|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: A maximum of 3 owners should be designated for your subscription|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Subscriptions should have a contact email address for security issues|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Storage account public access should be disallowed|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: A vulnerability assessment solution should be enabled on your virtual machines|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Azure Defender for Kubernetes should be enabled|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Firewall should be enabled on Key Vault|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Web Application Firewall (WAF) should be enabled for Application Gateway|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: CORS should not allow every resource to access your Web Applications|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Audit Windows machines that allow re-use of the previous 24 passwords|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Container registries should be encrypted with a customer-managed key (CMK)|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: External accounts with write permissions should be removed from your subscription|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Public network access should be disabled for PostgreSQL flexible servers|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Vulnerabilities in Azure Container Registry images should be remediated|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: External accounts with read permissions should be removed from your subscription|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Azure Defender for SQL servers on machines should be enabled|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Cognitive Services accounts should enable data encryption with customer-managed key|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Deprecated accounts should be removed from your subscription|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Function App should only be accessible over HTTPS|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Email notification for high severity alerts should be enabled|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Storage account should use customer-managed key for encryption|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Ensure that 'Python version' is the latest, if used as a part of the Web app|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Ensure that 'Python version' is the latest, if used as a part of the Function app|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Ensure that 'PHP version' is the latest, if used as a part of the WEB app|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Ensure that 'Python version' is the latest, if used as a part of the API app|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Keys should be the specified cryptographic type RSA or EC|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Azure subscriptions should have a log profile for Activity Log|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Azure Defender for Azure SQL Database servers should be enabled|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Azure Data Explorer encryption at rest should use a customer-managed key|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Keys using RSA cryptography should have a specified minimum key size|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Geo-redundant backup should be enabled for Azure Database for MySQL|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Kubernetes cluster pods should only use approved host network and port range|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: System updates should be installed on your machines|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Windows machines should meet requirements for 'System Audit Policies - Privilege Use'|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Azure Stream Analytics jobs should use customer-managed keys to encrypt data|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Ensure that 'Java version' is the latest, if used as a part of the API app|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Ensure that 'HTTP Version' is the latest, if used to run the Web app|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Latest TLS version should be used in your API App|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: MFA should be enabled accounts with write permissions on your subscription|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Ensure that 'HTTP Version' is the latest, if used to run the API app|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Microsoft IaaSAntimalware extension should be deployed on Windows servers|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Ensure that 'Java version' is the latest, if used as a part of the Function app|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: All network ports should be restricted on network security groups associated to your virtual machine|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Security Center standard pricing tier should be selected|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Audit Windows machines that do not restrict the minimum password length to 14 characters|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Audit usage of custom RBAC rules|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Web Application should only be accessible over HTTPS|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Auditing on SQL server should be enabled|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: The Log Analytics agent should be installed on virtual machines|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: MFA should be enabled on accounts with owner permissions on your subscription|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Advanced data security should be enabled on your SQL servers|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Advanced data security should be enabled on SQL Managed Instance|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Role-Based Access Control (RBAC) should be used on Kubernetes Services|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Virtual machines should have the Guest Configuration extension|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Monitor missing Endpoint Protection in Azure Security Center|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Activity log should be retained for at least one year|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Management ports of virtual machines should be protected with just-in-time network access control|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Public network access should be disabled for PostgreSQL servers|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Deploy Advanced Threat Protection for Cosmos DB Accounts|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Diagnostic logs in App Services should be enabled|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: API App should only be accessible over HTTPS|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: An activity log alert should exist for specific Administrative operations (Microsoft.ClassicNetwork/networkSecurityGroups/delete)|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: An activity log alert should exist for specific Administrative operations (Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/delete)|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: An activity log alert should exist for specific Administrative operations (Microsoft.Network/networkSecurityGroups/delete)|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: An activity log alert should exist for specific Administrative operations (Microsoft.Network/networkSecurityGroups/securityRules/delete)|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: An activity log alert should exist for specific Administrative operations (Microsoft.Sql/servers/firewallRules/delete)|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Non-internet-facing virtual machines should be protected with network security groups|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Audit Windows machines that do not have the password complexity setting enabled|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Azure Defender for container registries should be enabled|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Azure Data Box jobs should enable double encryption for data at rest on the device|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: System updates on virtual machine scale sets should be installed|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Microsoft Antimalware for Azure should be configured to automatically update protection signatures|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: An activity log alert should exist for specific Policy operations (Microsoft.Authorization/policyAssignments/delete)|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Public network access should be disabled for MySQL flexible servers|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Storage accounts should allow access from trusted Microsoft services|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Remote debugging should be turned off for Web Applications|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Certificates using RSA cryptography should have the specified minimum key size|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Container registries should not allow unrestricted network access|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Enforce SSL connection should be enabled for PostgreSQL database servers|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Guest Configuration extension should be deployed to Azure virtual machines with system assigned managed identity|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Long-term geo-redundant backup should be enabled for Azure SQL Databases|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Public network access should be disabled for MySQL servers|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Audit Windows machines that do not store passwords using reversible encryption|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Windows machines should meet requirements for 'User Rights Assignment'|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Vulnerabilities in security configuration on your machines should be remediated|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Ensure that 'HTTP Version' is the latest, if used to run the Function app|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: MFA should be enabled on accounts with read permissions on your subscription|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: RDP access from the Internet should be blocked|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Audit Linux machines that do not have the passwd file permissions set to 0644|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Subnets should be associated with a Network Security Group|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Enforce SSL connection should be enabled for MySQL database servers|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Vulnerabilities in container security configurations should be remediated|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Remote debugging should be turned off for API Apps|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Audit Linux machines that allow remote connections from accounts without passwords|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Deprecated accounts with owner permissions should be removed from your subscription|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Double encryption should be enabled on Azure Data Explorer|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Vulnerability assessment should be enabled on your SQL servers|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: The Log Analytics agent should be installed on Virtual Machine Scale Sets|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Latest TLS version should be used in your Web App|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Disk encryption should be enabled on Azure Data Explorer|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Internet-facing virtual machines should be protected with network security groups|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Audit Linux machines that have accounts without passwords|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Azure Synapse workspaces should use customer-managed keys to encrypt data at rest|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: External accounts with owner permissions should be removed from your subscription|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Latest TLS version should be used in your Function App|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: All Internet traffic should be routed via your deployed Azure Firewall|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Linux machines should meet requirements for the Azure security baseline|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Public network access should be disabled for MariaDB servers|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Vulnerabilities on your SQL databases should be remediated|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Effect for policy: Keys using elliptic curve cryptography should have the specified curve names|For more information about effects, visit [https://aka.ms/policyeffects](../../policy/concepts/effects.md)|

-|CMMC Level 3|Policy Assignment|Namespaces excluded from evaluation of policy: Kubernetes cluster pods should only use approved host network and port range|List of Kubernetes namespaces to exclude from policy evaluation.|

-|CMMC Level 3|Policy Assignment|Latest Java version for App Services|Latest supported Java version for App Services|

-|CMMC Level 3|Policy Assignment|Latest Python version for Linux for App Services|Latest supported Python version for App Services|

-|CMMC Level 3|Policy Assignment|Optional: List of VM images that have supported Linux OS to add to scope when auditing Log Analytics agent deployment|Example value: `/subscriptions/<subscriptionId>/resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage`|

-|CMMC Level 3|Policy Assignment|Optional: List of VM images that have supported Windows OS to add to scope when auditing Log Analytics agent deployment|Example value: `/subscriptions/<subscriptionId>/resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage`|

-|CMMC Level 3|Policy Assignment|List of regions where Network Watcher should be enabled|Audit if Network Watcher is not enabled for region(s).|

-|CMMC Level 3|Policy Assignment|List of resource types that should have diagnostic logs enabled||

-|CMMC Level 3|Policy Assignment|Maximum value in the allowable host port range that pods can use in the host network namespace|The maximum value in the allowable host port range that pods can use in the host network namespace.|

-|CMMC Level 3|Policy Assignment|Minimum RSA key size for keys|The minimum key size for RSA keys.|

-|CMMC Level 3|Policy Assignment|Minimum RSA key size certificates|The minimum key size for RSA certificates.|

-|CMMC Level 3|Policy Assignment|Minimum TLS version for Windows web servers|Windows web servers with lower TLS versions will be assessed as non-compliant|

-|CMMC Level 3|Policy Assignment|Minimum value in the allowable host port range that pods can use in the host network namespace|The minimum value in the allowable host port range that pods can use in the host network namespace.|

-|CMMC Level 3|Policy Assignment|Mode Requirement|Mode required for all WAF policies|

-|CMMC Level 3|Policy Assignment|Mode Requirement|Mode required for all WAF policies|

-|CMMC Level 3|Policy Assignment|Allowed host paths for pod hostPath volumes to use|The host paths allowed for pod hostPath volumes to use. Provide an empty paths list to block all host paths.|

-|CMMC Level 3|Policy Assignment|Network access: Remotely accessible registry paths|Specifies which registry paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the `winreg` registry key.|

-|CMMC Level 3|Policy Assignment|Network access: Remotely accessible registry paths and sub-paths|Specifies which registry paths and sub-paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the `winreg` registry key.|

-|CMMC Level 3|Policy Assignment|Network access: Shares that can be accessed anonymously|Specifies which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated before they can access shared resources on the server.|

-|CMMC Level 3|Policy Assignment|Network Security: Configure encryption types allowed for Kerberos|Specifies the encryption types that Kerberos is allowed to use.|

-|CMMC Level 3|Policy Assignment|Network security: LAN Manager authentication level|Specify which challenge-response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers.|

-|CMMC Level 3|Policy Assignment|Network security: LDAP client signing requirements|Specify the level of data signing that is requested on behalf of clients that issue LDAP BIND requests.|

-|CMMC Level 3|Policy Assignment|Network security: Minimum session security for NTLM SSP based (including secure RPC) clients|Specifies which behaviors are allowed by clients for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. See [https://docs.microsoft.com/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers](/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers) for more information.|

-|CMMC Level 3|Policy Assignment|Network security: Minimum session security for NTLM SSP based (including secure RPC) servers|Specifies which behaviors are allowed by servers for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services.|

-|CMMC Level 3|Policy Assignment|Latest PHP version for App Services|Latest supported PHP version for App Services|

-|CMMC Level 3|Policy Assignment|Required retention period (days) for IoT Hub diagnostic logs||

-|CMMC Level 3|Policy Assignment|Name of the resource group for Network Watcher|Name of the resource group of NetworkWatcher, such as NetworkWatcherRG. This is the resource group where the Network Watchers are located.|

-|CMMC Level 3|Policy Assignment|Required auditing setting for SQL servers||

-|CMMC Level 3|Policy Assignment|Azure Data Box SKUs that support software-based double encryption|The list of Azure Data Box SKUs that support software-based double encryption|

-|CMMC Level 3|Policy Assignment|UAC: Admin Approval Mode for the Built-in Administrator account|Specifies the behavior of Admin Approval Mode for the built-in Administrator account.|

-|CMMC Level 3|Policy Assignment|UAC: Behavior of the elevation prompt for administrators in Admin Approval Mode|Specifies the behavior of the elevation prompt for administrators.|

-|CMMC Level 3|Policy Assignment|UAC: Detect application installations and prompt for elevation|Specifies the behavior of application installation detection for the computer.|

-|CMMC Level 3|Policy Assignment|UAC: Run all administrators in Admin Approval Mode|Specifies the behavior of all User Account Control (UAC) policy settings for the computer.|

-|CMMC Level 3|Policy Assignment|User and groups that may force shutdown from a remote system|Specifies which users and groups are permitted to shut down the computer from a remote location on the network.|

-|CMMC Level 3|Policy Assignment|Users and groups that are denied access to this computer from the network|Specifies which users or groups are explicitly prohibited from connecting to the computer across the network.|

-|CMMC Level 3|Policy Assignment|Users and groups that are denied local logon|Specifies which users and groups are explicitly not permitted to log on to the computer.|

-|CMMC Level 3|Policy Assignment|Users and groups that are denied logging on as a batch job|Specifies which users and groups are explicitly not permitted to log on to the computer as a batch job (i.e. scheduled task).|

-|CMMC Level 3|Policy Assignment|Users and groups that are denied logging on as a service|Specifies which service accounts are explicitly not permitted to register a process as a service.|

-|CMMC Level 3|Policy Assignment|Users and groups that are denied log on through Remote Desktop Services|Specifies which users and groups are explicitly not permitted to log on to the computer via Terminal Services/Remote Desktop Client.|

-|CMMC Level 3|Policy Assignment|Users and groups that may restore files and directories|Specifies which users and groups are permitted to bypass file, directory, registry, and other persistent object permissions when restoring backed up files and directories.|

-|CMMC Level 3|Policy Assignment|Users and groups that may shut down the system|Specifies which users and groups who are logged on locally to the computers in your environment are permitted to shut down the operating system with the Shut Down command.|

-|CMMC Level 3|Policy Assignment|Users or groups that may log on locally|Specifies which remote users on the network are permitted to connect to the computer. This does not include Remote Desktop Connection.|

-|CMMC Level 3|Policy Assignment|Users or groups that may back up files and directories|Specifies users and groups allowed to circumvent file and directory permissions to back up the system.|

-|CMMC Level 3|Policy Assignment|Users or groups that may change the system time|Specifies which users and groups are permitted to change the time and date on the internal clock of the computer.|

-|CMMC Level 3|Policy Assignment|Users or groups that may change the time zone|Specifies which users and groups are permitted to change the time zone of the computer.|

-|CMMC Level 3|Policy Assignment|Users or groups that may create a token object|Specifies which users and groups are permitted to create an access token, which may provide elevated rights to access sensitive data.|

-|CMMC Level 3|Policy Assignment|Users or groups that may log on locally|Specifies which users or groups can interactively log on to the computer. Users who attempt to log on via Remote Desktop Connection or IIS also require this user right.|

-|CMMC Level 3|Policy Assignment|Remote Desktop Users|Users or groups that may log on through Remote Desktop Services|

-|CMMC Level 3|Policy Assignment|Users or groups that may manage auditing and security log|Specifies users and groups permitted to change the auditing options for files and directories and clear the Security log.|

-|CMMC Level 3|Policy Assignment|Users or groups that may take ownership of files or other objects|Specifies which users and groups are permitted to take ownership of files, folders, registry keys, processes, or threads. This user right bypasses any permissions that are in place to protect objects to give ownership to the specified user.|

-## Next steps

-Additional articles about blueprints and how to use them:

-description: Overview of the HIPAA HITRUST 9.2 blueprint sample. This blueprint sample helps customers assess specific HIPAA HITRUST 9.2 controls.

-# HIPAA HITRUST 9.2 blueprint sample

-The HIPAA HITRUST 9.2 blueprint sample provides governance guardrails using

-[Azure Policy](../../policy/overview.md) that help you assess specific HIPAA HITRUST 9.2 controls.

-This blueprint helps customers deploy a core set of policies for any Azure-deployed architecture

-that must implement HIPAA HITRUST 9.2 controls.

-## Control mapping

-The [Azure Policy control mapping](../../policy/samples/hipaa-hitrust-9-2.md) provides details on

-policy definitions included within this blueprint and how these policy definitions map to the

-**compliance domains** and **controls** in HIPAA HITRUST 9.2. When assigned to an architecture,

-resources are evaluated by Azure Policy for non-compliance with assigned policy definitions. For

-more information, see [Azure Policy](../../policy/overview.md).

-## Deploy

-To deploy the Azure Blueprints HIPAA HITRUST 9.2 blueprint sample, the following steps must

-be taken:

-> [!div class="checklist"]

-> - Create a new blueprint from the sample

-> - Mark your copy of the sample as **Published**

-> - Assign your copy of the blueprint to an existing subscription

-If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free)

-before you begin.

-### Create blueprint from sample

-First, implement the blueprint sample by creating a new blueprint in your environment using the

-sample as a starter.

-1. Select **All services** in the left pane. Search for and select **Blueprints**.

-1. From the **Getting started** page on the left, select the **Create** button under _Create a

- blueprint_.

-1. Find the **HIPAA HITRUST** blueprint sample under _Other Samples_ and select **Use

- this sample**.

-1. Enter the _Basics_ of the blueprint sample:

- - **Blueprint name**: Provide a name for your copy of the HIPAA HITRUST 9.2 blueprint sample.

- - **Definition location**: Use the ellipsis and select the management group to save your copy of

- the sample to.

-1. Select the _Artifacts_ tab at the top of the page or **Next: Artifacts** at the bottom of the

- page.

-1. Review the list of artifacts that make up the blueprint sample. Many of the artifacts have

- parameters that we'll define later. Select **Save Draft** when you've finished reviewing the

- blueprint sample.

-### Publish the sample copy

-Your copy of the blueprint sample has now been created in your environment. It's created in

-**Draft** mode and must be **Published** before it can be assigned and deployed. The copy of the

-blueprint sample can be customized to your environment and needs, but that modification may move it

-away from alignment with HIPAA HITRUST 9.2 controls.

-1. Select **All services** in the left pane. Search for and select **Blueprints**.

-1. Select the **Blueprint definitions** page on the left. Use the filters to find your copy of the

- blueprint sample and then select it.

-1. Select **Publish blueprint** at the top of the page. In the new page on the right, provide a

- **Version** for your copy of the blueprint sample. This property is useful for if you make a

- modification later. Provide **Change notes** such as "First version published from the HIPAA

- HITRUST 9.2 blueprint sample." Then select **Publish** at the bottom of the page.

-### Assign the sample copy

-Once the copy of the blueprint sample has been successfully **Published**, it can be assigned to a

-subscription within the management group it was saved to. This step is where parameters are provided

-to make each deployment of the copy of the blueprint sample unique.

-1. Select **All services** in the left pane. Search for and select **Blueprints**.

-1. Select the **Blueprint definitions** page on the left. Use the filters to find your copy of the

- blueprint sample and then select it.

-1. Select **Assign blueprint** at the top of the blueprint definition page.

-1. Provide the parameter values for the blueprint assignment:

- - Basics

- - **Subscriptions**: Select one or more of the subscriptions that are in the management group

- you saved your copy of the blueprint sample to. If you select more than one subscription, an

- assignment will be created for each using the parameters entered.

- - **Assignment name**: The name is pre-populated for you based on the name of the blueprint.

- Change as needed or leave as is.

- - **Location**: Select a region for the managed identity to be created in. Azure Blueprints uses

- this managed identity to deploy all artifacts in the assigned blueprint. To learn more, see

- [managed identities for Azure resources](../../../active-directory/managed-identities-azure-resources/overview.md).

- - **Blueprint definition version**: Pick a **Published** version of your copy of the blueprint

- sample.

- - Lock Assignment

- Select the blueprint lock setting for your environment. For more information, see

- [blueprints resource locking](../concepts/resource-locking.md).

- - Managed Identity

- Leave the default _system assigned_ managed identity option.

- - Artifact parameters

- The parameters defined in this section apply to the artifact under which it's defined. These

- parameters are [dynamic parameters](../concepts/parameters.md#dynamic-parameters) since they're

- defined during the assignment of the blueprint. For a full list or artifact parameters and

- their descriptions, see [Artifact parameters table](#artifact-parameters-table).

-1. Once all parameters have been entered, select **Assign** at the bottom of the page. The blueprint

- assignment is created and artifact deployment begins. Deployment takes roughly an hour. To check

- on the status of deployment, open the blueprint assignment.

-> [!WARNING]

-> The Azure Blueprints service and the built-in blueprint samples are **free of cost**. Azure

-> resources are [priced by product](https://azure.microsoft.com/pricing/). Use the

-> [pricing calculator](https://azure.microsoft.com/pricing/calculator/) to estimate the cost of

-> running resources deployed by this blueprint sample.

-### Artifact parameters table

-The following table provides a list of the blueprint artifact parameters:

-|Artifact name |Parameter name |Description |

-||||

-|Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements |Access through Internet facing endpoint should be restricted |Enable or disable overly permissive inbound NSG rules monitoring |

-|Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements |Accounts: Guest account status |Specifies whether the local Guest account is disabled. |

-|Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements |Adaptive Application Controls should be enabled on virtual machines |Enable or disable the monitoring of application whitelisting in Azure Security Center |

-|Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements |Allow simultaneous connections to the Internet or a Windows Domain |Specify whether to prevent computers from connecting to both a domain based network and a non-domain based network at the same time. A value of 0 allows simultaneous connections, and a value of 1 blocks them. |

-|Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements |API App should only be accessible over HTTPS V2 |Enable or disable the monitoring of the use of HTTPS in API App V2 |

-|Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements |Application names (supports wildcards) |A semicolon-separated list of the names of the applications that should be installed. e.g. 'Microsoft SQL Server 2014 (64-bit); Microsoft Visual Studio Code' or 'Microsoft SQL Server 2014*' (to match any application starting with 'Microsoft SQL Server 2014') |

-|Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements |Audit Process Termination |Specifies whether audit events are generated when a process has exited. Recommended for monitoring termination of critical processes. |

-|Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements |Audit unrestricted network access to storage accounts |Enable or disable the monitoring of network access to storage account |

-|Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements |Audit: Shut down system immediately if unable to log security audits |Audits if the system will shut down when unable to log Security events. |

-|Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements |Certificate thumbprints |A semicolon-separated list of certificate thumbprints that should exist under the Trusted Root certificate store (Cert:\LocalMachine\Root). e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3 |

-|Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements |Diagnostic logs in Batch accounts should be enabled |Enable or disable the monitoring of diagnostic logs in Batch accounts |

-|Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements |Diagnostic logs in Event Hub should be enabled |Enable or disable the monitoring of diagnostic logs in Event Hub accounts |

-|Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements |Diagnostic logs in Search services should be enabled |Enable or disable the monitoring of diagnostic logs in Azure Search service |

-|Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements |Diagnostic logs in Virtual Machine Scale Sets should be enabled |Enable or disable the monitoring of diagnostic logs in Service Fabric |

-|Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements |Disk encryption should be applied on virtual machines |Enable or disable the monitoring for VM disk encryption |

-|Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements |Enable insecure guest logons |Specifies whether the SMB client will allow insecure guest logons to an SMB server. |

-|Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements |Just-In-Time network access control should be applied on virtual machines |Enable or disable the monitoring of network just In time access |

-|Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements |Management ports should be closed on your virtual machines |Enable or disable the monitoring of open management ports on Virtual Machines |

-|Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements |MFA should be enabled accounts with write permissions on your subscription |Enable or disable the monitoring of MFA for accounts with write permissions in subscription |

-|Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements |MFA should be enabled on accounts with owner permissions on your subscription |Enable or disable the monitoring of MFA for accounts with owner permissions in subscription |

-|Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements |Network access: Remotely accessible registry paths |Specifies which registry paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the `winreg` registry key. |

-|Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements |Network access: Remotely accessible registry paths and sub-paths |Specifies which registry paths and sub-paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the `winreg` registry key. |

-|Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements |Network access: Shares that can be accessed anonymously |Specifies which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated before they can access shared resources on the server. |

-|Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements |Recovery console: Allow floppy copy and access to all drives and all folders |Specifies whether to make the Recovery Console SET command available, which allows setting of recovery console environment variables. |

-|Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements |Remote debugging should be turned off for API App |Enable or disable the monitoring of remote debugging for API App |

-|Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements |Remote debugging should be turned off for Web Application |Enable or disable the monitoring of remote debugging for Web App |

-|Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements |Required retention (in days) for logs in Batch accounts |The required diagnostic logs retention period in days |

-|Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements |Required retention (in days) of logs in Azure Search service |The required diagnostic logs retention period in days |

-|Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements |Required retention (in days) of logs in Event Hub accounts |The required diagnostic logs retention period in days |

-|Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements |Resource Group Name for Storage Account (must exist) to deploy diagnostic settings for Network Security Groups |The resource group that the storage account will be created in. This resource group must already exist. |

-|Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements |Role-Based Access Control (RBAC) should be used on Kubernetes Services |Enable or disable the monitoring of Kubernetes Services without RBAC enabled |

-|Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements |SQL managed instance TDE protector should be encrypted with your own key |Enable or disable the monitoring of Transparent Data Encryption (TDE) with your own key support. TDE with your own key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. |

-|Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements |SQL server TDE protector should be encrypted with your own key |Enable or disable the monitoring of Transparent Data Encryption (TDE) with your own key support. TDE with your own key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. |

-|Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements |Storage Account Prefix for Regional Storage Account to deploy diagnostic settings for Network Security Groups |This prefix will be combined with the network security group location to form the created storage account name. |

-|Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements |System updates on virtual machine scale sets should be installed |Enable or disable virtual machine scale sets reporting of system updates |

-|Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements |System updates on virtual machine scale sets should be installed |Enable or disable virtual machine scale sets reporting of system updates |

-|Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements |Turn off multicast name resolution |Specifies whether LLMNR, a secondary name resolution protocol that transmits using multicast over a local subnet link on a single subnet, is enabled. |

-|Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements |Virtual machines should be migrated to new Azure Resource Manager resources |Enable or disable the monitoring of classic compute VMs |

-|Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements |Vulnerabilities in security configuration on your virtual machine scale sets should be remediated |Enable or disable virtual machine scale sets OS vulnerabilities monitoring |

-|Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements |Vulnerabilities should be remediated by a Vulnerability Assessment solution |Enable or disable the detection of VM vulnerabilities by a vulnerability assessment solution |

-|Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements |Vulnerability assessment should be enabled on your SQL managed instances |Audit SQL managed instances which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. |

-|Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements |Windows Firewall (Domain): Apply local firewall rules |Specifies whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy for the Domain profile. |

-|Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements |Windows Firewall (Domain): Behavior for outbound connections |Specifies the behavior for outbound connections for the Domain profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, and a value of 1 means to block connections. |

-|Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements |Windows Firewall (Domain): Behavior for outbound connections |Specifies the behavior for outbound connections for the Domain profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, and a value of 1 means to block connections. |

-|Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements |Windows Firewall (Domain): Display notifications |Specifies whether Windows Firewall with Advanced Security displays notifications to the user when a program is blocked from receiving inbound connections, for the Domain profile. |

-|Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements |Windows Firewall (Domain): Use profile settings |Specifies whether Windows Firewall with Advanced Security uses the settings for the Domain profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. |

-|Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements |Windows Firewall (Private): Apply local connection security rules |Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy for the Private profile. |

-|Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements |Windows Firewall (Private): Apply local firewall rules |Specifies whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy for the Private profile. |

-|Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements |Windows Firewall (Private): Behavior for outbound connections |Specifies the behavior for outbound connections for the Private profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, and a value of 1 means to block connections. |

-|Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements |Windows Firewall (Private): Display notifications |Specifies whether Windows Firewall with Advanced Security displays notifications to the user when a program is blocked from receiving inbound connections, for the Private profile. |

-|Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements |Windows Firewall (Private): Use profile settings |Specifies whether Windows Firewall with Advanced Security uses the settings for the Private profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. |

-|Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements |Windows Firewall (Public): Apply local connection security rules |Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy for the Public profile. |

-|Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements |Windows Firewall (Public): Apply local firewall rules |Specifies whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy for the Public profile. |

-|Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements |Windows Firewall (Public): Behavior for outbound connections |Specifies the behavior for outbound connections for the Public profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, and a value of 1 means to block connections. |

-|Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements |Windows Firewall (Public): Display notifications |Specifies whether Windows Firewall with Advanced Security displays notifications to the user when a program is blocked from receiving inbound connections, for the Public profile. |

-|Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements |Windows Firewall (Public): Use profile settings |Specifies whether Windows Firewall with Advanced Security uses the settings for the Public profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. |

-|Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements |Windows Firewall: Domain: Allow unicast response |Specifies whether Windows Firewall with Advanced Security permits the local computer to receive unicast responses to its outgoing multicast or broadcast messages; for the Domain profile. |

-|Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements |Windows Firewall: Private: Allow unicast response |Specifies whether Windows Firewall with Advanced Security permits the local computer to receive unicast responses to its outgoing multicast or broadcast messages; for the Private profile. |

-|Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements |Windows Firewall: Public: Allow unicast response |Specifies whether Windows Firewall with Advanced Security permits the local computer to receive unicast responses to its outgoing multicast or broadcast messages; for the Public profile. |

-## Next steps

-Additional articles about blueprints and how to use them:

-| [CIS Microsoft Azure Foundations Benchmark v1.3.0](./cis-azure-1-3-0.md) | Provides a set of policies to help comply with CIS Microsoft Azure Foundations Benchmark v1.3.0 recommendations. |

-| [CIS Microsoft Azure Foundations Benchmark v1.1.0](./cis-azure-1-1-0.md) | Provides a set of policies to help comply with CIS Microsoft Azure Foundations Benchmark v1.1.0 recommendations. |

-| [CMMC Level 3](./cmmc-l3.md) | Provides guardrails for compliance with CMMC Level 3. |

-| [HIPAA HITRUST 9.2](./hipaa-hitrust-9-2.md) | Provides a set of policies to help comply with HIPAA HITRUST. |

-| [IRS 1075 September 2016](./irs-1075-sept2016.md) | Provides guardrails for compliance with IRS 1075.|

-| [Media](./medi) | Provides a set of policies to help comply with Media MPAA. |

-| [NIST SP 800-171 R2](./nist-sp-800-171-r2.md) | Provides guardrails for compliance with NIST SP 800-171 R2. |

-| [PCI-DSS v3.2.1](./pci-dss-3.2.1/index.md) | Provides a set of policies to aide in PCI-DSS v3.2.1 compliance. |

-description: Overview of the IRS 1075 September 2016 blueprint sample. This blueprint sample helps customers assess specific controls.

-# IRS 1075 September 2016 blueprint sample

-The IRS 1075 September 2016 blueprint sample provides governance guardrails using

-[Azure Policy](../../policy/overview.md) that help you assess specific

-IRS 1075 September 2016 controls. This blueprint helps

-customers deploy a core set of policies for any Azure-deployed architecture that must implement

-controls for IRS 1075 September 2016.

-## Control mapping

-The [Azure Policy control mapping](../../policy/samples/irs-1075-sept2016.md) provides details on

-policy definitions included within this blueprint and how these policy definitions map to the

-**controls** in the IRS 1075 September 2016 framework. When assigned to an architecture, resources

-are evaluated by Azure Policy for non-compliance with assigned policy definitions. For more

-information, see [Azure Policy](../../policy/overview.md).

-## Deploy

-To deploy the Azure Blueprints IRS 1075 September 2016 blueprint sample,

-the following steps must be taken:

-> [!div class="checklist"]

-> - Create a new blueprint from the sample

-> - Mark your copy of the sample as **Published**

-> - Assign your copy of the blueprint to an existing subscription

-If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free)

-before you begin.

-### Create blueprint from sample

-First, implement the blueprint sample by creating a new blueprint in your environment using the

-sample as a starter.

-1. Select **All services** in the left pane. Search for and select **Blueprints**.

-1. From the **Getting started** page on the left, select the **Create** button under _Create a

- blueprint_.

-1. Find the **IRS 1075 September 2016** blueprint sample under _Other Samples_ and select **Use this

- sample**.

-1. Enter the _Basics_ of the blueprint sample:

- - **Blueprint name**: Provide a name for your copy of the IRS 1075 September 2016 blueprint sample.

- - **Definition location**: Use the ellipsis and select the management group to save your copy of

- the sample to.

-1. Select the _Artifacts_ tab at the top of the page or **Next: Artifacts** at the bottom of the

- page.

-1. Review the list of artifacts that are included in the blueprint sample. Many of the artifacts

- have parameters that we'll define later. Select **Save Draft** when you've finished reviewing the

- blueprint sample.

-### Publish the sample copy

-Your copy of the blueprint sample has now been created in your environment. It's created in

-**Draft** mode and must be **Published** before it can be assigned and deployed. The copy of the

-blueprint sample can be customized to your environment and needs, but that modification may move it

-away from alignment with IRS 1075 September 2016 controls.

-1. Select **All services** in the left pane. Search for and select **Blueprints**.

-1. Select the **Blueprint definitions** page on the left. Use the filters to find your copy of the

- blueprint sample and then select it.

-1. Select **Publish blueprint** at the top of the page. In the new page on the right, provide a

- **Version** for your copy of the blueprint sample. This property is useful for if you make a

- modification later. Provide **Change notes** such as "First version published from the IRS 1075

- September 2016 blueprint sample." Then select **Publish** at the bottom of the page.

-### Assign the sample copy

-Once the copy of the blueprint sample has been successfully **Published**, it can be assigned to a

-subscription within the management group it was saved to. This step is where parameters are provided

-to make each deployment of the copy of the blueprint sample unique.

-1. Select **All services** in the left pane. Search for and select **Blueprints**.

-1. Select the **Blueprint definitions** page on the left. Use the filters to find your copy of the

- blueprint sample and then select it.

-1. Select **Assign blueprint** at the top of the blueprint definition page.

-1. Provide the parameter values for the blueprint assignment:

- - Basics

- - **Subscriptions**: Select one or more of the subscriptions that are in the management group

- you saved your copy of the blueprint sample to. If you select more than one subscription, an

- assignment will be created for each using the parameters entered.

- - **Assignment name**: The name is pre-populated for you based on the name of the blueprint.

- Change as needed or leave as is.

- - **Location**: Select a region for the managed identity to be created in. Azure Blueprints uses

- this managed identity to deploy all artifacts in the assigned blueprint. To learn more, see

- [managed identities for Azure resources](../../../active-directory/managed-identities-azure-resources/overview.md).

- - **Blueprint definition version**: Pick a **Published** version of your copy of the blueprint

- sample.

- - Lock Assignment

- Select the blueprint lock setting for your environment. For more information, see

- [blueprints resource locking](../concepts/resource-locking.md).

- - Managed Identity

- Leave the default _system assigned_ managed identity option.

- - Artifact parameters

- The parameters defined in this section apply to the artifact under which it's defined. These

- parameters are [dynamic parameters](../concepts/parameters.md#dynamic-parameters) since they're

- defined during the assignment of the blueprint. For a full list or artifact parameters and

- their descriptions, see [Artifact parameters table](#artifact-parameters-table).

-1. Once all parameters have been entered, select **Assign** at the bottom of the page. The blueprint

- assignment is created and artifact deployment begins. Deployment takes roughly an hour. To check

- on the status of deployment, open the blueprint assignment.

-> [!WARNING]

-> The Azure Blueprints service and the built-in blueprint samples are **free of cost**. Azure

-> resources are [priced by product](https://azure.microsoft.com/pricing/). Use the

-> [pricing calculator](https://azure.microsoft.com/pricing/calculator/) to estimate the cost of

-> running resources deployed by this blueprint sample.

-### Artifact parameters table

-The following table provides a list of the blueprint artifact parameters:

-|Artifact name|Artifact type|Parameter name|Description|

-|-|-|-|-|

-|Audit IRS 1075 (Rev.11-2016) controls and deploy specific VM Extensions to support audit requirements|Policy assignment|Log Analytics workspace ID that VMs should be configured for|This is the ID (GUID) of the Log Analytics workspace that the VMs should be configured for.|

-|Audit IRS 1075 (Rev.11-2016) controls and deploy specific VM Extensions to support audit requirements|Policy assignment|List of resource types that should have diagnostic logs enabled|List of resource types to audit if diagnostic log setting is not enabled. Acceptable values can be found at [Azure Monitor diagnostic logs schemas](../../../azure-monitor/essentials/resource-logs-schema.md#service-specific-schemas).|

-|Audit IRS 1075 (Rev.11-2016) controls and deploy specific VM Extensions to support audit requirements|Policy assignment|List of users that should be excluded from Windows VM Administrators group|A semicolon-separated list of members that should be excluded in the Administrators local group. Ex: Administrator; myUser1; myUser2|

-|Audit IRS 1075 (Rev.11-2016) controls and deploy specific VM Extensions to support audit requirements|Policy assignment|List of users that should be included in Windows VM Administrators group|A semicolon-separated list of members that should be included in the Administrators local group. Ex: Administrator; myUser1; myUser2|

-|Deploy Log Analytics Agent for Linux VM Scale Sets (VMSS)|Policy assignment|Log Analytics workspace for Linux VM Scale Sets (VMSS)|If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.|

-|Deploy Log Analytics Agent for Linux VM Scale Sets (VMSS)|Policy assignment|Optional: List of VM images that have supported Linux OS to add to scope|An empty array may be used to indicate no optional parameters: \[\]|

-|Deploy Log Analytics Agent for Linux VMs|Policy assignment|Log Analytics workspace for Linux VMs|If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.|

-|Deploy Log Analytics Agent for Linux VMs|Policy assignment|Optional: List of VM images that have supported Linux OS to add to scope|An empty array may be used to indicate no optional parameters: \[\]|

-|Deploy Log Analytics Agent for Windows VM Scale Sets (VMSS)|Policy assignment|Log Analytics workspace for Windows VM Scale Sets (VMSS)|If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.|

-|Deploy Log Analytics Agent for Windows VM Scale Sets (VMSS)|Policy assignment|Optional: List of VM images that have supported Windows OS to add to scope|An empty array may be used to indicate no optional parameters: \[\]|

-|Deploy Log Analytics Agent for Windows VMs|Policy assignment|Log Analytics workspace for Windows VMs|If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.|

-|Deploy Log Analytics Agent for Windows VMs|Policy assignment|Optional: List of VM images that have supported Windows OS to add to scope|An empty array may be used to indicate no optional parameters: \[\]|

-|Deploy Advanced Threat Protection on Storage Accounts|Policy assignment|Effect|Information about policy effects can be found at [Understand Azure Policy Effects](../../policy/concepts/effects.md) |

-|Deploy Auditing on SQL servers|Policy assignment|The value in days of the retention period (0 indicates unlimited retention) |Retention days (optional, 180 days if unspecified) |

-|Deploy Auditing on SQL servers|Policy assignment|Resource group name for storage account for SQL server auditing|Auditing writes database events to an audit log in your Azure Storage account (a storage account will be created in each region where a SQL Server is created that will be shared by all servers in that region). Important - for proper operation of Auditing do not delete or rename the resource group or the storage accounts.|

-|Deploy diagnostic settings for Network Security Groups|Policy assignment|Storage account prefix for network security group diagnostics|This prefix will be combined with the network security group location to form the created storage account name.|

-|Deploy diagnostic settings for Network Security Groups|Policy assignment|Resource group name for storage account for network security group diagnostics (must exist) |The resource group that the storage account will be created in. This resource group must already exist.|

-## Next steps

-Additional articles about blueprints and how to use them:

-description: Control mapping of the Media blueprint samples. Each control is mapped to one or more Azure Policy definitions that assist with assessment.

-# Control mapping of the Media blueprint sample

-The following article details how the Azure Blueprints Media blueprint sample maps to the Media

-controls. For more information about the controls, see

-[Media](https://www.motionpictures.org/best-practices).

-The following mappings are to the **Media** controls. Use the navigation on the right to jump

-directly to a specific control mapping. Many of the mapped controls are implemented with an

-[Azure Policy](../../../policy/overview.md) initiative. To review the complete initiative, open

-**Policy** in the Azure portal and select the **Definitions** page. Then, find and select the

-**\[Preview\]: Audit Media controls** built-in policy initiative.

-> [!IMPORTANT]

-> Each control below is associated with one or more [Azure Policy](../../../policy/overview.md)

-> definitions. These policies may help you

-> [assess compliance](../../../policy/how-to/get-compliance-data.md) with the control; however,

-> there often is not a one-to-one or complete match between a control and one or more policies. As

-> such, **Compliant** in Azure Policy refers only to the policies themselves; this doesn't ensure

-> you're fully compliant with all requirements of a control. In addition, the compliance standard

-> includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore,

-> compliance in Azure Policy is only a partial view of your overall compliance status. The

-> associations between controls and Azure Policy definitions for this compliance blueprint sample

-> may change over time. To view the change history, see the

-> [GitHub Commit History](https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/governance/blueprints/samples/medi).

-## Access Control

-### AC-1.1- Ensure no root access key exists

- certificates in Trusted Root

-### AC-1.2 - Passwords, PINs, and Tokens must be protected

- length to 14 characters

-### AC-1.8 - Shared account access is prohibited

- namespace

-### AC-1.9 -System must restrict access to authorized users.

-### AC- 1.14 -System must enforce access rights.

-### AC- 1.15 -Prevent unauthorized access to security relevant information or functions.

- settings'

-### AC-1-21 - Separation of duties must be enforced through appropriate assignment of role.

-### AC-1.40- Ensure that systems are not connecting trusted network and untrusted networks at the same time.

- Network Access'

-### AC-1.42 & AC- 1.43 - Remote access for non-employees must be restricted to allow access only to specifically approved information systems

- passwords

-### AC-1.50- Log security related events for all information system components.

-### AC-1.54- Ensure multi-factor authentication (MFA) is enabled for all cloud console users.

- privileges to prevent a breach of accounts or resources.

-## Auditing & Logging

-### AL-2.1- Successful and unsuccessful events must be logged.

-### AL -2.16 - Network devices/instances must log any event classified as a critical security event by that network device/instance (ELBs, web application firewalls, etc.)

-### AL-2.17- Servers/instances must log any event classified as a critical security event by that server/instance

-### AL-2.19 - Domain events must log any event classified as a critical or high security event by the domain management software

- Microsoft Network Client'

-### AL-2.20- Domain events must log any event classified as a critical security event by domain security controls

-### AL-2.21- Domain events must log any access or changes to the domain log

- console'

-## Cryptographic Controls

-### CC-4.2- Applications and systems must use current cryptographic solutions for protecting data.

- requirements

-### CC-4.5- Digital Certificates must be signed by an approved Certificate Authority.

- specified number of days

-### CC-4.6- Digital Certificates must be uniquely assigned to a user or device.

- the specified number of days

-### CC-4.7- Cryptographic material must be stored to enable decryption of the records for the length of time the records are retained.

- recommendations

-### CC-4.8- Secret and private keys must be stored securely.

- requirements

-## Change & Config Management

-### CM-5.2- Only authorized users may implement approved changes on the system.

- recommendations

-### CM-5.12- Maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.

- recommendations

-### CM-5.13- Employ automated tools to maintain a baseline configuration of the information system.

- recommendations

-### CM-5.14- Identify and disable unnecessary and/or non-secure functions, ports, protocols and services.

-### CM-5.19- Monitor changes to the security configuration settings.

-### CM-5.22- Ensure that only authorized software and updates are installed on Company systems.

- recommendations

-## Identity & Authentication

-### IA-7.1- User accounts must be uniquely assigned to individuals for access to information that is not classified as Public. Account IDs must be constructed using a standardized logical format.

- prevent unmonitored access.

-## Network Security

-### NS-9.2- Access to network device management functionality is restricted to authorized users.

- Network Access'

-### NS-9.3- All network devices must be configured using their most secure configurations.

- Network Access'

-### NS-9.5- All network connections to a system through a firewall must be approved and audited on a regular basis.

-### NS-9.7- Appropriate controls must be present at any boundary between a trusted network and any untrusted or public network.

- Properties'

-## Security Planning

-### SP-11.3- Threats must be identified that could negatively impact the confidentiality, integrity, or availability of Company information and content along with the likelihood of their occurrence.

- Security settings

-### Security Continuity

-## SC-12.5- Data in long-term storage must be accessible throughout the retention period and protected against media degradation and technology changes.

-## System Integrity

-### SI-14.3- Only authorized personnel may monitor network and user activities.

- vulnerabilities.

-### SI-14.4- Internet facing systems must have intrusion detection.

-### SI-14.13- Standardized centrally managed anti-malware software should be implemented across the company.

-### SI-14.14- Anti-malware software must scan computers and media weekly at a minimum.

-## Vulnerability Management

-### VM-15.4- Ensure that applications are scanned for vulnerabilities on a monthly basis.

-### VM-15.5- Ensure that vulnerabilities are identified, paired to threats, and evaluated for risk.

-### VM-15.6- Ensure that identified vulnerabilities have been remediated within a mutually agreed upon timeline.

-### VM-15.7- Access to and use of vulnerability management systems must be restricted to authorized personnel.

-> [!NOTE]

-> Availability of specific Azure Policy definitions may vary in Azure Government and other national

-> clouds.

-## Next steps

-You've reviewed the control mapping of the Media blueprint sample. Next, visit the following

-articles to learn about the overview and how to deploy this sample:

-> [!div class="nextstepaction"]

-> [Media blueprint - Overview](./control-mapping.md)

-> [Media blueprint - Deploy steps](./deploy.md)

-Additional articles about blueprints and how to use them:

-description: Deploy steps for the Media blueprint sample including blueprint artifact parameter details.

-# Deploy the Media blueprint sample

-To deploy the Media blueprint sample, the following steps must be taken:

-> [!div class="checklist"]

-> - Create a new blueprint from the sample

-> - Mark your copy of the sample as **Published**

-> - Assign your copy of the blueprint to an existing subscription

-If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free)

-before you begin.

-## Create blueprint from sample

-First, implement the blueprint sample by creating a new blueprint in your environment using the

-sample as a starter.

-1. Select **All services** and search for and select **Policy** in the left pane. On the **Policy**

- page, select **Blueprints**.

-1. From the **Getting started** page on the left, select the **Create** button under _Create a

- blueprint_.

-1. Find the **Media** blueprint sample under _Other Samples_ and select **Use this

- sample**.

-1. Enter the _Basics_ of the blueprint sample:

- - **Blueprint name**: Provide a name for your copy of the blueprint sample.

- - **Definition location**: Use the ellipsis and select the management group to save your copy of

- the sample to.

-1. Select the _Artifacts_ tab at the top of the page or **Next: Artifacts** at the bottom of the

- page.

-1. Review the list of artifacts that make up the blueprint sample. Many of the artifacts have

- parameters that we'll define later. Select **Save Draft** when you've finished reviewing the

- blueprint sample.

-## Publish the sample copy

-Your copy of the blueprint sample has now been created in your environment. It's created in

-**Draft** mode and must be **Published** before it can be assigned and deployed. The copy of the

-blueprint sample can be customized to your environment and needs, but that modification may move

-it away from the standard.

-1. Select **All services** and search for and select **Policy** in the left pane. On the **Policy**

- page, select **Blueprints**.

-1. Select the **Blueprint definitions** page on the left. Use the filters to find your copy of the

- blueprint sample and then select it.

-1. Select **Publish blueprint** at the top of the page. In the new page on the right, provide a

- **Version** for your copy of the blueprint sample. This property is useful for if you make a

- modification later. Provide **Change notes** such as "First version published from the Media blueprint sample." Then select **Publish** at the bottom of the page.

-## Assign the sample copy

-Once the copy of the blueprint sample has been successfully **Published**, it can be assigned to a

-subscription within the management group it was saved to. This step is where parameters are

-provided to make each deployment of the copy of the blueprint sample unique.

-1. Select **All services** and search for and select **Policy** in the left pane. On the **Policy**

- page, select **Blueprints**.

-1. Select the **Blueprint definitions** page on the left. Use the filters to find your copy of the

- blueprint sample and then select it.

-1. Select **Assign blueprint** at the top of the blueprint definition page.

-1. Provide the parameter values for the blueprint assignment:

- - Basics

- - **Subscriptions**: Select one or more of the subscriptions that are in the management group

- you saved your copy of the blueprint sample to. If you select more than one subscription, an

- assignment will be created for each using the parameters entered.

- - **Assignment name**: The name is pre-populated for you based on the name of the blueprint.

- Change as needed or leave as is.

- - **Location**: Select a region for the managed identity to be created in. Azure Blueprints uses

- this managed identity to deploy all artifacts in the assigned blueprint. To learn more, see

- [managed identities for Azure resources](../../../../active-directory/managed-identities-azure-resources/overview.md).

- - **Blueprint definition version**: Pick a **Published** version of your copy of the blueprint

- sample.

- - Lock Assignment

- Select the blueprint lock setting for your environment. For more information, see [blueprints resource locking](../../concepts/resource-locking.md).

- - Managed Identity

- Leave the default _system assigned_ managed identity option.

- - Artifact parameters

- The parameters defined in this section apply to the artifact under which it's defined. These

- parameters are [dynamic parameters](../../concepts/parameters.md#dynamic-parameters) since

- they're defined during the assignment of the blueprint. For a full list or artifact parameters

- and their descriptions, see [Artifact parameters table](#artifact-parameters-table).

-1. Once all parameters have been entered, select **Assign** at the bottom of the page. The blueprint

- assignment is created and artifact deployment begins. Deployment takes roughly an hour. To check

- on the status of deployment, open the blueprint assignment.

-> [!WARNING]

-> The Azure Blueprints service and the built-in blueprint samples are **free of cost**. Azure

-> resources are [priced by product](https://azure.microsoft.com/pricing/). Use the [pricing calculator](https://azure.microsoft.com/pricing/calculator/)

-> to estimate the cost of running resources deployed by this blueprint sample.

-## Artifact parameters table

-The following table provides a list of the blueprint artifact parameters:

-Artifact name|Artifact type|Parameter name|Description|

-|-|-|-|-|

-|\[Preview\]: Deploy Log Analytics Agent for Linux VMs |Policy assignment |Log Analytics workspace for Linux VMs |For more information, see [Create a Log Analytics workspace in the Azure portal](../../../../azure-monitor/logs/quick-create-workspace.md). |

-|\[Preview\]: Deploy Log Analytics Agent for Linux VMs |Policy assignment |Optional: List of VM images that have supported Linux OS to add to scope |An empty array may be used to indicate no optional parameters: `[]` |

-|\[Preview\]: Deploy Log Analytics Agent for Windows VMs |Policy assignment |Optional: List of VM images that have supported Windows OS to add to scope |An empty array may be used to indicate no optional parameters: `[]` |

-|\[Preview\]: Deploy Log Analytics Agent for Windows VMs |Policy assignment |Log Analytics workspace for Windows VMs |For more information, see [Create a Log Analytics workspace in the Azure portal](../../../../azure-monitor/logs/quick-create-workspace.md). |

-|\[Preview\]: Audit Media controls and deploy specific VM Extensions to support audit requirements |Policy assignment |Log Analytics workspace ID that VMs should be configured for |This is the ID (GUID) of the Log Analytics workspace that the VMs should be configured for. |

-|\[Preview\]: Audit Media controls and deploy specific VM Extensions to support audit requirements |Policy assignment |List of resource types that should have diagnostic logs enabled |List of resource types to audit if diagnostic log setting isn't enabled. Acceptable values can be found at [Azure Monitor diagnostic logs schemas](../../../../azure-monitor/essentials/resource-logs-schema.md#service-specific-schemas). |

-|\[Preview\]: Audit Media controls and deploy specific VM Extensions to support audit requirements |Policy assignment |Administrators group |Group. Example: `Administrator; myUser1; myUser2` |

-|\[Preview\]: Audit Media controls and deploy specific VM Extensions to support audit requirements |Policy assignment |List of users that should be included in Windows VM Administrators group |A semicolon-separated list of members that should be included in the Administrators local group. Example: `Administrator; myUser1; myUser2` |

-|Deploy Advanced Threat Protection on Storage Accounts |Policy assignment |Effect |Information about policy effects can be found at [Understand Azure Policy Effects](../../../policy/concepts/effects.md). |

-|Deploy Auditing on SQL servers |Policy assignment |The value in days of the retention period (0 indicates unlimited retention) |Retention days (optional, _180_ days if unspecified) |

-|Deploy Auditing on SQL servers |Policy assignment |Resource group name for storage account for SQL server auditing |Auditing writes database events to an audit log in your Azure Storage account (a storage account is created in each region where a SQL Server is created that is shared by all servers in that region). Important - for proper operation of Auditing don't delete or rename the resource group or the storage accounts. |

-|Deploy diagnostic settings for Network Security Groups |Policy assignment |Storage account prefix for network security group diagnostics |This prefix is combined with the network security group location to form the created storage account name. |

-|Deploy diagnostic settings for Network Security Groups |Policy assignment |Resource group name for storage account for network security group diagnostics (must exist) |The resource group that the storage account is created in. This resource group must already exist. |

-## Next steps

-Now that you've reviewed the steps to deploy the Media sample, visit the following

-articles to learn about the overview and control mapping:

-> [!div class="nextstepaction"]

-> [Media blueprints - Overview](./index.md)

-> [Media blueprints - Control mapping](./control-mapping.md)

-Additional articles about blueprints and how to use them:

-description: Overview of the Media blueprint sample. This blueprint sample helps customers assess specific Media controls.

-# Overview of the Media blueprint sample

-Media blueprint sample provides a set of governance guardrails using

-[Azure Policy](../../../policy/overview.md) that help toward

-[Media](https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/https://docsupdatetracker.net/index.html)

-attestation.

-## Blueprint sample

-The blueprint sample helps customers deploy a core set of policies for any Azure-deployed

-architecture requiring accreditation or compliance with the Media framework. The

-[control mapping](./control-mapping.md) section provides details on policies included within this

-initiative and how these policies help meet various controls defined by Media framework. When

-assigned to an architecture, resources are evaluated by Azure Policy for compliance with assigned

-policies.

-## Next steps

-You've reviewed the overview of the Media blueprint sample. Next, visit the following

-articles to learn about the control mapping and how to deploy this sample:

-> [!div class="nextstepaction"]

-> [Media blueprint - Control mapping](./control-mapping.md)

-> [Media blueprint - Deploy steps](./deploy.md)

-Additional articles about blueprints and how to use them:

-description: Overview of the NIST SP 800-171 R2 blueprint sample. This blueprint sample helps customers assess specific NIST SP 800-171 R2 requirements or controls.

-# NIST SP 800-171 R2 blueprint sample

-The NIST SP 800-171 R2 blueprint sample provides governance guardrails using

-[Azure Policy](../../policy/overview.md) that help you assess specific NIST SP 800-171 R2

-requirements or controls. This blueprint helps customers deploy a core set of policies for any

-Azure-deployed architecture that must implement NIST SP 800-171 R2 requirements or controls.

-## Control mapping

-The [Azure Policy control mapping](../../policy/samples/nist-sp-800-171-r2.md) provides details on

-policy definitions included within this blueprint and how these policy definitions map to the

-**compliance domains** and **requirements** in NIST SP 800-171 R2. When assigned to an architecture,

-resources are evaluated by Azure Policy for non-compliance with assigned policy definitions. For

-more information, see [Azure Policy](../../policy/overview.md).

-## Deploy

-To deploy the Azure Blueprints NIST SP 800-171 R2 blueprint sample, the following steps must

-be taken:

-> [!div class="checklist"]

-> - Create a new blueprint from the sample

-> - Mark your copy of the sample as **Published**

-> - Assign your copy of the blueprint to an existing subscription

-If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free)

-before you begin.

-### Create blueprint from sample

-First, implement the blueprint sample by creating a new blueprint in your environment using the

-sample as a starter.

-1. Select **All services** in the left pane. Search for and select **Blueprints**.

-1. From the **Getting started** page on the left, select the **Create** button under _Create a

- blueprint_.

-1. Find the **NIST SP 800-171 R2** blueprint sample under _Other Samples_ and select **Use

- this sample**.

-1. Enter the _Basics_ of the blueprint sample:

- - **Blueprint name**: Provide a name for your copy of the NIST SP 800-171 R2 blueprint sample.

- - **Definition location**: Use the ellipsis and select the management group to save your copy of

- the sample to.

-1. Select the _Artifacts_ tab at the top of the page or **Next: Artifacts** at the bottom of the

- page.

-1. Review the list of artifacts that are included in the blueprint sample. Many of the artifacts

- have parameters that we'll define later. Select **Save Draft** when you've finished reviewing the

- blueprint sample.

-### Publish the sample copy

-Your copy of the blueprint sample has now been created in your environment. It's created in

-**Draft** mode and must be **Published** before it can be assigned and deployed. The copy of the

-blueprint sample can be customized to your environment and needs, but that modification may move it

-away from alignment with NIST SP 800-171 requirements.

-1. Select **All services** in the left pane. Search for and select **Blueprints**.

-1. Select the **Blueprint definitions** page on the left. Use the filters to find your copy of the

- blueprint sample and then select it.

-1. Select **Publish blueprint** at the top of the page. In the new page on the right, provide a

- **Version** for your copy of the blueprint sample. This property is useful for if you make a

- modification later. Provide **Change notes** such as "First version published from the NIST SP

- 800-171 R2 blueprint sample." Then select **Publish** at the bottom of the page.

-### Assign the sample copy

-Once the copy of the blueprint sample has been successfully **Published**, it can be assigned to a

-subscription within the management group it was saved to. This step is where parameters are provided

-to make each deployment of the copy of the blueprint sample unique.

-1. Select **All services** in the left pane. Search for and select **Blueprints**.

-1. Select the **Blueprint definitions** page on the left. Use the filters to find your copy of the

- blueprint sample and then select it.

-1. Select **Assign blueprint** at the top of the blueprint definition page.

-1. Provide the parameter values for the blueprint assignment:

- - Basics

- - **Subscriptions**: Select one or more of the subscriptions that are in the management group

- you saved your copy of the blueprint sample to. If you select more than one subscription, an

- assignment will be created for each using the parameters entered.

- - **Assignment name**: The name is pre-populated for you based on the name of the blueprint.

- Change as needed or leave as is.

- - **Location**: Select a region for the managed identity to be created in. Azure Blueprints uses

- this managed identity to deploy all artifacts in the assigned blueprint. To learn more, see

- [managed identities for Azure resources](../../../active-directory/managed-identities-azure-resources/overview.md).

- - **Blueprint definition version**: Pick a **Published** version of your copy of the blueprint

- sample.

- - Lock Assignment

- Select the blueprint lock setting for your environment. For more information, see

- [blueprints resource locking](../concepts/resource-locking.md).

- - Managed Identity

- Leave the default _system assigned_ managed identity option.

- - Artifact parameters

- The parameters defined in this section apply to the artifact under which it's defined. These

- parameters are [dynamic parameters](../concepts/parameters.md#dynamic-parameters) since they're

- defined during the assignment of the blueprint. For a full list or artifact parameters and

- their descriptions, see [Artifact parameters table](#artifact-parameters-table).

-1. Once all parameters have been entered, select **Assign** at the bottom of the page. The blueprint

- assignment is created and artifact deployment begins. Deployment takes roughly an hour. To check

- on the status of deployment, open the blueprint assignment.

-> [!WARNING]

-> The Azure Blueprints service and the built-in blueprint samples are **free of cost**. Azure

-> resources are [priced by product](https://azure.microsoft.com/pricing/). Use the

-> [pricing calculator](https://azure.microsoft.com/pricing/calculator/) to estimate the cost of

-> running resources deployed by this blueprint sample.

-### Artifact parameters table

-The following table provides a list of the blueprint artifact parameters:

-|Artifact name|Artifact type|Parameter name|Description|

-|-|-|-|-|

-|\[Preview\]: NIST SP 800-171 R2|Policy assignment|List of users that should be excluded from Windows VM Administrators group|A semicolon-separated list of members that should be excluded in the Administrators local group. Ex: Administrator; myUser1; myUser2|

-|\[Preview\]: NIST SP 800-171 R2|Policy assignment|List of users that should be included in Windows VM Administrators group|A semicolon-separated list of members that should be included in the Administrators local group. Ex: Administrator; myUser1; myUser2|

-|\[Preview\]: NIST SP 800-171 R2|Policy assignment|List of regions where Network Watcher should be enabled|A semicolon-separated list of regions. To see a complete list of regions use Get-AzLocation. Ex: East US; East US2|

-|\[Preview\]: NIST SP 800-171 R2|Policy assignment|Log Analytics workspace ID that VMs should be configured for|This is the ID (GUID) of the Log Analytics workspace that the VMs should be configured for.|

-|\[Preview\]: NIST SP 800-171 R2|Policy assignment|Optional: List of Windows VM images that support Log Analytics agent to add to audit scope|A semicolon-separated list of images|

-|\[Preview\]: NIST SP 800-171 R2|Policy assignment|Optional: List of Linux VM images that support Log Analytics agent to add to audit scope|A semicolon-separated list of images|

-|\[Preview\]: NIST SP 800-171 R2|Policy assignment|Latest PHP version|Latest supported PHP version for App Services|

-|\[Preview\]: NIST SP 800-171 R2|Policy assignment|Latest Java version|Latest supported Java version for App Services|

-|\[Preview\]: NIST SP 800-171 R2|Policy assignment|Latest Windows Python version|Latest supported Python version for App Services|

-|\[Preview\]: NIST SP 800-171 R2|Policy assignment|Latest Linux Python version|Latest supported Python version for App Services|

-|\[Preview\]: NIST SP 800-171 R2|Policy assignment|List of resource types that should have diagnostic logs enabled|List of resource types to audit if diagnostic log setting is not enabled. Acceptable values can be found at [Azure Monitor diagnostic logs schemas](../../../azure-monitor/essentials/resource-logs-schema.md).|

-|\[Preview\]: NIST SP 800-171 R2|Policy assignment|Minimum TLS version for Windows Web servers|The minimum TLS protocol version that should be enabled on Windows web servers.|

-## Next steps

-Additional articles about blueprints and how to use them:

-description: Control mapping of the Payment Card Industry Data Security Standard v3.2.1 blueprint sample to Azure Policy and Azure RBAC.

-# Control mapping of the PCI-DSS v3.2.1 blueprint sample

-The following article details how the Azure Blueprints PCI-DSS v3.2.1 blueprint sample maps to the

-PCI-DSS v3.2.1 controls. For more information about the controls, see

-[PCI-DSS v3.2.1](https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf).

-The following mappings are to the **PCI-DSS v3.2.1:2018** controls. Use the navigation on the right

-to jump directly to a specific control mapping. Many of the mapped controls are implemented with an

-[Azure Policy](../../../policy/overview.md) initiative. To review the complete initiative, open

-**Policy** in the Azure portal and select the **Definitions** page. Then, find and select the **PCI

-v3.2.1:2018** built-in policy initiative.

-> [!IMPORTANT]

-> Each control below is associated with one or more [Azure Policy](../../../policy/overview.md)

-> definitions. These policies may help you

-> [assess compliance](../../../policy/how-to/get-compliance-data.md) with the control; however,

-> there often is not a one-to-one or complete match between a control and one or more policies. As

-> such, **Compliant** in Azure Policy refers only to the policies themselves; this doesn't ensure

-> you're fully compliant with all requirements of a control. In addition, the compliance standard

-> includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore,

-> compliance in Azure Policy is only a partial view of your overall compliance status. The

-> associations between controls and Azure Policy definitions for this compliance blueprint sample

-> may change over time. To view the change history, see the

-> [GitHub Commit History](https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/governance/blueprints/samples/pci-dss-3.2.1/control-mapping.md).

-## 1.3.2 and 1.3.4 Boundary Protection

-This blueprint helps you manage and control networks by assigning [Azure

-Policy](../../../policy/overview.md) definitions that monitors network security groups with

-permissive rules. Rules that are too permissive may allow unintended network access and should be

-reviewed. This blueprint assigns one Azure Policy definitions that monitor unprotected endpoints,

-applications, and storage accounts. Endpoints and applications that aren't protected by a firewall,

-and storage accounts with unrestricted access can allow unintended access to information contained

-within the information system.

-## 3.4.a, 4.1, 4.1.g, 4.1.h and 6.5.3 Cryptographic Protection

-This blueprint helps you enforce your policy with the use of cryptograph controls by assigning

-[Azure Policy](../../../policy/overview.md) definitions which enforce specific cryptograph controls

-and audit use of weak cryptographic settings. Understanding where your Azure resources may have

-non-optimal cryptographic configurations can help you take corrective actions to ensure resources

-are configured in accordance with your information security policy. Specifically, the policies

-assigned by this blueprint require transparent data encryption on SQL databases; audit missing

-encryption on storage accounts, and automation account variables. There are also policies which

-address audit insecure connections to storage accounts, Function Apps, WebApp, API Apps, and Redis

-Cache, and audit unencrypted Service Fabric communication.

-## 5.1, 6.2, 6.6 and 11.2.1 Vulnerability Scanning and System Updates

-This blueprint helps you manage information system vulnerabilities by assigning [Azure

-Policy](../../../policy/overview.md) definitions that monitor missing system updates, operating

-system vulnerabilities, SQL vulnerabilities, and virtual machine vulnerabilities in Azure Security

-Center. Azure Security Center provides reporting capabilities that enable you to have real-time

-insight into the security state of deployed Azure resources.

-## 7.1.1. 7.1.2 and 7.1.3 Separation of Duties

-Having only one Azure subscription owner doesn't allow for administrative redundancy. Conversely,

-having too many Azure subscription owners can increase the potential for a breach via a compromised

-owner account. This blueprint helps you maintain an appropriate number of Azure subscription owners

-by assigning [Azure Policy](../../../policy/overview.md) definitions which audit the number of

-owners for Azure subscriptions. Managing subscription owner permissions can help you implement

-appropriate separation of duties.

-## 3.2, 7.2.1, 8.3.1.a and 8.3.1.b Management of Privileged Access Rights

-This blueprint helps you restrict and control privileged access rights by assigning [Azure

-Policy](../../../policy/overview.md) definitions to audit external accounts with owner, write and/or

-read permissions and employee accounts with owner and/or write permissions that don't have

-multi-factor authentication enabled. Azure role-based access control (Azure RBAC) helps to manage

-who has access to Azure resources. Understanding where custom Azure RBAC rules are implement can

-help you verify need and proper implementation, as custom Azure RBAC rules are error prone. This

-blueprint also assigns [Azure Policy](../../../policy/overview.md) definitions to audit use of Azure

-Active Directory authentication for SQL Servers. Using Azure Active Directory authentication

-simplifies permission management and centralizes identity management of database users and other

-Microsoft services.

-## 8.1.2 and 8.1.5 Least Privilege and Review of User Access Rights

-Azure role-based access control (Azure RBAC) helps you manage who has access to resources in

-Azure. Using the Azure portal, you can review who has access to Azure resources and their

-permissions. This blueprint assigns [Azure Policy](../../../policy/overview.md) definitions to audit

-accounts that should be prioritized for review, including depreciated accounts and external accounts

-with elevated permissions.

-## 8.1.3 Removal or Adjustment of Access Rights

-Azure role-based access control (Azure RBAC) helps you manage who has access to resources in Azure.

-Using Azure Active Directory and Azure RBAC, you can update user roles to reflect organizational

-changes. When needed, accounts can be blocked from signing in (or removed), which immediately

-removes access rights to Azure resources. This blueprint assigns [Azure

-Policy](../../../policy/overview.md) definitions to audit depreciated account that should be

-considered for removal.

-## 8.2.3.a,b, 8.2.4.a,b and 8.2.5 Password-based Authentication

-This blueprint helps you enforce strong passwords by assigning [Azure

-Policy](../../../policy/overview.md) definitions that audit Windows VMs that don't enforce minimum

-strength and other password requirements. Awareness of VMs in violation of the password strength

-policy helps you take corrective actions to ensure passwords for all VM user accounts are compliant

-with policy.

- 70 days

- length to 14 characters

- passwords

-## 10.3 and 10.5.4 Audit Generation

-This blueprint helps you ensure system events are logged by assigning [Azure

-Policy](../../../policy/overview.md) definitions that audit log settings on Azure resources.

-Diagnostic logs provide insight into operations that were performed within Azure resources. Azure

-logs rely on synchronized internal clocks to create a time-correlated record of events across

-resources.

-## 12.3.6 and 12.3.7 Information Security

-This blueprint helps you manage and control your network by assigning [Azure

-Policy](../../../policy/overview.md) definitions that audit the acceptable network locations and the

-approved company products allowed for the environment. These are customizable by each company

-through the policy parameters within each of these policies.

-## Next steps

-Now that you've reviewed the control mapping of the PCI-DSS v3.2.1 blueprint, visit the following

-articles to learn about the overview and how to deploy this sample:

-> [!div class="nextstepaction"]

-> [PCI-DSS v3.2.1 blueprint - Overview](./index.md)

-> [PCI-DSS v3.2.1 blueprint - Deploy steps](./deploy.md)

-Additional articles about blueprints and how to use them:

-description: Deploy steps for the Payment Card Industry Data Security Standard v3.2.1 blueprint sample including blueprint artifact parameter details.

-# Deploy the PCI-DSS v3.2.1 blueprint sample

-To deploy the Azure Blueprints PCI-DSS v3.2.1 blueprint sample, the following steps must be taken:

-> [!div class="checklist"]

-> - Create a new blueprint from the sample

-> - Mark your copy of the sample as **Published**

-> - Assign your copy of the blueprint to an existing subscription

-If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free)

-before you begin.

-## Create blueprint from sample

-First, implement the blueprint sample by creating a new blueprint in your environment using the

-sample as a starter.

-1. Select **All services** in the left pane. Search for and select **Blueprints**.

-1. From the **Getting started** page on the left, select the **Create** button under _Create a

- blueprint_.

-1. Find the **PCI-DSS v3.2.1** blueprint sample under _Other Samples_ and select **Use

- this sample**.

-1. Enter the _Basics_ of the blueprint sample:

- - **Blueprint name**: Provide a name for your copy of the PCI-DSS v3.2.1 blueprint

- sample.

- - **Definition location**: Use the ellipsis and select the management group to save your copy of

- the sample to.

-1. Select the _Artifacts_ tab at the top of the page or **Next: Artifacts** at the bottom of the

- page.

-1. Review the list of artifacts that make up the blueprint sample. Many of the artifacts have

- parameters that we'll define later. Select **Save Draft** when you've finished reviewing the

- blueprint sample.

-## Publish the sample copy

-Your copy of the blueprint sample has now been created in your environment. It's created in

-**Draft** mode and must be **Published** before it can be assigned and deployed. The copy of the

-blueprint sample can be customized to your environment and needs, but that modification may move

-it away from the PCI-DSS v3.2.1 standard.

-1. Select **All services** in the left pane. Search for and select **Blueprints**.

-1. Select the **Blueprint definitions** page on the left. Use the filters to find your copy of the

- blueprint sample and then select it.

-1. Select **Publish blueprint** at the top of the page. In the new page on the right, provide a

- **Version** for your copy of the blueprint sample. This property is useful for if you make a

- modification later. Provide **Change notes** such as "First version published from the PCI-DSS

- v3.2.1 blueprint sample." Then select **Publish** at the bottom of the page.

-## Assign the sample copy

-Once the copy of the blueprint sample has been successfully **Published**, it can be assigned to a

-subscription within the management group it was saved to. This step is where parameters are

-provided to make each deployment of the copy of the blueprint sample unique.

-1. Select **All services** in the left pane. Search for and select **Blueprints**.

-1. Select the **Blueprint definitions** page on the left. Use the filters to find your copy of the

- blueprint sample and then select it.

-1. Select **Assign blueprint** at the top of the blueprint definition page.

-1. Provide the parameter values for the blueprint assignment:

- - Basics

- - **Subscriptions**: Select one or more of the subscriptions that are in the management group

- you saved your copy of the blueprint sample to. If you select more than one subscription, an

- assignment will be created for each using the parameters entered.

- - **Assignment name**: The name is pre-populated for you based on the name of the blueprint.

- Change as needed or leave as is.

- - **Location**: Select a region for the managed identity to be created in. Azure Blueprints uses

- this managed identity to deploy all artifacts in the assigned blueprint. To learn more, see

- [managed identities for Azure resources](../../../../active-directory/managed-identities-azure-resources/overview.md).

- - **Blueprint definition version**: Pick a **Published** version of your copy of the blueprint

- sample.

- - Lock Assignment

- Select the blueprint lock setting for your environment. For more information, see

- [blueprints resource locking](../../concepts/resource-locking.md).

- - Managed Identity

- Leave the default _system assigned_ managed identity option.

- - Artifact parameters

- The parameters defined in this section apply to the artifact under which it's defined. These

- parameters are [dynamic parameters](../../concepts/parameters.md#dynamic-parameters) since

- they're defined during the assignment of the blueprint. For a full list or artifact parameters

- and their descriptions, see [Artifact parameters table](#artifact-parameters-table).

-1. Once all parameters have been entered, select **Assign** at the bottom of the page. The blueprint

- assignment is created and artifact deployment begins. Deployment takes roughly an hour. To check

- on the status of deployment, open the blueprint assignment.

-> [!WARNING]

-> The Azure Blueprints service and the built-in blueprint samples are **free of cost**. Azure

-> resources are [priced by product](https://azure.microsoft.com/pricing/). Use the

-> [pricing calculator](https://azure.microsoft.com/pricing/calculator/) to estimate the cost of

-> running resources deployed by this blueprint sample.

-## Artifact parameters table

-The following table provides a list of the blueprint artifact parameters:

-|Artifact name|Artifact type|Parameter name|Description|

-|-|-|-|-|

-|PCI v3.2.1:2018|Policy Assignment|List of Resource Types | Audit diagnostic setting for selected resource types. Default value is all resources are selected|

-|Allowed locations|Policy Assignment|List Of Allowed Locations|List of data center locations allowed for any resource to be deployed into. This list is customizable to the desired Azure locations globally. Select locations you wish to allow.|

-|Allowed Locations for resource groups|Policy Assignment |Allowed Location |This policy enables you to restrict the locations your organization can create resource groups in. Use to enforce your geo-compliance requirements.|

-|Deploy Auditing on SQL servers|Policy Assignment|Retention days|Data retention in number of days. Default value is 180 but PCI requires 365.|

-|Deploy Auditing on SQL servers|Policy Assignment|Resource group name for storage account|Auditing writes database events to an audit log in your Azure Storage account (a storage account will be created in each region where a SQL Server is created that will be shared by all servers in that region).|

-## Next steps

-Now that you've reviewed the steps to deploy the PCI-DSS v3.2.1 blueprint sample, visit the

-following articles to learn about the overview and control mapping:

-> [!div class="nextstepaction"]

-> [PCI-DSS v3.2.1 blueprint - Overview](./index.md)

-> [PCI-DSS v3.2.1 blueprint - Control mapping](./control-mapping.md)

-Additional articles about blueprints and how to use them:

-description: Overview of the Payment Card Industry Data Security Standard v3.2.1 blueprint sample. This blueprint sample helps customers assess specific controls.

-# Overview of the PCI-DSS v3.2.1 blueprint sample

-The PCI-DSS v3.2.1 blueprint sample is a set of policies which aides in achieving PCI-DSS v3.2.1

-compliance. This blueprint helps customers govern cloud-based environments with PCI-DSS workloads.

-The PCI-DSS blueprint deploys a core set of policies for any Azure-deployed architecture requiring

-this accreditation.

-## Control mapping

-The control mapping section provides details on policies included within this initiative and how

-these policies help meet various controls defined by PCI-DSS v3.2.1. When assigned to an

-architecture, resources are evaluated by Azure Policy for non-compliance with assigned policies.

-After assigning this blueprint, view your Azure environments level of compliance in the Azure Policy

-Compliance Dashboard.

-## Next steps

-You've reviewed the overview of the PCI-DSS v3.2.1 blueprint sample. Next, visit the following

-articles to learn about the control mapping and how to deploy this sample:

-> [!div class="nextstepaction"]

-> [PCI-DSS v3.2.1 blueprint - Control mapping](./control-mapping.md)

-> [PCI-DSS v3.2.1 blueprint - Deploy steps](./deploy.md)

-Additional articles about blueprints and how to use them:

-This built-in initiative is deployed as part of the

-[IRS 1075 September 2016 blueprint sample](../../blueprints/samples/irs-1075-sept2016.md).

-This built-in initiative is deployed as part of the

-[IRS 1075 September 2016 blueprint sample](../../blueprints/samples/irs-1075-sept2016.md).

- - Sample query: [Count of subscriptions per management group](../samples/samples-by-category.md#count-of-subscriptions-per-management-group)

- - Sample query: [Key vaults with subscription name](../samples/samples-by-category.md#key-vaults-with-subscription-name)

- - Sample query: [List all management group ancestors for a specified subscription](../samples/samples-by-category.md#list-all-management-group-ancestors-for-a-specified-subscription)

- - Sample query: [List all subscriptions under a specified management group](../samples/samples-by-category.md#list-all-subscriptions-under-a-specified-management-group)

- - Sample query: [Remove columns from results](../samples/samples-by-category.md#remove-columns-from-results)

- - Sample query: [Secure score per management group](../samples/samples-by-category.md#secure-score-per-management-group)

- - Sample query: [List Azure Security Center recommendations](../samples/samples-by-category.md#list-azure-security-center-recommendations)

- - Sample query: [Show Azure Defender pricing tier per subscription](../samples/samples-by-category.md#show-azure-defender-pricing-tier-per-subscription)

-## Azure Security Center

-# Set $original_file to the python file path

-3. From the SSH session, add the python files uploaded previously to the storage for the cluster.

-3. From the SSH session, add the python files uploaded previously to the storage for the cluster.

-1. From a web browser, sign in to [https://developer.twitter.com/apps/](https://developer.twitter.com/apps/). Select the **Sign-up now** link if you don't have a Twitter account.

-* [Analyze flight delay data using HDInsight](./interactive-query/interactive-query-tutorial-analyze-flight-data.md)

-8. Select the python option below.

-* [blobxfer.py](https://github.com/Azure/blobxfer): A python script for working with blobs in Azure Storage.

-| BUG-95193 | [SLIDER-1252](https://issues.apache.org/jira/browse/SLIDER-1252) | Slider agent fails with SSL validation errors with python 2.7.5-58 |

-You can use the python code below to interact with the REST proxy on your Kafka cluster. To use the code sample, follow these steps:

-1. Install required python dependencies by executing `pip3 install msal`.

-1. From the command line, execute the python file by executing `sudo python3 <filename.py>`

-#Required python packages

-* [Use external python packages with Jupyter Notebooks in Apache Spark clusters on HDInsight Linux](apache-spark-python-package-installation.md)

-description: Step-by-step instructions on how to use script action to configure Jupyter Notebooks available with HDInsight Spark clusters to use external python packages.

-1. Create Python virtual environment using conda. A virtual environment provides an isolated space for your projects without breaking others. When creating the Python virtual environment, you can specify python version that you want to use. You still need to create virtual environment even though you would like to use Python 2.7 and 3.5. This requirement is to make sure the cluster's default environment not getting broke. Run script actions on your cluster for all nodes with below script to create a Python virtual environment.

-|Anaconda|A python package manager.|

-**Azure RTOS**: Azure RTOS TLS provides support for mutual certificate authentication in both TLS Server and Client applications. For more information, see the [Azure RTOS NetX Secure TLS documentation](/netx-secure-tls/chapter1#netx-secure-unique-features).

-Depending on the scenario, a device usually sends a request to a provisioning service instance on reboot. It also supports a method to manually trigger provisioning on demand. The reprovisioning policy on an enrollment entry determines how the device provisioning service instance handles these provisioning requests. The policy also determines whether device state data should be migrated during reprovisioning. The same policies are available for individual enrollments and enrollment groups:

-How often a device submits a provisioning request depends on the scenario. However, it is advised to program your devices to send a provisioning request to a provisioning service instance on reboot, and support a [method](../iot-hub/iot-hub-devguide-direct-methods.md) to manually trigger provisioning on demand. Provisioning could also be triggered by setting a [desired property](../iot-hub/iot-hub-devguide-device-twins.md#desired-property-example).

-The reprovisioning policy on an enrollment entry determines how the device provisioning service instance handles these provisioning requests, and if device state data should be migrated during reprovisioning. The same policies are available for individual enrollments and enrollment groups:

-For example code of sending provisioning requests from a device during a boot sequence, see [Auto-provisioning a simulated device](quick-create-simulated-device-tpm.md).

-6. Run the python sample code in *_provision_symmetric_key.py_*.

-2. Using your Python IDE, edit the python script named **provisioning\_device\_client\_sample.py** (replace `{globalServiceEndpoint}` and `{idScope}` to the values that you previously copied). Also, make sure *SECURITY\_DEVICE\_TYPE* is set to `ProvisioningSecurityDeviceType.TPM`.

- This command should output that one certificate was added to /etc/ssl/certs.

-> If you have multiple Python including pre-installed python 2.7 (for example, on Ubuntu or macOS), make sure you are using the correct `pip` or `pip3` to install **iotedgehubdev**

-* Azure Notebooks as our main front end for data preparation and machine learning experimentation. Running python code in a notebook on a subset of the sample data is a great way to get fast iterative and interactive turnaround during data preparation. Jupyter notebooks can also be used to prepare scripts to run at scale in a compute backend.

-The python code snippet below, demonstrates the twin reported properties update process over MQTT (using Paho MQTT client):

-Sign in to the Azure portal at https://portal.azure.com.

-Regardless whether you run the CLI locally or in the Cloud Shell, keep the portal open in your browser. You use it later in this quickstart.

-1. Select the **Cloud Shell** button on the top-right menu bar in the Azure portal.

- > If this is the first time you've used the Cloud Shell, it prompts you to create storage, which is required to use the Cloud Shell. Select a subscription to create a storage account and Microsoft Azure Files share.

-2. Select your preferred CLI environment in the **Select environment** dropdown. This quickstart uses the **Bash** environment. All the following CLI commands work in the PowerShell environment too.

-* Run the [az extension add](/cli/azure/extension#az_extension_add) command to add the Microsoft Azure IoT Extension for Azure CLI to your CLI shell. The IOT Extension adds IoT Hub, IoT Edge, and IoT Device Provisioning Service (DPS) specific commands to Azure CLI.

-

- After you install the Azure IOT extension, you don't need to install it again in any Cloud Shell session.

-* Open a second CLI session. If you're using the Cloud Shell, select **Open new session**. If you're using the CLI locally, open a second instance.

-## Create an IoT Hub

-In this section, you use the Azure CLI to create a resource group and an IoT Hub. An Azure resource group is a logical container into which Azure resources are deployed and managed. An IoT Hub acts as a central message hub for bi-directional communication between your IoT application and the devices.

-> Optionally, you can create an Azure resource group, an IoT Hub, and other resources by using the [Azure portal](iot-hub-create-through-portal.md), [Visual Studio Code](iot-hub-create-use-iot-toolkit.md), or other programmatic methods.

-1. Run the [az group create](/cli/azure/group#az_group_create) command to create a resource group. The following command creates a resource group named *MyResourceGroup* in the *eastus* location.

-1. Run the [az iot hub create](/cli/azure/iot/hub#az_iot_hub_create) command to create an IoT hub. It might take a few minutes to create an IoT hub.

- *YourIotHubName*. Replace this placeholder name and the curly brackets with the name you chose for your IoT hub. An IoT hub name must be globally unique in Azure. This placeholder is used in the rest of this quickstart to represent your IoT hub name.

-1. Run the [az iot hub device-identity create](/cli/azure/iot/hub/device-identity#az_iot_hub_device_identity_create) command in the first CLI session. This creates the simulated device identity.

- *YourIotHubName*. Replace this placeholder below with the name you chose for your IoT hub.

- *simDevice*. You can use this name directly for the simulated device in the rest of this quickstart. Optionally, use a different name.

- *YourIotHubName*. Replace this placeholder below with the name you chose for your IoT hub.

- *YourIotHubName*. Replace this placeholder below with the name you chose for your IoT hub.

-1. After you monitor the simulated device in the second CLI session, press Ctrl+C to stop monitoring.

- *YourIotHubName*. Replace this placeholder below with the name you chose for your IoT hub.

- *YourIotHubName*. Replace this placeholder below with the name you chose for your IoT hub.

- Optionally, you can send cloud-to-device messages by using the Azure portal. To do this, browse to the overview page for your IoT Hub, select **IoT Devices**, select the simulated device, and select **Message to Device**.

-1. In the first CLI session, confirm that the simulated device received the message.

-The Azure portal enables you to manage all aspects of your IoT Hub and devices. In a typical IoT Hub application that ingests telemetry from devices, you might want to monitor devices or view metrics on device telemetry.

-1. In the left navigation menu on the portal, select **All Resources**. This lists all resources in your subscription, including the IoT hub you created.

-1. Select **Metrics** in the left pane of your IoT Hub.

-1. Enter your IoT hub name in **Scope**.

-2. Select *Iot Hub Standard Metrics* in **Metric Namespace**.

-3. Select *Total number of messages used* in **Metric**.

-4. Hover your mouse pointer over the area of the timeline in which your device sent messages. The total number of messages at a point in time appears in the lower left corner of the timeline.

-5. Optionally, use the **Metric** dropdown to display other metrics on your simulated device. For example, *C2d message deliveries completed* or *Total devices (preview)*.

-If you continue to the next recommended article, you can keep the resources you've already created and reuse them.

-> Deleting a resource group is irreversible. The resource group and all the resources contained in it are permanently deleted. Make sure that you do not accidentally delete the wrong resource group or resources.

-> [!NOTE]

-> The number of key vaults with private endpoints enabled per subscription is an adjustable limit. The limit shown below is the default limit. If you would like to request a limit increase for your service, please send an email to azurekeyvault@microsoft.com. We will approve these requests on a case by case basis.

-**Pricing**: For pricing information, see [Azure Private Link pricing](https://azure.microsoft.com/pricing/details/private-link/).

-**Limitations**: Private Endpoint for Azure Key Vault is only available in Azure public regions.

-**Maximum Number of Private Endpoints per Key Vault**: 64.

-**Default Number of Key Vaults with Private Endpoints per Subscription**: 400.

-For more, see [Azure Private Link service: Limitations](../../private-link/private-link-service-overview.md#limitations)

-* A python script named **verifykeypackage.py.**

-[!code-azurecli-interactive[main](../../../cli_scripts/load-balancer/load-balance-multiple-web-sites-vm/load-balance-multiple-web-sites-vm.sh "Load balance multiple web sites")]

-## Clean up deployment

-Run the following command to remove the resource group, VM, and all related resources.

-az group delete --name myResourceGroup --yes

-## Script explanation

-Additional networking CLI script samples can be found in the [Azure Networking Overview documentation](../cli-samples.md?toc=%2fazure%2fnetworking%2ftoc.json).

-This Azure CLI script example creates everything needed to run several Ubuntu virtual machines configured in a highly available and load balanced configuration. After running the script, you will have three virtual machines, joined to an Azure Availability Set, and accessible through an Azure Load Balancer.

-## Clean up deployment

-Run the following command to remove the resource group, VM, and all related resources.

-az group delete --name myResourceGroup

-## Script explanation

-Additional Azure Networking CLI script samples can be found in the [Azure Networking documentation](../cli-samples.md).

-This Azure CLI script example creates everything needed to run several Ubuntu virtual machines configured in a highly available and load balanced configuration within a specific availability zone. After running the script, you will have three virtual machines in a single availability zones within a region that are accessible through an Azure Standard Load Balancer.

-```azurecli-interactive

- #!/bin/bash

- # Create a resource group.

- az group create \

- --name myResourceGroup \

- --location westeurope

- # Create a virtual network.

- az network vnet create \

- --resource-group myResourceGroup \

- --location westeurope \

- --name myVnet \

- --subnet-name mySubnet

- # Create a zonal Standard public IP address.

- az network public-ip create \

- --resource-group myResourceGroup \

- --name myPublicIP \

- --sku Standard

- --zone 1

- # Create an Azure Load Balancer.

- az network lb create \

- --resource-group myResourceGroup \

- --name myLoadBalancer \

- --public-ip-address myPublicIP \

- --frontend-ip-name myFrontEndPool \

- --backend-pool-name myBackEndPool \

- --sku Standard

- # Creates an LB probe on port 80.

- az network lb probe create \

- --resource-group myResourceGroup \

- --lb-name myLoadBalancer \

- --name myHealthProbe \

- --protocol tcp \

- --port 80

- # Creates an LB rule for port 80.

- az network lb rule create \

- --resource-group myResourceGroup \

- --lb-name myLoadBalancer \

- --name myLoadBalancerRuleWeb \

- --protocol tcp \

- --frontend-port 80 \

- --backend-port 80 \

- --frontend-ip-name myFrontEndPool \

- --backend-pool-name myBackEndPool \

- --probe-name myHealthProbe

- # Create three NAT rules for port 22.

- for i in `seq 1 3`; do

- az network lb inbound-nat-rule create \

- --resource-group myResourceGroup \

- --lb-name myLoadBalancer \

- --name myLoadBalancerRuleSSH$i \

- --protocol tcp \

- --frontend-port 422$i \

- --backend-port 22 \

- --frontend-ip-name myFrontEndPool

- done

- # Create a network security group

- az network nsg create \

- --resource-group myResourceGroup \

- --name myNetworkSecurityGroup

- # Create a network security group rule for port 22.

- az network nsg rule create \

- --resource-group myResourceGroup \

- --nsg-name myNetworkSecurityGroup \

- --name myNetworkSecurityGroupRuleSSH \

- --protocol tcp \

- --direction inbound \

- --source-address-prefix '*' \

- --source-port-range '*' \

- --destination-address-prefix '*' \

- --destination-port-range 22 \

- --access allow \

- --priority 1000

- # Create a network security group rule for port 80.

- az network nsg rule create \

- --resource-group myResourceGroup \

- --nsg-name myNetworkSecurityGroup \

- --name myNetworkSecurityGroupRuleHTTP \

- --protocol tcp \

- --direction inbound \

- --source-address-prefix '*' \

- --source-port-range '*' \

- --destination-address-prefix '*' \

- --destination-port-range 80 \

- --access allow \

- --priority 2000

- # Create three virtual network cards and associate with public IP address and NSG.

- for i in `seq 1 3`; do

- az network nic create \

- --resource-group myResourceGroup \

- --name myNic$i \

- --vnet-name myVnet \

- --subnet mySubnet \

- --network-security-group myNetworkSecurityGroup \

- --lb-name myLoadBalancer \

- --lb-address-pools myBackEndPool \

- --lb-inbound-nat-rules myLoadBalancerRuleSSH$i

- done

-# Create three virtual machines, this creates SSH keys if not present.

-for i in `seq 1 3`; do

- az vm create \

- --resource-group myResourceGroup \

- --name myVM$i \

- --zone 1 \

- --nics myNic$i \

- --image UbuntuLTS \

- --generate-ssh-keys \

- --no-wait

-done

-```

-## Clean up deployment

-Run the following command to remove the resource group, VM, and all related resources.

-az group delete --name myResourceGroup

-## Script explanation

-Additional Azure Networking CLI script samples can be found in the [Azure Networking documentation](../cli-samples.md).

-This Azure CLI script example creates everything needed to run several Ubuntu virtual machines configured in a highly available and load balanced configuration. After running the script, you will have three virtual machines across all availability zones within a region that are accessible through an Azure Standard Load Balancer.

-```azurecli-interactive

- #!/bin/bash

- # Create a resource group.

- az group create \

- --name myResourceGroup \

- --location westeurope

- # Create a virtual network.

- az network vnet create \

- --resource-group myResourceGroup \

- --location westeurope \

- --name myVnet \

- --subnet-name mySubnet

- # Create a zonal Standard public IP address.

- az network public-ip create \

- --resource-group myResourceGroup \

- --name myPublicIP \

- --sku Standard

- # Create an Azure Load Balancer.

- az network lb create \

- --resource-group myResourceGroup \

- --name myLoadBalancer \

- --public-ip-address myPublicIP \

- --frontend-ip-name myFrontEndPool \

- --backend-pool-name myBackEndPool \

- --sku Standard

- # Creates an LB probe on port 80.

- az network lb probe create \

- --resource-group myResourceGroup \

- --lb-name myLoadBalancer \

- --name myHealthProbe \

- --protocol tcp \

- --port 80

- # Creates an LB rule for port 80.

- az network lb rule create \

- --resource-group myResourceGroup \

- --lb-name myLoadBalancer \

- --name myLoadBalancerRuleWeb \

- --protocol tcp \

- --frontend-port 80 \

- --backend-port 80 \

- --frontend-ip-name myFrontEndPool \

- --backend-pool-name myBackEndPool \

- --probe-name myHealthProbe

- # Create three NAT rules for port 22.

- for i in `seq 1 3`; do

- az network lb inbound-nat-rule create \

- --resource-group myResourceGroup \

- --lb-name myLoadBalancer \

- --name myLoadBalancerRuleSSH$i \

- --protocol tcp \

- --frontend-port 422$i \

- --backend-port 22 \

- --frontend-ip-name myFrontEndPool

- done

- # Create a network security group

- az network nsg create \

- --resource-group myResourceGroup \

- --name myNetworkSecurityGroup

- # Create a network security group rule for port 22.

- az network nsg rule create \

- --resource-group myResourceGroup \

- --nsg-name myNetworkSecurityGroup \

- --name myNetworkSecurityGroupRuleSSH \

- --protocol tcp \

- --direction inbound \

- --source-address-prefix '*' \

- --source-port-range '*' \

- --destination-address-prefix '*' \

- --destination-port-range 22 \

- --access allow \

- --priority 1000

- # Create a network security group rule for port 80.

- az network nsg rule create \

- --resource-group myResourceGroup \

- --nsg-name myNetworkSecurityGroup \

- --name myNetworkSecurityGroupRuleHTTP \

- --protocol tcp \

- --direction inbound \

- --source-address-prefix '*' \

- --source-port-range '*' \

- --destination-address-prefix '*' \

- --destination-port-range 80 \

- --access allow \

- --priority 2000

- # Create three virtual network cards and associate with load balancer and NSG.

- for i in `seq 1 3`; do

- az network nic create \

- --resource-group myResourceGroup \

- --name myNic$i \

- --vnet-name myVnet \

- --subnet mySubnet \

- --network-security-group myNetworkSecurityGroup \

- --lb-name myLoadBalancer \

- --lb-address-pools myBackEndPool \

- --lb-inbound-nat-rules myLoadBalancerRuleSSH$i

- done

-# Create three virtual machines, this creates SSH keys if not present.

-for i in `seq 1 3`; do

- az vm create \

- --resource-group myResourceGroup \

- --name myVM$i \

- --zone $i \

- --nics myNic$i \

- --image UbuntuLTS \

- --generate-ssh-keys \

- --no-wait

-done

-```

-## Clean up deployment

-Run the following command to remove the resource group, VM, and all related resources.

-az group delete --name myResourceGroup

-## Script explanation

-Additional Azure Networking CLI script samples can be found in the [Azure Networking documentation](../cli-samples.md).

-* Creates a Standard Internal SKU Load Balancer in the location that you specify. Note that no [outbound connection](./load-balancer-outbound-connections.md) will not be provided by the Standard Internal Load Balancer.

-When there's a performance issue, you can use the server-side metrics to analyze what the root cause of the problem is. Azure Load Testing can [capture server-side resource metrics](./how-to-update-rerun-test.md) for Azure-hosted applications.

-1. On the **Edit test** page, select the **Load** tab. In the **Engine instances** box, enter the number of test engines required to run your test.

-To learn how to configure your load test, see [Monitor server-side application metrics](./how-to-update-rerun-test.md).

-* Learn how to [Monitor server-side application metrics](./how-to-update-rerun-test.md).

-This tutorial describes how to automate performance regression testing by using Azure Load Testing Preview and Azure Pipelines. You'll configure an Azure Pipelines continuous integration and continuous delivery (CI/CD) workflow to run a load test for a sample web application. You'll then use the test results to identify performance regressions.

-## Set up your repository

-In this section, you'll set up an Azure Pipelines workflow that triggers the load test. The sample application repository contains a pipelines definition file. The pipeline first deploys the sample web application to Azure App Service, and then invokes the load test. The pipeline uses an environment variable to pass the URL of the web application to the Apache JMeter script.

-First, you'll install the Azure Load Testing extension from the Azure DevOps Marketplace, create a new pipeline, and then connect it to the sample application's forked repository.

-1. Install the Azure Load Testing task extension from the Azure DevOps Marketplace.

- The repository contains an *azure-pipeline.yml* pipeline definition file. You'll now modify this definition to connect to your Azure Load Testing service.

-## Configure and use the Azure Load Testing task

-This section describes the Azure Load Testing task for Azure Pipelines. The task is cross-platform and runs on Windows, Linux, or Mac agents.

-You can use the following parameters to configure the Azure Load Testing task:

-|Parameter |Description |

-|||

-|`azureSubscription` | *Required*. Name of the Azure Resource Manager service connection. |

-|`loadTestConfigFile` | *Required*. Path to the YAML configuration file for the load test. The path is fully qualified or relative to the default working directory. |

-|`resourceGroup` | *Required*. Name of the resource group that contains the Azure Load Testing resource. |

-|`loadTestResource` | *Required*. Name of an existing Azure Load Testing resource. |

-|`secrets` | Array of JSON objects that consist of the name and value for each secret. The name should match the secret name used in the Apache JMeter test script. |

-|`env` | Array of JSON objects that consist of the name and value for each environment variable. The name should match the variable name used in the Apache JMeter test script. |

-The following YAML code snippet describes how to use the task in an Azure Pipelines CI/CD workflow:

-```yaml

- inputs:

- azureSubscription: '<Azure service connection>'

- loadTestConfigFile: '< YAML File path>'

- loadTestResource: '<name of the load test resource>'

- resourceGroup: '<name of the resource group of your load test resource>'

- secrets: |

- [

- {

- "name": "<Name of the secret>",

- "value": "$(mySecret1)"

- },

- {

- "name": "<Name of the secret>",

- "value": "$(mySecret1)"

- }

- ]

- env: |

- [

- {

- "name": "<Name of the variable>",

- "value": "<Value of the variable>"

- },

- {

- "name": "<Name of the variable>",

- "value": "<Value of the variable>"

- }

- ]

-```

-* For more information about parameterizing load tests, see [Parameterize a load test](./how-to-parameterize-load-tests.md).

-* For more information about defining test pass/fail criteria, see [Define test criteria](./how-to-define-test-criteria.md).

- + Updating AutoML dependencies to support python 3.8. This change will break compatibility with models trained with SDK 1.37 or below due to newer Pandas interfaces being saved in the model.

- + Update matplotlib version from 3.0.2 to 3.2.1 to support python 3.8.

- + Improve handling of write restricted python environments when ensuring .NET Dependencies required for data delivery.

- + Drop support for python 2.7

- + Last version to support python 2.7

- + Dataset: usages for file dataset no longer depend on numpy and pandas to be installed in the python env.

- + Fixed warning printed to console when "packaging" python package is not installed: "Using older than supported version of lightgbm, please upgrade to version greater than 2.2.1"

- + Created feature to install specific versions of gpu-capable pytorch v1.1.0, :::no-loc text="cuda"::: toolkit 9.0, pytorch-transformers, which is required to enable BERT/ XLNet in the remote python runtime environment.

- + Supported importing HTTP csv/tsv files in dataset python SDK.

- + Added Environment.add_private_pip_wheel(), which enables uploading private custom python packages `whl`to the workspace and securely using them to build/materialize the environment.

-Search **in azureml_main** in **70_driver_logs** of **Execute Python Script component** and you could find which line occurred error. For example, "File "/tmp/tmp01_ID/user_script.py", line 17, in azureml_main" indicates that the error occurred in the 17 line of your python script.

- Following is a script bundle example, which contains a python script file and a txt file:

- # Test the custom defined python function

- If the component is failed, you need to do some troubleshooting. Select the component, and open **Outputs+logs** in the right pane. Open **70_driver_log.txt** and search **in azureml_main**, then you could find which line caused the error. For example, "File "/tmp/tmp01_ID/user_script.py", line 17, in azureml_main" indicates that the error occurred in the 17 line of your python script.

-For FileDatasets, you can either **mount** or **download** your dataset, and apply the python libraries you'd normally use for data exploration. [Learn more about mount vs download](how-to-train-with-datasets.md#mount-vs-download).

-| Update local python environment, **without** Docker image rebuild | Yes | No |

-# Initialize python logger

-# Plain python logging statements

- # The python interpreter version.

- The right input port is reserved for zipped python libraries.

-To verify that the packages are installed, launch a python prompt and type:

-1. A python CLI wrapper sits around the server's network stack and is used to start the server.

-For a high-level overview of how environments work in Azure Machine Learning, see [What are ML environments?](concept-environments.md) For information about managing environments in the Azure ML studio, see [Manage environments in the studio](how-to-manage-environments-in-studio.md). For information about configuring development environments, see [here](how-to-configure-environment.md).

-Azure Storage block blog limits apply to storage accounts used with Media Services. See [Azure Blob Storage limits](/azure/azure-resource-manager/management/azure-subscription-service-limits.md#azure-blob-storage-limits).

-**Boot type** | Azure supports VMs with a boot type of BIOS, not UEFI. | Conditionally ready if the boot type is UEFI

-Unsupported boot type | Azure doesn't support VMs with an EFI boot type. Convert the boot type to BIOS before you run a migration. <br/><br/>You can use Azure Migrate Server Migration to handle the migration of such VMs. It will convert the boot type of the VM to BIOS during the migration.

-> [!IMPORTANT]

-> Read replicas in Azure Database for MySQL - Flexible Server is in preview.

-> [!IMPORTANT]

-> Read replicas in Azure Database for MySQL - Flexible Server is in preview.

-# Commonly encountered errors during or post migration to Azure Database for MySQL

-description: Learn how to use EXPLAIN to troubleshoot query performance in Azure Database for MySQL.

-# How to use EXPLAIN to profile query performance in Azure Database for MySQL

-As can be seen from this example, the value of *key* is NULL. This output means MySQL cannot find any indexes optimized for the query and it performs a full table scan. Let's optimize this query by adding an index on the **ID** column.

-As can be seen from the output, MySQL does not use any indexes because no proper indexes are available. It also shows *Using temporary; Using file sort*, which means MySQL creates a temporary table to satisfy the **GROUP BY** clause.

-The EXPLAIN now shows that MySQL is able to use combined index to avoid additional sorting since the index is already sorted.

-Using EXPLAIN and different type of Indexes can increase performance significantly. Having an index on the table does not necessarily mean MySQL would be able to use it for your queries. Always validate your assumptions using EXPLAIN and optimize your queries using indexes.

-description: Learn how to use sys_schema to find performance issues and maintain database in Azure Database for MySQL.

-# How to use sys_schema for performance tuning and database maintenance in Azure Database for MySQL

-The MySQL performance_schema, first available in MySQL 5.5, provides instrumentation for many vital server resources such as memory allocation, stored programs, metadata locking, etc. However, the performance_schema contains more than 80 tables, and getting the necessary information often requires joining tables within the performance_schema, as well as tables from the information_schema. Building on both performance_schema and information_schema, the sys_schema provides a powerful collection of [user-friendly views](https://dev.mysql.com/doc/refman/5.7/en/sys-schema-views.html) in a read-only database and is fully enabled in Azure Database for MySQL version 5.7.

-In this example Azure Database for MySQL spent 53 minutes flushing the slog query log 44579 times. That's a long time and many IOs. You can reduce this activity by either disable your slow query log or decrease the frequency of slow query login Azure portal.

-The InnoDB buffer pool resides in memory and is the main cache mechanism between the DBMS and storage. The size of the InnoDB buffer pool is tied to the performance tier and cannot be changed unless a different product SKU is chosen. As with memory in your operating system, old pages are swapped out to make room for fresher data. To find out which tables consume most of the InnoDB buffer pool memory, you can query the *sys.innodb_buffer_stats_by_table* view.

-In the graphic above, it is apparent that other than system tables and views, each table in the mysqldatabase033 database, which hosts one of my WordPress sites, occupies 16 KB, or 1 page, of data in memory.

-az role assignment create --role Contributor --assignee $ARO_SERVICE_PRINCIPAL_ID -g $AZURE_FILES_RESOURCE_GROUP

- Metadata collected in Azure Purview from enterprise data systems are stitched across to show an end to end data lineage. Data systems that collect lineage into Azure Purview are broadly categorized into following three types.

-### Data processing system

-### Data analytics & reporting systems

-If the Spark cluster version is below 2.4.0, Stream query lineage and most of the query lineage will not be captured.

- > We now support scanning Azure SQL Database Managed Instances that are configured with private endpoints using Azure Purview ingestion private endpoints and a self-hosted integration runtime VM.

-You can follow the instructions in [CREATE LOGIN](/sql/t-sql/statements/create-login-transact-sql?view=azuresqldb-current&preserve-view=true#examples-1) to create a sign in for Azure SQL Database. You'll' need **username** and **password** for the next steps.

-1. Navigate to your key vault in the Azure portal

-1. Enter the **Name** and **Value** as the *password* from your Azure SQL Database

-1. Finally, [create a new credential](manage-credentials.md#create-a-new-credential) using the key to set up your scan

-* [Demo of data owner access policies for Azure Storage](https://docs.microsoft.com/video/media/8ce7c554-0d48-430f-8f63-edf94946947c/purview-policy-storage-dataowner-scenario_mid.mp4)

- "Microsoft.KeyVault/managedHSMs/*"

- "Microsoft.AlertsManagement/smartGroups/*"

-az role assignment create --role "Storage Blob Data Reader" --assignee "user1@contoso.com" --resource-group {resourceGroup} \

-> | Microsoft.Network/virtualHubs/migrateRouteService/action | Migrate the route service of a virtual hub from traditional CloudService To Virtual Machine Scale Set |

-> | Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/throughputSettings/migrateToManualThroughput/action | Migrate a SQL database throughput offer to manual throughput. |

-> | Microsoft.Sql/locations/networkSecurityPerimeterProxies/read | Get NSP Proxy |

-> | Microsoft.Sql/locations/networkSecurityPerimeterProxies/write | Create or Update NSP Proxy |

-> | Microsoft.Sql/locations/networkSecurityPerimeterProxies/delete | Delete NSP Proxy |

-> | Microsoft.Sql/locations/networkSecurityPerimeterProxies/profileProxies/read | Get NSP Profile Proxy |

-> | Microsoft.Sql/locations/networkSecurityPerimeterProxies/profileProxies/write | Create or Update NSP Profile Proxy |

-> | Microsoft.Sql/locations/networkSecurityPerimeterProxies/profileProxies/delete | Delete NSP Proxy |

-> | Microsoft.Sql/locations/networkSecurityPerimeterProxies/profileProxies/accessRuleProxies/read | Get NSP Access Rule Proxy |

-> | Microsoft.Sql/locations/networkSecurityPerimeterProxies/profileProxies/accessRuleProxies/write | Create or Update NSP Access Rule Proxy |

-> | Microsoft.Sql/locations/networkSecurityPerimeterProxies/profileProxies/accessRuleProxies/delete | Delete NSP Access Rule Proxy |

-> | Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/read | List sensitivity labels of a given database |

-> | Microsoft.Sql/managedInstances/startStopSchedule/write | Creates Azure SQL Managed Instance's Start/Stop schedule with the specified parameters or updates the properties of the schedule for the specified instance. |

-> | Microsoft.Sql/managedInstances/startStopSchedule/delete | Deletes Azure SQL Managed Instance's Start/Stop schedule. |

-> | Microsoft.Sql/managedInstances/startStopSchedule/read | Gets Azure SQL Managed Instance's Start/Stop schedule. |

-> | Microsoft.Sql/managedInstances/startStopSchedules/read | Lists Azure SQL Managed Instance's Start/Stop schedules. |

-> | Microsoft.Sql/servers/databases/recommendedSensitivityLabels/read | List sensitivity labels of a given database |

-> | Microsoft.CognitiveServices/locations/commitmentTiers/read | Reads available SKUs commitment tiers |

-> | Microsoft.CognitiveServices/accounts/OpenAI/deployments/completions/action | Create a completion from a chosen model |

-> | Microsoft.NotificationHubs/Namespaces/Delete | Delete Namespace Resource |

-> | Microsoft.NotificationHubs/Namespaces/authorizationRules/delete | Delete Namespace Authorization Rule. The Default Namespace Authorization Rule cannot be deleted. |

-> | Microsoft.NotificationHubs/namespaces/diagnosticSettings/read | Get list of Namespace diagnostic settings Resource Descriptions |

-> | Microsoft.NotificationHubs/namespaces/diagnosticSettings/write | Get list of Namespace diagnostic settings Resource Descriptions |

-> | Microsoft.NotificationHubs/namespaces/logDefinitions/read | Get list of Namespace logs Resource Descriptions |

-> | Microsoft.NotificationHubs/Namespaces/NotificationHubs/Delete | Delete Notification Hub Resource |

-> | Microsoft.NotificationHubs/Namespaces/NotificationHubs/debugSend/action | Send a test push notification. |

-> | Microsoft.OperationalInsights/workspaces/query/AADDomainServicesLogonLogoff/read | Read data from the AADDomainServicesLogonLogoff table |

-> | Microsoft.OperationalInsights/workspaces/query/BaiClusterEvent/read | Read data from the BaiClusterEvent table |

-> | microsoft.recoveryservices/Locations/backupCrossRegionRestore/action | Trigger Cross region restore. |

-> | microsoft.recoveryservices/Locations/backupCrrJob/action | Get Cross Region Restore Job Details in the secondary region for Recovery Services Vault. |

-> | microsoft.recoveryservices/Locations/backupCrrJobs/action | List Cross Region Restore Jobs in the secondary region for Recovery Services Vault. |

-> | microsoft.recoveryservices/Locations/backupPreValidateProtection/action | |

-> | microsoft.recoveryservices/Locations/backupStatus/action | Check Backup Status for Recovery Services Vaults |

-> | microsoft.recoveryservices/Locations/backupValidateFeatures/action | Validate Features |

-> | microsoft.recoveryservices/Locations/backupAadProperties/read | Get AAD Properties for authentication in the third region for Cross Region Restore. |

-> | microsoft.recoveryservices/Locations/backupCrrOperationResults/read | Returns CRR Operation Result for Recovery Services Vault. |

-> | microsoft.recoveryservices/Locations/backupCrrOperationsStatus/read | Returns CRR Operation Status for Recovery Services Vault. |

-> | microsoft.recoveryservices/Locations/backupProtectedItem/write | Create a backup Protected Item |

-> | microsoft.recoveryservices/Locations/backupProtectedItems/read | Returns the list of all Protected Items. |

-> | microsoft.recoveryservices/Vaults/backupJobsExport/action | Export Jobs |

-> | microsoft.recoveryservices/Vaults/backupSecurityPIN/action | Returns Security PIN Information for Recovery Services Vault. |

-> | microsoft.recoveryservices/Vaults/backupTriggerValidateOperation/action | Validate Operation on Protected Item |

-> | microsoft.recoveryservices/Vaults/backupValidateOperation/action | Validate Operation on Protected Item |

-> | microsoft.recoveryservices/Vaults/backupconfig/read | Returns Configuration for Recovery Services Vault. |

-> | microsoft.recoveryservices/Vaults/backupconfig/write | Updates Configuration for Recovery Services Vault. |

-> | microsoft.recoveryservices/Vaults/backupEncryptionConfigs/read | Gets Backup Resource Encryption Configuration. |

-> | microsoft.recoveryservices/Vaults/backupEncryptionConfigs/write | Updates Backup Resource Encryption Configuration |

-> | microsoft.recoveryservices/Vaults/backupEngines/read | Returns all the backup management servers registered with vault. |

-> | microsoft.recoveryservices/Vaults/backupFabrics/refreshContainers/action | Refreshes the container list |

-> | microsoft.recoveryservices/Vaults/backupFabrics/backupProtectionIntent/delete | Delete a backup Protection Intent |

-> | microsoft.recoveryservices/Vaults/backupFabrics/backupProtectionIntent/read | Get a backup Protection Intent |

-> | microsoft.recoveryservices/Vaults/backupFabrics/backupProtectionIntent/write | Create a backup Protection Intent |

-> | microsoft.recoveryservices/Vaults/backupFabrics/operationResults/read | Returns status of the operation |

-> | microsoft.recoveryservices/Vaults/backupFabrics/operationsStatus/read | Returns status of the operation |

-> | microsoft.recoveryservices/Vaults/backupFabrics/protectableContainers/read | Get all protectable containers |

-> | microsoft.recoveryservices/Vaults/backupFabrics/protectionContainers/delete | Deletes the registered Container |

-> | microsoft.recoveryservices/Vaults/backupFabrics/protectionContainers/inquire/action | Do inquiry for workloads within a container |

-> | microsoft.recoveryservices/Vaults/backupFabrics/protectionContainers/read | Returns all registered containers |

-> | microsoft.recoveryservices/Vaults/backupFabrics/protectionContainers/write | Creates a registered container |

-> | microsoft.recoveryservices/Vaults/backupFabrics/protectionContainers/items/read | Get all items in a container |

-> | microsoft.recoveryservices/Vaults/backupFabrics/protectionContainers/operationResults/read | Gets result of Operation performed on Protection Container. |

-> | microsoft.recoveryservices/Vaults/backupFabrics/protectionContainers/operationsStatus/read | Gets status of Operation performed on Protection Container. |

-> | microsoft.recoveryservices/Vaults/backupFabrics/protectionContainers/protectedItems/backup/action | Performs Backup for Protected Item. |

-> | microsoft.recoveryservices/Vaults/backupFabrics/protectionContainers/protectedItems/delete | Deletes Protected Item |

-> | microsoft.recoveryservices/Vaults/backupFabrics/protectionContainers/protectedItems/read | Returns object details of the Protected Item |

-> | microsoft.recoveryservices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPointsRecommendedForMove/action | Get Recovery points recommended for move to another tier |

-> | microsoft.recoveryservices/Vaults/backupFabrics/protectionContainers/protectedItems/write | Create a backup Protected Item |

-> | microsoft.recoveryservices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read | Gets Result of Operation Performed on Protected Items. |

-> | microsoft.recoveryservices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read | Returns the status of Operation performed on Protected Items. |

-> | microsoft.recoveryservices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/accessToken/action | Get AccessToken for Cross Region Restore. |

-> | microsoft.recoveryservices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/move/action | Move Recovery point to another tier |

-> | microsoft.recoveryservices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/provisionInstantItemRecovery/action | Provision Instant Item Recovery for Protected Item |

-> | microsoft.recoveryservices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read | Get Recovery Points for Protected Items. |

-> | microsoft.recoveryservices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/restore/action | Restore Recovery Points for Protected Items. |

-> | microsoft.recoveryservices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/revokeInstantItemRecovery/action | Revoke Instant Item Recovery for Protected Item |

-> | microsoft.recoveryservices/Vaults/backupJobs/cancel/action | Cancel the Job |

-> | microsoft.recoveryservices/Vaults/backupJobs/read | Returns all Job Objects |

-> | microsoft.recoveryservices/Vaults/backupJobs/operationResults/read | Returns the Result of Job Operation. |

-> | microsoft.recoveryservices/Vaults/backupJobs/operationsStatus/read | Returns the status of Job Operation. |

-> | microsoft.recoveryservices/Vaults/backupOperationResults/read | Returns Backup Operation Result for Recovery Services Vault. |

-> | microsoft.recoveryservices/Vaults/backupOperations/read | Returns Backup Operation Status for Recovery Services Vault. |

-> | microsoft.recoveryservices/Vaults/backupPolicies/delete | Delete a Protection Policy |

-> | microsoft.recoveryservices/Vaults/backupPolicies/read | Returns all Protection Policies |

-> | microsoft.recoveryservices/Vaults/backupPolicies/write | Creates Protection Policy |

-> | microsoft.recoveryservices/Vaults/backupPolicies/operationResults/read | Get Results of Policy Operation. |

-> | microsoft.recoveryservices/Vaults/backupPolicies/operations/read | Get Status of Policy Operation. |

-> | microsoft.recoveryservices/Vaults/backupProtectableItems/read | Returns list of all Protectable Items. |

-> | microsoft.recoveryservices/Vaults/backupProtectedItems/read | Returns the list of all Protected Items. |

-> | microsoft.recoveryservices/Vaults/backupProtectionContainers/read | Returns all containers belonging to the subscription |

-> | microsoft.recoveryservices/Vaults/backupProtectionIntents/read | List all backup Protection Intents |

-> | microsoft.recoveryservices/Vaults/backupResourceGuardProxies/delete | The Delete ResourceGuard proxy operation deletes the specified Azure resource of type 'ResourceGuard proxy' |

-> | microsoft.recoveryservices/Vaults/backupResourceGuardProxies/read | Get the list of ResourceGuard proxies for a resource |

-> | microsoft.recoveryservices/Vaults/backupResourceGuardProxies/read | Get ResourceGuard proxy operation gets an object representing the Azure resource of type 'ResourceGuard proxy' |

-> | microsoft.recoveryservices/Vaults/backupResourceGuardProxies/unlockDelete/action | Unlock delete ResourceGuard proxy operation unlocks the next delete critical operation |

-> | microsoft.recoveryservices/Vaults/backupResourceGuardProxies/write | Create ResourceGuard proxy operation creates an Azure resource of type 'ResourceGuard Proxy' |

-> | microsoft.recoveryservices/Vaults/backupstorageconfig/read | Returns Storage Configuration for Recovery Services Vault. |

-> | microsoft.recoveryservices/Vaults/backupstorageconfig/write | Updates Storage Configuration for Recovery Services Vault. |

-> | microsoft.recoveryservices/Vaults/backupUsageSummaries/read | Returns summaries for Protected Items and Protected Servers for a Recovery Services . |

-> | microsoft.recoveryservices/Vaults/backupValidateOperationResults/read | Validate Operation on Protected Item |

-> | microsoft.recoveryservices/Vaults/backupValidateOperationsStatuses/read | Validate Operation on Protected Item |

-> | microsoft.recoveryservices/Vaults/privateEndpointConnectionProxies/delete | Wait for a few minutes and then try the operation again. If the issue persists, please contact Microsoft support. |

-> | microsoft.recoveryservices/Vaults/privateEndpointConnectionProxies/read | Get all protectable containers |

-> | microsoft.recoveryservices/Vaults/privateEndpointConnectionProxies/validate/action | Get all protectable containers |

-> | microsoft.recoveryservices/Vaults/privateEndpointConnectionProxies/write | Get all protectable containers |

-> | microsoft.recoveryservices/Vaults/privateEndpointConnectionProxies/operationsStatus/read | Get all protectable containers |

-> | microsoft.recoveryservices/Vaults/privateEndpointConnections/delete | Delete Private Endpoint requests. This call is made by Backup Admin. |

-> | microsoft.recoveryservices/Vaults/privateEndpointConnections/write | Approve or Reject Private Endpoint requests. This call is made by Backup Admin. |

-> | microsoft.recoveryservices/Vaults/privateEndpointConnections/operationsStatus/read | Returns the operation status for a private endpoint connection. |

-> | microsoft.recoveryservices/Vaults/usages/read | Returns usage details for a Recovery Services Vault. |

-This section describes the [functions](/azure-monitor/logs/functions.md) that are available in your workspace after you've deployed the Continuous Threat Monitoring for SAP solution. Find these functions in the Microsoft Sentinel **Logs** page to use in your KQL queries, listed under **Workspace functions**.

-imWebSession (hurl_has_any = torProxies)

-* Use of the strongest sandboxing technology applicable (e.g., appropriate [isolation modes](/virtualization/windowscontainers/manage-containers/hyperv-container.md) for container workloads).

-description: Learn how to enable Policy Support to protect your VMs using Azure Site Recovery.

-# Using Policy with Azure Site Recovery

-This article describes how to set up [Azure Site Recovery](./site-recovery-overview.md) for your resources, using Azure Policy. [Azure Policy](../governance/policy/overview.md) helps to enforce certain business rules on your Azure resources and assess compliance of said resources.

-## Disaster Recovery with Azure Policy

-With the built-in Azure Policy, you have a way to enable Site Recovery en masse on specific subscriptions or resource groups through the portal. Once you have a disaster recovery policy created for a subscription or resource group(s), then all the new virtual machines that are added to that/those subscription or resource group(s) will get Site Recovery enabled for them automatically. Moreover, for all the virtual machines already present in the resource group, Site Recovery can be enabled through a process called _remediation_(details below).

->The _Scope_ of this policy can be at a subscription level or resource group level.

-**Scenario** | **Support Statement**

- |

-Managed Disks | Supported <br/>OS disk should be at least 1GB and at most 4TB in size.<br/>Data disk(s) should be at least 1GB and at most 32TB in size.<br/>

-Unmanaged Disks | Not supported

-Multiple Disks | Supported for up to 100 disks per VM.

-Ephemeral Disks | Not supported

-Ultra Disks | Not supported

-Availability Sets | Supported

-Availability Zones | Supported

-Azure Disk Encryption (ADE) enabled VMs | Not supported

-Proximity Placement Groups (PPG) | Supported. If the source VM is inside a PPG, then the Policy will create a PPG by appending ΓÇÿ-asrΓÇÖ on the source PPG and use it for the DR/secondary region failover.

-VMs in both PPG and availability set | Not supported

-Customer-managed keys (CMK) enabled disks | Not supported

-Storage spaces direct (S2D) clusters | Not supported

-Virtual machine scale set VMs | Not supported

-VM with image as Azure Site Recovery Configuration Server | Not supported

-Powered off VMs | Not supported. VM must be powered on for the Policy to work on it.

-Azure Resource Manager Deployment Model | Supported

-Classic Deployment Model | Not supported

-Zone to Zone DR | Supported

-Interoperability with other policies applied as default by Azure (if any) | Supported

->[!NOTE]

->In the following cases, Site Recovery will not be enabled:

->1. If a not-supported VM is created within the scope of policy.

->1. If a VM is a part of both an Availability Set as well as PPG.

-## Create a Policy Assignment

-To create a policy assignment of the built-in Azure Site Recovery Policy that enables replication for all newly created VMs in a subscription or resource group(s), perform the following:

-1. Go to the **Azure portal** and navigate to **Azure Policy**

-1. Select **Assignments** on the left side of the Azure Policy page. An assignment is a policy that

- has been assigned to execute on a specific scope.

-1. Select **Assign Policy** from the top of the **Policy - Assignments** page.

-1. On the **Assign Policy** page, set the **Scope** by selecting the ellipsis and then selecting a subscription and then optionally a resource group. A scope determines what resources or grouping of resources the policy assignment gets enforced on. Then use the **Select** button at the bottom of the **Scope** page. Please note that you can also choose to exclude a few resource groups from assignment of the Policy by selecting them under ΓÇÿExclusionsΓÇÖ. This is particularly useful when you want to assign the Policy to all but a few resource groups in a given subscription.

-1. Launch the _Policy Definition Picker_ by selecting the ellipses next to **Policy Definition**. Search for _'disaster recovery'_ or _'site recovery'_. You will find a built-in Policy titled _"Configure disaster recovery on virtual machines by enabling replication via Azure Site Recovery"_. Select it and click _'Select'_.

-1. The **Assignment name** is automatically populated with the policy name you selected, but you can change it. It may be helpful if you plan to assign multiple Azure Site Recovery Policies to the same scope.

-1. Select **Next** to configure Azure Site Recovery Properties for the Policy.

-## Configure Target Settings and Properties

-You are on the way to create a Policy to enable Azure Site Recovery. Let us now configure the Target Settings and Properties:

-1. Go to the **Parameters** section of the **Assign Policy** workflow. Unselect _Only show parameters that need input or review_. The parameters look as follows:

- - **Source Region**: The Source Region of the Virtual Machines for which the Policy will be applicable.

- >[!NOTE]

- >The policy will apply to all the Virtual Machines belonging to the Source Region in the scope of the Policy. Virtual Machines not present in the Source Region will not be included.

- - **Target Region**: The location where your source virtual machine data will be replicated. Site Recovery provides the list of target regions that the customer can replicate to. If you want to enable zone to zone replication within a given region, select the same region as Source Region.

- - **Target Resource Group**: The resource group to which all your replicated virtual machines belong. By default, Site Recovery creates a new resource group in the target region.

- - **Vault Resource Group**: The resource group in which Recovery Services Vault exists.

- - **Recovery Services Vault**: The Vault in which all the VMs of the Scope will get protected. Policy can create a new vault on your behalf, if required.

- - **Recovery Virtual Network** **(optional parameter)**: Pick an existing virtual network in the target region to be used for recovery virtual machine. Policy can create a new virtual network for you as well, if required.

- - **Target Availability Zone** **(optional)**: Enter the Availability Zone of the Target Region where the Virtual Machine will failover. If some of the virtual machines in your resource group are already in the target availability zone, then the policy will not be applied to them in case you are setting up Zone to Zone DR.

- - **Cache Storage Account** **(optional)**: Azure Site Recovery makes use of a storage account for caching replicated data in the source region. Please select an account of your choice. You can choose to select the default cache storage account if you do not need to take care of any special considerations.

- > [!NOTE]

- > Please check cache storage account limits in the [Support Matrix](../site-recovery/azure-to-azure-support-matrix.md#cache-storage) before choosing a cache storage account.

- - **Tag name** **(optional)**: You can apply tags to your replicated VMs to logically organize them into a taxonomy. Each tag consists of a name and a value pair. You can use this field to enter the tag name. For example, *Environment*.

- - **Tag values** **(optional)**: You can use this field to enter the tag value. For example, *Production*.

- - **Tag type** **(optional)**: You can use tags to include VMs as part of the Policy assignment by selecting ΓÇÿTag type = InclusionΓÇÖ. This ensures that only the VMs that have the tag (provided via ΓÇÿTag nameΓÇÖ and ΓÇÿTag valuesΓÇÖ fields) are included in the Policy assignment. Alternatively, you can choose ΓÇÿTag type = ExclusionΓÇÖ. This ensures that the VMs that have the tag (provided via ΓÇÿTag nameΓÇÖ and ΓÇÿTag valuesΓÇÖ fields) are excluded from Policy assignment. If no tags are selected, the entire resource group and/or subscription (as the case may be) gets selected for the Policy assignment.

- - **Effect**: Enable or disable the execution of the policy. Select _DeployIfNotExists_ to enable the policy as soon as it gets created.

-1. Select **Next** to decide on Remediation Task.

-## Remediation and other properties

-1. The Target Properties for Azure Site Recovery have been configured. However, this policy will take effect only for newly created virtual machines in the scope of the Policy. Pre-existing VMs in the scope of the Policy do not see replication being enabled on them automatically. This can be solved via a Remediation Task after the policy is assigned. You can create a Remediation Task here by checking _Create a Remediation Task_ checkbox.

-1. Azure Policy will create a [Managed Identity](../governance/policy/how-to/remediate-resources.md), which will have owner permissions to enable Azure Site Recovery for the resources in the scope.

-1. You can configure a custom Non-Compliance message for the policy on the _Non-compliance messages_ tab.

-1. Select Next at the bottom of the page or the _Review + Create_ tab at the top of the page to move to the next segment of the assignment wizard.

-1. Review the selected options, then select _Create_ at the bottom of the page.

-## Checking protection status of VMs after assignment of Policy

-After the Policy is assigned, please wait for up to 1 hour for replication to be enabled. Subsequently, please go to the Recovery Services Vault chosen during Policy assignment and look for replication jobs. You should be able to locate all VMs for which Site Recovery was enabled via Policy in this vault.

-If the VMs do not show up in the vault as protected, you can go back to the Policy assignment and attempt to remediate.

-If the VMs show up as non-compliant, it may be because Policy evaluation may have taken place before the VM was up and running completely. You can choose to either remediate or wait for up to 24 hours for the Policy to evaluate the subscription/resource group and remediate automatically.

-## Next Steps

-[Rollup 56](https://support.microsoft.com/topic/update-rollup-56-for-azure-site-recovery-kb5005376-33f27950-1a07-43e5-bf40-4b380a270ef6) | 9.43.6040.1 | 5.1.6853.0 | 9.43.6040.1| 5.1.6853.0 | 2.0.9226.0

-| <ul><li>Triggers are limited to [HTTP](../azure-functions/functions-bindings-http-webhook.md).</li><li>The Azure Functions app must either be in Node.js 12, Node.js 14, Node.js 16 (preview), .NET Core 3.1, .NET 6.0, Python 3.8, or Python 3.9.</li><li>Some application settings are managed by the service, therefore the following prefixes are reserved by the runtime:<ul><li>*APPSETTING\_, AZUREBLOBSTORAGE\_, AZUREFILESSTORAGE\_, AZURE_FUNCTION\_, CONTAINER\_, DIAGNOSTICS\_, DOCKER\_, FUNCTIONS\_, IDENTITY\_, MACHINEKEY\_, MAINSITE\_, MSDEPLOY\_, SCMSITE\_, SCM\_, WEBSITES\_, WEBSITE\_, WEBSOCKET\_, AzureWeb*</li></ul></li></ul> | <ul><li>You are responsible to manage the Functions app deployment.</li></ul> |

-[Reference](/powershell/module/Az.Storage/) | [Recursive ACL Samples](https://recursiveaclpr.blob.core.windows.net/privatedrop/samplePS.ps1?sv=2019-02-02&st=2020-08-24T17%3A04%3A44Z&se=2021-08-25T17%3A04%3A00Z&sr=b&sp=r&sig=dNNKS%2BZcp%2F1gl6yOx6QLZ6OpmXkN88ZjBeBtym1Mejo%3D) | [Give feedback](https://github.com/Azure/azure-powershell/issues)

-> [!NOTE]

-> Static websites is an example of a partially supported feature because the configuration page for static websites does not yet appear in the Azure Portal for accounts that have NFS 3.0 support enabled. You can enable static websites only by using PowerShell or Azure CLI.

-# Known issues with SSH File Transfer Protocol (SFTP) support for Azure Blob Storage (preview)

-1. Create a new role assignment by subscription and object. By default, the role assignment will be tied to your default subscription. Replace `$subscriptionId` with your subscription ID and `$assigneeObjectId` with the generated `assignee-object-id`. Learn [how to manage Azure subscriptions with the Azure CLI](/cli/azure/manage-azure-subscriptions-azure-cli).

- az role assignment create --role contributor --subscription $subscriptionId --assignee-object-id $assigneeObjectId --assignee-principal-type ServicePrincipal

-### Trusted access based on system-assigned managed identity

-If your account does not have the hierarchical namespace feature enabled on it, you can grant permission, by explicitly assigning an Azure role to the [system-assigned managed identity](../../active-directory/managed-identities-azure-resources/overview.md) for each resource instance. In this case, the scope of access for the instance corresponds to the Azure role assigned to the managed identity.

-You can use the same technique for an account that has the hierarchical namespace feature enable on it. However, you don't have to assign an Azure role if you add the system-assigned managed identity to the access control list (ACL) of any directory or blob contained in the storage account. In that case, the scope of access for the instance corresponds to the directory or file to which the system-assigned managed identity has been granted access. You can also combine Azure roles and ACLs together. To learn more about how to combine them together to grant access, see [Access control model in Azure Data Lake Storage Gen2](../blobs/data-lake-storage-access-control-model.md).

- [Delete messages](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/storage/storage-queue/samp#L5)