+> [!IMPORTANT]

+> For comprehensive details about Microsoft's EU Data Boundary commitment, see [Microsoft's EU Data Boundary documentation](https://learn.microsoft.com/privacy/eudb/eu-data-boundary-learn).

+- [Create an Azure AD B2C tenant](tutorial-create-tenant.md).

+1. Change the NDES URL provided (via Microsoft Intune) to devices. This change could either be in Microsoft Configuration Manager or the Microsoft Intune admin center.

+An EAS profile can be configured and placed on the device through the utilization of Mobile device management (MDM) such as Microsoft Intune or by manually placing the certificate in the EAS profile on the device.

+The following expiration requirements apply to other providers that use Azure AD for identity and directory services, such as Microsoft Intune and Microsoft 365.

+- Use trusted devices via [Azure AD Hybrid Join](../devices/overview.md) or [Microsoft Intune](/intune/planning-guide). Trusted devices will improve user experience because the trusted device itself can satisfy the strong authentication requirements of policy without an MFA challenge to the user. MFA will then be required when enrolling a new device and when accessing apps or resources from untrusted devices.

+- [FIDO2 security key isn't supported on mobile devices](../develop/support-fido2-authentication.md#mobile). This issue might surface when system-preferred MFA is enabled. Until a fix is available, we recommend not using FIDO2 security keys on mobile devices.

+* [Enable credential provider with Microsoft Intune](howto-authentication-passwordless-security-key-windows.md)

+ * We recommend Microsoft Intune deployment.

+ * If Microsoft Intune deployment isn't possible, administrators must deploy a package on each machine to enable the credential provider functionality. The package installation can be carried out by one of the following options:

+| [Microsoft Intune](/intune/fundamentals/what-is-intune) (Optional) | X | X |

+- [Enable with Microsoft Intune](#enable-with-microsoft-intune)

+- [Targeted Microsoft Intune deployment](#targeted-intune-deployment)

+### Enable with Microsoft Intune

+To enable the use of security keys using Intune, complete the following steps:

+1. Sign in to the [Microsoft Intune admin center](https://endpoint.microsoft.com).

+### Targeted Intune deployment

+To target specific device groups to enable the credential provider, use the following custom settings via Intune:

+1. Sign in to the [Microsoft Intune admin center](https://endpoint.microsoft.com).

+1. The remainder of the policy settings include assigning to specific users, devices, or groups. For more information, see [Assign user and device profiles in Microsoft Intune](/intune/device-profile-assign).

+For devices not managed by Microsoft Intune, a provisioning package can be installed to enable the functionality. The Windows Configuration Designer app can be installed from the [Microsoft Store](https://www.microsoft.com/p/windows-configuration-designer/9nblggh4tx22). Complete the following steps to create a provisioning package:

+| User doesn't see a Reset Password link on a Windows 10 device| A user is trying to reset password from the Windows 10 lock screen, but the device is either not joined to Azure AD, or the Microsoft Intune device policy isn't enabled |

+### Enable for Windows 11 and 10 using Microsoft Intune

+Deploying the configuration change to enable SSPR from the login screen using Microsoft Intune is the most flexible method. Microsoft Intune allows you to deploy the configuration change to a specific group of machines you define. This method requires Microsoft Intune enrollment of the device.

+#### Create a device configuration policy in Microsoft Intune

+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).

+ For more information, see [Assign user and device profiles in Microsoft Microsoft Intune](/mem/intune/configuration/device-profile-assign).

+| On-demand provisioning| |ΓùÅ |

+[Continuous Access Evaluation](../conditional-access/concept-continuous-access-evaluation.md) (CAE) is an Azure AD feature that allows access tokens to be revoked based on [critical events](../conditional-access/concept-continuous-access-evaluation.md#critical-event-evaluation) and [policy evaluation](../conditional-access/concept-continuous-access-evaluation.md#conditional-access-policy-evaluation) rather than relying on token expiry based on lifetime. For some resource APIs, because risk and policy are evaluated in real time, this can increase token lifetime up to 28 hours. These long-lived tokens are proactively refreshed by the Microsoft Authentication Library (MSAL), increasing the resiliency of your applications.

+To use CAE, both your app and the resource API it's accessing must be CAE-enabled. However, preparing your code to use a CAE enabled resource won't prevent you from using APIs that aren't CAE enabled.

+If a resource API implements CAE and your application declares it can handle CAE, your app receives CAE tokens for that resource. For this reason, if you declare your app CAE ready, your application must handle the CAE claim challenge for all resource APIs that accept Microsoft Identity access tokens. If you don't handle CAE responses in these API calls, your app could end up in a loop retrying an API call with a token that is still in the returned lifespan of the token but has been revoked due to CAE.

+Your organization likely uses the Authenticator app for scenarios like multifactor authentication (MFA), passwordless authentication, and conditional access. By using an MDM provider, you can turn on the SSO plug-in for your applications. Microsoft has made it easy to configure the plug-in using Microsoft Intune. An allowlist is used to configure these applications to use the SSO plug-in.

+If you're using Group Policies, evaluate your GPO and MDM policy parity by using [Group Policy analytics](/mem/intune/configuration/group-policy-analytics) in Microsoft Intune.

+Device identities are a prerequisite for scenarios like [device-based Conditional Access policies](../conditional-access/require-managed-devices.md) and [Mobile Device Management with the Microsoft Intune family of products](/mem/endpoint-manager-overview).

+ Title: Self-service sign up for email-verified users - Azure AD | Microsoft Docs

+* **AllowEmailVerifiedUsers** controls whether users can join the tenant by email validation. To join, the user must have an email address in a domain that matches one of the verified domains in the tenant. This setting is applied company-wide for all domains in the tenant. If you set that parameter to $false, no email-verified user can join the tenant.

+* You use B2B collaboration from a different tenant to invite a user that doesn't already exist (userdoesnotexist@contoso.com) in the home tenant of contoso.com

+>[!NOTE]

+> Office 365 for Education users, are currently the only ones who are added to existing managed tenants even when this toggle is enabled

+These two parameters can be used in conjunction to define more precise control over self-service sign-up. For example, the following command allows users to perform self-service sign-up, but only if those users already have an account in Azure AD (in other words, users who would need an email-verified account to be created first can't perform self-service sign-up):

+This setting's details may be retrieved using the PowerShell cmdlet Get-MsolCompanyInformation. For more information on this, see [Get-MsolCompanyInformation](/powershell/module/msonline/get-msolcompanyinformation).

+Based on Service Principle Names, Kerberos Constrained Delegation (KCD) provides constrained delegation between resources. It requires domain administrators to create the delegations and is limited to a single domain. You can use resource-based KCD to provide Kerberos authentication for a web application that has users in multiple domains within an Active Directory forest.

+To enable SSO to your on-premises KCD applications that use integrated Windows authentication (IWA), give Application Proxy connectors permission to impersonate users in Active Directory. The Application Proxy connector uses this permission to send and receive tokens on the users' behalf.

+## When to use KCD

+Use KCD when there's a need to provide remote access, protect with pre-authentication, and provide SSO to on-premises IWA applications.

+* **User**: Accesses legacy application that Application Proxy serves.

+* **Application Proxy service**: Acts as reverse proxy to send requests from the user to the on-premises application. It sits in Azure AD. Application Proxy can enforce conditional access policies.

+* **Application Proxy connector**: Installed on Windows on premises servers to provide connectivity to the application. Returns the response to Azure AD. Performs KCD negotiation with Active Directory, impersonating the user to get a Kerberos token to the application.

+Explore the following resources to learn more about implementing Windows authentication (KCD) with Azure AD.

+* [Kerberos-based single sign-on (SSO) in Azure Active Directory with Application Proxy](../app-proxy/application-proxy-configure-single-sign-on-with-kcd.md) describes prerequisites and configuration steps.

+* The [Tutorial - Add an on-premises app - Application Proxy in Azure Active Directory](../app-proxy/application-proxy-add-on-premises-application.md) helps you to prepare your environment for use with Application Proxy.

+## Next steps

+* [Azure Active Directory authentication and synchronization protocol overview](auth-sync-overview.md) describes integration with authentication and synchronization protocols. Authentication integrations enable you to use Azure AD and its security and management features with little or no changes to your applications that use legacy authentication methods. Synchronization integrations enable you to sync user and group data to Azure AD and then user Azure AD management capabilities. Some sync patterns enable automated provisioning.

+* [Understand single sign-on with an on-premises app using Application Proxy](../app-proxy/application-proxy-config-sso-how-to.md) describes how SSO allows your users to access an application without authenticating multiple times. SSO occurs in the cloud against Azure AD and allows the service or Connector to impersonate the user to complete authentication challenges from the application.

+* [SAML single sign-on for on-premises apps with Azure Active Directory Application Proxy](../app-proxy/application-proxy-configure-single-sign-on-on-premises-apps.md) describes how you can provide remote access to on-premises applications that are secured with SAML authentication through Application Proxy.

+ Title: Passwordless authentication with Azure Active Directory

+description: Microsoft Azure Active Directory (Azure AD) enables integration with passwordless authentication protocols that include certificate-based authentication, passwordless security key sign-in, Windows Hello for Business, and passwordless sign-in with Microsoft Authenticator.

+# Passwordless authentication with Azure Active Directory

+Microsoft Azure Active Directory (Azure AD) enables integration with the following passwordless authentication protocols.

+- [Overview of Azure AD certificate-based authentication](../authentication/concept-certificate-based-authentication.md): Azure AD certificate-based authentication (CBA) enables customers to allow or require users to authenticate directly with X.509 certificates against their Azure AD for applications and browser sign-in. This feature enables customers to adopt phishing resistant authentication and authenticate with an X.509 certificate against their Public Key Infrastructure (PKI).

+- [Enable passwordless security key sign-in](../authentication/howto-authentication-passwordless-security-key.md): For enterprises that use passwords and have a shared PC environment, security keys provide a seamless way for workers to authenticate without entering a username or password. Security keys provide improved productivity for workers, and have better security. This article explains how to sign in to web-based applications with your Azure AD account using a FIDO2 security key.

+- [Windows Hello for Business Overview](/windows/security/identity-protection/hello-for-business/hello-overview.md): Windows Hello for Business replaces passwords with strong two-factor authentication on devices. This authentication consists of a type of user credential that is tied to a device and uses a biometric or PIN.

+- [Enable passwordless sign-in with Microsoft Authenticator](../authentication/howto-authentication-passwordless-phone.md): Microsoft Authenticator can be used to sign in to any Azure AD account without using a password. Microsoft Authenticator uses key-based authentication to enable a user credential that is tied to a device, where the device uses a PIN or biometric. Windows Hello for Business uses a similar technology. Microsoft Authenticator can be used on any device platform, including mobile. Microsoft Authenticator can be used with any app or website that integrates with Microsoft Authentication Libraries.

+A standard Remote Desktop Services (RDS) deployment includes various [Remote Desktop role services](/windows-server/remote/remote-desktop-services/Desktop-hosting-logical-architecture) running on Windows Server. The RDS deployment with Azure Active Directory (Azure AD) Application Proxy has a permanent outbound connection from the server that is running the connector service. Other deployments leave open inbound connections through a load balancer.

+This authentication pattern allows you to offer more types of applications by publishing on premises applications through Remote Desktop Services. It reduces the attack surface of their deployment by using Azure AD Application Proxy.

+## When to use Remote Desktop Gateway Services

+Use Remote Desktop Gateway Services when you need to provide remote access and protect your Remote Desktop Services deployment with pre-authentication.

+## System components

+* **Application Proxy service**: Acts as reverse proxy to forward request from the user to RDS. Application Proxy can also enforce any Conditional Access policies.

+* **Remote Desktop Services**: Acts as a platform for individual virtualized applications, providing secure mobile and remote desktop access. It provides end users with the ability to run their applications and desktops from the cloud.

+## Implement Remote Desktop Gateway services with Azure AD

+Explore the following resources to learn more about implementing Remote Desktop Gateway services with Azure AD.

+* [Publish Remote Desktop with Azure Active Directory Application Proxy](../app-proxy/application-proxy-integrate-with-remote-desktop-services.md) describes how Remote Desktop Service and Azure AD Application Proxy work together to improve productivity of workers who are away from the corporate network.

+* The [Tutorial - Add an on-premises app - Application Proxy in Azure Active Directory](../app-proxy/application-proxy-add-on-premises-application.md) helps you to prepare your environment for use with Application Proxy.

+## Next steps

+* [Azure Active Directory authentication and synchronization protocol overview](auth-sync-overview.md) describes integration with authentication and synchronization protocols. Authentication integrations enable you to use Azure AD and its security and management features with little or no changes to your applications that use legacy authentication methods. Synchronization integrations enable you to sync user and group data to Azure AD and then user Azure AD management capabilities. Some sync patterns enable automated provisioning.

+* [Remote Desktop Services architecture](/windows-server/remote/remote-desktop-services/Desktop-hosting-logical-architecture.md) describes configurations for deploying Remote Desktop Services to host Windows apps and desktops for end-users.

+ Title: Five steps to integrate your apps with Azure Active Directory

+description: Learn to integrate your applications with Azure AD by adding apps, discovery, and integration methods.

+# Five steps to integrate your apps with Azure Active Directory

+Learn to integrate your applications with Azure Active Directory (Azure AD), which is a cloud-based identity and access management service. Organizations use Azure AD for secure authentication and authorization so customers, partners, and employees can access applications. With Azure AD, features such as Conditional Access, Azure AD Multi-Factor Authentication (MFA), single sign-on, and application provisioning make identity and access management easier to manage and more secure.

+Learn more:

+* [What is Conditional Access?](../conditional-access/overview.md)

+* [How it works: Azure AD Multi-Factor Authentication](../authentication/concept-mfa-howitworks.md)

+* [Azure AD seamless single sign-on](../hybrid/how-to-connect-sso.md)

+* [What is app provisioning in Azure AD?](../app-provisioning/user-provisioning.md)

+If your company has a Microsoft 365 subscription, you likely use Azure AD. However, you can use Azure AD for applications. If you centralize application management, identity management features, tools, and policies for your app portfolio. The benefit is a unified solution that improves security, reduces costs, increases productivity, and enables compliance. In addition, there's remote access to on-premises apps.

+Learn more:

+* [Deploy your identity infrastructure for Microsoft 365](/microsoft-365/enterprise/deploy-identity-solution-overview?view=o365-worldwide&preserve-view=true)

+* [What is application management in Azure AD?](../manage-apps/what-is-application-management.md)

+## Azure AD for new applications

+When your business acquires new applications, add them to the Azure AD tenant. Establish a company policy of adding new apps to Azure AD.

+See, [Quickstart: Add an enterprise application](../manage-apps/add-application-portal.md)

+Azure AD has a gallery of integrated applications to make it easy to get started. Add a gallery app to your Azure AD organization (see, previous link) and learn about integrating software as a service (SaaS) tutorials.

+See, [Tutorials for integrating SaaS applications with Azure AD](../saas-apps/tutorial-list.md)

+### Integration tutorials

+Use the following tutorials to learn to integrate common tools with Azure AD single sign-on (SSO).

+* [Tutorial: Azure AD SSO integration with ServiceNow](../saas-apps/servicenow-tutorial.md)

+* [Tutorial: Azure AD SSO integration with Workday](../saas-apps/workday-tutorial.md)

+* [Tutorial: Azure AD SSO integration with Salesforce](../saas-apps/salesforce-tutorial.md)

+* [Tutorial: Azure AD SSO integration with AWS Single-Account Access](../saas-apps/amazon-web-service-tutorial.md)

+* [Tutorial: Azure AD SSO integration with Slack](../saas-apps/slack-tutorial.md)

+### Apps not in the gallery

+You can integrate applications that don't appear in the gallery, including applications in your organization, or third-party application from vendors. Submit a request to publish your app in the gallery. To learn about integrating apps you develop in-house, see **Integrate apps your developers build**.

+Learn more:

+* [Quickstart: View enterprise applications](../manage-apps/view-applications-portal.md)

+* [Submit a request to publish your application in Azure AD application gallery](../manage-apps/v2-howto-app-gallery-listing.md)

+## Determine application usage and prioritize integration

+Discover the applications employees use, and prioritize integrating the apps with Azure AD. Use the Microsoft Defender for Cloud Apps Cloud Discovery tools to discover and manage apps not managed by your IT team. Microsoft Defender for Endpoint (formerly known as Microsoft Defender Advanced Threat Protection) simplifies and extends the discovery process.

+Learn more:

+* [Set up Cloud Discovery](/defender-cloud-apps/set-up-cloud-discovery)

+* [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide&preserve-view=true)

+In addition, use the Active Directory Federation Services (AD FS) in the Azure portal to discover AD FS apps in your organization. Discover unique users that signed in to the apps, and see information about integration compatibility.

+See, [Review the application activity report](../manage-apps/migrate-adfs-application-activity.md)

+### Application migration

+After you discover apps in your environment, prioritize the apps to migrate and integrate. Consider the following parameters:

+- Apps used most frequently

+- Riskiest apps

+- Apps to be decommissioned, therefore not in migration

+- Apps that stay on-premises

+See, [Resources for migrating applications to Azure AD](../manage-apps/migration-resources.md)

+## Integrate apps and identity providers

+During discovery, there might be applications not tracked by the IT team, which can create vulnerabilities. Some applications use alternative identity solutions, including AD FS, or other identity providers (IdPs). We recommend you consolidate identity and access management. Benefits include:

+* Reduce on-premises user set-up, authentication, and IdP licensing fees

+* Lower administrative overhead with streamlined identity and access management process

+* Enable single sign-on (SSO) access to applications in the My Apps portal

+ * See, [Create collections on the My Apps portal](../manage-apps/access-panel-collections.md)

+* Use Identity Protection and Conditional Access to increase data from app usage, and extend benefits to recently added apps

+ * [What is Identity Protection?](../identity-protection/overview-identity-protection.md)

+ * [What is Conditional Access?](../conditional-access/overview.md)

+### App owner awareness

+To help manage app integration with Azure AD, use the following material for application owner awareness and interest. Modify the material with your branding.

+You can download:

+* Zip file, [Editable Azure AD App Integration One-Pager](https://aka.ms/AppOnePager)

+* Microsoft PowerPoint presentation, [Azure AD application integration guidelines](https://aka.ms/AppGuideline)

+### Active Directory Federation Services

+Evaluate use of AD FS for authentication with SaaS apps, line-of-business apps, also Microsoft 365 and Azure AD apps.

+ 

+Improve the configuration illustrated in the previous diagram by moving application authentication to Azure AD. Enable sign-on for apps and ease application discovery with the My Apps portal.

+Learn more:

+* [Move application authentication to Azure AD](../manage-apps/migrate-adfs-apps-to-azure.md)

+* [Sign in and start apps from the My Apps portal](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510)

+See the following diagram of app authentication simplified by Azure AD.

+ 

+After Azure AD is the central IdP, you might be able to discontinue ADFS.

+ 

+You can migrate apps that use a different cloud-based IdP. Your organization might have multiple Identity Access Management (IAM) solutions. Migrating to one Azure AD infrastructure can reduce dependencies on IAM licenses and infrastructure costs. If you paid for Azure AD with Microsoft 365 licenses, likely you don't have to purchase another IAM solution.

+## Integrate on-premises applications

+Traditionally, application security enabled access during a connection to a corporate network. However, organization grant access to apps for customers, partners, and/or employees, regardless of location. Application Proxy Service in Azure AD connects on-premises apps to Azure AD and doesn't require edge servers or more infrastructure.

+See, [Using Azure AD Application Proxy to publish on-premises apps for remote users](../app-proxy/what-is-application-proxy.md)

+The following diagram illustrates Application Proxy Service processing a user request.

+ 

+See, [Tutorial: Add an on-premises application for remote access through Application Proxy in Azure AD](../app-proxy/application-proxy-add-on-premises-application.md)

+In addition, integrate application delivery controllers like F5 BIG-IP APM, or Zscaler Private Access, with Azure AD. Benefits are modern authentication and identity management, traffic management, and security features. We call this solution secure hybrid access.

+See, [Secure hybrid access: Protect legacy apps with Azure AD](../manage-apps/secure-hybrid-access.md)

+For the following services, there are Azure AD integration tutorials.

+* [Tutorial: Azure AD SSO integration with Akamai](../saas-apps/akamai-tutorial.md)

+* [Tutorial: Azure AD SSO integration with Citrix ADC SAML Connector for Azure AD (Kerberos-based authentication)](../saas-apps/citrix-netscaler-tutorial.md)

+ * Formerly known as Citrix Netscaler

+* [Integrate F5 BIG-IP with Azure AD](../manage-apps/f5-aad-integration.md)

+* [Tutorial: Integrate Zscaler Private Access (ZPA) with Azure AD](../saas-apps/zscalerprivateaccess-tutorial.md)

+## Integrate apps your developers build

+For your developers' apps, use the Microsoft identity platform for authentication and authorization. Integrated applications are registered and managed like other apps in your portfolio.

+Learn more:

+* [Microsoft identity platform documentation](../develop/index.yml)

+* [Quickstart: Register an application with the Microsoft identity platform](../develop/quickstart-register-app.md)

+Developers can use the platform for internal and customer-facing apps. For instance, use Microsoft Authentication Libraries (MSAL) to enable multi-factor authentication and security to access apps.

+Learn more:

+* [Overview of the Microsoft Authentication Library (MSAL)](../develop/msal-overview.md)

+* [Microsoft identity platform code samples](../develop/sample-v2-code.md)

+* Video: [Overview of the Microsoft identity platform for developers](https://www.youtube.com/watch?v=zjezqZPPOfc&list=PLLasX02E8BPBxGouWlJV-u-XZWOc2RkiX) (33:54)

+## Next step

+[Resources for migrating applications to Azure AD](../manage-apps/migration-resources.md)

+Frontline managers can also use Managed Home Screen (MHS) application to allow workers to have access to a specific set of applications on their Intune-enrolled Android dedicated devices. The dedicated devices are enrolled with [Azure AD shared device mode](../develop/msal-shared-devices.md). When configured in multi-app kiosk mode in the Microsoft Intune admin center, MHS is automatically launched as the default home screen on the device and appears to the end user as the *only* home screen. To learn more, see how to [configure the Microsoft Managed Home Screen app for Android Enterprise](/mem/intune/apps/app-configuration-managed-home-screen-app).

+- **Use Microsoft Intune as the authority for all device management workloads.** See [Microsoft Intune](https://www.microsoft.com/security/business/endpoint-management/microsoft-intune).

+ Title: Increase the resilience of authentication and authorization applications you develop

+description: Resilience guidance for application development using Azure Active Directory and the Microsoft identity platform

+# Increase the resilience of authentication and authorization applications you develop

+The Microsoft identity platform helps you build applications your users and customers can sign in to using their Microsoft identities or social accounts. Microsoft identity platform uses token-based authentication and authorization. Client applications acquire tokens from an identity provider (IdP) to authenticate users and authorize applications to call protected APIs. A service validates tokens.

+Learn more:

+[What is the Microsoft identity platform?](../develop/v2-overview.md)

+[Security tokens](../develop/security-tokens.md)

+A token is valid for a length of time, and then the app must acquire a new one. Rarely, a call to retrieve a token fails due to network or infrastructure issues or an authentication service outage.

+The following articles have guidance for client and service applications for a signed in user and daemon applications. They contain best practices for using tokens and calling resources.

+- [Increase the resilience of authentication and authorization in client applications you develop](resilience-client-app.md)

+- [Increase the resilience of authentication and authorization in daemon applications you develop](resilience-daemon-app.md)

+- [Build resilience in your customer identity and access management with Azure AD B2C](resilience-b2c.md)

+- [Build services that are resilient to Azure AD's OpenID Connect metadata refresh](../develop/howto-build-services-resilient-to-metadata-refresh.md)

+A new tenant provides the ability to have a separate set of administrators. Organizations can choose to use corporate identities through [Azure AD B2B collaboration](../external-identities/what-is-b2b.md). Similarly, organizations can implement [Azure Lighthouse](../../lighthouse/overview.md) for cross-tenant management of Azure resources so that non-production Azure subscriptions can be managed by identities in the production counterpart. Azure Lighthouse can't be used to manage services outside of Azure, such as Microsoft Intune. For Managed Service Providers (MSPs), [Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-overview?view=o365-worldwide&preserve-view=true) is an admin portal that helps secure and manage devices, data, and users at scale for small- and medium-sized business (SMB) customers who are using Microsoft 365 Business Premium, Microsoft 365 E3, or Windows 365 Business.

+Many organizations have a hybrid infrastructure that encompasses both on-premises and cloud components. Synchronizing users' identities between local and cloud directories lets users access resources with a single set of credentials.

+* creating an object based on certain conditions,

+* keeping the object updated, and

+* removing the object when conditions are no longer met.

+On-premises provisioning involves provisioning from on-premises sources (such as Active Directory) to Azure Active Directory (Azure AD).

+## When to use directory synchronization

+Use directory synchronization when you need to synchronize identity data from your on premises Active Directory environments to Azure AD as illustrated in the following diagram.

+## System components

+* **Azure AD**: Synchronizes identity information from organization's on premises directory via Azure AD Connect.

+* **Azure AD Connect**: A tool for connecting on premises identity infrastructures to Microsoft Azure AD. The wizard and guided experiences help you to deploy and configure prerequisites and components required for the connection (including sync and sign on from Active Directories to Azure AD).

+* **Active Directory**: Active Directory is a directory service that is included in most Windows Server operating systems. Servers that run Active Directory Domain Services (AD DS) are called domain controllers. They authenticate and authorize all users and computers in the domain.

+Microsoft designed [Azure AD Connect cloud sync](../cloud-sync/what-is-cloud-sync.md) to meet and accomplish your hybrid identity goals for synchronization of users, groups, and contacts to Azure AD. Azure AD Connect cloud sync uses the Azure AD cloud provisioning agent instead of the Azure AD Connect application.

+Explore the following resources to learn more about directory synchronization with Azure AD.

+* [What is identity provisioning with Azure AD?](../cloud-sync/what-is-provisioning.md)Provisioning is the process of creating an object based on certain conditions, keeping the object up-to-date and deleting the object when conditions are no longer met. On-premises provisioning involves provisioning from on premises sources (like Active Directory) to Azure AD.

+* [Hybrid Identity: Directory integration tools comparison](../hybrid/plan-hybrid-identity-design-considerations-tools-comparison.md) describes differences between Azure AD Connect sync and Azure AD Connect cloud provisioning.

+* [Azure AD Connect and Azure AD Connect Health installation roadmap](../hybrid/how-to-connect-install-roadmap.md) provides detailed installation and configuration steps.

+## Next steps

+* [What is hybrid identity with Azure Active Directory?](../../active-directory/hybrid/whatis-hybrid-identity.md) Microsoft's identity solutions span on-premises and cloud-based capabilities. Hybrid identity solutions create a common user identity for authentication and authorization to all resources, regardless of location.

+* [Install the Azure AD Connect provisioning agent](../cloud-sync/how-to-install.md) walks you through the installation process for the Azure Active Directory (Azure AD) Connect provisioning agent and how to initially configure it in the Azure portal.

+* [Azure AD Connect cloud sync new agent configuration](../cloud-sync/how-to-configure.md) guides you through configuring Azure AD Connect cloud sync.

+* [Azure Active Directory authentication and synchronization protocol overview](auth-sync-overview.md) describes integration with authentication and synchronization protocols. Authentication integrations enable you to use Azure AD and its security and management features with little or no changes to your applications that use legacy authentication methods. Synchronization integrations enable you to sync user and group data to Azure AD and then user Azure AD management capabilities. Some sync patterns enable automated provisioning.

+Lightweight Directory Access Protocol (LDAP) is a directory service protocol that runs on the TCP/IP stack. It provides a mechanism that you can use to connect to, search, and modify internet directories. Based on a client-server model, the LDAP directory service enables access to an existing directory.

+Many companies depend on on-premises LDAP servers to store users and groups for their critical business apps.

+Azure Active Directory (Azure AD) can replace LDAP synchronization with Azure AD Connect. The Azure AD Connect synchronization service performs all operations related to synchronizing identity data between you're on premises environments and Azure AD.

+## When to use LDAP synchronization

+Use LDAP synchronization when you need to synchronize identity data between your on premises LDAP v3 directories and Azure AD as illustrated in the following diagram.

+

+## System components

+* **Azure AD**: Azure AD synchronizes identity information (users, groups) from organization's on-premises LDAP directories via Azure AD Connect.

+* **Azure AD Connect**: is a tool for connecting on premises identity infrastructures to Microsoft Azure AD. The wizard and guided experiences help to deploy and configure prerequisites and components required for the connection.

+* **Active Directory**: Active Directory is a directory service included in most Windows Server operating systems. Servers that run Active Directory Services, referred to as domain controllers, authenticate and authorize all users and computers in a Windows domain.

+Explore the following resources to learn more about LDAP synchronization with Azure AD.

+* [Hybrid Identity: Directory integration tools comparison](../hybrid/plan-hybrid-identity-design-considerations-tools-comparison.md) describes differences between Azure AD Connect sync and Azure AD Connect cloud provisioning.

+* [Azure AD Connect and Azure AD Connect Health installation roadmap](../hybrid/how-to-connect-install-roadmap.md) provides detailed installation and configuration steps.

+* The [Generic LDAP Connector](/microsoft-identity-manager/reference/microsoft-identity-manager-2016-connector-genericldap) enables you to integrate the synchronization service with an LDAP v3 server.

+ > Deploying the LDAP Connector requires an advanced configuration. Microsoft provides this connector with limited support. Configuring this connector requires familiarity with Microsoft Identity Manager and the specific LDAP directory.

+ > When you deploy this configuration in a production environment, collaborate with a partner such as Microsoft Consulting Services for help, guidance, and support.

+## Next steps

+* [What is hybrid identity with Azure Active Directory?](../../active-directory/hybrid/whatis-hybrid-identity.md) Microsoft's identity solutions span on-premises and cloud-based capabilities. Hybrid identity solutions create a common user identity for authentication and authorization to all resources, regardless of location.

+* [Azure Active Directory authentication and synchronization protocol overview](auth-sync-overview.md) describes integration with authentication and synchronization protocols. Authentication integrations enable you to use Azure AD and its security and management features with little or no changes to your applications that use legacy authentication methods. Synchronization integrations enable you to sync user and group data to Azure AD and then user Azure AD management capabilities. Some sync patterns enable automated provisioning.

+Azure AD and Microsoft Intune teams have combined to bring the capability to customize, scale, and secure your frontline worker devices.

+- Provision Android shared devices at scale with Microsoft Intune

+You can download the latest version of Azure AD Connect 2.0 from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=47594). See the [release notes for the latest V2.0 release](reference-connect-version-history.md#20280).\

+Get notified about when to revisit this page for updates by copying and pasting this URL: `https://aka.ms/aadconnectrss` into your  feed reader.

+Connect-MgGraph -Scopes "Application.ReadWrite.All", "Directory.ReadWrite.All", "DelegatedPermissionGrant.ReadWrite.All", "AppRoleAssignment.ReadWrite.All"

+$spApplicationPermissions = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $Sp.Id -All | Where-Object { $_.PrincipalType -eq "ServicePrincipal" }

+ - [Enroll the device in Microsoft Intune](#configure-device-compliance) and assign a compliance policy.

+Hybrid Azure AD join is a direct replacement for Okta device trust on Windows. Conditional Access policies can also look at device compliance for devices that have fully enrolled in Microsoft Intune:

+## February 2023

+### Updated articles

+[Manage custom security attributes for an application (Preview)](custom-security-attributes-apps.md)

+- [Manage app consent policies](manage-app-consent-policies.md)

+- [Configure permission classifications](configure-permission-classifications.md)

+- [Disable user sign-in for an application](disable-user-sign-in-portal.md)

+- [Configure Datawiza for Azure AD Multi-Factor Authentication and single sign-on to Oracle EBS](datawiza-azure-ad-sso-mfa-oracle-ebs.md)

+>[!NOTE]

+>As of March 2023, you may now activate your assignments and view your access directly from blades outside of PIM in the Azure portal. Read more [here](pim-resource-roles-activate-your-roles.md#activate-with-azure-portal).

+## Activate with Azure portal

+Privileged Identity Management role activation has been integrated into the Billing and Access Control (AD) extensions within the Azure portal. Shortcuts to Subscriptions (billing) and Access Control (AD) allow you to activate PIM roles directly from these blades.

+From the Subscriptions blade, select ΓÇ£View eligible subscriptionsΓÇ¥ in the horizontal command menu to check your eligible, active, and expired assignments. From there, you can activate an eligible assignment in the same pane.

+ 

+ 

+In Access control (IAM) for a resource, you can now select ΓÇ£View my accessΓÇ¥ to see your currently active and eligible role assignments and activate directly.

+ 

+By integrating PIM capabilities into different Azure portal blades, this new feature allows you to gain temporary access to view or edit subscriptions and resources more easily.

+- Write, publish, and delete organizational messages using Microsoft 365 admin center or Microsoft Intune

+- Manage organizational message delivery options using Microsoft 365 admin center or Microsoft Intune

+- Read organizational message delivery results using Microsoft 365 admin center or Microsoft Intune

+- Manage Windows 365 Cloud PCs in Microsoft Intune

+ Title: 'Tutorial: Configure Akamai Enterprise Application Access for automatic user provisioning with Azure Active Directory | Microsoft Docs'

+description: Learn how to automatically provision and de-provision user accounts from Azure AD to Akamai Enterprise Application Access.

+writer: twimmers

+ms.assetid: e4eb183a-192f-49e0-8724-549b2f360b8e

+# Tutorial: Configure Akamai Enterprise Application Access for automatic user provisioning

+This tutorial describes the steps you need to perform in both Akamai Enterprise Application Access and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Akamai Enterprise Application Access](https://www.akamai.com) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).

+## Supported capabilities

+> [!div class="checklist"]

+> * Create users in Akamai Enterprise Application Access.

+> * Remove users in Akamai Enterprise Application Access when they do not require access anymore.

+> * Keep user attributes synchronized between Azure AD and Akamai Enterprise Application Access.

+> * Provision groups and group memberships in Akamai Enterprise Application Access

+> * [Single sign-on](akamai-tutorial.md) to Akamai Enterprise Application Access (recommended).

+## Prerequisites

+The scenario outlined in this tutorial assumes that you already have the following prerequisites:

+* [An Azure AD tenant](../develop/quickstart-create-new-tenant.md)

+* A user account in Azure AD with [permission](../roles/permissions-reference.md) to configure provisioning (e.g. Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).

+* An administrator account with Akamai [Enterprise Application Access](https://www.akamai.com/products/enterprise-application-access).

+## Step 1. Plan your provisioning deployment

+1. Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md).

+1. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+1. Determine what data to [map between Azure AD and Akamai Enterprise Application Access](../app-provisioning/customize-application-attributes.md).

+## Step 2. Configure Akamai Enterprise Application Access to support provisioning with Azure AD

+Configure a SCIM directory of type Azure in Akamai Enterprise Center and save the SCIM base URL and the Provisioning key.

+1. Sign in to [Akamai Enterprise Center](https://control.akamai.com/apps/zt-ui/#/identity/directories).

+1. In menu, navigate to **Application Access > Identity & Users > Directories**.

+1. Select **Add New Directory** (+).

+1. Enter a name and description for directory.

+1. In **Directory Type** select **SCIM**, and in **SCIM Schema** select **Azure**.

+1. Select **Add New Directory**.

+1. Open your new directory **Settings** > **General** and copy **SCIM base URL**. Save it for Azure SCIM provisioning in STEP 4.

+1. In **Settings** > **General** select **Create Provisioning Key**.

+1. Enter a name and description for the key.

+1. Copy **Provisioning key** by clicking on the copy to clipboard icon. Save it for Azure SCIM provisioning in STEP 5.

+1. In **Login preference Attributes** select either **User principal name** (default) or **Email** to choose for a user a way to log in.

+1. Select **Save**.

+ The new SCIM directory appears in the directories list in **Identity & Users** > **Directories**.

+## Step 3. Add Akamai Enterprise Application Access from the Azure AD application gallery

+Add Akamai Enterprise Application Access from the Azure AD application gallery to start managing provisioning to Akamai Enterprise Application Access. If you have previously setup Akamai Enterprise Application Access for SSO you can use the same application. However it is recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md).

+## Step 4. Define who will be in scope for provisioning

+The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+* If you need additional roles, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add new roles.

+## Step 5. Configure automatic user provisioning to Akamai Enterprise Application Access

+This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users and/or groups in TestApp based on user and/or group assignments in Azure AD.

+### To configure automatic user provisioning for Akamai Enterprise Application Access in Azure AD:

+1. Sign in to the [Azure portal](https://portal.azure.com). Select **Enterprise Applications**, then select **All applications**.

+ 

+1. In the applications list, select **Akamai Enterprise Application Access**.

+ 

+1. Select the **Provisioning** tab.

+ 

+1. Set the **Provisioning Mode** to **Automatic**.

+ 

+1. Under the **Admin Credentials** section, input your Akamai Enterprise Application Access Tenant URL and Secret Token. Click **Test Connection** to ensure Azure AD can connect to Akamai Enterprise Application Access. If the connection fails, ensure your Akamai Enterprise Application Access account has Admin permissions and try again.

+ 

+1. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box.

+ 

+1. Select **Save**.

+1. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to Akamai Enterprise Application Access**.

+1. Review the user attributes that are synchronized from Azure AD to Akamai Enterprise Application Access in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Akamai Enterprise Application Access for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you will need to ensure that the Akamai Enterprise Application Access API supports filtering users based on that attribute. Select the **Save** button to commit any changes.

+ |Attribute| Type |Supported for filtering|Required by Akamai Enterprise Application Access|

+ |||||

+ |userName| String |✓|✓

+ |active| Boolean |||

+ |displayName| String |||

+ |emails[type eq "work"].value| String ||✓

+ |name.givenName| String |||

+ |name.familyName| String |||

+ |phoneNumbers[type eq "mobile"].value| String|||

+ |externalId| String |||

+1. Under the **Mappings** section, select **Synchronize Azure Active Directory Groups to Akamai Enterprise Application Access**.

+1. Review the group attributes that are synchronized from Azure AD to Akamai Enterprise Application Access in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the groups in Akamai Enterprise Application Access for update operations. Select the **Save** button to commit any changes.

+ |Attribute|Type|Supported for filtering|Required by Akamai Enterprise Application Access|

+ |||||

+ |displayName|String|✓|✓

+ |externalId|String|||

+ |members|Reference|||

+

+1. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+1. To enable the Azure AD provisioning service for Akamai Enterprise Application Access, change the **Provisioning Status** to **On** in the **Settings** section.

+ 

+1. Define the users and/or groups that you would like to provision to Akamai Enterprise Application Access by choosing the desired values in **Scope** in the **Settings** section.

+ 

+1. When you are ready to provision, click **Save**.

+ 

+This operation starts the initial synchronization cycle of all users and groups defined in **Scope** in the **Settings** section. The initial cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running.

+## Step 6. Monitor your deployment

+Once you've configured provisioning, use the following resources to monitor your deployment:

+* Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully

+* Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it is to completion

+* If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).

+## More resources

+* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)

+* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

+* [Akamai Enterprise Application Access - Getting Started](https://techdocs.akamai.com/eaa/docs/welcome-guide)

+* [Configuring Custom Attributes in EAA](https://techdocs.akamai.com/eaa/docs/scim-provisioning-with-azure#step-7-optional-add-a-custom-attribute-in--and-map-it-to-the-scim-attribute-in-your--scim-directory)

+## Next steps

+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)

+ Title: Azure Active Directory SSO integration with Fleet Management System

+description: Learn how to configure single sign-on between Azure Active Directory and Fleet Management System.

+# Azure Active Directory SSO integration with Fleet Management System

+In this article, you learn how to integrate Fleet Management System with Azure Active Directory (Azure AD). Manages and monitors a fleet of surface level vehicles and subterranean tugs and carts that Microsoft utilizes. When you integrate Fleet Management System with Azure AD, you can:

+* Control in Azure AD who has access to Fleet Management System.

+* Enable your users to be automatically signed-in to Fleet Management System with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+You'll configure and test Azure AD single sign-on for Fleet Management System in a test environment. Fleet Management System supports **IDP** initiated single sign-on.

+## Prerequisites

+To integrate Azure Active Directory with Fleet Management System, you need:

+* An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Fleet Management System single sign-on (SSO) enabled subscription.

+## Add application and assign a test user

+Before you begin the process of configuring single sign-on, you need to add the Fleet Management System application from the Azure AD gallery. You need a test user account to assign to the application and test the single sign-on configuration.

+### Add Fleet Management System from the Azure AD gallery

+Add Fleet Management System from the Azure AD application gallery to configure single sign-on with Fleet Management System. For more information on how to add application from the gallery, see the [Quickstart: Add application from the gallery](../manage-apps/add-application-portal.md).

+### Create and assign Azure AD test user

+Follow the guidelines in the [create and assign a user account](../manage-apps/add-application-portal-assign-users.md) article to create a test user account in the Azure portal called B.Simon.

+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, and assign roles. The wizard also provides a link to the single sign-on configuration pane in the Azure portal. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides).

+## Configure Azure AD SSO

+Complete the following steps to enable Azure AD single sign-on in the Azure portal.

+1. In the Azure portal, on the **Fleet Management System** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, the user doesn't have to perform any step as the app is already pre-integrated with Azure.

+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up Fleet Management System** section, copy the appropriate URL(s) based on your requirement.

+ 

+## Configure Fleet Management System SSO

+To configure single sign-on on **Fleet Management System** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Fleet Management System support team](mailto:fms-datashare@navagis.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create Fleet Management System test user

+In this section, you create a user called Britta Simon at Fleet Management System. Work with [Fleet Management System support team](mailto:fms-datashare@navagis.com) to add the users in the Fleet Management System platform. Users must be created and activated before you use single sign-on.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on Test this application in Azure portal and you should be automatically signed in to the Fleet Management System for which you set up the SSO.

+* You can use Microsoft My Apps. When you click the Fleet Management System tile in the My Apps, you should be automatically signed in to the Fleet Management System for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Additional resources

+* [What is single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

+* [Plan a single sign-on deployment](../manage-apps/plan-sso-deployment.md).

+## Next steps

+Once you configure Fleet Management System you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: Azure Active Directory SSO integration with Illumio SSO

+description: Learn how to configure single sign-on between Azure Active Directory and Illumio SSO.

+# Azure Active Directory SSO integration with Illumio SSO

+In this article, you learn how to integrate Illumio SSO with Azure Active Directory (Azure AD). Illumio SSO app provides a simple, convenient, and secure way for organizations to manage user access to illumio PCE. When you integrate Illumio SSO with Azure AD, you can:

+* Control in Azure AD who has access to Illumio SSO.

+* Enable your users to be automatically signed-in to Illumio SSO with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+You'll configure and test Azure AD single sign-on for Illumio SSO in a test environment. Illumio SSO supports both **SP** and **IDP** initiated single sign-on.

+## Prerequisites

+To integrate Azure Active Directory with Illumio SSO, you need:

+* An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Illumio SSO single sign-on (SSO) enabled subscription.

+## Add application and assign a test user

+Before you begin the process of configuring single sign-on, you need to add the Illumio SSO application from the Azure AD gallery. You need a test user account to assign to the application and test the single sign-on configuration.

+### Add Illumio SSO from the Azure AD gallery

+Add Illumio SSO from the Azure AD application gallery to configure single sign-on with Illumio SSO. For more information on how to add application from the gallery, see the [Quickstart: Add application from the gallery](../manage-apps/add-application-portal.md).

+### Create and assign Azure AD test user

+Follow the guidelines in the [create and assign a user account](../manage-apps/add-application-portal-assign-users.md) article to create a test user account in the Azure portal called B.Simon.

+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, and assign roles. The wizard also provides a link to the single sign-on configuration pane in the Azure portal. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides).

+## Configure Azure AD SSO

+Complete the following steps to enable Azure AD single sign-on in the Azure portal.

+1. In the Azure portal, on the **Illumio SSO** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** textbox, type a URL using the following pattern:

+ `https://<DOMAIN>/login`

+ b. In the **Reply URL** textbox, type a URL using the following pattern:

+ `https://<DOMAIN>/login/acs/<ID>`

+1. If you wish to configure the application in **SP** initiated mode, then perform the following step:

+ In the **Sign on URL** textbox, type a URL using the following pattern:

+ `https://<DOMAIN>/login`

+ > [!NOTE]

+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [Illumio SSO Client support team](mailto:support@illumio.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. Your Illumio SSO application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows an example for this. The default value of **Unique User Identifier** is **user.userprincipalname** but Illumio SSO expects this to be mapped with the user's email address. For that you can use **user.mail** attribute from the list or use the appropriate attribute value based on your organization configuration.

+

+ 

+1. In addition to above, Illumio SSO application expects few more attributes to be passed back in SAML response, which are shown below. These attributes are also pre populated but you can review them as per your requirements.

+ | Name | Source Attribute|

+ | | |

+ | User.MemberOf | user.assignedroles |

+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up Illumio SSO** section, copy the appropriate URL(s) based on your requirement.

+ 

+## Configure Illumio SSO

+To configure single sign-on on **Illumio SSO** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Illumio SSO support team](mailto:support@illumio.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create Illumio SSO test user

+In this section, you create a user called Britta Simon at Illumio SSO. Work with [Illumio SSO support team](mailto:support@illumio.com) to add the users in the Illumio SSO platform. Users must be created and activated before you use single sign-on.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+#### SP initiated:

+1. Click on **Test this application** in Azure portal. This will redirect to Illumio SSO Sign-on URL where you can initiate the login flow.

+1. Go to Illumio SSO Sign-on URL directly and initiate the login flow from there.

+#### IDP initiated:

+1. Click on **Test this application** in Azure portal and you should be automatically signed in to the Illumio SSO for which you set up the SSO.

+1. You can also use Microsoft My Apps to test the application in any mode. When you click the Illumio SSO tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Illumio SSO for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Additional resources

+* [What is single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

+* [Plan a single sign-on deployment](../manage-apps/plan-sso-deployment.md).

+## Next steps

+Once you configure Illumio SSO you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: Azure Active Directory SSO integration with Karlsgate Identity Exchange (KIE)

+description: Learn how to configure single sign-on between Azure Active Directory and Karlsgate Identity Exchange (KIE).

+# Azure Active Directory SSO integration with Karlsgate Identity Exchange (KIE)

+In this article, you learn how to integrate the Karlsgate Identity Exchange (KIE) with Azure Active Directory (Azure AD). Karlsgate provides Privacy Enhancing Technology for protecting data at rest, in transit, & in use. KarlsgateΓÇÖs zero-trust approach allows the free flow of insights while maintaining custody of sensitive data. When you integrate Karlsgate Identity Exchange (KIE) with Azure AD, you can:

+* Control in Azure AD who has access to Karlsgate Identity Exchange (KIE).

+* Enable your users to be automatically signed-in to Karlsgate Identity Exchange (KIE) with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+You'll configure and test Azure AD single sign-on for Karlsgate Identity Exchange (KIE) in a test environment. Karlsgate Identity Exchange (KIE) supports **SP** and **IDP** initiated single sign-on.

+> [!NOTE]

+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.

+## Prerequisites

+To integrate Azure Active Directory with Karlsgate Identity Exchange (KIE), you need:

+* An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* An existing Karlsgate Identity Exchange (KIE) single sign-on (SSO) eligible account.

+* At least one (1) user created in your Karlsgate Identity Exchange (KIE) account.

+> [!NOTE]

+> To be eligible for single sign-on (SSO) access for your Karlsgate Identity Exchange (KIE) account, your KIE account must have an SSO eligible subscription. If you have questions, please contact the [Karlsgate Identity Exchange (KIE) support team](mailto:help@karlsgate.com).

+## Add application and assign a test user

+Before you begin the process of configuring single sign-on, you need to add the Karlsgate Identity Exchange (KIE) application from the Azure AD gallery. You need a test user account to assign to the application and test the single sign-on configuration.

+### Add Karlsgate Identity Exchange (KIE) from the Azure AD gallery

+Add Karlsgate Identity Exchange (KIE) from the Azure AD application gallery to configure single sign-on with Karlsgate Identity Exchange (KIE). For more information on how to add application from the gallery, see the [Quickstart: Add application from the gallery](../manage-apps/add-application-portal.md).

+### Create and assign Azure AD test user

+Follow the guidelines in the [create and assign a user account](../manage-apps/add-application-portal-assign-users.md) article to create a test user account in the Azure portal called B.Simon.

+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, and assign roles. The wizard also provides a link to the single sign-on configuration pane in the Azure portal. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides).

+## Configure Azure AD SSO

+Complete the following steps to enable Azure AD single sign-on in the Azure portal.

+1. In the Azure portal, on the **Karlsgate Identity Exchange (KIE)** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, the user does not have to perform any step as the app is already pre-integrated with Azure.

+1. If you wish to configure the application in **SP** initiated mode, then perform the following step:

+ In the **Sign on URL** textbox, type the URL:

+ `https://portal.karlsgate.com/Identity/Account/Login`

+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.

+ 

+## Configure Karlsgate Identity Exchange (KIE) SSO

+To configure single sign-on on the **Karlsgate Identity Exchange (KIE)** side, you must send the following information to the [Karlsgate Identity Exchange (KIE) support team](mailto:help@karlsgate.com).

+1. Your KIE accountΓÇÖs configured, non-blank **Public name plate** (as a secondary confirmation of your KIE account) this value is available at: `https://portal.karlsgate.com/Profile/Edit`.

+1. Your configured **Identifier (Entity ID)** (to confirm your configured value).

+1. Your configured **App Federation Metadata Url**.

+1. A list of one (or more) **email domain(s)** (min. 1) for users who will be accessing the Karlsgate Identity Exchange (KIE), e.g: northwind.com, de.contoso.com, fr.contoso.com, etc. (See note below.)

+ > [!NOTE]

+ > Many organizations have one (1) email domain configured for their users. For example, at the fictitious company Northwind, the user "jane.smith@northwind.com" has an email domain of "northwind.com". Some organizations have multiple (2+) email domains configured for their users. For example, at the fictitious company Contoso, the user "erika.mustermann@de.contoso.com" has an email domain of "de.contoso.com", while the user "jean.dupont@fr.contoso.com" has an email domain of "fr.contoso.com".

+1. The Karlsgate Identity Exchange (KIE) support team will use these settings to configure the Karlsgate Identity Exchange (KIE) application for SAML SSO access.

+> [!NOTE]

+> You must have an existing KIE account with an SSO eligible subscription to configure SAML SSO access. For SSO access, a KIE userΓÇÖs email address must match their Azure AD email address.

+If you have questions, please contact the [Karlsgate Identity Exchange (KIE) support team](mailto:help@karlsgate.com).

+### Create Karlsgate Identity Exchange (KIE) test user

+Work with [Karlsgate Identity Exchange (KIE) support team](mailto:help@karlsgate.com) to create a KIE account and add users to your KIE account.

+> [!NOTE]

+> For SSO access, a KIE userΓÇÖs email address must match their Azure AD email address.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+#### SP initiated:

+1. Click on **Test this application** in Azure portal. This will redirect to Karlsgate Identity Exchange (KIE) Sign-on URL where you can initiate the login flow.

+1. Go to Karlsgate Identity Exchange (KIE) Sign-on URL directly and initiate the login flow from there.

+#### IDP initiated:

+1. Click on **Test this application** in Azure portal and you should be automatically signed in to the Karlsgate Identity Exchange (KIE) for which you set up the SSO.

+1. You can also use Microsoft My Apps to test the application in any mode. When you click the Karlsgate Identity Exchange (KIE) tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Karlsgate Identity Exchange (KIE) for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Additional resources

+* [What is single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

+* [Plan a single sign-on deployment](../manage-apps/plan-sso-deployment.md).

+## Next steps

+Once you configure Karlsgate Identity Exchange (KIE) you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: Azure Active Directory SSO integration with Ledgy

+description: Learn how to configure single sign-on between Azure Active Directory and Ledgy.

+# Azure Active Directory SSO integration with Ledgy

+In this article, you learn how to integrate Ledgy with Azure Active Directory (Azure AD). Automate your equity. Grant shares and options to employees around the world, integrate equity into all your key systems, and help your team understand their ownership stakes. When you integrate Ledgy with Azure AD, you can:

+* Control in Azure AD who has access to Ledgy.

+* Enable your users to be automatically signed-in to Ledgy with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+You configure and test Azure AD single sign-on for Ledgy in a test environment. Ledgy supports both **SP** and **IDP** initiated single sign-on and **Just In Time** user provisioning.

+## Prerequisites

+To integrate Azure Active Directory with Ledgy, you need:

+* An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Ledgy single sign-on (SSO) enabled subscription.

+## Add application and assign a test user

+Before you begin the process of configuring single sign-on, you need to add the Ledgy application from the Azure AD gallery. You need a test user account to assign to the application and test the single sign-on configuration.

+### Add Ledgy from the Azure AD gallery

+Add Ledgy from the Azure AD application gallery to configure single sign-on with Ledgy. For more information on how to add application from the gallery, see the [Quickstart: Add application from the gallery](../manage-apps/add-application-portal.md).

+### Create and assign Azure AD test user

+Follow the guidelines in the [create and assign a user account](../manage-apps/add-application-portal-assign-users.md) article to create a test user account in the Azure portal called B.Simon.

+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, and assign roles. The wizard also provides a link to the single sign-on configuration pane in the Azure portal. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides).

+## Configure Azure AD SSO

+Complete the following steps to enable Azure AD single sign-on in the Azure portal.

+1. In the Azure portal, on the **Ledgy** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+

+ a. In the **Identifier** textbox, type a URL using the following pattern:

+ `https://app.ledgy.com/auth/saml/<orgSlug>/metadata.xml`

+ b. In the Reply URL textbox, type a URL using the following pattern:

+ `https://app.ledgy.com/auth/saml/<orgSlug>/acs`

+1. If you wish to configure the application in SP initiated mode, then perform the following step:

+ In the **Sign on URL** textbox, type the URL:

+ `https://app.ledgy.com/login`

+ > [!NOTE]

+ > These values are not real. Update these values with the actual Identifier and Reply URL. Contact [Ledgy Client support team](mailto:support@ledgy.com) to get these values. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.

+1. Ledgy application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.

+ 

+1. In addition to above, Ledgy application expects few more attributes to be passed back in SAML response, which are shown. These attributes are also pre populated but you can review them as per your requirements.

+ | Name | Source Attribute|

+ | | |

+ | email | user.mail |

+ | ID | user.userprincipalname |

+ | firstName | user.givenname |

+ | lastName | user.surname |

+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.

+ 

+## Configure Ledgy SSO

+To configure single sign-on on **Ledgy** side, you need to send the **App Federation Metadata Url** to [Ledgy support team](mailto:support@ledgy.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create Ledgy test user

+In this section, a user called B.Simon is created in Ledgy. Ledgy supports just-in-time user provisioning, which is enabled by default. There's no action item for you in this section. If a user doesn't already exist in Ledgy, a new one is commonly created after authentication.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+#### SP initiated

+* Click on **Test this application** in Azure portal. This will redirect to Ledgy Sign-on URL where you can initiate the login flow.

+* Go to Ledgy Sign-on URL directly and initiate the login flow from there.

+#### IDP initiated

+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Ledgy for which you set up the SSO.

+You can also use Microsoft My Apps to test the application in any mode. When you click the Ledgy tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Ledgy for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Additional resources

+* [What is single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

+* [Plan a single sign-on deployment](../manage-apps/plan-sso-deployment.md).

+## Next steps

+Once you configure Ledgy you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: Azure Active Directory SSO integration with Testim

+description: Learn how to configure single sign-on between Azure Active Directory and Testim.

+# Azure Active Directory SSO integration with Testim

+In this article, you'll learn how to integrate Testim with Azure Active Directory (Azure AD). Testim is the fastest way to create your most resilient e2e tests. The AI- based platform fits your workflow and accelerates software releases. When you integrate Testim with Azure AD, you can:

+* Control in Azure AD who has access to Testim.

+* Enable your users to be automatically signed-in to Testim with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+You'll configure and test Azure AD single sign-on for Testim in a test environment. Testim supports both **SP** and **IDP** initiated single sign-on.

+## Prerequisites

+To integrate Azure Active Directory with Testim, you need:

+* An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Testim single sign-on (SSO) enabled subscription.

+## Add application and assign a test user

+Before you begin the process of configuring single sign-on, you need to add the Testim application from the Azure AD gallery. You need a test user account to assign to the application and test the single sign-on configuration.

+### Add Testim from the Azure AD gallery

+Add Testim from the Azure AD application gallery to configure single sign-on with Testim. For more information on how to add application from the gallery, see the [Quickstart: Add application from the gallery](../manage-apps/add-application-portal.md).

+### Create and assign Azure AD test user

+Follow the guidelines in the [create and assign a user account](../manage-apps/add-application-portal-assign-users.md) article to create a test user account in the Azure portal called B.Simon.

+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, and assign roles. The wizard also provides a link to the single sign-on configuration pane in the Azure portal. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides).

+## Configure Azure AD SSO

+Complete the following steps to enable Azure AD single sign-on in the Azure portal.

+1. In the Azure portal, on the **Testim** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** textbox, type a URL using the following pattern:

+ `https://services.testim.io/auth/sso/<ID>/metadata`

+ b. In the **Reply URL** textbox, type a URL using the following pattern:

+ `https://services.testim.io/auth/sso/<ID>/callback`

+1. If you wish to configure the application in **SP** initiated mode, then perform the following step:

+ In the **Sign on URL** textbox, type the URL:

+ `https://app.testim.io/#/azure-signin`

+ > [!NOTE]

+ > These values are not real. Update these values with the actual Identifier and Reply URL. Contact [Testim Client support team](mailto:support@testim.io) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. On the **Set-up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up Testim** section, copy the appropriate URL(s) based on your requirement.

+ 

+## Configure Testim SSO

+To configure single sign-on on **Testim** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Testim support team](mailto:support@testim.io). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create Testim test user

+In this section, you create a user called Britta Simon at Testim. Work with [Testim support team](mailto:support@testim.io) to add the users in the Testim platform. Users must be created and activated before you use single sign-on.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+#### SP initiated:

+* Click on **Test this application** in Azure portal. This will redirect to Testim Sign-on URL where you can initiate the login flow.

+* Go to Testim Sign-on URL directly and initiate the login flow from there.

+#### IDP initiated:

+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Testim for which you set up the SSO.

+You can also use Microsoft My Apps to test the application in any mode. When you click the Testim tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Testim for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Additional resources

+* [What is single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

+* [Plan a single sign-on deployment](../manage-apps/plan-sso-deployment.md).

+## Next steps

+Once you configure Testim you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+| AC.L2-3.1.10<br><br>**Practice statement:** Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.<br><br>**Objectives:**<br>Determine if:<br>[a.] the period of inactivity after which the system initiates a session lock is defined;<br>[b.] access to the system and viewing of data is prevented by initiating a session lock after the defined period of inactivity; and<br>[c.] previously visible information is concealed via a pattern-hiding display after the defined period of inactivity. | Implement device lock by using a conditional access policy to restrict access to compliant or hybrid Azure AD joined devices. Configure policy settings on the device to enforce device lock at the OS level with MDM solutions such as Intune. Microsoft Intune, Configuration Manager, or group policy objects can also be considered in hybrid deployments. For unmanaged devices, configure the Sign-In Frequency setting to force users to reauthenticate.<br>[Require device to be marked as compliant](../conditional-access/require-managed-devices.md)<br>[Grant controls in Conditional Access policy - Require hybrid Azure AD joined device](../conditional-access/concept-conditional-access-grant.md)<br>[User sign-in frequency](../conditional-access/howto-conditional-access-session-lifetime.md)<br><br>Configure devices for maximum minutes of inactivity until the screen locks ([Android](/mem/intune/configuration/device-restrictions-android), [iOS](/mem/intune/configuration/device-restrictions-ios), [Windows 10](/mem/intune/configuration/device-restrictions-windows-10)).|

+| AC.L2-3.1.18<br><br>**Practice statement:** Control connection of mobile devices.<br><br>**Objectives:**<br>Determine if:<br>[a.] mobile devices that process, store, or transmit CUI are identified;<br>[b.] mobile device connections are authorized; and<br>[c.] mobile device connections are monitored and logged. | Configure device management policies via MDM (such as Microsoft Intune), Microsoft Intune, Configuration Manager, or group policy objects (GPO) to enforce mobile device configuration and connection profile. Configure Conditional Access policies to enforce device compliance.<br><br>**Conditional Access**<br>[Require device to be marked as compliant](../conditional-access/concept-conditional-access-grant.md)<br>[Require hybrid Azure AD joined device](../conditional-access/concept-conditional-access-grant.md)<br><br>**InTune**<br>[Device compliance policies in Microsoft Intune](/mem/intune/protect/device-compliance-get-started)<br>[What is app management in Microsoft Intune?](/mem/intune/apps/app-management) |

+| AC.L2-3.1.21<br><br>**Practice statement:** Limit use of portable storage devices on external systems.<br><br>**Objectives:**<br>Determine if:<br>[a.] the use of portable storage devices containing CUI on external systems is identified and documented;<br>[b.] limits on the use of portable storage devices containing CUI on external systems are defined; and<br>[c.] the use of portable storage devices containing CUI on external systems is limited as defined. | Configure device management policies via MDM (such as Microsoft Intune), Microsoft Intune, Configuration Manager, or group policy objects (GPO) to control the use of portable storage devices on systems. Configure policy settings on the Windows device to completely prohibit or restrict use of portable storage at the OS level. For all other devices where you may be unable to granularly control access to portable storage block download entirely with Microsoft Defender for Cloud Apps. Configure Conditional Access policies to enforce device compliance.<br><br>**Conditional Access**<br>[Require device to be marked as compliant](../conditional-access/concept-conditional-access-grant.md)<br>[Require hybrid Azure AD joined device](../conditional-access/concept-conditional-access-grant.md)<br>[Configure authentication session management - Azure Active Directory](../conditional-access/howto-conditional-access-session-lifetime.md)<br><br>**InTune**<br>[Device compliance policies in Microsoft Intune](/mem/intune/protect/device-compliance-get-started)<br>[Restrict USB devices using administrative templates in Microsoft Intune](/mem/intune/configuration/administrative-templates-restrict-usb)<br><br>**Microsoft Defender for Cloud Apps**<br>[Create session policies in Defender for Cloud Apps](/defender-cloud-apps/session-policy-aad)

+| CM.L2-3.4.2<br><br>**Practice statement:** Establish and enforce security configuration settings for information technology products employed in organizational systems.<br><br>**Objectives:**<br>Determine if:<br>[a.] security configuration settings for information technology products employed in the system are established and included in the baseline configuration; and<br>[b.] security configuration settings for information technology products employed in the system are enforced. | Adopt a zero-trust security posture. Use conditional access policies to restrict access to compliant devices. Configure policy settings on the device to enforce security configuration settings on the device with MDM solutions such as Microsoft Intune. Microsoft Configuration Manager or group policy objects can also be considered in hybrid deployments and combined with conditional access require hybrid Azure AD joined device.<br><br>**Zero-trust**<br>[Securing identity with Zero Trust](/security/zero-trust/identity)<br><br>**Conditional access**<br>[What is conditional access in Azure AD?](../conditional-access/overview.md)<br>[Grant controls in Conditional Access policy](../conditional-access/concept-conditional-access-grant.md)<br><br>**Device policies**<br>[What is Microsoft Intune?](/mem/intune/fundamentals/what-is-intune)<br>[What is Defender for Cloud Apps?](/cloud-app-security/what-is-cloud-app-security)<br>[What is app management in Microsoft Intune?](/mem/intune/apps/app-management)<br>[Microsoft endpoint management solutions](/mem/endpoint-manager-overview) |

+| MP.L2-3.8.7<br><br>**Practice statement:** Control the use of removable media on system components.<br><br>**Objectives:**<br>Determine if:<br>[a.] the use of removable media on system components is controlled. | Configure device management policies via MDM (such as Microsoft Intune), Microsoft Intune, Configuration Manager, or group policy objects (GPO) to control the use of removable media on systems. Deploy and manage Removable Storage Access Control using Intune, Configuration Manager, or Group Policy. Configure Conditional Access policies to enforce device compliance.<br><br>**Conditional Access**<br>[Require device to be marked as compliant](../conditional-access/concept-conditional-access-grant.md)<br>[Require hybrid Azure AD joined device](../conditional-access/concept-conditional-access-grant.md#require-hybrid-azure-ad-joined-device)<br><br>**Intune**<br>[Device compliance policies in Microsoft Intune](/mem/intune/protect/device-compliance-get-started)<br><br>**Removable storage access control**<br>[Deploy and manage Removable Storage Access Control using Intune](/microsoft-365/security/defender-endpoint/deploy-manage-removable-storage-intune?view=o365-worldwide&preserve-view=true)<br>[Deploy and manage Removable Storage Access Control using group policy](/microsoft-365/security/defender-endpoint/deploy-manage-removable-storage-group-policy?view=o365-worldwide&preserve-view=true) |

+| SC.L2-3.13.4<br><br>**Practice statement:** Prevent unauthorized and unintended information transfer via shared system resources.<br><br>**Objectives:**<br>Determine if:<br>[a.] unauthorized and unintended information transfer via shared system resources is prevented. | Configure device management policies via MDM (such as Microsoft Intune), Microsoft Intune, Configuration Manager, or group policy objects (GPO) to ensure devices are compliant with system hardening procedures. Include compliance with company policy regarding software patches to prevent attackers from exploiting flaws.<br><br>Configure Conditional Access policies to enforce device compliance.<br><br>**Conditional Access**<br>[Require device to be marked as compliant](../conditional-access/concept-conditional-access-grant.md)<br>[Require hybrid Azure AD joined device](../conditional-access/concept-conditional-access-grant.md)<br><br>**InTune**<br>[Device compliance policies in Microsoft Intune](/mem/intune/protect/device-compliance-get-started) |

+| SC.L2-3.13.13<br><br>**Practice statement:** Control and monitor the use of mobile code.<br><br>**Objectives:**<br>Determine if:<br>[a.] use of mobile code is controlled; and<br>[b.] use of mobile code is monitored. | Configure device management policies via MDM (such as Microsoft Intune), Microsoft Intune, Configuration Manager, or group policy objects (GPO) to disable the use of mobile code. Where use of mobile code is required monitor the use with endpoint security such as Microsoft Defender for Endpoint.<br><br>Configure Conditional Access policies to enforce device compliance.<br><br>**Conditional Access**<br>[Require device to be marked as compliant](../conditional-access/concept-conditional-access-grant.md)<br>[Require hybrid Azure AD joined device](../conditional-access/concept-conditional-access-grant.md)<br><br>**InTune**<br>[Device compliance policies in Microsoft Intune](/mem/intune/protect/device-compliance-get-started)<br><br>**Defender for Endpoint**<br>[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide&preserve-view=true) |

+| SI.L2-3.14.7<br><br>**Practice statement:**<br><br>**Objectives:** Identify unauthorized use of organizational systems.<br>Determine if:<br>[a.] authorized use of the system is defined; and<br>[b.] unauthorized use of the system is identified. | Consolidate telemetry: Azure AD logs to stream to SIEM, such as Azure Sentinel Configure device management policies via MDM (such as Microsoft Intune), Microsoft Intune, Configuration Manager, or group policy objects (GPO) to require Intrusion Detection/Protection (IDS/IPS) such as Microsoft Defender for Endpoint is installed and in use. Use telemetry provided by the IDS/IPS to identify unusual activities or conditions related to inbound and outbound communications traffic or unauthorized use.<br><br>Configure Conditional Access policies to enforce device compliance.<br><br>**Conditional Access**<br>[Require device to be marked as compliant](../conditional-access/concept-conditional-access-grant.md)<br>[Require hybrid Azure AD joined device](../conditional-access/concept-conditional-access-grant.md)<br><br>**InTune**<br>[Device compliance policies in Microsoft Intune](/mem/intune/protect/device-compliance-get-started)<br><br>**Defender for Endpoint**<br>[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide&preserve-view=true) |

+| AC-02(5)| **Implement device log-out after a 15-minute period of inactivity.**<p>Implement device lock by using a conditional access policy that restricts access to compliant devices. Configure policy settings on the device to enforce device lock at the OS level with mobile device management (MDM) solutions such as Intune. Microsoft Intune, Configuration Manager, or group policy objects can also be considered in hybrid deployments. For unmanaged devices, configure the Sign-In Frequency setting to force users to reauthenticate.<P>Conditional access<br><li>[Require device to be marked as compliant](../conditional-access/require-managed-devices.md)<br><li>[User sign-in frequency](../conditional-access/howto-conditional-access-session-lifetime.md)<p>MDM policy<br><li>Configure devices for maximum minutes of inactivity until the screen locks and requires a password to unlock ([Android](/mem/intune/configuration/device-restrictions-android), [iOS](/mem/intune/configuration/device-restrictions-ios), [Windows 10](/mem/intune/configuration/device-restrictions-windows-10)). |

+| AC-10|**Limit concurrent sessions to three sessions for privileged access and two for nonprivileged access.** <p>Nowadays, users connect from multiple devices, sometimes simultaneously. Limiting concurrent sessions leads to a degraded user experience and provides limited security value. A better approach to address the intent behind this control is to adopt a zero-trust security posture. Conditions are explicitly validated before a session is created and continually validated throughout the life of a session. <p>In addition, use the following compensating controls. <p>Use conditional access policies to restrict access to compliant devices. Configure policy settings on the device to enforce user sign-in restrictions at the OS level with MDM solutions such as Intune. Microsoft Intune, Configuration Manager, or group policy objects can also be considered in hybrid deployments.<p> Use Privileged Identity Management to further restrict and control privileged accounts. <p> Configure smart account lockout for invalid sign-in attempts.<p>**Implementation guidance** <p>Zero trust<br><li> [Securing identity with Zero Trust](/security/zero-trust/identity)<br><li>[Continuous access evaluation in Azure AD](../conditional-access/concept-continuous-access-evaluation.md)<p>Conditional access<br><li>[What is conditional access in Azure AD?](../conditional-access/overview.md)<br><li>[Require device to be marked as compliant](../conditional-access/require-managed-devices.md)<br><li>[User sign-in frequency](../conditional-access/howto-conditional-access-session-lifetime.md)<p>Device policies<br><li>[Use PowerShell scripts on Windows 10 devices in Intune](/mem/intune/apps/intune-management-extension)<br><li>[Other smart card Group Policy settings and registry keys](/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings)<br><li>[Microsoft Intune overview](/mem/endpoint-manager-overview)<p>Resources<br><li>[What is Azure AD Privileged Identity Management?](../privileged-identity-management/pim-configure.md)<br><li>[Protect user accounts from attacks with Azure Active Directory smart lockout](../authentication/howto-password-smart-lockout.md)<p>See AC-12 for more session reevaluation and risk mitigation guidance. |

+| AC-11<br>AC-11(1)| **Implement a session lock after a 15-minute period of inactivity or upon receiving a request from a user. Retain the session lock until the user reauthenticates. Conceal previously visible information when a session lock is initiated.**<p> Implement device lock by using a conditional access policy to restrict access to compliant devices. Configure policy settings on the device to enforce device lock at the OS level with MDM solutions such as Intune. Microsoft Intune, Configuration Manager, or group policy objects can also be considered in hybrid deployments. For unmanaged devices, configure the Sign-In Frequency setting to force users to reauthenticate.<p>Conditional access<br><li>[Require device to be marked as compliant](../conditional-access/require-managed-devices.md)<br><li>[User sign-in frequency](../conditional-access/howto-conditional-access-session-lifetime.md)<p>MDM policy<br><li>Configure devices for maximum minutes of inactivity until the screen locks ([Android](/mem/intune/configuration/device-restrictions-android), [iOS](/mem/intune/configuration/device-restrictions-ios), [Windows 10](/mem/intune/configuration/device-restrictions-windows-10)). |

+| IA-02(2)<br>IA-02(4)| **Implement multi-factor authentication for all access to non-privileged accounts**<p>Configure the following elements as an overall solution to ensure all access to non-privileged accounts requires MFA.<p> Configure Conditional Access policies to require MFA for all users.<br> Configure device management policies via MDM (such as Microsoft Intune), Microsoft Intune, Configuration Manager, or group policy objects (GPO) to enforce use of specific authentication methods.<br> Configure Conditional Access policies to enforce device compliance.<p>Microsoft recommends using a multi-factor cryptographic hardware authenticator (e.g., FIDO2 security keys, Windows Hello for Business (with hardware TPM), or smart card) to achieve AAL3. If your organization is completely cloud-based, we recommend using FIDO2 security keys or Windows Hello for Business.<p>Windows Hello for Business has not been validated at the required FIPS 140 Security Level and as such federal customers would need to conduct risk assessment and evaluation before accepting it as AAL3. For additional details regarding Windows Hello for Business FIPS 140 validation please refer to [Microsoft NIST AALs](nist-overview.md).<p>Guidance regarding MDM polices differ slightly based on authentication methods, they are broken out below. <p>Smart Card / Windows Hello for Business<br> [Passwordless Strategy - Require Windows Hello for Business or smart card](/windows/security/identity-protection/hello-for-business/passwordless-strategy)<br> [Require device to be marked as compliant](../conditional-access/require-managed-devices.md)<br> [Conditional Access - Require MFA for all users](../conditional-access/howto-conditional-access-policy-all-users-mfa.md)<p> Hybrid Only<br> [Passwordless Strategy - Configure user accounts to disallow password authentication](/windows/security/identity-protection/hello-for-business/passwordless-strategy)<p> Smart Card Only<br>[Create a Rule to Send an Authentication Method Claim](/windows-server/identity/ad-fs/operations/create-a-rule-to-send-an-authentication-method-claim)<br>[Configure Authentication Policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies)<p>FIDO2 Security Key<br> [Passwordless Strategy - Excluding the password credential provider](/windows/security/identity-protection/hello-for-business/passwordless-strategy)<br> [Require device to be marked as compliant](../conditional-access/require-managed-devices.md)<br> [Conditional Access - Require MFA for all users](../conditional-access/howto-conditional-access-policy-all-users-mfa.md)<p>Authentication Methods<br> [Azure Active Directory passwordless sign-in (preview) | FIDO2 security keys](../authentication/concept-authentication-passwordless.md)<br> [Passwordless security key sign-in Windows - Azure Active Directory](../authentication/howto-authentication-passwordless-security-key-windows.md)<br> [ADFS: Certificate Authentication with Azure AD & Office 365](/archive/blogs/samueld/adfs-certauth-aad-o365)<br> [How Smart Card Sign-in Works in Windows (Windows 10)](/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows)<br> [Windows Hello for Business Overview (Windows 10)](/windows/security/identity-protection/hello-for-business/hello-overview)<p>Additional Resources:<br> [Policy CSP - Windows Client Management](/windows/client-management/mdm/policy-configuration-service-provider)<br> [Use PowerShell scripts on Windows 10 devices in Intune](/mem/intune/apps/intune-management-extension)<br> [Plan a passwordless authentication deployment with Azure AD](../authentication/howto-authentication-passwordless-deployment.md)<br> |

+For AKS clusters on the [OS auto upgrade][aks-node-image-upgrade] channel, the unattended upgrade process is disabled, and the OS nodes will receive security updates through the weekly node image upgrade.

+In general, Microsoft doesn't broadly communicate the release of new patch versions for AKS. However, Microsoft constantly monitors and validates available CVE patches to support them in AKS in a timely manner. If a critical patch is found or user action is required, Microsoft [posts and updates CVE issue details on GitHub][aks-cve-feed].

+[aks-node-image-upgrade]: auto-upgrade-node-image.md

+[azure-bounty-program-overview]: https://www.microsoft.com/msrc/bounty-microsoft-azure

+## Troubleshooting

+If you experience issues, see the [troubleshooting checklist for failed deployments of a Kubernetes offer][marketplace-troubleshoot].

+[marketplace-troubleshoot]: /troubleshoot/azure/azure-kubernetes/troubleshoot-failed-kubernetes-deployment-offer

+When enabled, an `eraser-controller-manager` pod is deployed, which generates an `ImageList` CRD. The eraser pods running on each nodes will clean up the unreferenced and vulnerable images according to the ImageList. Vulnerability is determined based on a [trivy][trivy] scan, after which images with a `LOW`, `MEDIUM`, `HIGH`, or `CRITICAL` classification are flagged. An updated `ImageList` will be automatically generated by Image Cleaner based on a set time interval, and can also be supplied manually.

+- Snapshots must be created in the same region as the source node pool.

+ 5.15.80.mshv2-hvl1.m2

+ 5.15.48.1-8.cm2

+[register-the-katavmisolationpreview-feature-flag]: #register-the-katavmisolationpreview-feature-flag

+> When `WEBSITE_LOAD_CERTIFICATES` is set `*`, all previously added certificates are accessible to application code. If you add a certificate to your app later, restart the app to make the new certificate accessible to your app. For more information, see [When updating (renewing) a certificate](#when-updating-renewing-a-certificate).

+## When updating (renewing) a certificate

+When you renew a certificate and add it to your app, it gets a new thumbprint, which also needs to be [made accessible](#make-the-certificate-accessible). How it works depends on your certificate type.

+If you manually upload the [public](configure-ssl-certificate.md#upload-a-public-certificate) or [private](configure-ssl-certificate.md#upload-a-private-certificate) certificate:

+- If you list thumbprints explicitly in `WEBSITE_LOAD_CERTIFICATES`, add the new thumbprint to the app setting.

+- If `WEBSITE_LOAD_CERTIFICATES` is set to `*`, restart the app to make the new certificate accessible.

+If you renew a certificate [in Key Vault](configure-ssl-certificate.md#renew-a-certificate-imported-from-key-vault), such as with an [App Service certificate](configure-ssl-certificate.md#renew-app-service-certificate), the daily sync from Key Vault makes the necessary update automatically when synchronizing your app with the renewed certificate.

+- If `WEBSITE_LOAD_CERTIFICATES` contains the old thumbprint of your renewed certificate, the daily sync updates the old thumbprint to the new thumbprint automatically.

+- If `WEBSITE_LOAD_CERTIFICATES` is set to `*`, the daily sync makes the new certificate accessible automatically.

+Since the application gateway resource is deployed inside a virtual network, we also perform a check to verify the permission on the provided virtual network resource. This validation is performed during both creation and management operations. You should check your [Azure role-based access control](../role-based-access-control/role-assignments-list-portal.md) to verify the users or service principals that operate application gateways also have at least **Microsoft.Network/virtualNetworks/subnets/join/action** permission on the Virtual Network or Subnet.

+You may use the built-in roles, such as [Network contributor](../role-based-access-control/built-in-roles.md#network-contributor), which already support this permission. If a built-in role doesn't provide the right permission, you can [create and assign a custom role](../role-based-access-control/custom-roles-portal.md). Learn more about [managing subnet permissions](../virtual-network/virtual-network-manage-subnet.md#permissions). You may have to allow sufficient time for [Azure Resource Manager cache refresh](../role-based-access-control/troubleshooting.md?tabs=bicep#symptomrole-assignment-changes-are-not-being-detected) after role assignment changes.

+ Title: "Quickstart: Use Azure App Configuration in Azure Container Apps"

+description: Learn how to connect a containerized application to Azure App Configuration, using Service Connector.

+# Quickstart: Use Azure App Configuration in Azure Container Apps

+In this quickstart, you will use Azure App Configuration in an app running in Azure Container Apps. This way, you can centralize the storage and management of the configuration of your apps in Container Apps. This quickstart leverages the ASP.NET Core app created in [Quickstart: Create an ASP.NET Core app with App Configuration](./quickstart-aspnet-core-app.md). You will containerize the app and deploy it to Azure Container Apps. Complete the quickstart before you continue.

+> [!TIP]

+> While following this quickstart, preferably register all new resources within a single resource group, so that you can regroup them all in a single place and delete them faster later on if you don't need them anymore.

+## Prerequisites

+- An application using an App Configuration store. If you don't have one, create an instance using the [Quickstart: Create an ASP.NET Core app with App Configuration](./quickstart-aspnet-core-app.md).

+- An Azure Container Apps instance. If you don't have one, create an instance using the [Azure portal](/azure/container-apps/quickstart-portal) or [the CLI](/azure/container-apps/get-started).

+- [Docker Desktop](https://www.docker.com/products/docker-desktop)

+- The [Azure CLI](/cli/azure/install-azure-cli)

+## Connect Azure App Configuration to the container app

+In the Azure portal, navigate to your Container App instance. Follow the [Service Connector quickstart for Azure Container Apps](../service-connector/quickstart-portal-container-apps.md) to create a service connection with your App Configuration store using the settings below.

+- In the **Basics** tab:

+ - select **App Configuration** for **Service type**

+ - pick your App Configuration store for "**App Configuration**"

+ :::image type="content" border="true" source="media\connect-container-app\use-service-connector.png" alt-text="Screenshot the Azure platform showing a form in the Service Connector menu in a Container App." lightbox="media\connect-container-app\use-service-connector.png":::

+- In the **Authentication** tab:

+ - pick **Connection string** authentication type and **Read-Only** for "**Permissions for the connection string**

+ - expand the **Advanced** menu. In the Configuration information, there should be an environment variable already created called "AZURE_APPCONFIGURATION_CONNECTIONSTRING". Edit the environment variable by selecting the icon on the right and change the name to *ConnectionStrings__AppConfig*. We need to make this change as *ConnectionStrings__AppConfig* is the name of the environment variable the application built in the [ASP.NET Core quickstart](./quickstart-aspnet-core-app.md) will look for. This is the environment variable which contains the connection string for App Configuration. If you have used another application to follow this quickstart, please use the corresponding environment variable name. Then select **Done**.

+- Use default values for everything else.

+Once done, an environment variable named **ConnectionStrings__AppConfig** will be added to the container of your Container App. Its value is a reference of the Container App secret, the connection string of your App Configuration store.

+## Build a container

+1. Run the [dotnet publish](/dotnet/core/tools/dotnet-publish) command to build the app in release mode and create the assets in the *published* folder.

+ ```dotnet

+ dotnet publish -c Release -o published

+ ```

+1. Create a file named *Dockerfile* in the directory containing your .csproj file, open it in a text editor, and enter the following content. A Dockerfile is a text file that doesn't have an extension and that is used to create a container image.

+ ```docker

+ FROM mcr.microsoft.com/dotnet/aspnet:6.0 AS runtime

+ WORKDIR /app

+ COPY published/ ./

+ ENTRYPOINT ["dotnet", "TestAppConfig.dll"]

+ ```

+1. Build the container by running the following command.

+ ```docker

+ docker build --tag aspnetapp .

+ ```

+## Create an Azure Container Registry instance

+Create an Azure Container Registry (ACR). ACR enables you to build, store, and manage container images.

+#### [Portal](#tab/azure-portal)

+1. To create the container registry, follow the [Azure Container Registry quickstart](/azure/container-registry/container-registry-get-started-portal).

+1. Once the deployment is complete, open your ACR instance and from the left menu, select **Settings > Access keys**.

+1. Take note of the **Login server** value listed on this page. You'll use this information in a later step.

+1. Switch **Admin user** to *Enabled*. This option lets you connect the ACR to Azure Container Apps using admin user credentials. Alternatively, you can leave it disabled and configure the container app to [pull images from the registry with a managed identity](../container-apps/managed-identity-image-pull.md).

+#### [Azure CLI](#tab/azure-cli)

+1. Create an ACR instance using the following command. It creates a basic tier registry named *myregistry* with admin user enabled that allows the container app to connect to the registry using admin user credentials. For more information, see [Azure Container Registry quickstart](/azure/container-registry/container-registry-get-started-azure-cli).

+ ```azurecli

+ az acr create

+ --resource-group AppConfigTestResources \

+ --name myregistry \

+ --admin-enabled true \

+ --sku Basic

+ ```

+1. In the command output, take note of the ACR login server value listed after `loginServer`.

+1. Retrieve the ACR username and password by running `az acr credential show --name myregistry`. You'll need these values later.

+## Push the image to Azure Container Registry

+Push the Docker image to the ACR created earlier.

+1. Run the [az acr login](/cli/azure/acr#az-acr-login) command to log in to the registry.

+ ```azurecli

+ az acr login --name myregistry

+ ```

+ The command returns `Login Succeeded` once login is successful.

+1. Use [docker tag](https://docs.docker.com/engine/reference/commandline/tag/) to tag the image appropriate details.

+ ```docker

+ docker tag aspnetapp myregistry.azurecr.io/aspnetapp:v1

+ ```

+ > [!TIP]

+ > To review the list of your existing docker images and tags, run `docker image ls`. In this scenario, you should see at least two images: `aspnetapp` and `myregistry.azurecr.io/aspnetapp`.

+1. Use [docker push](https://docs.docker.com/engine/reference/commandline/push/) to push the image to the container registry. This example creates the *aspnetapp* repository in ACR containing the `aspnetapp` image. In the example below, replace the placeholders `<login-server`, `<image-name>` and `<tag>` by the ACR's log-in server value, the image name and the image tag.

+ Method:

+ ```docker

+ docker push <login-server>/<image-name>:<tag>

+ ```

+ Example:

+ ```docker

+ docker push myregistry.azurecr.io/aspnetapp:v1

+ ```

+1. Open your Azure Container Registry in the Azure portal and confirm that under **Repositories**, you can see your new repository.

+ :::image type="content" border="true" source="media\connect-container-app\container-registry-repository.png" alt-text="Screenshot of the Azure platform showing a repository in Azure Container Registries.":::

+## Add your container image to Azure Container Apps

+Update your Container App to load the container image from your ACR.

+1. In the Azure portal, open your Azure Container Apps instance.

+1. In the left menu, under **Application**, select **Containers**.

+1. Select **Edit and deploy**.

+1. Under **Container image**, click on the name of the existing container image.

+1. Update the following settings:

+ | Setting | Suggested value | Description |

+ |-|-|-|

+ | Image source | *Azure Container Registry* | Select Azure Container Registry as your image source. |

+ | Authentication | *Admin Credentials* | Use the admin user credential option that was enabled earlier in the container registry. If you didn't enable the admin user but configured to [use a managed identity](../container-apps/managed-identity-image-pull.md?tabs=azure-cli&pivots=azure-portal), you would need to manually enter the image and tag in the form. |

+ | Registry | *myregistry.azurecr.io* | Select the Azure Container Registry you created earlier. |

+ | Image | *aspnetapp* | Select the docker image you created and pushed to ACR earlier. |

+ | Image tag | *v1* | Select your image tag from the list. |

+1. Select **Save** and then **Create** to deploy the update to Azure Container App.

+## Browse to the URL of the Azure Container App

+In the Azure portal, in the Azure Container Apps instance, go to the **Overview** tab and open the **Application Url**.

+The web page looks like this:

+## Clean up resources

+## Next steps

+In this quickstart, you:

+- Connected Azure App Configuration to Azure Container Apps

+- Used Docker to build a container image from an ASP.NET Core app with App Configuration settings

+- Created an Azure Container Registry instance

+- Pushed the image to the Azure Container Registry instance

+- Added the container image to Azure Container Apps

+- Browsed to the URL of the Azure Container Apps instance updated with the settings you configured in your App Configuration store.

+The managed identity enables one Azure resource to access another without you maintaining secrets. You can streamline access from Container Apps to other Azure resources. For more information, see how to [access App Configuration using the managed identity](howto-integrate-azure-managed-service-identity.md) and how to [[access Container Registry using the managed identity](../container-registry/container-registry-authentication-managed-identity.md)].

+To learn how to configure your ASP.NET Core web app to dynamically refresh configuration settings, continue to the next tutorial.

+> [!div class="nextstepaction"]

+> [Enable dynamic configuration](./enable-dynamic-configuration-aspnet-core.md)

+|HPE Superdome Flex 280 | 1.23.5 | 1.15.0_2023-01-10 | 16.0.816.19223 | 14.5 (Ubuntu 20.04)|

+* East US2

+* West US2

+* West US3

+* South Central US

+* North Europe

+- You can store your managed application definition in a storage account that you provide when you create the application. Doing so allows you to manage its location and access for your regulatory needs, including [storage encryption with customer-managed keys](#storage-encryption-with-key-vault-managed-keys). For more information, see [Bring your own storage](../azure-resource-manager/managed-applications/publish-service-catalog-bring-your-own-storage.md).

+ :::image type="content" source="./media/alerts-logic-apps/configure-http-request-received.png" alt-text="Screenshot that shows the Parameters tab for the When an HTTP request is received pane.":::

+ |Short Resource ID|`concat(variables('AffectedResource')[7], '/', variables('AffectedResource')[8]`)|

+ |Client Api Version|Resource type's api version|

+

+ To find your resource type's api version, select the **JSON view** link on the top right-hand side of the resource overview page.

+ The **Resource JSON** page is displayed with the **ResourceID** and **API version** at the top of the page.

+ :::image type="content" source="./media/alerts-logic-apps/configure-http-request-received.png" alt-text="Screenshot that shows the parameters for When an HTTP request is received.":::

+Post general questions to the Microsoft Q&A [answers forum](/answers/topics/24223/azure-monitor.html).

+Post coding questions to [Stack Overflow](https://stackoverflow.com/questions/tagged/azure-application-insights) using an Application Insights tag.

+[Optimize cost in Azure Monitor](https://learn.microsoft.com/azure/azure-monitor/best-practices-cost)

+- [Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. It was designed with a primary focus on protecting Windows user devices. Defender for Endpoint monitors workstations, servers, tablets, and cellphones with various operating systems for security issues and vulnerabilities. Defender for Endpoint is closely aligned with Microsoft Intune to collect data and provide security assessments. Data collection is primarily based on ETW trace logs and is stored in an isolated workspace.

+### Option 5 - With Azure Monitor Private Link Scope (AMPLS) + Proxy

+If the cluster is configured with a forward proxy, then proxy settings are automatically applied to the extension. In the case of a cluster with AMPLS + proxy, proxy config should be ignored. Onboard the extension with the configuration setting `amalogs.ignoreExtensionProxySettings=true`.

+```azurecli

+az k8s-extension create --name azuremonitor-containers --cluster-name <cluster-name> --resource-group <resource-group> --cluster-type connectedClusters --extension-type Microsoft.AzureMonitor.Containers --configuration-settings amalogs.ignoreExtensionProxySettings=true

+```

+| Kubernetes service | Cluster-wide | `http://my-service-dns.my-namespace:9100/metrics` <br>`http://metrics-server.kube-system.svc.cluster.local/metrics`ΓÇï |

+| | `kubernetes_services` | String | Comma-separated array | An array of Kubernetes services to scrape metrics from kube-state-metrics. Fully qualified domain names must be used here. For example,`kubernetes_services = ["http://metrics-server.kube-system.svc.cluster.local/metrics",http://my-service-dns.my-namespace.svc.cluster.local:9100/metrics]`|

+| | `prometheus.io/scheme` | String | http | Defaults to scraping over HTTP. |

+Azure Monitor managed service for Prometheus allows you to collect and analyze metrics at scale using a Prometheus-compatible monitoring solution, based on the [Prometheus](https://aka.ms/azureprometheus-promio) project from the Cloud Native Compute Foundation. This fully managed service allows you to use the [Prometheus query language (PromQL)](https://aka.ms/azureprometheus-promio-promql) to analyze and alert on the performance of monitored infrastructure and workloads without having to operate the underlying infrastructure.

+Azure Monitor managed service for Prometheus is intended to be a replacement for self managed Prometheus so you don't need to manage a Prometheus server in your Kubernetes clusters. You may also choose to use the managed service to centralize data from self-managed Prometheus clusters for long term data retention and to create a centralized view across your clusters. In this case, you can use [remote_write](https://prometheus.io/docs/operating/integrations/#remote-endpoints-and-storage) to send data from your self-managed Prometheus into the Azure managed service.

+Azure Monitor provides a reverse proxy container (Azure Monitor [side car container](https://learn.microsoft.com/azure/architecture/patterns/sidecar)) that provides an abstraction for ingesting Prometheus remote write metrics and helps in authenticating packets. The Azure Monitor side car container currently supports User Assigned Identity and Azure Active Directory (Azure AD) based authentication to ingest Prometheus remote write metrics to Azure Monitor workspace.

+1. Sign in to [Microsoft Intune admin center](https://endpoint.microsoft.com/).

+ - Shorten suffix added to the snapshot name. The previous 26 character suffix of "YYYY-MM-DDThhhhss-nnnnnnnZ" was too long. The suffix is now an 11 character hex-decimal based on the ten-thousandths of a second since the Unix epoch to avoid naming collisions for example, F2D212540D5.

+ - Azure Backup now allows third party snapshot-based backups without impact to streaming backups (also known as 'backint'). Therefore, AzAcSnap 'backint' detection logic has been reordered to allow for future deprecation of this feature. By default this setting is disabled (`autoDisableEnableBackint=false`). For customers who have relied on this feature to take snapshots with AzAcSnap and use Azure Backup, keeping this value as true means AzAcSnap 7 continues to disable/enable backint. As this setting is no longer necessary for Azure Backup, we recommend testing AzAcSnap backups with the value of `autoDisableEnableBackint=false`, and then if successful make the same change in your production deployment.

+ - When doing a `--restore snaptovol` on ANF, then Volume Clone inherits the new 'NetworkFeatures' setting from the Source Volume.

+ - Can now do a restore if there are no Data Volumes configured. It will only restore the Other Volumes using the Other Volumes latest snapshot (the `--snapshotfilter` option only applies to Data Volumes).

+Since AzAcSnap v5.0 was released as GA in April 2021, there have been eight releases of AzAcSnap across two branches. Our goal with the new release model is to align with how Azure components are released. This change allows moving features from Preview to GA (without having to move an entire branch), and introduce new Preview features (without having to create a new branch). From AzAcSnap 6, we have a single branch with fully supported GA features and Preview features (which are subject to Microsoft's Preview Ts&Cs). ItΓÇÖs important to note customers can't accidentally use Preview features, and must enable them with the `--preview` command line option. Therefore the next release will be AzAcSnap 7, which could include; patches (if necessary) for GA features, current Preview features moving to GA, or new Preview features.

+- Fix the installer's check for the location of the hdbuserstore. The installer would search the filesystem for an incorrect source directory for the hdbuserstore location for the user running the install - the installer now searches for `~/.hdb`. This fix is applicable to systems (for example, Azure Large Instance) where the hdbuserstore was pre-configured for the `root` user before installing `azacsnap`.

+The following diagram demonstrates how customer-managed keys work with Azure NetApp Files:

+1. Azure NetApp Files grants permissions to encryption keys to a managed identity. The managed identity is either a user-assigned managed identity that you create and manage or a system-assigned managed identity associated with the NetApp account.

+2. You configure encryption with a customer-managed key for the NetApp account.

+3. You use the managed identity to which the Azure Key Vault admin granted permissions in step one to authenticate access to Azure Key Vault via Azure Active Directory.

+4. Azure NetApp Files wraps the account encryption key with the customer-managed key in Azure Key Vault.

+5. For read/write operations, Azure NetApp Files sends requests to Azure Key Vault to unwrap the account encryption key to perform encryption and decryption operations.

+* Existing regular volumes can't be resized over 100 TiB.

+ * You cannot convert regular Azure NetApp Files volumes to large volumes.

+* You can't resize a large volume to less than 100 TiB.

+ * You can only resize a large volume up to 30% of lowest provisioned size.

+* Large volumes aren't currently supported with Azure NetApp Files backup.

+* Large volumes aren't currently supported with cross-region replication.

+* Throughput ceilings for the three performance tiers (Standard, Premium, and Ultra) of large volumes are based on the existing 100-TiB maximum capacity targets. You're able to grow to 500 TiB with the throughput ceiling per the following table:

+ Title: Deploy a service catalog managed application

+description: Describes how to deploy a service catalog's managed application for an Azure Managed Application.

+# Quickstart: Deploy a service catalog managed application

+In this quickstart, you use the definition you created in the quickstarts to [publish an application definition](publish-service-catalog-app.md) or [publish a definition with bring your own storage](publish-service-catalog-bring-your-own-storage.md) to deploy a service catalog managed application. The deployment creates two resource groups. One resource group contains the managed application and the other is a managed resource group for the deployed resource. The managed application definition deploys an App Service plan, App Service, and storage account.

+To complete this quickstart, you need an Azure account with an active subscription. If you completed a quickstart to publish a definition, you should already have an account. Otherwise, [create a free account](https://azure.microsoft.com/free/) before you begin.

+ :::image type="content" source="./media/deploy-service-catalog-quickstart/create-resource.png" alt-text="Screenshot of Azure home page with Create a resource highlighted.":::

+ :::image type="content" source="./media/deploy-service-catalog-quickstart/create-service-catalog-managed-application.png" alt-text="Screenshot of search result for Service Catalog Managed Application with create button highlighted.":::

+1. Select **Sample managed application** and then select **Create**.

+ The portal displays the managed application definitions that you created with the quickstart articles to publish an application definition.

+ :::image type="content" source="./media/deploy-service-catalog-quickstart/select-service-catalog-managed-application.png" alt-text="Screenshot that shows managed application definitions that you can deploy.":::

+1. Provide values for the **Basics** tab and select **Next: Web App settings**.

+ :::image type="content" source="./media/deploy-service-catalog-quickstart/basics-info.png" alt-text="Screenshot that highlights the required information on the basics tab.":::

+ - **Application resources Resource group name**: The name of the managed resource group that contains the resources that are deployed for the managed application. The default name is in the format `rg-{definitionName}-{dateTime}` but you can change the name.

+1. Provide values for the **Web App settings** tab and select **Next: Storage settings**.

+ :::image type="content" source="./media/deploy-service-catalog-quickstart/web-app-settings.png" alt-text="Screenshot that highlights the required information on the Web App settings tab.":::

+ - **App Service plan name**: Create a plan name. Maximum of 40 alphanumeric characters and hyphens. For example, _demoAppServicePlan_. App Service plan names must be unique within a resource group in your subscription.

+ - **App Service name prefix**: Create a prefix for the plan name. Maximum of 47 alphanumeric characters or hyphens. For example, _demoApp_. During deployment, the prefix is concatenated with a unique string to create a name that's globally unique across Azure.

+ :::image type="content" source="./media/deploy-service-catalog-quickstart/storage-settings.png" alt-text="Screenshot that shows the information needed to create a storage account.":::

+ - **Storage account name prefix**: Use only lowercase letters and numbers and a maximum of 11 characters. For example, _demostg1234_. During deployment, the prefix is concatenated with a unique string to create a name globally unique across Azure. Although you're creating a prefix, the control checks for existing names in Azure and might post a validation message that the name already exists. If so, choose a different prefix.

+1. Review the summary of the values you selected and verify **Validation Passed** is displayed. Select **Create** to deploy the managed application.

+ :::image type="content" source="./media/deploy-service-catalog-quickstart/summary-validation.png" alt-text="Screenshot that summarizes the values you selected and shows the status of validation passed.":::

+Go to the resource group named **applicationGroup** and select **Overview**. The resource group contains your managed application named _demoManagedApplication_.

+Select the managed application's name to get more information like the link to the managed resource group.

+ :::image type="content" source="./media/deploy-service-catalog-quickstart/view-managed-application.png" alt-text="Screenshot that shows the managed application's details and highlights the link to the managed resource group.":::

+Go to the managed resource group with the name prefix **rg-sampleManagedApplication** and select **Overview** to display the resources that were deployed. The resource group contains an App Service, App Service plan, and storage account.

+ :::image type="content" source="./media/deploy-service-catalog-quickstart/view-managed-resource-group.png" alt-text="Screenshot that shows the managed resource group that contains the resources deployed by the managed application definition.":::

+The managed resource group and each resource created by the managed application has a role assignment. When you used a quickstart article to create the definition, you created an Azure Active Directory group. That group was used in the managed application definition. When you deployed the managed application, a role assignment for that group was added to the managed resources.

+1. Go to your **rg-sampleManagedApplication** resource group.

+When your finished with the managed application, you can delete the resource groups and that removes all the resources you created. For example, in this quickstart you created the resource groups _applicationGroup_ and a managed resource group with the prefix _rg-sampleManagedApplication_.

+When the resource group that contains the managed application is deleted, the managed resource group is also deleted. In this example, when _applicationGroup_ is deleted the _rg-sampleManagedApplication_ resource group is also deleted.

+If you want to delete the managed application definition, delete the resource groups you created in the quickstart articles.

+- **Publish application definition**: _packageStorageGroup_ and _appDefinitionGroup_.

+- **Publish definition with bring your own storage**: _packageStorageGroup_, _byosDefinitionStorageGroup_, and _byosAppDefinitionGroup_.

+- To learn how to create and publish the definition files for a managed application, go to [Quickstart: Create and publish an Azure Managed Application definition](publish-service-catalog-app.md).

+- To use your own storage to create and publish the definition files for a managed application, go to [Quickstart: Bring your own storage to create and publish an Azure Managed Application definition](publish-service-catalog-bring-your-own-storage.md).

+ Title: Create and publish Azure Managed Application in service catalog

+description: Describes how to create and publish an Azure Managed Application in your service catalog that's intended for members of your organization.

+This quickstart provides an introduction to working with [Azure Managed Applications](overview.md). You create and publish a managed application definition that's stored in your service catalog and is intended for members of your organization.

+- Create a _.zip_ package that contains the required JSON files. The _.zip_ package file has a 120-MB limit for a service catalog's managed application definition.

+- Deploy the managed application definition so it's available in your service catalog.

+If your managed application definition is more than 120 MB or if you want to use your own storage account for your organization's compliance reasons, go to [Quickstart: Bring your own storage to create and publish an Azure Managed Application definition](publish-service-catalog-bring-your-own-storage.md).

+> You can use Bicep to develop a managed application definition but it must be converted to ARM template JSON before you can publish the definition in Azure. To convert Bicep to JSON, use the Bicep [build](../bicep/bicep-cli.md#build) command. After the file is converted to JSON it's recommended to verify the code for accuracy.

+>

+> Bicep files can be used to deploy an existing managed application definition.

+- An Azure account with an active subscription and permissions to Azure Active Directory resources like users, groups, or service principals. If you don't have an account, [create a free account](https://azure.microsoft.com/free/) before you begin.

+- [Visual Studio Code](https://code.visualstudio.com/) with the latest [Azure Resource Manager Tools extension](https://marketplace.visualstudio.com/items?itemName=msazurermtools.azurerm-vscode-tools). For Bicep files, install the [Bicep extension for Visual Studio Code](https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-bicep).

+Add the following JSON and save the file. It defines the resources to deploy an App Service, App Service plan, and storage account for the application. This storage account isn't used to store the managed application definition.

+ "location": {

+ "type": "string",

+ "defaultValue": "[resourceGroup().location]"

+ },

+ "appServicePlanName": {

+ "type": "string",

+ "maxLength": 40,

+ "metadata": {

+ "description": "App Service plan name."

+ }

+ },

+ "appServiceNamePrefix": {

+ "type": "string",

+ "maxLength": 47,

+ "metadata": {

+ "description": "App Service name prefix."

+ }

+ },

+ "description": "Storage account name prefix."

+ "allowedValues": [

+ "Premium_LRS",

+ "Standard_LRS",

+ "Standard_GRS"

+ ],

+ "metadata": {

+ "description": "Storage account type allowed values"

+ }

+ "appServicePlanSku": "F1",

+ "appServicePlanCapacity": 1,

+ "appServiceName": "[format('{0}{1}', parameters('appServiceNamePrefix'), uniqueString(resourceGroup().id))]",

+ "storageAccountName": "[format('{0}{1}', parameters('storageAccountNamePrefix'), uniqueString(resourceGroup().id))]"

+ {

+ "type": "Microsoft.Web/serverfarms",

+ "apiVersion": "2022-03-01",

+ "name": "[parameters('appServicePlanName')]",

+ "location": "[parameters('location')]",

+ "sku": {

+ "name": "[variables('appServicePlanSku')]",

+ "capacity": "[variables('appServicePlanCapacity')]"

+ }

+ },

+ {

+ "type": "Microsoft.Web/sites",

+ "apiVersion": "2022-03-01",

+ "name": "[variables('appServiceName')]",

+ "location": "[parameters('location')]",

+ "properties": {

+ "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]",

+ "httpsOnly": true,

+ "siteConfig": {

+ "appSettings": [

+ {

+ "name": "AppServiceStorageConnectionString",

+ "value": "[format('DefaultEndpointsProtocol=https;AccountName={0};EndpointSuffix={1};Key={2}', variables('storageAccountName'), environment().suffixes.storage, listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2022-09-01').keys[0].value)]"

+ }

+ ]

+ }

+ },

+ "dependsOn": [

+ "[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]",

+ "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"

+ ]

+ },

+ "apiVersion": "2022-09-01",

+ "properties": {

+ "accessTier": "Hot"

+ }

+ "appServicePlan": {

+ "type": "string",

+ "value": "[parameters('appServicePlanName')]"

+ },

+ "appServiceApp": {

+ "type": "string",

+ "value": "[reference(resourceId('Microsoft.Web/sites', variables('appServiceName')), '2022-03-01').defaultHostName]"

+ },

+ "storageAccount": {

+ "value": "[reference(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2022-09-01').primaryEndpoints.blob]"

+## Define your portal experience

+As a publisher, you define the portal experience to create the managed application. The _createUiDefinition.json_ file generates the portal's user interface. You define how users provide input for each parameter using [control elements](create-uidefinition-elements.md) like drop-downs and text boxes.

+Open Visual Studio Code, create a file with the case-sensitive name _createUiDefinition.json_ and save it. The user interface allows the user to input the App Service name prefix, App Service plan's name, storage account prefix, and storage account type. During deployment, the variables in _mainTemplate.json_ use the `uniqueString` function to append a 13-character string to the name prefixes so the names are globally unique across Azure.

+ {

+ "name": "webAppSettings",

+ "label": "Web App settings",

+ "subLabel": {

+ "preValidation": "Configure the web app settings",

+ "postValidation": "Completed"

+ },

+ "elements": [

+ {

+ "name": "appServicePlanName",

+ "type": "Microsoft.Common.TextBox",

+ "label": "App Service plan name",

+ "placeholder": "App Service plan name",

+ "defaultValue": "",

+ "toolTip": "Use alphanumeric characters or hyphens with a maximum of 40 characters.",

+ "constraints": {

+ "required": true,

+ "regex": "^[a-z0-9A-Z-]{1,40}$",

+ "validationMessage": "Only alphanumeric characters or hyphens are allowed, with a maximum of 40 characters."

+ },

+ "visible": true

+ },

+ {

+ "name": "appServiceName",

+ "type": "Microsoft.Common.TextBox",

+ "label": "App Service name prefix",

+ "placeholder": "App Service name prefix",

+ "defaultValue": "",

+ "toolTip": "Use alphanumeric characters or hyphens with minimum of 2 characters and maximum of 47 characters.",

+ "constraints": {

+ "required": true,

+ "regex": "^[a-z0-9A-Z-]{2,47}$",

+ "validationMessage": "Only alphanumeric characters or hyphens are allowed, with a minimum of 2 characters and maximum of 47 characters."

+ },

+ "visible": true

+ }

+ ]

+ },

+ "preValidation": "Configure the storage settings",

+ "postValidation": "Completed"

+ "toolTip": {

+ "prefix": "Enter maximum of 11 lowercase letters or numbers.",

+ "type": "Available choices are Standard_LRS, Standard_GRS, and Premium_LRS."

+ },

+ },

+ "visible": true

+ "location": "[location()]",

+ "appServicePlanName": "[steps('webAppSettings').appServicePlanName]",

+ "appServiceNamePrefix": "[steps('webAppSettings').appServiceName]",

+ "storageAccountType": "[steps('storageConfig').storageAccounts.type]"

+Add the two files to a package file named _app.zip_. The two files must be at the root level of the _.zip_ file. If the files are in a folder, when you create the managed application definition, you receive an error that states the required files aren't present.

+Upload _app.zip_ to an Azure storage account so you can use it when you deploy the managed application's definition. The storage account name must be globally unique across Azure and the length must be 3-24 characters with only lowercase letters and numbers. In the `Name` parameter, replace the placeholder `demostorageaccount` with your unique storage account name.

+```azurepowershell

+New-AzResourceGroup -Name packageStorageGroup -Location westus3

+ -ResourceGroupName packageStorageGroup `

+ -Location westus3 `

+ -File "app.zip" `

+```azurecli

+az group create --name packageStorageGroup --location westus3

+ --resource-group packageStorageGroup \

+ --location westus3 \

+```azurecli

+ --file "app.zip"

+In this section you get identity information from Azure Active Directory, create a resource group, and create the managed application definition.

+### Get group ID and role definition ID

+The next step is to select a user, security group, or application for managing the resources for the customer. This identity has permissions on the managed resource group according to the assigned role. The role can be any Azure built-in role like Owner or Contributor.

+This example uses a security group, and your Azure Active Directory account should be a member of the group. To get the group's object ID, replace the placeholder `managedAppDemo` with your group's name. You use this variable's value when you deploy the managed application definition.

+To create a new Azure Active Directory group, go to [Manage Azure Active Directory groups and group membership](../../active-directory/fundamentals/how-to-manage-groups.md).

+```azurepowershell

+$principalid=(Get-AzADGroup -DisplayName managedAppDemo).Id

+```azurecli

+principalid=$(az ad group show --group managedAppDemo --query id --output tsv)

+Next, get the role definition ID of the Azure built-in role you want to grant access to the user, group, or application. You use this variable's value when you deploy the managed application definition.

+```azurepowershell

+```azurecli

+Create a resource group for your managed application definition.

+```azurepowershell

+New-AzResourceGroup -Name appDefinitionGroup -Location westus3

+```azurecli

+az group create --name appDefinitionGroup --location westus3

+Create the managed application definition in the resource group.

+```azurepowershell

+ -Name "sampleManagedApplication" `

+ -Location "westus3" `

+ -DisplayName "Sample managed application" `

+ -Description "Sample managed application that deploys web resources" `

+ -Authorization "${principalid}:$roleid" `

+In the `blob` command's `account-name` parameter, replace the placeholder `demostorageaccount` with your unique storage account name.

+```azurecli

+ --name "sampleManagedApplication" \

+ --location "westus3" \

+ --display-name "Sample managed application" \

+ --description "Sample managed application that deploys web resources" \

+ --authorizations "$principalid:$roleid" \

+- **lock level**: The `lockLevel` on the managed resource group prevents the customer from performing undesirable operations on this resource group. Currently, `ReadOnly` is the only supported lock level. `ReadOnly` specifies that the customer can only read the resources present in the managed resource group. The publisher identities that are granted access to the managed resource group are exempt from the lock level.

+ - **Azure PowerShell**: `"${principalid}:$roleid"` or you can use curly braces for each variable `"${principalid}:${roleid}"`. Use a comma to separate multiple values: `"${principalid1}:$roleid1", "${principalid2}:$roleid2"`.

+ - **Azure CLI**: `"$principalid:$roleid"` or you can use curly braces as shown in PowerShell. Use a space to separate multiple values: `"$principalid1:$roleid1" "$principalid2:$roleid2"`.

+> [Quickstart: Deploy a service catalog managed application](deploy-service-catalog-quickstart.md)

+ Title: Bring your own storage to create and publish an Azure Managed Application definition

+description: Describes how to bring your own storage to create and publish an Azure Managed Application definition in your service catalog.

+# Quickstart: Bring your own storage to create and publish an Azure Managed Application definition

+This quickstart provides an introduction to bring your own storage (BYOS) for an [Azure Managed Application](overview.md). You create and publish a managed application definition in your service catalog for members of your organization. When you use your own storage account, your managed application definition can exceed the service catalog's 120-MB limit.

+To publish a managed application definition to your service catalog, do the following tasks:

+- Create an Azure Resource Manager template (ARM template) that defines the Azure resources deployed by the managed application.

+- Define the user interface elements for the portal when deploying the managed application.

+- Create a _.zip_ package that contains the required JSON files.

+- Create a storage account where you store the managed application definition.

+- Deploy the managed application definition to your own storage account so it's available in your service catalog.

+If you're managed application definition is less than 120 MB and you don't want to use your own storage account, go to [Quickstart: Create and publish an Azure Managed Application definition](publish-service-catalog-app.md).

+> [!NOTE]

+> You can use Bicep to develop a managed application definition but it must be converted to ARM template JSON before you can publish the definition in Azure. To convert Bicep to JSON, use the Bicep [build](../bicep/bicep-cli.md#build) command. After the file is converted to JSON it's recommended to verify the code for accuracy.

+>

+> Bicep files can be used to deploy an existing managed application definition.

+## Prerequisites

+To complete this quickstart, you need the following items:

+- An Azure account with an active subscription and permissions to Azure Active Directory resources like users, groups, or service principals. If you don't have an account, [create a free account](https://azure.microsoft.com/free/) before you begin.

+- [Visual Studio Code](https://code.visualstudio.com/) with the latest [Azure Resource Manager Tools extension](https://marketplace.visualstudio.com/items?itemName=msazurermtools.azurerm-vscode-tools). For Bicep files, install the [Bicep extension for Visual Studio Code](https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-bicep).

+- Install the latest version of [Azure PowerShell](/powershell/azure/install-az-ps) or [Azure CLI](/cli/azure/install-azure-cli).

+## Create the ARM template

+Every managed application definition includes a file named _mainTemplate.json_. The template defines the Azure resources to deploy and is no different than a regular ARM template.

+Open Visual Studio Code, create a file with the case-sensitive name _mainTemplate.json_ and save it.

+Add the following JSON and save the file. It defines the managed application's resources to deploy an App Service, App Service plan, and a storage account.

+```json

+{

+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",

+ "contentVersion": "1.0.0.0",

+ "parameters": {

+ "location": {

+ "type": "string",

+ "defaultValue": "[resourceGroup().location]"

+ },

+ "appServicePlanName": {

+ "type": "string",

+ "maxLength": 40,

+ "metadata": {

+ "description": "App Service plan name."

+ }

+ },

+ "appServiceNamePrefix": {

+ "type": "string",

+ "maxLength": 47,

+ "metadata": {

+ "description": "App Service name prefix."

+ }

+ },

+ "storageAccountNamePrefix": {

+ "type": "string",

+ "maxLength": 11,

+ "metadata": {

+ "description": "Storage account name prefix."

+ }

+ },

+ "storageAccountType": {

+ "type": "string",

+ "allowedValues": [

+ "Premium_LRS",

+ "Standard_LRS",

+ "Standard_GRS"

+ ],

+ "metadata": {

+ "description": "Storage account type allowed values"

+ }

+ }

+ },

+ "variables": {

+ "appServicePlanSku": "F1",

+ "appServicePlanCapacity": 1,

+ "appServiceName": "[format('{0}{1}', parameters('appServiceNamePrefix'), uniqueString(resourceGroup().id))]",

+ "storageAccountName": "[format('{0}{1}', parameters('storageAccountNamePrefix'), uniqueString(resourceGroup().id))]"

+ },

+ "resources": [

+ {

+ "type": "Microsoft.Web/serverfarms",

+ "apiVersion": "2022-03-01",

+ "name": "[parameters('appServicePlanName')]",

+ "location": "[parameters('location')]",

+ "sku": {

+ "name": "[variables('appServicePlanSku')]",

+ "capacity": "[variables('appServicePlanCapacity')]"

+ }

+ },

+ {

+ "type": "Microsoft.Web/sites",

+ "apiVersion": "2022-03-01",

+ "name": "[variables('appServiceName')]",

+ "location": "[parameters('location')]",

+ "properties": {

+ "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]",

+ "httpsOnly": true,

+ "siteConfig": {

+ "appSettings": [

+ {

+ "name": "AppServiceStorageConnectionString",

+ "value": "[format('DefaultEndpointsProtocol=https;AccountName={0};EndpointSuffix={1};Key={2}', variables('storageAccountName'), environment().suffixes.storage, listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2022-09-01').keys[0].value)]"

+ }

+ ]

+ }

+ },

+ "dependsOn": [

+ "[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]",

+ "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"

+ ]

+ },

+ {

+ "type": "Microsoft.Storage/storageAccounts",

+ "apiVersion": "2022-09-01",

+ "name": "[variables('storageAccountName')]",

+ "location": "[parameters('location')]",

+ "sku": {

+ "name": "[parameters('storageAccountType')]"

+ },

+ "kind": "StorageV2",

+ "properties": {

+ "accessTier": "Hot"

+ }

+ }

+ ],

+ "outputs": {

+ "appServicePlan": {

+ "type": "string",

+ "value": "[parameters('appServicePlanName')]"

+ },

+ "appServiceApp": {

+ "type": "string",

+ "value": "[reference(resourceId('Microsoft.Web/sites', variables('appServiceName')), '2022-03-01').defaultHostName]"

+ },

+ "storageAccount": {

+ "type": "string",

+ "value": "[reference(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2022-09-01').primaryEndpoints.blob]"

+ }

+ }

+}

+```

+## Define your portal experience

+As a publisher, you define the portal experience to create the managed application. The _createUiDefinition.json_ file generates the portal's user interface. You define how users provide input for each parameter using [control elements](create-uidefinition-elements.md) like drop-downs and text boxes.

+Open Visual Studio Code, create a file with the case-sensitive name _createUiDefinition.json_ and save it. The user interface allows the user to input the App Service name prefix, App Service plan's name, storage account prefix, and storage account type. During deployment, the variables in _mainTemplate.json_ use the `uniqueString` function to append a 13-character string to the name prefixes so the names are globally unique across Azure.

+Add the following JSON to the file and save it.

+```json

+{

+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",

+ "handler": "Microsoft.Azure.CreateUIDef",

+ "version": "0.1.2-preview",

+ "parameters": {

+ "basics": [

+ {}

+ ],

+ "steps": [

+ {

+ "name": "webAppSettings",

+ "label": "Web App settings",

+ "subLabel": {

+ "preValidation": "Configure the web app settings",

+ "postValidation": "Completed"

+ },

+ "elements": [

+ {

+ "name": "appServicePlanName",

+ "type": "Microsoft.Common.TextBox",

+ "label": "App Service plan name",

+ "placeholder": "App Service plan name",

+ "defaultValue": "",

+ "toolTip": "Use alphanumeric characters or hyphens with a maximum of 40 characters.",

+ "constraints": {

+ "required": true,

+ "regex": "^[a-z0-9A-Z-]{1,40}$",

+ "validationMessage": "Only alphanumeric characters or hyphens are allowed, with a maximum of 40 characters."

+ },

+ "visible": true

+ },

+ {

+ "name": "appServiceName",

+ "type": "Microsoft.Common.TextBox",

+ "label": "App Service name prefix",

+ "placeholder": "App Service name prefix",

+ "defaultValue": "",

+ "toolTip": "Use alphanumeric characters or hyphens with minimum of 2 characters and maximum of 47 characters.",

+ "constraints": {

+ "required": true,

+ "regex": "^[a-z0-9A-Z-]{2,47}$",

+ "validationMessage": "Only alphanumeric characters or hyphens are allowed, with a minimum of 2 characters and maximum of 47 characters."

+ },

+ "visible": true

+ }

+ ]

+ },

+ {

+ "name": "storageConfig",

+ "label": "Storage settings",

+ "subLabel": {

+ "preValidation": "Configure the storage settings",

+ "postValidation": "Completed"

+ },

+ "elements": [

+ {

+ "name": "storageAccounts",

+ "type": "Microsoft.Storage.MultiStorageAccountCombo",

+ "label": {

+ "prefix": "Storage account name prefix",

+ "type": "Storage account type"

+ },

+ "toolTip": {

+ "prefix": "Enter maximum of 11 lowercase letters or numbers.",

+ "type": "Available choices are Standard_LRS, Standard_GRS, and Premium_LRS."

+ },

+ "defaultValue": {

+ "type": "Standard_LRS"

+ },

+ "constraints": {

+ "allowedTypes": [

+ "Premium_LRS",

+ "Standard_LRS",

+ "Standard_GRS"

+ ]

+ },

+ "visible": true

+ }

+ ]

+ }

+ ],

+ "outputs": {

+ "location": "[location()]",

+ "appServicePlanName": "[steps('webAppSettings').appServicePlanName]",

+ "appServiceNamePrefix": "[steps('webAppSettings').appServiceName]",

+ "storageAccountNamePrefix": "[steps('storageConfig').storageAccounts.prefix]",

+ "storageAccountType": "[steps('storageConfig').storageAccounts.type]"

+ }

+ }

+}

+```

+To learn more, go to [Get started with CreateUiDefinition](create-uidefinition-overview.md).

+## Package the files

+Add the two files to a package file named _app.zip_. The two files must be at the root level of the _.zip_ file. If the files are in a folder, when you create the managed application definition, you receive an error that states the required files aren't present.

+Upload _app.zip_ to an Azure storage account so you can use it when you deploy the managed application's definition. The storage account name must be globally unique across Azure and the length must be 3-24 characters with only lowercase letters and numbers. In the `Name` parameter, replace the placeholder `demostorageaccount` with your unique storage account name.

+# [PowerShell](#tab/azure-powershell)

+```azurepowershell

+New-AzResourceGroup -Name packageStorageGroup -Location westus3

+$storageAccount = New-AzStorageAccount `

+ -ResourceGroupName packageStorageGroup `

+ -Name "demostorageaccount" `

+ -Location westus3 `

+ -SkuName Standard_LRS `

+ -Kind StorageV2

+$ctx = $storageAccount.Context

+New-AzStorageContainer -Name appcontainer -Context $ctx -Permission blob

+Set-AzStorageBlobContent `

+ -File "app.zip" `

+ -Container appcontainer `

+ -Blob "app.zip" `

+ -Context $ctx

+```

+Use the following command to store the package file's URI in a variable named `packageuri`. You use the variable's value when you deploy the managed application definition.

+```azurepowershell

+$packageuri=(Get-AzStorageBlob -Container appcontainer -Blob app.zip -Context $ctx).ICloudBlob.StorageUri.PrimaryUri.AbsoluteUri

+```

+# [Azure CLI](#tab/azure-cli)

+```azurecli

+az group create --name packageStorageGroup --location westus3

+az storage account create \

+ --name demostorageaccount \

+ --resource-group packageStorageGroup \

+ --location westus3 \

+ --sku Standard_LRS \

+ --kind StorageV2

+```

+After you create the storage account, add the role assignment _Storage Blob Data Contributor_ to the storage account scope. Assign access to your Azure Active Directory user account. Depending on your access level in Azure, you might need other permissions assigned by your administrator. For more information, go to [Assign an Azure role for access to blob data](../../storage/blobs/assign-azure-role-data-access.md).

+After you add the role to the storage account, it takes a few minutes to become active in Azure. You can then use the parameter `--auth-mode login` in the commands to create the container and upload the file.

+```azurecli

+az storage container create \

+ --account-name demostorageaccount \

+ --name appcontainer \

+ --auth-mode login \

+ --public-access blob

+az storage blob upload \

+ --account-name demostorageaccount \

+ --container-name appcontainer \

+ --auth-mode login \

+ --name "app.zip" \

+ --file "app.zip"

+```

+For more information about storage authentication, go to [Choose how to authorize access to blob data with Azure CLI](../../storage/blobs/authorize-data-operations-cli.md).

+Use the following command to store the package file's URI in a variable named `packageuri`. You use the variable's value when you deploy the managed application definition.

+```azurecli

+packageuri=$(az storage blob url \

+ --account-name demostorageaccount \

+ --container-name appcontainer \

+ --auth-mode login \

+ --name app.zip --output tsv)

+```

+## Bring your own storage for the managed application definition

+You store your managed application definition in your own storage account so that its location and access can be managed by you for your organization's regulatory needs. Using your own storage account allows you to have an application that exceeds the 120-MB limit for a service catalog's managed application definition.

+> [!NOTE]

+> Bring your own storage is only supported with ARM template or REST API deployments of the managed application definition.

+### Create the storage account

+Create the storage account for your managed application definition. The storage account name must be globally unique across Azure and the length must be 3-24 characters with only lowercase letters and numbers.

+This example creates a new resource group named `byosDefinitionStorageGroup`. In the `Name` parameter, replace the placeholder `definitionstorage` with your unique storage account name.

+# [PowerShell](#tab/azure-powershell)

+```azurepowershell

+New-AzResourceGroup -Name byosDefinitionStorageGroup -Location westus3

+New-AzStorageAccount `

+ -ResourceGroupName byosDefinitionStorageGroup `

+ -Name "definitionstorage" `

+ -Location westus3 `

+ -SkuName Standard_LRS `

+ -Kind StorageV2

+```

+Use the following command to store the storage account's resource ID in a variable named `storageid`. You use the variable's value when you deploy the managed application definition.

+```azurepowershell

+$storageid = (Get-AzStorageAccount -ResourceGroupName byosDefinitionStorageGroup -Name definitionstorage).Id

+```

+# [Azure CLI](#tab/azure-cli)

+```azurecli

+az group create --name byosDefinitionStorageGroup --location westus3

+az storage account create \

+ --name definitionstorage \

+ --resource-group byosDefinitionStorageGroup \

+ --location westus3 \

+ --sku Standard_LRS \

+ --kind StorageV2

+```

+Use the following command to store the storage account's resource ID in a variable named `storageid`. You use the variable's value to set up the storage account's role assignment and when you deploy the managed application definition.

+```azurecli

+storageid=$(az storage account show --resource-group byosDefinitionStorageGroup --name definitionstorage --query id --output tsv)

+```

+### Set the role assignment for your storage account

+Before you deploy your managed application definition to your storage account, assign the **Contributor** role to the **Appliance Resource Provider** user at the storage account scope. This assignment lets the identity write definition files to your storage account's container.

+# [PowerShell](#tab/azure-powershell)

+You can use variables to set up the role assignment. This example uses the `$storageid` variable you created in the previous step and creates the `$arpid` variable.

+```azurepowershell

+$arpid = (Get-AzADServicePrincipal -SearchString "Appliance Resource Provider").Id

+New-AzRoleAssignment -ObjectId $arpid `

+-RoleDefinitionName Contributor `

+-Scope $storageid

+```

+# [Azure CLI](#tab/azure-cli)

+You can use variables to set up the role assignment. This example uses the `$storageid` variable you created in the previous step and creates the `$arpid` variable.

+```azurecli

+arpid=$(az ad sp list --display-name "Appliance Resource Provider" --query [].id --output tsv)

+az role assignment create --assignee $arpid \

+--role "Contributor" \

+--scope $storageid

+```

+If you're running CLI commands with Git Bash for Windows, you might get an `InvalidSchema` error because of the `scope` parameter's string. To fix the error, run `export MSYS_NO_PATHCONV=1` and then rerun your command to create the role assignment.

+The _Appliance Resource Provider_ is a service principal in your Azure Active Directory's tenant. From the Azure portal, you can verify if it's registered by going to **Azure Active Directory** > **Enterprise applications** and change the search filter to **Microsoft Applications**. Search for _Appliance Resource Provider_. If it isn't found, [register](../troubleshooting/error-register-resource-provider.md) the `Microsoft.Solutions` resource provider.

+## Get group ID and role definition ID

+The next step is to select a user, security group, or application for managing the resources for the customer. This identity has permissions on the managed resource group according to the assigned role. The role can be any Azure built-in role like Owner or Contributor.

+This example uses a security group, and your Azure Active Directory account should be a member of the group. To get the group's object ID, replace the placeholder `managedAppDemo` with your group's name. You use the variable's value when you deploy the managed application definition.

+To create a new Azure Active Directory group, go to [Manage Azure Active Directory groups and group membership](../../active-directory/fundamentals/how-to-manage-groups.md).

+# [PowerShell](#tab/azure-powershell)

+```azurepowershell

+$principalid=(Get-AzADGroup -DisplayName managedAppDemo).Id

+```

+# [Azure CLI](#tab/azure-cli)

+```azurecli

+principalid=$(az ad group show --group managedAppDemo --query id --output tsv)

+```

+Next, get the role definition ID of the Azure built-in role you want to grant access to the user, group, or application. You use the variable's value when you deploy the managed application definition.

+# [PowerShell](#tab/azure-powershell)

+```azurepowershell

+$roleid=(Get-AzRoleDefinition -Name Owner).Id

+```

+# [Azure CLI](#tab/azure-cli)

+```azurecli

+roleid=$(az role definition list --name Owner --query [].name --output tsv)

+```

+## Create the definition deployment template

+Use a Bicep file to deploy the managed application definition in your service catalog. After the deployment, the definition files are stored in your own storage account.

+Open Visual Studio Code, create a file with the name _deployDefinition.bicep_ and save it.

+Add the following Bicep code and save the file.

+```bicep

+param location string = resourceGroup().location

+@description('Name of the managed application definition.')

+param managedApplicationDefinitionName string

+@description('Resource ID for the bring your own storage account where the definition is stored.')

+param definitionStorageResourceID string

+@description('The URI of the .zip package file.')

+param packageFileUri string

+@description('Publishers Principal ID that needs permissions to manage resources in the managed resource group.')

+param principalId string

+@description('Role ID for permissions to the managed resource group.')

+param roleId string

+var definitionLockLevel = 'ReadOnly'

+var definitionDisplayName = 'Sample BYOS managed application'

+var definitionDescription = 'Sample BYOS managed application that deploys web resources'

+resource managedApplicationDefinition 'Microsoft.Solutions/applicationDefinitions@2021-07-01' = {

+ name: managedApplicationDefinitionName

+ location: location

+ properties: {

+ lockLevel: definitionLockLevel

+ description: definitionDescription

+ displayName: definitionDisplayName

+ packageFileUri: packageFileUri

+ storageAccountId: definitionStorageResourceID

+ authorizations: [

+ {

+ principalId: principalId

+ roleDefinitionId: roleId

+ }

+ ]

+ }

+}

+```

+For more information about the template's properties, go to [Microsoft.Solutions/applicationDefinitions](/azure/templates/microsoft.solutions/applicationdefinitions).

+The `lockLevel` on the managed resource group prevents the customer from performing undesirable operations on this resource group. Currently, `ReadOnly` is the only supported lock level. `ReadOnly` specifies that the customer can only read the resources present in the managed resource group. The publisher identities that are granted access to the managed resource group are exempt from the lock level.

+## Create the parameter file

+The managed application definition's deployment template needs input for several parameters. The deployment command prompts you for the values or you can create a parameter file for the values. In this example, we use a parameter file to pass the parameter values to the deployment command.

+In Visual Studio Code, create a new file named _deployDefinition.parameters.json_ and save it.

+Add the following to your parameter file and save it. Then, replace the `{placeholder values}` including the curly braces, with your values.

+```json

+{

+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",

+ "contentVersion": "1.0.0.0",

+ "parameters": {

+ "managedApplicationDefinitionName": {

+ "value": "{placeholder for managed application name}"

+ },

+ "definitionStorageResourceID": {

+ "value": "{placeholder for you storage account ID}"

+ },

+ "packageFileUri": {

+ "value": "{placeholder for the packageFileUri}"

+ },

+ "principalId": {

+ "value": "{placeholder for principalid value}"

+ },

+ "roleId": {

+ "value": "{placeholder for roleid value}"

+ }

+ }

+}

+```

+The following table describes the parameter values for the managed application definition.

+| Parameter | Value |

+| - | - |

+| `managedApplicationDefinitionName` | Name of the managed application definition. For this example, use _sampleByosManagedApplication_.|

+| `definitionStorageResourceID` | Resource ID for the storage account where the definition is stored. Use your `storageid` variable's value. |

+| `packageFileUri` | Enter the URI for your _.zip_ package file. Use your `packageuri` variable's value. The format is `https://yourStorageAccountName.blob.core.windows.net/appcontainer/app.zip`. |

+| `principalId` | The publishers Principal ID that needs permissions to manage resources in the managed resource group. Use your `principalid` variable's value. |

+| `roleId` | Role ID for permissions to the managed resource group. For example Owner, Contributor, Reader. Use your `roleid` variable's value. |

+To get your variable values from the command prompt:

+- Azure PowerShell: type `$variableName` to display the value.

+- Azure CLI: type `echo $variableName` to display the value.

+## Deploy the definition

+When you deploy the managed application's definition, it becomes available in your service catalog. This process doesn't deploy the managed application's resources.

+Create a resource group named _byosAppDefinitionGroup_ and deploy the managed application definition to your storage account.

+# [PowerShell](#tab/azure-powershell)

+```azurepowershell

+New-AzResourceGroup -Name byosAppDefinitionGroup -Location westus3

+New-AzResourceGroupDeployment `

+ -ResourceGroupName byosAppDefinitionGroup `

+ -TemplateFile deployDefinition.bicep `

+ -TemplateParameterFile deployDefinition.parameters.json

+```

+# [Azure CLI](#tab/azure-cli)

+```azurecli

+az group create --name byosAppDefinitionGroup --location westus3

+az deployment group create \

+ --resource-group byosAppDefinitionGroup \

+ --template-file deployDefinition.bicep \

+ --parameters @deployDefinition.parameters.json

+```

+## Verify definition files storage

+During deployment, the template's `storageAccountId` property uses your storage account's resource ID and creates a new container with the case-sensitive name `applicationdefinitions`. The files from the _.zip_ package you specified during the deployment are stored in the new container.

+You can use the following commands to verify that the managed application definition files are saved in your storage account's container. In the `Name` parameter, replace the placeholder `definitionstorage` with your unique storage account name.

+# [PowerShell](#tab/azure-powershell)

+```azurepowershell

+Get-AzStorageAccount -ResourceGroupName byosDefinitionStorageGroup -Name definitionstorage |

+Get-AzStorageContainer -Name applicationdefinitions |

+Get-AzStorageBlob | Select-Object -Property Name | Format-List

+```

+# [Azure CLI](#tab/azure-cli)

+```azurecli

+az storage blob list \

+ --container-name applicationdefinitions \

+ --account-name definitionstorage \

+ --query "[].{Name:name}"

+```

+When you run the Azure CLI command, a credentials warning message might be displayed similar to the CLI command in [package the files](#package-the-files). To clear the warning message, you can assign yourself _Storage Blob Data Contributor_ or _Storage Blob Data Reader_ to the storage account's scope, and then include the `--auth-mode login` parameter in the command.

+> [!NOTE]

+> For added security, you can create a managed applications definition and store it in an [Azure storage account blob where encryption is enabled](../../storage/common/storage-service-encryption.md). The definition contents are encrypted through the storage account's encryption options. Only users with permissions to the file can access the definition in your service catalog.

+## Make sure users can access your definition

+You have access to the managed application definition, but you want to make sure other users in your organization can access it. Grant them at least the Reader role on the definition. They may have inherited this level of access from the subscription or resource group. To check who has access to the definition and add users or groups, go to [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).

+## Next steps

+You've published the managed application definition. Now, learn how to deploy an instance of that definition.

+> [!div class="nextstepaction"]

+> [Quickstart: Deploy a service catalog managed application](deploy-service-catalog-quickstart.md)

+Resource providers apply their own throttling limits. Within each subscription, the resource provider throttles per region of the resource in the request. Because Resource Manager throttles by instance of Resource Manager, and there are several instances of Resource Manager in each region, the resource provider might receive more requests than the default limits in the previous section.