+Azure Active Directory B2C (Azure AD B2C) pricing is based on monthly active users (MAU), which is the count of unique users with authentication activity within a calendar month. This billing model applies to both Azure AD B2C tenants and [Azure AD guest user collaboration (B2B)](../active-directory/external-identities/external-identities-pricing.md). MAU billing helps you reduce costs by offering a free tier and flexible, predictable pricing.

+In this article, learn about MAU and Go Local billing, linking Azure AD B2C tenants to a subscription, and changing the pricing tier.

+A monthly active user (MAU) is a unique user that performs an authentication within a given month. A user that authenticates multiple times within a given month is counted as one MAU. Customers aren't charged for a MAUΓÇÖs subsequent authentications during the month, nor for inactive users. Authentications may include:

+- Active, interactive sign in by the user. For example, [sign-up or sign in](add-sign-up-and-sign-in-policy.md), [self-service password reset](add-password-reset-policy.md), or any type of [user flow](user-flow-overview.md) or [custom policy](custom-policy-overview.md).

+- Passive, non-interactive sign in such as [single sign-on (SSO)](session-behavior.md), or any type of token acquisition. For example, authorization code flow, token refresh, or [resource owner password credentials flow](add-ropc-policy.md).

+If Azure AD B2C [Go-Local add-on](data-residency.md#go-local-add-on) is available in your country/region, and you enable it, you'll be charged per MAU, which is an added charge to your Azure AD B2C [Premium P1 or P2 pricing](https://azure.microsoft.com/pricing/details/active-directory-b2c/) license. Learn more [About Local Data Residency add-on](#about-go-local-add-on)

+Also, if you choose to provide higher levels of assurance by using Multi-factor Authentication (MFA) for Voice and SMS, you'll be charged a worldwide flat fee for each MFA attempt that month, whether the sign in is successful or unsuccessful.

+

+> [!NOTE]

+> Your first 50,000 MAUs per month are free for both Premium P1 and Premium P2 features, but the **free tier doesnΓÇÖt apply to free trial, credit-based, or sponsorship subscriptions**. Once the free trial period or credits expire for these types of subscriptions, you'll begin to be charged for Azure AD B2C MAUs. To determine the total number of MAUs, we combine MAUs from all your tenants (both Azure AD and Azure AD B2C) that are linked to the same subscription.

+## About Go-Local add-on

+Azure AD B2C's [Go-Local add-on](data-residency.md#go-local-add-on) enables you to create Azure AD B2C tenant within the country you choose when you [create your Azure AD B2C](tutorial-create-tenant.md). *Go-Local* refers to MicrosoftΓÇÖs commitment to allow some customers to configure some services to store their data at rest in the Geo of the customerΓÇÖs choice, typically a country. This feature isn't available in all countries.

+> If you enable Go-Local add-on , the 50,000 free MAUs per month given by your AD B2C subscription doesn't apply for Go-Local add-on . You'll incur a charge per MAU, on the Go-Local add-on from the first MAU. However, you'll continue to enjoy free 50,000 MAUs per month on the other features available on your Azure AD B2C [Premium P1 or P2 pricing](https://azure.microsoft.com/pricing/details/active-directory-b2c/).

+Usage charges for Azure AD B2C are billed to an Azure subscription. You need to explicitly link an Azure AD B2C tenant to an Azure subscription by creating an Azure AD B2C *resource* within the target Azure subscription. Several Azure AD B2C resources can be created in a single Azure subscription, along with other Azure resources like virtual machines, and storage accounts. You can see all of the resources within a subscription by going to the Azure Active Directory (Azure AD) tenant that the subscription is associated with.

+1. Select an **Azure AD B2C Tenant** from the dropdown. Only tenants for which you're a global administrator and that aren't already linked to a subscription are shown. The **Azure AD B2C Resource name** field is populated with the domain name of the Azure AD B2C tenant you select.

+1. Sign in to the [Azure portal](https://portal.azure.com/).

+1. Make sure you're using the Azure AD directory that contains the subscription your Azure B2C tenant and not the Azure AD B2C tenant itself:

+ 1. In the Azure portal toolbar, select the **Directories + subscriptions** (:::image type="icon" source="./../active-directory/develop/media/common/portal-directory-subscription-filter.png" border="false":::) icon.

+ 1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD directory in the **Directory name** list, and then select **Switch** button next to it.

+The management of Azure AD B2C using role-based access control isn't affected by the association between the Azure AD B2C tenant and an Azure CSP subscription. Role-based access control is achieved by using tenant-based roles, not subscription-based roles.

+1. Select the **Delete** button on the **Overview** page. This action *doesn't* delete the related Azure AD B2C tenant's users or applications. It merely removes the billing link from the source subscription.

+## Other features

+| Feature | Status | Notes |

+| - | :--: | -- |

+| [Go-Local add-on](data-residency.md#go-local-add-on) | Preview | Azure AD B2C's [Go-Local add-on](data-residency.md#go-local-add-on) enables you to create Azure AD B2C tenant within the country you choose when you [create your Azure AD B2C](tutorial-create-tenant.md). |

+ Title: "Azure AD B2C: Region availability & data residency"

+Region availability and data residency are two different concepts that apply to Azure AD B2C. This article explains the differences between these two concepts, and compares how they apply to Azure versus Azure AD B2C. [Region availability](#region-availability) refers to where a service is available for use whereas [Data residency](#data-residency) refers to where user data is stored.

+

+If you enable [Go-Local add-on](#go-local-add-on), you can store your data exclusively in a specific country.

+Azure AD B2C service is available worldwide via the Azure public cloud. You can see availability of this service in both Azure's [Products Available By Region](https://azure.microsoft.com/regions/services/) page and the [Active Directory B2C pricing calculator](https://azure.microsoft.com/pricing/details/active-directory-b2c/). Also, Azure AD B2C service is highly available. Learn more about [Service Level Agreement (SLA) for Azure Active Directory B2C](https://azure.microsoft.com/support/legal/sla/active-directory-b2c/v1_1).

+Azure AD B2C stores customer data in the United States, Europe, the Asia Pacific region, Japan or Australia.

+Data residency is determined by the location you select when you [create an Azure AD B2C tenant](tutorial-create-tenant.md):

+To find the exact location where your data is located per region or country, refer to [where Azure Active Directory data is located](https://aka.ms/aaddatamap)service.

+### Go-Local add-on

+*Go-Local* refers to MicrosoftΓÇÖs commitment to allow some customers to configure some services to store their data at rest in the Geo of the customerΓÇÖs choice, typically a country. Go-Local is as way fulfilling corporate policies and compliance requirements. You choose the country where you want to store your data when you [create your Azure AD B2C](tutorial-create-tenant.md).

+The Go-Local add-on is a paid add-on, but it's optional. If you choose to use it, you'll incur an extra charge in addition to your Azure AD B2C Premium P1 or P2 licenses. See more information in [Billing model](billing.md).

+At the moment, the following countries have the local data residence option:

+- Japan

+- Australia

+#### What do I need to do?

+|If you're in | What to do |

+|-||

+| Australia | If you've an existing Azure AD B2C tenant that you created since **April 2021**, then your data is resident in Australia. You need to opt in to start using Go-Local add-on. <br> If you're creating a new Azure AD B2C tenant, you can enable Go-Local add-on when you create it.|

+| Japan | You can enable Go-Local add-on when you create a new Azure AD B2C tenant. |

+- Upon sign in, after credentials validation with a local or social account, Azure AD B2C invokes the REST API, which sends the user's unique identifier as a user primary key (email address or user objectId). The REST API reads the data from the remote database and returns the user profile.

+After sign-up, profile editing, or sign-in action is complete, Azure AD B2C includes the user profile in the access token that is returned to the application. For more information, see the [Azure AD B2C Remote profile sample solution](https://github.com/azure-ad-b2c/samples/tree/master/policies/remote-profile) in GitHub.

+ Title: Supported Azure Active Directory features

+description: Learn about Azure Active Directory features, which are still supported in Azure AD B2C.

+# Supported Azure Active Directory features

+An Azure Active Directory B2C (Azure AD B2C) tenant is different than an Azure Active Directory (Azure AD) tenant, which you may already have, but it relies on it. The following Azure AD features can be used in your Azure AD B2C tenant.

+| [Go-Local add-on](data-residency.md#go-local-add-on) | Azure AD Go-Local add-on enables you to store data in the country you choose when your Azure AD tenant.| Just like Azure AD, Azure AD B2C supports [Go-Local add-on](data-residency.md#go-local-add-on). |

+> **Other Azure resources in your tenant:** <br>In an Azure AD B2C tenant, you can't provision other Azure resources such as virtual machines, Azure web apps, or Azure functions. You must create these resources in your Azure AD tenant.

+1. Make sure you're using the Azure Active Directory (Azure AD) tenant that contains your subscription:

+ 1. In the Azure portal toolbar, select the **Directories + subscriptions** (:::image type="icon" source="./../active-directory/develop/media/common/portal-directory-subscription-filter.png" border="false":::) icon.

+

+ 1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD directory that contains your subscription in the **Directory name** list, and then select **Switch** button next to it.

+

+ 1. Select your subscription, and then in the left menu, select **Resource providers**. If you don't see the left menu, select the **Show the menu for < name of your subscription >** icon at the top left part of the page to expand it.

+ 1. Make sure the **Microsoft.AzureActiveDirectory** row shows a status of **Registered**. If it doesn't, select the row, and then select **Register**.

+1. On the **Create a directory** page:

+ - For **Organization name**, enter a name for your Azure AD B2C tenant.

+ - For **Initial domain name**, enter a domain name for your Azure AD B2C tenant.

+ - For **Location**, select your country from the list. If the country you select has a [Go-Local add-on](data-residency.md#go-local-add-on) option, such as Japan or Australia, and you want to store your data exclusively within that country, select the **Store Azure AD Core Store data, components and service data in the location selected above** checkbox. Go-Local add-on is a paid add-on whose charge is added to your Azure AD B2C Premium P1 or P2 licenses charges, see [Billing model](billing.md#about-go-local-add-on). You can't change the data residency region after you create your Azure AD B2C tenant.

+ - For **Subscription**, select your subscription from the list.

+ - For **Resource group**, select or search for the resource group that will contain the tenant.

+ :::image type="content" source="media/tutorial-create-tenant/review-and-create-tenant.png" alt-text="Screenshot of create tenant form in with example values in Azure portal.":::

+1. In the Azure portal toolbar, select the **Directories + subscriptions** filter icon (:::image type="icon" source="./../active-directory/develop/media/common/portal-directory-subscription-filter.png" border="false":::).

+When a user selects **Yes** on the *Stay signed in?* prompt option during sign-in, a persistent cookie is set on the browser. This persistent cookie remembers both first and second factor, and it applies only for authentication requests in the browser.

+For more information on configuring the option to let users remain signed-in, see [How to manage the 'Stay signed in?' prompt](../fundamentals/how-to-manage-stay-signed-in-prompt.md).

+>[!IMPORTANT]

+>PolicyOID should be in object identifier format as per https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.4. For ex: If the certificate policies says "All Issuance Policies" you should enter the OID as 2.5.29.32.0 in the add rules editor. Entering the string "All Issuance Policies" in rules editor is invalid and will not take effect.

+>[!NOTE]

+>Rollout has not yet completed across Outlook applications. If this feature is enabled in your tenant, your users may not yet be prompted for the experience. To minimize user disruption, we recommend enabling this feature when the rollout completes.

+>[!NOTE]

+>Rollout has not yet completed across Outlook applications. If this feature is enabled in your tenant, your users may not yet be prompted for the experience. To minimize user disruption, we recommend enabling this feature when the rollout completes.

+### Enablement Authenticator Lite in Azure portal UX

+To enable Authenticator Lite in the Azure portal, complete the following steps:

+ 1. In the Azure portal, click Security > Authentication methods > Microsoft Authenticator.

+ 2. On the Enable and Target tab, click Yes and All users to enable the policy for everyone or add selected users and groups. Set the Authentication mode for these users/groups to Any or Push.

+ Only users who are enabled for Microsoft Authenticator here can be enabled to use Authenticator Lite for sign-in, or excluded from it. Users who aren't enabled for Microsoft Authenticator can't see the feature. Users who have Microsoft Authenticator downloaded on the same device Outlook is downloaded on will not be prompted to register for Authenticator Lite in Outlook.

+<img width="1112" alt="Entra portal Authenticator settings" src="https://user-images.githubusercontent.com/108090297/228603771-52c5933c-f95e-4f19-82db-eda2ba640b94.png">

+ 3. On the Configure tab, for **Microsoft Authenticator on companion applications**, change Status to Enabled, choose who to include or exclude from Authenticator Lite, and click Save.

+<img width="664" alt="Authenticator Lite configuration settings" src="https://user-images.githubusercontent.com/108090297/228603364-53f2581f-a4e0-42ee-8016-79b23e5eff6c.png">

+### Enable Authenticator Lite via Graph APIs

+Push notifications sent by Authenticator Lite aren't configurable and don't depend on the Authenticator feature settings. The settings for features included in the Authenticator Lite experience are listed in the following table. Every authentication includes a number matching prompt and does not include app and location context, regardless of Microsoft Authentiator feature settings.

+Users that have Microsoft Authenticator on their device can't register Authenticator Lite on that same device. If a user has an Authenticator Lite registration and then later downloads Microsoft Authenticator, they can register both. If a user has two devices, they can register Authenticator Lite on one and Microsoft Authenticator on the other.

+Although NPS doesn't support number matching, the latest NPS extension does support time-based one-time password (TOTP) methods such as the TOTP available in Microsoft Authenticator, other software tokens, and hardware FOBs. TOTP sign-in provides better security than the alternative **Approve**/**Deny** experience. Make sure you run the latest version of the [NPS extension](https://www.microsoft.com/download/details.aspx?id=54688).

+After May 8, 2023, when number matching is enabled for all users, anyone who performs a RADIUS connection with NPS extension version 1.2.2216.1 or later will be prompted to sign in with a TOTP method instead.

+Users must have a TOTP authentication method registered to see this behavior. Without a TOTP method registered, users continue to see **Approve**/**Deny**.

+Prior to the release of NPS extension version 1.2.2216.1 after May 8, 2023, organizations that run any of these earlier versions of NPS extension can modify the registry to require users to enter a TOTP:

+>NPS extensions versions earlier than 1.0.1.40 don't support TOTP enforced by number matching. These versions will continue to present users with **Approve**/**Deny**.

+To create the registry entry to override the **Approve**/**Deny** options in push notifications and require a TOTP instead:

+ - Name: OVERRIDE_NUMBER_MATCHING_WITH_OTP

+ - Value = TRUE

+- Users who perform TOTP must have either Microsoft Authenticator registered as an authentication method, or some other hardware or software OATH token. A user who can't use an OTP method will always see **Approve**/**Deny** options with push notifications if they use a version of NPS extension earlier than 1.2.2216.1.

+ >MSCHAPv2 doesn't support TOTP. If the NPS Server isn't configured to use PAP, user authorization will fail with events in the **AuthZOptCh** log of the NPS Extension server in Event Viewer:<br>

+If your organization uses Remote Desktop Gateway and the user is registered for a TOTP code along with Microsoft Authenticator push notifications, the user won't be able to meet the Azure AD MFA challenge and Remote Desktop Gateway sign-in will fail. In this case, you can set OVERRIDE_NUMBER_MATCHING_WITH_OTP = FALSE to fall back to **Approve**/**Deny** push notifications with Microsoft Authenticator.

+- NPS extension versions beginning 1.2.2131.2 will require users to do number matching. Because the NPS extension canΓÇÖt show a number, the user will be asked to enter a TOTP. The user must have a TOTP authentication method such as Microsoft Authenticator or software OATH tokens registered to see this behavior. If the user doesnΓÇÖt have a TOTP method registered, theyΓÇÖll continue to get the **Approve**/**Deny** experience.

+ - Name: OVERRIDE_NUMBER_MATCHING_WITH_OTP

+ - Value = FALSE

+### How can users enter a TOTP with the NPS extension?

+The VPN and NPS server must be using PAP protocol for TOTP prompts to appear. If they're using a protocol that doesn't support TOTP, such as MSCHAPv2, they'll continue to see the **Approve/Deny** notifications.

+### Will users get a prompt similar to a number matching prompt, but will need to enter a TOTP?

+Although NPS doesn't support number matching, the latest NPS extension does support time-based one-time password (TOTP) methods such as the TOTP available in Microsoft Authenticator, other software tokens, and hardware FOBs. TOTP sign-in provides better security than the alternative **Approve**/**Deny** experience. Make sure you run the latest version of the [NPS extension](https://www.microsoft.com/download/details.aspx?id=54688).

+After May 8, 2023, when number matching is enabled for all users, anyone who performs a RADIUS connection with NPS extension version 1.2.2216.1 or later will be prompted to sign in with a TOTP method instead.

+Users must have a TOTP authentication method registered to see this behavior. Without a TOTP method registered, users continue to see **Approve**/**Deny**.

+

+Prior to the release of NPS extension version 1.2.2216.1 after May 8, 2023, organizations that run earlier versions of NPS extension can modify the registry to require users to enter a TOTP. For more information, see [NPS extension](how-to-mfa-number-match.md#nps-extension).

+ Title: Using networks and countries in Azure Active Directory

+description: Use GPS locations and public IPv4 and IPv6 networks in Conditional Access policy to make access decisions.

+- Blocking access for users accessing a service from specific countries or regions your organization never operates from.

+> [!TIP]

+> Conditional Access policies are enforced after first-factor authentication is completed. Conditional Access isn't intended to be an organization's first line of defense for scenarios like denial-of-service (DoS) attacks, but it can use signals from these events to determine access.

+> [!VIDEO https://www.youtube.com/embed/P80SffTIThY]

+The first time the user must share their location from the Microsoft Authenticator app, the user receives a notification in the app. The user needs to open the app and grant location permissions. Every hour the user is accessing resources covered by the policy they need to approve a push notification from the app.

+### Cloud proxies and VPNs

+When you use a cloud hosted proxy or VPN solution, the IP address Azure AD uses while evaluating a policy is the IP address of the proxy. The X-Forwarded-For (XFF) header that contains the userΓÇÖs public IP address isn't used because there's no validation that it comes from a trusted source, so would present a method for faking an IP address.

+When a cloud proxy is in place, a policy that requires a [hybrid Azure AD joined or compliant device](howto-conditional-access-policy-compliant-device.md#create-a-conditional-access-policy) can be easier to manage. Keeping a list of IP addresses used by your cloud hosted proxy or VPN solution up to date can be nearly impossible.

+### When you might block locations?

+A policy that uses the location condition to block access is considered restrictive, and should be done with care after thorough testing. Some instances of using the location condition to block authentication may include:

+- Blocking countries where your organization never does business.

+- Blocking specific IP ranges like:

+ - Known malicious IPs before a firewall policy can be changed.

+ - For highly sensitive or privileged actions and cloud applications.

+ - Based on user specific IP range like access to accounting or payroll applications.

+### User exclusions

+### Bulk uploading and downloading of named locations

+When you create or update named locations, for bulk updates, you can upload or download a CSV file with the IP ranges. An upload replaces the IP ranges in the list with those ranges from the file. Each row of the file contains one IP Address range in CIDR format.

+| Claim | Format | Description | Authorization considerations |

+|-|--|-||

+| `aud` | String, an Application ID URI or GUID | Identifies the intended audience of the token. In v2.0 tokens, this value is always the client ID of the API. In v1.0 tokens, it can be the client ID or the resource URI used in the request. The value can depend on how the client requested the token. | This value must be validated, reject the token if the value doesn't match the intended audience. |

+| `iss` | String, a security token service (STS) URI | Identifies the STS that constructs and returns the token, and the Azure AD tenant in which the user was authenticated. If the token issued is a v2.0 token (see the `ver` claim), the URI ends in `/v2.0`. The GUID that indicates that the user is a consumer user from a Microsoft account is `9188040d-6c67-4c5b-b112-36a304b66dad`. | The application can use the GUID portion of the claim to restrict the set of tenants that can sign in to the application, if applicable. |

+|`idp`| String, usually an STS URI | Records the identity provider that authenticated the subject of the token. This value is identical to the value of the Issuer claim unless the user account isn't in the same tenant as the issuer, such as guests. If the claim isn't present, the value of `iss` can be used instead. For personal accounts being used in an organizational context (for instance, a personal account invited to an Azure AD tenant), the `idp` claim may be 'live.com' or an STS URI containing the Microsoft account tenant `9188040d-6c67-4c5b-b112-36a304b66dad`. | |

+| `iat` | int, a Unix timestamp | Specifies when the authentication for this token occurred. | |

+| `nbf` | int, a Unix timestamp | Specifies the time before which the JWT must not be accepted for processing. | |

+| `exp` | int, a Unix timestamp | Specifies the expiration time on or after which the JWT must not be accepted for processing. A resource may reject the token before this time as well. The rejection can occur when a change in authentication is required or a token revocation has been detected. | |

+| `aio` | Opaque String | An internal claim used by Azure AD to record data for token reuse. Resources shouldn't use this claim. | |

+| `acr` | String, a `0` or `1`, only present in v1.0 tokens | A value of `0` for the "Authentication context class" claim indicates the end-user authentication didn't meet the requirements of ISO/IEC 29115. | |

+| `amr` | JSON array of strings, only present in v1.0 tokens | Identifies how the subject of the token was authenticated. | |

+| `appid` | String, a GUID, only present in v1.0 tokens | The application ID of the client using the token. The application can act as itself or on behalf of a user. The application ID typically represents an application object, but it can also represent a service principal object in Azure AD. | `appid` may be used in authorization decisions. |

+| `azp` | String, a GUID, only present in v2.0 tokens | A replacement for `appid`. The application ID of the client using the token. The application can act as itself or on behalf of a user. The application ID typically represents an application object, but it can also represent a service principal object in Azure AD. | `azp` may be used in authorization decisions. |

+| `appidacr` | String, a `0`, `1`, or `2`, only present in v1.0 tokens | Indicates how the client was authenticated. For a public client, the value is `0`. If client ID and client secret are used, the value is `1`. If a client certificate was used for authentication, the value is `2`. | |

+| `azpacr` | String, a `0`, `1`, or `2`, only present in v2.0 tokens | A replacement for `appidacr`. Indicates how the client was authenticated. For a public client, the value is `0`. If client ID and client secret are used, the value is `1`. If a client certificate was used for authentication, the value is `2`. | |

+| `preferred_username` | String, only present in v2.0 tokens. | The primary username that represents the user. The value could be an email address, phone number, or a generic username without a specified format. The value is mutable and might change over time. The value can be used for username hints, however, and in human-readable UI as a username. The `profile` scope is required in order to receive this claim. | Since this value is mutable, it must not be used to make authorization decisions. |

+| `name` | String | Provides a human-readable value that identifies the subject of the token. The value isn't guaranteed to be unique, it's mutable, and is only used for display purposes. The `profile` scope is required in order to receive this claim. | This value must not be used to make authorization decisions. |

+| `scp` | String, a space separated list of scopes | The set of scopes exposed by the application for which the client application has requested (and received) consent. Only included for user tokens. | The application should verify that these scopes are valid ones exposed by the application, and make authorization decisions based on the value of these scopes. |

+| `roles` | Array of strings, a list of permissions | The set of permissions exposed by the application that the requesting application or user has been given permission to call. For application tokens, this set of permissions is used during the [client credential flow](v2-oauth2-client-creds-grant-flow.md) in place of user scopes. For user tokens, this set of values is populated with the roles the user was assigned to on the target application. | These values can be used for managing access, such as enforcing authorization to access a resource. |

+| `wids` | Array of [RoleTemplateID](../roles/permissions-reference.md#all-roles) GUIDs | Denotes the tenant-wide roles assigned to this user, from the section of roles present in [Azure AD built-in roles](../roles/permissions-reference.md#all-roles). This claim is configured on a per-application basis, through the `groupMembershipClaims` property of the [application manifest](reference-app-manifest.md). Setting it to `All` or `DirectoryRole` is required. May not be present in tokens obtained through the implicit flow due to token length concerns. | These values can be used for managing access, such as enforcing authorization to access a resource. |

+| `groups` | JSON array of GUIDs | Provides object IDs that represent the group memberships of the subject. The groups included in the groups claim are configured on a per-application basis, through the `groupMembershipClaims` property of the [application manifest](reference-app-manifest.md). A value of `null` excludes all groups, a value of `SecurityGroup` includes only Active Directory Security Group memberships, and a value of `All` includes both Security Groups and Microsoft 365 Distribution Lists. <br><br>See the `hasgroups` claim for details on using the `groups` claim with the implicit grant. For other flows, if the number of groups the user is in goes over 150 for SAML and 200 for JWT, then Azure AD adds an overage claim to the claim sources. The claim sources point to the Microsoft Graph endpoint that contains the list of groups for the user. | These values can be used for managing access, such as enforcing authorization to access a resource. |

+| `hasgroups` | Boolean | If present, always `true`, indicates whether the user is in at least one group. Used in place of the `groups` claim for JWTs in implicit grant flows if the full groups claim would extend the URI fragment beyond the URL length limits (currently six or more groups). Indicates that the client should use the Microsoft Graph API to determine the groups (`https://graph.microsoft.com/v1.0/users/{userID}/getMemberObjects`) of the user. | |

+| `groups:src1` | JSON object | For token requests that aren't length limited (see `hasgroups`) but still too large for the token, a link to the full groups list for the user is included. For JWTs as a distributed claim, for SAML as a new claim in place of the `groups` claim. <br><br>**Example JWT Value**: <br> `"groups":"src1"` <br> `"_claim_sources`: `"src1" : { "endpoint" : "https://graph.microsoft.com/v1.0/users/{userID}/getMemberObjects" }` | |

+| `sub` | String | The principal about which the token asserts information, such as the user of an application. This value is immutable and can't be reassigned or reused. The subject is a pairwise identifier that is unique to a particular application ID. If a single user signs into two different applications using two different client IDs, those applications receive two different values for the subject claim. Two different values may or may not be desired depending on architecture and privacy requirements. See also the `oid` claim (which does remain the same across applications within a tenant). | This value can be used to perform authorization checks, such as when the token is used to access a resource, and can be used as a key in database tables. |

+| `oid` | String, a GUID | The immutable identifier for the requestor, which is the user or service principal whose identity has been verified. This ID uniquely identifies the requestor across applications. Two different applications signing in the same user receive the same value in the `oid` claim. The `oid` can be used when making queries to Microsoft online services, such as the Microsoft Graph. The Microsoft Graph returns this ID as the `id` property for a given user account. Because the `oid` allows multiple applications to correlate principals, the `profile` scope is required in order to receive this claim for users. If a single user exists in multiple tenants, the user contains a different object ID in each tenant. The accounts are considered different, even though the user logs into each account with the same credentials. | This value can be used to perform authorization checks, such as when the token is used to access a resource, and can be used as a key in database tables. |

+| `tid` | String, a GUID | Represents the tenant that the user is signing in to. For work and school accounts, the GUID is the immutable tenant ID of the organization that the user is signing in to. For sign-ins to the personal Microsoft account tenant (services like Xbox, Teams for Life, or Outlook), the value is `9188040d-6c67-4c5b-b112-36a304b66dad`. To receive this claim, the application must request the `profile` scope. | This value should be considered in combination with other claims in authorization decisions. |

+| `unique_name` | String, only present in v1.0 tokens | Provides a human readable value that identifies the subject of the token. | This value isn't guaranteed to be unique within a tenant and should be used only for display purposes. |

+| `uti` | String | Token identifier claim, equivalent to `jti` in the JWT specification. Unique, per-token identifier that is case-sensitive. | |

+| `rh` | Opaque String | An internal claim used by Azure to revalidate tokens. Resources shouldn't use this claim. | |

+| `ver` | String, either `1.0` or `2.0` | Indicates the version of the access token. | |

+```

+Tenant administrators and developers often have requirements where an application must be restricted to a certain set of users or apps (services). There are two ways to restrict an application to a certain set of users, apps or security groups:

+The option to restrict an app to a specific set of users, apps or security groups in a tenant works with the following types of applications:

+- Application proxy applications that use Azure AD preauthentication.

+1. Under **Manage**, select **Enterprise Applications** then select **All applications**.

+## Assign the app to users and groups to restrict access

+1. Under **Manage**, select the **Users and groups** then select **Add user/group**.

+ A list of users and security groups are shown along with a textbox to search and locate a certain user or group. This screen allows you to select multiple users and groups in one go.

+## Restrict access to an app (resource) by assigning other services (client apps)

+Follow the steps in this section to secure app-to-app authentication access for your tenant.

+1. Navigate to Service Principal sign-in logs in your tenant to find services authenticating to access resources in your tenant.

+1. Check using app ID if a Service Principal exists for both resource and client apps in your tenant that you wish to manage access.

+ ```powershell

+ Get-MgServicePrincipal `

+ -Filter "AppId eq '$appId'"

+ ```

+1. Create a Service Principal using app ID, if it doesn't exist:

+ ```powershell

+ New-MgServicePrincipal `

+ -AppId $appId

+ ```

+1. Explicitly assign client apps to resource apps (this functionality is available only in API and not in the Azure AD Portal):

+ ```powershell

+ $clientAppId = ΓÇ£[guid]ΓÇ¥

+ $clientId = (Get-MgServicePrincipal -Filter "AppId eq '$clientAppId'").Id

+ New-MgServicePrincipalAppRoleAssignment `

+ -ServicePrincipalId $clientId `

+ -PrincipalId $clientId `

+ -ResourceId (Get-MgServicePrincipal -Filter "AppId eq '$appId'").Id `

+ -AppRoleId "00000000-0000-0000-0000-000000000000"

+ ```

+1. Require assignment for the resource application to restrict access only to the explicitly assigned users or services.

+ ```powershell

+ Update-MgServicePrincipal -ServicePrincipalId (Get-MgServicePrincipal -Filter "AppId eq '$appId'").Id -AppRoleAssignmentRequired:$true

+ ```

+ > [!NOTE]

+ > If you don't want tokens to be issued for an application or if you want to block an application from being accessed by users or services in your tenant, create a service principal for the application and [disable user sign-in](../manage-apps/disable-user-sign-in-portal.md) for it.

+You also have the option of using [Microsoft.IdentityModel.JsonWebTokens](https://www.nuget.org/packages/Microsoft.IdentityModel.JsonWebTokens/) to create the assertion for you. The code will be more elegant as shown in the example below:

+Host: login.microsoftonline.com:443

+Host: login.microsoftonline.com:443

+Host: login.microsoftonline.com:443

+GET /v1.0/users HTTP/1.1

+Host: graph.microsoft.com:443

+1. Run `sudo apt remove --purge aadlogin` (Ubuntu/Debian), `sudo yum remove aadlogin` (RHEL or CentOS), or `sudo zypper remove aadlogin` (openSUSE or SLES).

+ 1. For everything else, run `rpm -e --noscripts aadogin`.

+### Getting Permission Denied when trying to connect from Azure Shell to Linux Red Hat/Oracle/Centos 7.X VM.

+The OpenSSH server version in the target VM 7.4 is too old. Version incompatible with OpenSSH client version 8.8. Refer to [RSA SHA256 certificates no longer work](https://bugzilla.mindrot.org/show_bug.cgi?id=3351) for more information.

+Workaround:

+- Adding option `"PubkeyAcceptedKeyTypes= +ssh-rsa-cert-v01@openssh.com"` in the `az ssh vm ` command.

+```azurecli-interactive

+az ssh vm -n myVM -g MyResourceGroup -- -A -o "PubkeyAcceptedKeyTypes= +ssh-rsa-cert-v01@openssh.com"

+```

+- Adding the option `"PubkeyAcceptedKeyTypes= +ssh-rsa-cert-v01@openssh.com"` in the `/home/<user>/.ssh/config file`.

+Add the `"PubkeyAcceptedKeyTypes +ssh-rsa-cert-v01@openssh.com"` into the client config file.

+```config

+Host *

+PubkeyAcceptedKeyTypes +ssh-rsa-cert-v01@openssh.com

+```

+

+>This information last updated on March 28th, 2023.<br/>You can also download a CSV version of this table [here](https://download.microsoft.com/download/e/3/e/e3e9faf2-f28b-490a-9ada-c6089a1fc5b0/Product%20names%20and%20service%20plan%20identifiers%20for%20licensing.csv).

+| Common Data Service for Apps File Capacity | CDS_FILE_CAPACITY | 631d5fb1-a668-4c2a-9427-8830665a742e | CDS_FILE_CAPACITY (dd12a3a8-caec-44f8-b4fb-2f1a864b51e3)<br/>EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318) | Common Data Service for Apps File Capacity (dd12a3a8-caec-44f8-b4fb-2f1a864b51e3)<br/>Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318) |

+| Dynamics 365 for Customer Service Enterprise Attach to Qualifying Dynamics 365 Base Offer A | D365_CUSTOMER_SERVICE_ENT_ATTACH | eb18b715-ea9d-4290-9994-2ebf4b5042d2 | D365_CUSTOMER_SERVICE_ENT_ATTACH (61a2665f-1873-488c-9199-c3d0bc213fdf)<br/>Power_Pages_Internal_User (60bf28f9-2b70-4522-96f7-335f5e06c941)<br/>EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318) | Dynamics 365 for Customer Service Enterprise Attach (61a2665f-1873-488c-9199-c3d0bc213fdf)<br/>Power Pages Internal User (60bf28f9-2b70-4522-96f7-335f5e06c941)<br/>Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318) |

+| Dynamics 365 for Customer Service Chat | DYN365_CS_CHAT | 7d7af6c2-0be6-46df-84d1-c181b0272909 |DYN365_CS_CHAT_FPA (426ec19c-d5b1-4548-b894-6fe75028c30d)<br/>DYN365_CS_CHAT (f69129db-6dc1-4107-855e-0aaebbcd9dd4)<br/>POWER_VIRTUAL_AGENTS_D365_CS_CHAT (19e4c3a8-3ebe-455f-a294-4f3479873ae3)<br/>EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318) | Dynamics 365 Customer Service Chat Application Integration (426ec19c-d5b1-4548-b894-6fe75028c30d)<br/>Dynamics 365 for Customer Service Chat (f69129db-6dc1-4107-855e-0aaebbcd9dd4)<br/>Power Virtual Agents for Chat (19e4c3a8-3ebe-455f-a294-4f3479873ae3)<br/>Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318) |

+| Dynamics 365 Hybrid Connector | CRM_HYBRIDCONNECTOR | de176c31-616d-4eae-829a-718918d7ec23 | CRM_HYBRIDCONNECTOR (0210d5c8-49d2-4dd1-a01b-a91c7c14e0bf)<br/>EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318) | CRM Hybrid Connector (0210d5c8-49d2-4dd1-a01b-a91c7c14e0bf)<br/>Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318) |

+| Dynamics 365 for Marketing Additional Application | DYN365_MARKETING_APPLICATION_ADDON | 99c5688b-6c75-4496-876f-07f0fbd69add | DYN365_MARKETING_APPLICATION_ADDON (51cf0638-4861-40c0-8b20-1161ab2f80be)<br/>EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318) | Dynamics 365 for Marketing Additional Application (51cf0638-4861-40c0-8b20-1161ab2f80be)<br/>Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318) |

+| Dynamics 365 for Marketing Additional Non-Prod Application | DYN365_MARKETING_SANDBOX_APPLICATION_ADDON | c393e9bd-2335-4b46-8b88-9e2a86a85ec1 | DYN365_MARKETING_SANDBOX_APPLICATION_ADDON (1599de10-5250-4c95-acf2-491f74edce48) | Dynamics 365 Marketing Sandbox Application AddOn (1599de10-5250-4c95-acf2-491f74edce48) |

+| Dynamics 365 for Marketing Addnl Contacts Tier 5 | DYN365_MARKETING_CONTACT_ADDON_T5 | d8eec316-778c-4f14-a7d1-a0aca433b4e7 | DYN365_MARKETING_50K_CONTACT_ADDON (e626a4ec-1ba2-409e-bf75-9bc0bc30cca7)<br/>EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318) | Dynamics 365 for Marketing 50K Addnl Contacts (e626a4ec-1ba2-409e-bf75-9bc0bc30cca7)<br/>Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318) |

+| Dynamics 365 for Marketing Attach | DYN365_MARKETING_APP_ATTACH | 85430fb9-02e8-48be-9d7e-328beb41fa29 | DYN365_MARKETING_APP (a3a4fa10-5092-401a-af30-0462a95a7ac8)<br/>Forms_Pro_Marketing_App (22b657cf-0a9e-467b-8a91-5e31f21bc570)<br/>EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318) | Dynamics 365 for Marketing (a3a4fa10-5092-401a-af30-0462a95a7ac8)<br/>Microsoft Dynamics 365 Customer Voice for Marketing Application (22b657cf-0a9e-467b-8a91-5e31f21bc570)<br/>Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318) |

+| Dynamics 365 Sales Premium | DYN365_SALES_PREMIUM | 2edaa1dc-966d-4475-93d6-8ee8dfd96877 | DYN365_SALES_INSIGHTS (fedc185f-0711-4cc0-80ed-0a92da1a8384)<br/>SHAREPOINTENTERPRISE (5dbe027f-2339-4123-9542-606e4d348a72)<br/>PROJECT_ESSENTIALS (1259157c-8581-4875-bca7-2ffb18c51bda)<br/>SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>Microsoft_Viva_Sales_PowerAutomate (a933a62f-c3fb-48e5-a0b7-ac92b94b4420)<br/>Microsoft_Viva_Sales_PremiumTrial (8ba1ff15-7bf6-4620-b65c-ecedb6942766)<br/>EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>FLOW_DYN_APPS (7e6d7d78-73de-46ba-83b1-6d25117334ba)<br/>POWERAPPS_DYN_APPS (874fc546-6efe-4d22-90b8-5c4e7aa59f4b)<br/>Power_Pages_Internal_User (60bf28f9-2b70-4522-96f7-335f5e06c941)<br/>Forms_Pro_SalesEnt (8839ef0e-91f1-4085-b485-62e06e7c7987)<br/>DYN365_ENTERPRISE_SALES (2da8e897-7791-486b-b08f-cc63c8129df7) | Dynamics 365 AI for Sales (Embedded) (fedc185f-0711-4cc0-80ed-0a92da1a8384)<br/>SharePoint (Plan 2) (5dbe027f-2339-4123-9542-606e4d348a72)<br/>Project Online Essentials (1259157c-8581-4875-bca7-2ffb18c51bda)<br/>Office for the Web (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>Microsoft Viva Sales Premium with Power Automate (a933a62f-c3fb-48e5-a0b7-ac92b94b4420)<br/>Microsoft Viva Sales Premium & Trial (8ba1ff15-7bf6-4620-b65c-ecedb6942766)<br/>Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Power Automate for Dynamics 365 (7e6d7d78-73de-46ba-83b1-6d25117334ba)<br/>Power Apps for Dynamics 365 (874fc546-6efe-4d22-90b8-5c4e7aa59f4b)<br/>Power Pages Internal User (60bf28f9-2b70-4522-96f7-335f5e06c941)<br/>Microsoft Dynamics 365 Customer Voice for Sales Enterprise (8839ef0e-91f1-4085-b485-62e06e7c7987)<br/>Dynamics 365 for Sales (2da8e897-7791-486b-b08f-cc63c8129df7) |

+| Microsoft Relationship Sales solution | DYN365_ENTERPRISE_RELATIONSHIP_SALES | 4f05b1a3-a978-462c-b93f-781c6bee998f | Forms_Pro_Relationship_Sales (507172c0-6001-4f4f-80e7-f350507af3e5)<br/>DYN365_ENTERPRISE_RELATIONSHIP_SALES (56e3d4ca-2e31-4c3f-8d57-89c1d363503b)<br/>NBENTERPRISE (03acaee3-9492-4f40-aed4-bcb6b32981b6)<br/>EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Microsoft_Viva_Sales_PremiumTrial (8ba1ff15-7bf6-4620-b65c-ecedb6942766)<br/>Microsoft_Viva_Sales_PowerAutomate (a933a62f-c3fb-48e5-a0b7-ac92b94b4420)<br/>SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>PROJECT_ESSENTIALS (1259157c-8581-4875-bca7-2ffb18c51bda)<br/>SHAREPOINTENTERPRISE (5dbe027f-2339-4123-9542-606e4d348a72)<br/>POWERAPPS_DYN_APPS (874fc546-6efe-4d22-90b8-5c4e7aa59f4b)<br/>FLOW_DYN_APPS (7e6d7d78-73de-46ba-83b1-6d25117334ba) | Microsoft Dynamics 365 Customer Voice for Relationship Sales (507172c0-6001-4f4f-80e7-f350507af3e5)<br/>Microsoft Relationship Sales solution (56e3d4ca-2e31-4c3f-8d57-89c1d363503b)<br/>Retired - Microsoft Social Engagement (03acaee3-9492-4f40-aed4-bcb6b32981b6)<br/>Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Microsoft Viva Sales Premium & Trial (8ba1ff15-7bf6-4620-b65c-ecedb6942766)<br/>Microsoft Viva Sales Premium with Power Automate (a933a62f-c3fb-48e5-a0b7-ac92b94b4420)<br/>Office for the Web (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>Project Online Essentials (1259157c-8581-4875-bca7-2ffb18c51bda)<br/>SharePoint (Plan 2) (5dbe027f-2339-4123-9542-606e4d348a72)<br/>Power Apps for Dynamics 365 (874fc546-6efe-4d22-90b8-5c4e7aa59f4b)<br/>Power Automate for Dynamics 365 (7e6d7d78-73de-46ba-83b1-6d25117334ba) |

+| Power Apps Portals login capacity add-on Tier 3 (50 unit min) | POWERAPPS_PORTALS_LOGIN_T3 | 927d8402-8d3b-40e8-b779-34e859f7b497 | EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>CDS_POWERAPPS_PORTALS_LOGIN (32ad3a4e-2272-43b4-88d0-80d284258208)<br/>POWERAPPS_PORTALS_LOGIN (084747ad-b095-4a57-b41f-061d84d69f6f) | Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Common Data Service Power Apps Portals Login Capacity (32ad3a4e-2272-43b4-88d0-80d284258208)<br/>Power Apps Portals Login Capacity Add-On (084747ad-b095-4a57-b41f-061d84d69f6f) |

+| Power Apps Portals page view capacity add-on | POWERAPPS_PORTALS_PAGEVIEW | a0de5e3a-2500-4a19-b8f4-ec1c64692d22 | EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>CDS_POWERAPPS_PORTALS_PAGEVIEW (72c30473-7845-460a-9feb-b58f216e8694)<br/>POWERAPPS_PORTALS_PAGEVIEW (1c5a559a-ec06-4f76-be5b-6a315418495f) | Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>CDS PowerApps Portals page view capacity add-on (72c30473-7845-460a-9feb-b58f216e8694)<br/>Power Apps Portals Page View Capacity Add-On (1c5a559a-ec06-4f76-be5b-6a315418495f) |

+| Power Pages vTrial for Makers | Power_Pages_vTrial_for_Makers | 3f9f06f5-3c31-472c-985f-62d9c10ec167 | EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>DYN365_CDS_VIRAL (17ab22cd-a0b3-4536-910a-cb6eb12696c0)<br/>POWER_PAGES_VTRIAL (6817d093-2d30-4249-8bd6-774f01efa78c) | Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Common Data Service (17ab22cd-a0b3-4536-910a-cb6eb12696c0)<br/>Power Pages vTrial for Makers (6817d093-2d30-4249-8bd6-774f01efa78c) |

+| Power Virtual Agent User License | VIRTUAL_AGENT_USL | 4b74a65c-8b4a-4fc8-9f6b-5177ed11ddfa | CDS_VIRTUAL_AGENT_USL (cb867b3c-7f38-4d0d-99ce-e29cd69812c8)<br/>FLOW_VIRTUAL_AGENT_USL (82f141c9-2e87-4f43-8cb2-12d2701dc6b3)<br/>VIRTUAL_AGENT_USL (1263586c-59a4-4ad0-85e1-d50bc7149501) | Common Data Service (cb867b3c-7f38-4d0d-99ce-e29cd69812c8)<br/>Power Automate for Virtual Agent (82f141c9-2e87-4f43-8cb2-12d2701dc6b3)<br/>Virtual Agent (1263586c-59a4-4ad0-85e1-d50bc7149501) |

+| Privacy Management - subject rights request (1) GCC | PRIVACY_MANAGEMENT_SUB_RIGHTS_REQ_1_V2_GCC | 017fb6f8-00dd-4025-be2b-4eff067cae72 | MIP_S_EXCHANGE_CO (5b96ffc4-3853-4cf4-af50-e38505080f6b)<br/>PRIVACY_MANGEMENT_DSR_EXCHANGE_1 (93d24177-c2c3-408a-821d-3d25dfa66e7a)<br/>PRIVACY_MANGEMENT_DSR_1 (07a4098c-3f2d-427f-bfe2-5889ed75dd7b) | Data Classification in Microsoft 365 - Company Level (5b96ffc4-3853-4cf4-af50-e38505080f6b)<br/>Privacy Management - Subject Rights Request (1 - Exchange) (93d24177-c2c3-408a-821d-3d25dfa66e7a)<br/>Privacy Management - Subject Rights Request (1) (07a4098c-3f2d-427f-bfe2-5889ed75dd7b) |

+The updated experience for adding company branding covered in this article is available as an Azure AD preview feature. To opt in and explore the new experience, go to **Azure AD** > **Preview features** and enable the **Enhanced Company Branding** feature. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+> Instructions for the legacy company branding customization process can be found in the **[Customize branding](customize-branding.md)** article. Instructions for how to manage the **'Stay signed in prompt?'** can be found in the **[Manage the 'Stay signed in?' prompt](how-to-manage-stay-signed-in-prompt.md)** article.

+> To manage the settings of the 'Stay signed in?' prompt, go to **Azure AD** > **Users** > **User settings**.

+- [Manage the 'stay signed in' prompt](how-to-manage-stay-signed-in-prompt.md)

+ Title: Manage the 'Stay signed in' prompt - Azure AD - Microsoft Entra

+description: Instructions about how to set up the 'Stay signed in' prompt for Azure AD users.

+# Manage the 'Stay signed in?' prompt

+The **Stay signed in?** prompt appears after a user successfully signs in. This process is known as **Keep me signed in** (KMSI) and was previously part of the [customize branding](how-to-customize-branding.md) process.

+This article covers how the KMSI process works, how to enable it for customers, and how to troubleshoot KMSI issues.

+## How does it work?

+If a user answers **Yes** to the **'Stay signed in?'** prompt, a persistent authentication cookie is issued. The cookie must be stored in session for KMSI to work. KMSI won't work with locally stored cookies. If KMSI isn't enabled, a non-persistent cookie is issued and lasts for 24 hours or until the browser is closed.

+The following diagram shows the user sign-in flow for a managed tenant and federated tenant using the KMSI in prompt. This flow contains smart logic so that the **Stay signed in?** option won't be displayed if the machine learning system detects a high-risk sign-in or a sign-in from a shared device. For federated tenants, the prompt will show after the user successfully authenticates with the federated identity service.

+Some features of SharePoint Online and Office 2010 depend on users being able to choose to remain signed in. If you uncheck the **Show option to remain signed in** option, your users may see other unexpected prompts during the sign-in process.

+

+## License and role requirements

+Configuring the 'keep me signed in' (KMSI) option requires one of the following licenses:

+- Azure AD Premium 1

+- Azure AD Premium 2

+- Office 365 (for Office apps)

+- Microsoft 365

+You must have the **Global Administrator** role to enable the 'Stay signed in?' prompt.

+## Enable the 'Stay signed in?' prompt

+The KMSI setting is managed in the **User settings** of Azure Active Directory (Azure AD).

+1. Sign in to the [Azure portal](https://portal.azure.com/).

+1. Go to **Azure Active Directory** > **Users** > **User settings**.

+1. Set the **Show keep user signed in** toggle to **Yes**.

+ 

+## Troubleshoot 'Stay signed in?' issues

+If a user doesn't act on the **Stay signed in?** prompt but abandons the sign-in attempt, a sign-in log entry appears in the Azure AD **Sign-ins** page. The prompt the user sees is called an "interrupt."

+

+Details about the sign-in error are found in the **Sign-in logs** in Azure AD. Select the impacted user from the list and locate the following details in the **Basic info** section.

+* **Sign in error code**: 50140

+* **Failure reason**: This error occurred due to "Keep me signed in" interrupt when the user was signing in.

+You can stop users from seeing the interrupt by setting the **Show option to remain signed in** setting to **No** in the user settings. This setting disables the KMSI prompt for all users in your Azure AD directory.

+You also can use the [persistent browser session controls in Conditional Access](../conditional-access/howto-conditional-access-session-lifetime.md) to prevent users from seeing the KMSI prompt. This option allows you to disable the KMSI prompt for a select group of users (such as the global administrators) without affecting sign-in behavior for everyone else in the directory.

+To ensure that the KMSI prompt is shown only when it can benefit the user, the KMSI prompt is intentionally not shown in the following scenarios:

+* User is signed in via seamless SSO and integrated Windows authentication (IWA)

+* User is signed in via Active Directory Federation Services and IWA

+* User is a guest in the tenant

+* User's risk score is high

+* Sign-in occurs during user or admin consent flow

+* Persistent browser session control is configured in a conditional access policy

+## Next steps

+- [Learn how to customize branding for sign-in experiences](how-to-customize-branding.md)

+- [Manage user settings in Azure AD](how-to-manage-user-profile-info.md)

+ 

+ 

+ 

+> [!Note]

+> You must use Windows Server Active Directory to update the identity, contact info, or job info for users whose source of authority is Windows Server Active Directory. After you complete your update, you must wait for the next synchronization cycle to complete before you'll see the changes.

+> [!Note]

+In the **User settings** area of Azure AD, you can adjust several settings that affect all users. Some settings are managed in a separate area of Azure AD and linked from this page. These settings require the Global Administrator role.

+Go to **Azure AD** > **User settings**.

+

+The following settings can be managed from Azure AD **User settings**.

+- Manage how end users launch and view their applications

+- Allow users to register their own applications

+- [Prevent non-admins from creating their own tenants](users-default-permissions.md#restrict-member-users-default-permissions)

+- Restrict access to the Azure AD administration portal

+- [Allow users to connect their work or school account with LinkedIn](../enterprise-users/linkedin-user-consent.md)

+- [Enable the "Stay signed in?" prompt](how-to-manage-stay-signed-in-prompt.md)

+- Manage external collaboration settings

+ - [Guest user access](../enterprise-users/users-restrict-guest-permissions.md)

+ - [Guest invite setting](../external-identities/external-collaboration-settings-configure.md)

+ - [External user leave settings](../external-identities/self-service-sign-up-user-flow.md#enable-self-service-sign-up-for-your-tenant)

+ - Collaboration restrictions

+- Manage user feature settings

+ > [!NOTE]

+ > The **Self-service** menu item isn't available if your app registration's setting for public client flows is enabled. To access this menu item, select **Authentication** in the left navigation, then set the **Allow public client flows** to **No**.

+ Title: Activate your group membership or ownership in Privileged Identity Management (Preview)

+# Activate your group membership or ownership in Privileged Identity Management (preview)

+>[!NOTE]

+> For the **Roles are being assigned outside of Privileged Identity Management** alerts, you may encounter duplicate notifications. These duplications may primarily be related to a potential live site incident where notifications are being sent again.

+> |AzureActiveDirectoryInsufficientRights|When a B2B user in the target tenant has a role other than User, Helpdesk Admin, or User Account Admin, they cannot be deleted.| Please remove the role(s) on the user in the target tenant in order to successfully delete the user in the target tenant.|

+* Boxcryptor Single sign-on enabled [subscription](https://www.boxcryptor.com/for-teams/).

+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)

+ Title: 'Tutorial: Configure Connecter for automatic user provisioning with Azure Active Directory'

+description: Learn how to automatically provision and de-provision user accounts from Azure AD to Connecter.

+writer: twimmers

+ms.assetid: 6e60505a-f8c8-46f6-8e6f-525e7c8416b7

+# Tutorial: Configure Connecter for automatic user provisioning

+This tutorial describes the steps you need to perform in both Connecter and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users to [Connecter](https://www.designconnected.com/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).

+## Supported capabilities

+> [!div class="checklist"]

+> * Create users in Connecter.

+> * Remove users in Connecter when they do not require access anymore.

+> * Keep user attributes synchronized between Azure AD and Connecter.

+> * [Single sign-on](../manage-apps/add-application-portal-setup-oidc-sso.md) to Connecter (recommended).

+## Prerequisites

+The scenario outlined in this tutorial assumes that you already have the following prerequisites:

+* [An Azure AD tenant](../develop/quickstart-create-new-tenant.md)

+* A user account in Azure AD with [permission](../roles/permissions-reference.md) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).

+* An admin account for Connecter Server's [Team Portal](https://teamwork.connecterapp.com/)

+## Step 1. Plan your provisioning deployment

+1. Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md).

+1. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+1. Determine what data to [map between Azure AD and Connecter](../app-provisioning/customize-application-attributes.md).

+## Step 2. Configure Connecter to support provisioning with Azure AD

+### Roles

+There are two main roles involved in the configuration:

+1. **Team Portal admin** - the sole administrator of everything connected with user and permissions management in Connecter Server. Can be changed by the Connecter Server Subscription owner from here.

+1. Azure AD admin - a person that has full access to the administrative backend of Azure AD and can install new services.

+### Step-by-step guide

+#### Actions that must be done by the Team Portal admin:

+1. Log in to Connecter's [Team Portal](https://teamwork.connecterapp.com/).

+1. Select your team.

+1. Click on the **Features tab**.

+ 

+6. *Optional*: If you would like to select a workspace that your team members will be automatically added to when they are synchronized from Azure AD select the **Workspace configuration** action and select the workspace and the permissions.

+ 

+7. Click on the **Authenticate** button. This will open the sign-in page. Sign in with your **Azure AD admin** account to add Connecter to your enterprise applications.

+ 

+8. Click on **Get SCIM token**.

+9. Use the button to copy the token to your clipboard and save it for future purpose.

+## Step 3. Add Connecter from the Azure AD application gallery

+Add Connecter from the Azure AD application gallery to start managing provisioning to Connecter. If you have previously setup Connecter for SSO you can use the same application. However it's recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md).

+## Step 4. Define who will be in scope for provisioning

+The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+* Start small. Test with a small set of users before rolling out to everyone. When scope for provisioning is set to assigned users, you can control this by assigning one or two users to the app. When scope is set to all users, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+* If you need more roles, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add new roles.

+## Step 5. Configure automatic user provisioning to Connecter

+This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users in TestApp based on user and/or group assignments in Azure AD.

+### To configure automatic user provisioning for Connecter in Azure AD:

+1. Sign in to the [Azure portal](https://portal.azure.com). Select **Enterprise Applications**, then select **All applications**.

+ 

+1. In the applications list, select **Connecter**.

+ 

+1. Select the **Provisioning** tab.

+ 

+1. Set the **Provisioning Mode** to **Automatic**.

+ 

+1. Under the **Admin Credentials** section, input your Connecter Tenant URL as `https://teamwork.connecterapp.com/scim/v2` and corresponding Secret Token obtained from step 2. Click **Test Connection** to ensure Azure AD can connect to Connecter. If the connection fails, ensure your Connecter account has Admin permissions and try again.

+ 

+1. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box.

+ 

+1. Select **Save**.

+1. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to Connecter**.

+1. Review the user attributes that are synchronized from Azure AD to Connecter in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Connecter for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you'll need to ensure that the Connecter API supports filtering users based on that attribute. Select the **Save** button to commit any changes.

+ |Attribute|Type|Supported for filtering|Required by Connecter|

+ |||||

+ |userName|String|&check;|&check;

+ |active|Boolean||

+ |displayName|String||&check;

+ |externalId|String||

+

+1. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+1. To enable the Azure AD provisioning service for Connecter, change the **Provisioning Status** to **On** in the **Settings** section.

+ 

+1. Define the users that you would like to provision to Connecter by choosing the desired values in **Scope** in the **Settings** section.

+ 

+1. When you're ready to provision, click **Save**.

+ 

+This operation starts the initial synchronization cycle of all users defined in **Scope** in the **Settings** section. The initial cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running.

+## Step 6. Monitor your deployment

+Once you've configured provisioning, use the following resources to monitor your deployment:

+* Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully

+* Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it's to completion

+* If the provisioning configuration seems to be in an unhealthy state, the application goes into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).

+## More resources

+* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)

+* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

+## Next steps

+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)

+This tutorial describes the steps you need to perform in both Maptician and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Maptician](https://www.maptician.com/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).

+* A [Maptician](https://www.maptician.com/) tenant.

+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)

+- **Cluster Nodes**: Cluster nodes go into a subnet in your VNet, so verify you have a subnet large enough to account for future scale. A simple `/24` subnet can host up to 251 nodes (the first three IP addresses in a subnet are reserved for management operations).

+- **Pods**: The overlay solution assigns a `/24` address space for pods on every node from the private CIDR that you specify during cluster creation. The `/24` size is fixed and can't be increased or decreased. You can run up to 250 pods on a node. When planning the pod address space, ensure that the private CIDR is large enough to provide `/24` address spaces for new nodes to support future cluster expansion.

+ - Pod CIDR space must not overlap with the cluster subnet range.

+ - Pod CIDR space must not overlap with IP ranges used in on-premises networks and peered networks.

+ - The same pod CIDR space can be used on multiple independent AKS clusters in the same VNet.

+- **Kubernetes service address range**: The size of the service address CIDR depends on the number of cluster services you plan to create. It must be smaller than `/12`. This range should also not overlap with the pod CIDR range, cluster subnet range, and IP range used in peered VNets and on-premises networks.

+- **Kubernetes DNS service IP address**: This is an IP address within the Kubernetes service address range that's used by cluster service discovery. Don't use the first IP address in your address range, as this address is used for the `kubernetes.default.svc.cluster.local` address.

+- Traffic from the node CIDR to the node CIDR on all ports and protocols

+- Traffic from the node CIDR to the pod CIDR on all ports and protocols (required for service traffic routing)

+- Traffic from the pod CIDR to the pod CIDR on all ports and protocols (required for pod to pod and pod to service traffic, including DNS)

+- You would like to scale to a large number of pods, but have limited IP address space in your VNet.

+- Most of the pod communication is within the cluster.

+- You don't need advanced AKS features, such as virtual nodes.

+- You have available IP address space.

+- Most of the pod communication is to resources outside of the cluster.

+- Resources outside the cluster need to reach pods directly.

+- You need AKS advanced features, such as virtual nodes.

+- You can't use Application Gateway as an Ingress Controller (AGIC) for an overlay cluster.

+- Windows Server 2019 node pools are not supported for overlay.

+- Traffic from host network pods is not able to reach Windows overlay pods.

+## Upgrade an existing cluster to CNI Overlay

+You can update an existing Azure CNI cluster to Overlay if the cluster meets certain criteria. A cluster must:

+- be on Kubernetes version 1.22+

+- **not** be using the dynamic pod IP allocation feature

+- **not** have network policies enabled

+- **not** be using any Windows node pools with docker as the container runtime

+The upgrade process will trigger each node pool to be re-imaged simultaneously (i.e. upgrading each node pool separately to overlay is not supported). Any disruptions to cluster networking will be similar to a node image upgrade or Kubernetes version upgrade where each node in a node pool is re-imaged.

+> [!WARNING]

+> Due to the limitation around Windows overlay pods incorrectly SNATing packets from host network pods, this has a more detrimental effect for clusters upgrading to overlay.

+While nodes are being upgraded to use the CNI Overlay feature, pods that are on nodes which haven't been upgraded yet will not be able to communicate with pods on Windows nodes that have been upgraded to Overlay. In other words, overlay Windows pods will not be able to reply to any traffic from pods still running with an IP from the node subnet.

+This network disruption will only occur during the upgrade. Once the migration to overlay has completed for all node pools, all overlay pods will be able to communicate successfully with the Windows pods.

+> [!NOTE]

+> The upgrade completion doesn't change the existing limitation that host network pods **cannot** communicate with Windows overlay pods.

+You can interact with Kubernetes clusters using the `kubectl` tool. The Azure CLI provides an easy way to get the access credentials and *kubeconfig* configuration file to connect to your AKS clusters using `kubectl`. You can use Azure role-based access control (Azure RBAC) to limit who can get access to the *kubeconfig* file and the permissions they have.

+* This article assumes that you have an existing AKS cluster. If you need an AKS cluster, create one using [Azure CLI][aks-quickstart-cli], [Azure PowerShell][aks-quickstart-powershell], or [the Azure portal][aks-quickstart-portal].

+* This article also requires that you're running Azure CLI version 2.0.65 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][azure-cli-install].

+## Available permissions for cluster roles

+When you interact with an AKS cluster using the `kubectl` tool, a configuration file, called *kubeconfig*, defines cluster connection information. This configuration file is typically stored in *~/.kube/config*. Multiple clusters can be defined in this *kubeconfig* file. You can switch between clusters using the [`kubectl config use-context`][kubectl-config-use-context] command.

+The [`az aks get-credentials`][az-aks-get-credentials] command lets you get the access credentials for an AKS cluster and merges these credentials into the *kubeconfig* file. You can use Azure RBAC to control access to these credentials. These Azure roles let you define who can retrieve the *kubeconfig* file and what permissions they have within the cluster.

+There are two Azure roles you can apply to an Azure Active Directory (Azure AD) user or group:

+- **Azure Kubernetes Service Cluster Admin Role**

+ * Allows access to `Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action` API call. This API call [lists the cluster admin credentials][api-cluster-admin].

+ * Downloads *kubeconfig* for the *clusterAdmin* role.

+- **Azure Kubernetes Service Cluster User Role**

+ * Allows access to `Microsoft.ContainerService/managedClusters/listClusterUserCredential/action` API call. This API call [lists the cluster user credentials][api-cluster-user].

+ * Downloads *kubeconfig* for *clusterUser* role.

+> On clusters that use Azure AD, users with the *clusterUser* role have an empty *kubeconfig* file that prompts a login. Once logged in, users have access based on their Azure AD user or group settings. Users with the *clusterAdmin* role have admin access.

+> On clusters that don't use Azure AD, the *clusterUser* role has same effect of *clusterAdmin* role.

+To assign one of the available roles, you need to get the resource ID of the AKS cluster and the ID of the Azure AD user account or group using the following steps:

+1. Get the cluster resource ID using the [`az aks show`][az-aks-show] command for the cluster named *myAKSCluster* in the *myResourceGroup* resource group. Provide your own cluster and resource group name as needed.

+2. Use the [`az account show`][az-account-show] and [`az ad user show`][az-ad-user-show] commands to get your user ID.

+3. Assign a role using the [`az role assignment create`][az-role-assignment-create] command.

+If you want to assign permissions to an Azure AD group, update the `--assignee` parameter shown in the previous example with the object ID for the *group* rather than the *user*.

+To get the object ID for a group, use the [`az ad group show`][az-ad-group-show] command. The following command gets the object ID for the Azure AD group named *appdev*:

+```azurecli-interactive

+az ad group show --group appdev --query objectId -o tsv

+```

+> In some cases, such as Azure AD guest users, the *user.name* in the account is different than the *userPrincipalName*.

+> ```azurecli-interactive

+>

+> In this case, set the value of *ACCOUNT_UPN* to the *userPrincipalName* from the Azure AD user. For example, if your account *user.name* is *user\@contoso.com*, this action would look like the following example:

+>

+Once the roles are assigned, use the [`az aks get-credentials`][az-aks-get-credentials] command to get the *kubeconfig* definition for your AKS cluster. The following example gets the *--admin* credentials, which works correctly if the user has been granted the *Cluster Admin Role*:

+You can then use the [`kubectl config view`][kubectl-config-view] command to verify that the *context* for the cluster shows that the admin configuration information has been applied.

+```azurecli-interactive

+```

+Your output should look similar to the following example output:

+```azurecli-interactive

+To remove role assignments, use the [`az role assignment delete`][az-role-assignment-delete] command. Specify the account ID and cluster resource ID that you obtained in the previous steps. If you assigned the role to a group rather than a user, specify the appropriate group object ID rather than account object ID for the `--assignee` parameter.

+- East US

+- West US

+- Central US

+- South Central US

+- East US 2

+- West US 2

+- North Europe

+- Canada Central

+- Southeast Asia

+- Australia East

+- Central India

+1. You can search for an offer or publisher directly by name, or you can browse all offers. To find Kubernetes application offers, on the left side under **Categories** select **Containers**.

+ :::image type="content" source="./media/deploy-marketplace/containers-inline.png" alt-text="Screenshot of Azure Marketplace offers in the Azure portal, with the container category on the left side highlighted." lightbox="./media/deploy-marketplace/containers.png":::

+ > The **Containers** category includes both Kubernetes applications and standalone container images. This walkthrough is specific to Kubernetes applications. If you find that the steps to deploy an offer differ in some way, you're most likely trying to deploy a container image-based offer instead of a Kubernetes application-based offer.

+1. You will see several Kubernetes application offers displayed on the page. To view all of the Kubernetes application offers, select **See more**.

+ :::image type="content" source="./media/deploy-marketplace/see-more-inline.png" alt-text="Screenshot of Azure Marketplace K8s offers in the Azure portal" lightbox="./media/deploy-marketplace/see-more.png":::

+You can customize egress for an AKS cluster to fit specific scenarios. By default, AKS will provision a standard SKU load balancer to be set up and used for egress. However, the default setup may not meet the requirements of all scenarios if public IPs are disallowed or additional hops are required for egress.

+This article covers the various types of outbound connectivity that are available in AKS clusters.

+> [!NOTE]

+> You can now update the `outboundType` after cluster creation. This feature is in preview. See [Updating `outboundType after cluster creation (preview)](#updating-outboundtype-after-cluster-creation-preview).

+* Setting `outboundType` requires AKS clusters with a `vm-set-type` of `VirtualMachineScaleSets` and `load-balancer-sku` of `Standard`.

+## Outbound types in AKS

+You can configure an AKS cluster using the following outbound types: load balancer, NAT gateway, or user-defined routing. The outbound type impacts only the egress traffic of your cluster. For more information, see [setting up ingress controllers](ingress-basic.md).

+> You can use your own [route table][byo-route-table] with UDR and [kubenet networking](../aks/configure-kubenet.md). Make sure your cluster identity (service principal or managed identity) has Contributor permissions to the custom route table.

+### Outbound type of `loadBalancer`

+The load balancer is used for egress through an AKS-assigned public IP. An outbound type of `loadBalancer` supports Kubernetes services of type `loadBalancer`, which expect egress out of the load balancer created by the AKS resource provider.

+If `loadBalancer` is set, AKS automatically completes the following configuration:

+* A public IP address is provisioned for cluster egress.

+* The public IP address is assigned to the load balancer resource.

+* Backend pools for the load balancer are set up for agent nodes in the cluster.

+For more information, see [using a standard load balancer in AKS](load-balancer-standard.md).

+If `managedNatGateway` or `userAssignedNatGateway` are selected for `outboundType`, AKS relies on [Azure Networking NAT gateway](../virtual-network/nat-gateway/manage-nat-gateway.md) for cluster egress.

+* Select `managedNatGateway` when using managed virtual networks. AKS will provision a NAT gateway and attach it to the cluster subnet.

+* Select `userAssignedNatGateway` when using bring-your-own virtual networking. This option requires that you have provisioned a NAT gateway before cluster creation.

+For more information, see [using NAT gateway with AKS](nat-gateway.md).

+### Outbound type of `userDefinedRouting`

+> The `userDefinedRouting` outbound type is an advanced networking scenario and requires proper network configuration.

+You must deploy the AKS cluster into an existing virtual network with a subnet that has been previously configured. Since you're not using a standard load balancer (SLB) architecture, you must establish explicit egress. This architecture requires explicitly sending egress traffic to an appliance like a firewall, gateway, proxy or to allow NAT to be done by a public IP assigned to the standard load balancer or appliance.

+For more information, see [configuring cluster egress via user-defined routing](egress-udr.md).

+## Updating `outboundType` after cluster creation (preview)

+> Changing the outbound type on a cluster is disruptive to network connectivity and will result in a change of the cluster's egress IP address. If any firewall rules have been configured to restrict traffic from the cluster, you need to update them to match the new egress IP address.

+### Install the `aks-preview` Azure CLI extension

+* Install and update the `aks-preview` extension.

+ ```azurecli

+ # Install aks-preview extension

+ az extension add --name aks-preview

+ # Update aks-preview extension

+ az extension update --name aks-preview

+ ```

+### Register the `AKS-OutBoundTypeMigrationPreview` feature flag

+1. Register the `AKS-OutBoundTypeMigrationPreview` feature flag using the [`az feature register`][az-feature-register] command. It takes a few minutes for the status to show *Registered*.

+ ```azurecli-interactive

+ az feature register --namespace "Microsoft.ContainerService" --name "AKS-OutBoundTypeMigrationPreview"

+ ```

+2. Verify the registration status using the [`az feature show`][az-feature-show] command.

+ ```azurecli-interactive

+ az feature show --namespace "Microsoft.ContainerService" --name "AKS-OutBoundTypeMigrationPreview"

+ ```

+3. When the status reflects *Registered*, refresh the registration of the *Microsoft.ContainerService* resource provider using the [`az provider register`][az-provider-register] command.

+ ```azurecli-interactive

+ az provider register --namespace Microsoft.ContainerService

+ ```

+### Update cluster to use a new outbound type

+* Update the outbound configuration of your cluster using the [`az aks update`][az-aks-update] command.

+ ```azurecli-interactive

+ az aks update -g <resourceGroup> -n <clusterName> --outbound-type <loadBalancer|managedNATGateway|userAssignedNATGateway>

+ ```

+* [Configure standard load balancing in an AKS cluster](load-balancer-standard.md)

+* [Configure NAT gateway in an AKS cluster](nat-gateway.md)

+* [Configure user-defined routing in an AKS cluster](egress-udr.md)

+* [NAT gateway documentation](./nat-gateway.md)

+* [Azure networking UDR overview](../virtual-network/virtual-networks-udr-overview.md)

+* [Manage route tables](../virtual-network/manage-route-table.md)

+[az-feature-register]: /cli/azure/feature#az_feature_register

+[az-feature-show]: /cli/azure/feature#az_feature_show

+[az-provider-register]: /cli/azure/provider#az_provider_register

+[az-aks-update]: /cli/azure/aks#az_aks_update

+# Upgrade Azure Kubernetes Service (AKS) node images

+Azure Kubernetes Service (AKS) regularly provides new node images, so it's beneficial to upgrade your node images frequently to use the latest AKS features. Linux node images are updated weekly, and Windows node images are updated monthly. Image upgrade announcements are included in the [AKS release notes](https://github.com/Azure/AKS/releases), and it can take up to a week for these updates to be rolled out across all regions. Node image upgrades can also be performed automatically and scheduled using planned maintenance. For more details, see [Automatically upgrade node images][auto-upgrade-node-image].

+This article shows you how to upgrade AKS cluster node images and how to update node pool images without upgrading the Kubernetes version. For information on upgrading the Kubernetes version for your cluster, see [Upgrade an AKS cluster][upgrade-cluster].

+## Check for available node image upgrades

+Check for available node image upgrades using the [`az aks nodepool get-upgrades`][az-aks-nodepool-get-upgrades] command.

+The output will show the `latestNodeImageVersion`, like in the following example:

+ "id": "/subscriptions/XXXX-XXX-XXX-XXX-XXXXX/resourcegroups/myResourceGroup/providers/Microsoft.ContainerService/managedClusters/myAKSCluster/agentPools/mynodepool/upgradeProfiles/default",

+The example output shows `AKSUbuntu-1604-2020.10.28` as the `latestNodeImageVersion`.

+Compare the latest version with your current node image version using the [`az aks nodepool show`][az-aks-nodepool-show] command.

+Your output should look similar to the following example:

+In this example, there's an available node image version upgrade, which is from version `AKSUbuntu-1604-2020.10.08` to version `AKSUbuntu-1604-2020.10.28`.

+## Upgrade all node images in all node pools

+Upgrade the node image using the [`az aks upgrade`][az-aks-upgrade] command with the `--node-image-only` flag.

+You can check the status of the node images using the `kubectl get nodes` command.

+When the upgrade is complete, use the [`az aks show`][az-aks-show] command to get the updated node pool details. The current node image is shown in the `nodeImageVersion` property.

+To update the OS image of a node pool without doing a Kubernetes cluster upgrade, use the [`az aks nodepool upgrade`][az-aks-nodepool-upgrade] command with the `--node-image-only` flag.

+You can check the status of the node images with the `kubectl get nodes` command.

+When the upgrade is complete, use the [`az aks nodepool show`][az-aks-nodepool-show] command to get the updated node pool details. The current node image is shown in the `nodeImageVersion` property.

+If you'd like to increase the speed of upgrades, use the [`az aks nodepool update`][az-aks-nodepool-update] command with the `--max-surge` flag to configure the number of nodes used for upgrades. To learn more about the trade-offs of various `--max-surge` settings, see [Customize node surge upgrade][max-surge].

+You can check the status of the node images with the `kubectl get nodes` command.

+- [Automatically apply cluster and node pool upgrades with GitHub Actions][github-schedule].

+[az-aks-nodepool-get-upgrades]: /cli/azure/aks/nodepool#az_aks_nodepool_get_upgrades

+[az-aks-nodepool-show]: /cli/azure/aks/nodepool#az_aks_nodepool_show

+[az-aks-nodepool-upgrade]: /cli/azure/aks/nodepool#az_aks_nodepool_upgrade

+[az-aks-nodepool-update]: /cli/azure/aks/nodepool#az_aks_nodepool_update

+[az-aks-upgrade]: /cli/azure/aks#az_aks_upgrade

+[az-aks-show]: /cli/azure/aks#az_aks_show

+A Spot node pool is a node pool backed by an [Azure Spot Virtual machine scale set][vmss-spot]. With Spot VMs in your AKS cluster, you can take advantage of unutilized Azure capacity with significant cost savings. The amount of available unutilized capacity varies based on many factors, such as node size, region, and time of day.

+When you deploy a Spot node pool, Azure allocates the Spot nodes if there's capacity available and deploys a Spot scale set that backs the Spot node pool in a single default domain. There's no SLA for the Spot nodes. There are no high availability guarantees. If Azure needs capacity back, the Azure infrastructure will evict the Spot nodes.

+* This article assumes a basic understanding of Kubernetes and Azure Load Balancer concepts. For more information, see [Kubernetes core concepts for Azure Kubernetes Service (AKS)][kubernetes-concepts].

+* If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+* When you create a cluster to use a Spot node pool, the cluster must use Virtual Machine Scale Sets for node pools and the *Standard* SKU load balancer. You must also add another node pool after you create your cluster, which is covered in this tutorial.

+* This article requires that you're running the Azure CLI version 2.14 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][azure-cli-install].

+* A Spot node pool can't be a default node pool, it can only be used as a secondary pool.

+* You can't change `ScaleSetPriority` or `SpotMaxPrice` after creation.

+* When setting `SpotMaxPrice`, the value must be *-1* or a *positive value with up to five decimal places*.

+* A Spot node pool will have the `kubernetes.azure.com/scalesetpriority:spot` label, the taint `kubernetes.azure.com/scalesetpriority=spot:NoSchedule`, and the system pods will have anti-affinity.

+When adding a Spot node pool to an existing cluster, it must be a cluster with multiple node pools enabled. When you create an AKS cluster with multiple node pools enabled, you create a node pool with a `priority` of `Regular` by default. To add a Spot node pool, you must specify `Spot` as the value for `priority`. For more details on creating an AKS cluster with multiple node pools, see [use multiple node pools][use-multiple-node-pools].

+* Create a node pool with a `priority` of `Spot` using the [az aks nodepool add][az-aks-nodepool-add] command.

+ ```azurecli-interactive

+ az aks nodepool add \

+ --resource-group myResourceGroup \

+ --cluster-name myAKSCluster \

+ --name spotnodepool \

+ --priority Spot \

+ --eviction-policy Delete \

+ --spot-max-price -1 \

+ --enable-cluster-autoscaler \

+ --min-count 1 \

+ --max-count 3 \

+ --no-wait

+ ```

+In the previous command, the `priority` of `Spot` makes the node pool a Spot node pool. The `eviction-policy` parameter is set to `Delete`, which is the default value. When you set the [eviction policy][eviction-policy] to `Delete`, nodes in the underlying scale set of the node pool are deleted when they're evicted.

+You can also set the eviction policy to `Deallocate`, which means that the nodes in the underlying scale set are set to the *stopped-deallocated* state upon eviction. Nodes in the *stopped-deallocated* state count against your compute quota and can cause issues with cluster scaling or upgrading. The `priority` and `eviction-policy` values can only be set during node pool creation. Those values can't be updated later.

+The previous command also enables the [cluster autoscaler][cluster-autoscaler], which we recommend using with Spot node pools. Based on the workloads running in your cluster, the cluster autoscaler scales the number of nodes up and down. For Spot node pools, the cluster autoscaler will scale up the number of nodes after an eviction if more nodes are still needed. If you change the maximum number of nodes a node pool can have, you also need to adjust the `maxCount` value associated with the cluster autoscaler. If you don't use a cluster autoscaler, upon eviction, the Spot pool will eventually decrease to *0* and require manual operation to receive any additional Spot nodes.

+> Only schedule workloads on Spot node pools that can handle interruptions, such as batch processing jobs and testing environments. We recommend you set up [taints and tolerations][taints-tolerations] on your Spot node pool to ensure that only workloads that can handle node evictions are scheduled on a Spot node pool. For example, the above command adds a taint of `kubernetes.azure.com/scalesetpriority=spot:NoSchedule`, so only pods with a corresponding toleration are scheduled on this node.

+### Verify the Spot node pool

+* Verify your node pool has been added using the [`az aks nodepool show`][az-aks-nodepool-show] command and confirming the `scaleSetPriority` is `Spot`.

+ ```azurecli

+ az aks nodepool show --resource-group myResourceGroup --cluster-name myAKSCluster --name spotnodepool

+ ```

+### Schedule a pod to run on the Spot node

+To schedule a pod to run on a Spot node, you can add a toleration and node affinity that corresponds to the taint applied to your Spot node.

+The following example shows a portion of a YAML file that defines a toleration corresponding to the `kubernetes.azure.com/scalesetpriority=spot:NoSchedule` taint and a node affinity corresponding to the `kubernetes.azure.com/scalesetpriority=spot` label used in the previous step.

+When you deploy a pod with this toleration and node affinity, Kubernetes will successfully schedule the pod on the nodes with the taint and label applied.

+When you upgrade a Spot node pool, AKS internally issues a cordon and an eviction notice, but no drain is applied. There are no surge nodes available for Spot node pool upgrades. Outside of these changes, the behavior when upgrading Spot node pools is consistent with that of other node pool types.

+For more information on upgrading, see [Upgrade an AKS cluster][upgrade-cluster].

+[Pricing for Spot instances is variable][pricing-spot], based on region and SKU. For more information, see pricing information for [Linux][pricing-linux] and [Windows][pricing-windows].

+With variable pricing, you have the option to set a max price, in US dollars (USD) using up to five decimal places. For example, the value *0.98765* would be a max price of *$0.98765 USD per hour*. If you set the max price to *-1*, the instance won't be evicted based on price. As long as there's capacity and quota available, the price for the instance will be the lower price of either the current price for a Spot instance or for a standard instance.

+[az-aks-nodepool-show]: /cli/azure/aks/nodepool#az_aks_nodepool_show

+[Azure ultra disks](../virtual-machines/disks-enable-ultra-ssd.md) offer high throughput, high IOPS, and consistent low latency disk storage for your stateful applications. With ultra disks, you can dynamically change the performance of the SSD along with your workloads without the need to restart your agent nodes. Ultra disks are suited for data-intensive workloads.

+This feature can only be set at cluster or node pool creation time.

+> Azure ultra disks require node pools deployed in availability zones and regions that support these disks and specific VM series. For more information, see the [**Ultra disks GA scope and limitations**](../virtual-machines/disks-enable-ultra-ssd.md#ga-scope-and-limitations).

+- Ultra disks can't be used with certain features, such as availability sets or Azure Disk encryption. Review [**Ultra disks GA scope and limitations**](../virtual-machines/disks-enable-ultra-ssd.md#ga-scope-and-limitations) before proceeding.

+- The supported size range for ultra disks is between *100* and *1500*.

+## Create a cluster that can use ultra disks

+Create an AKS cluster that can use ultra disks by enabling the `EnableUltraSSD` feature.

+1. Create an Azure resource group using the [`az group create`][az-group-create] command.

+ ```azurecli-interactive

+ az group create --name myResourceGroup --location westus2

+ ```

+2. Create an AKS-managed Azure AD cluster with support for ultra disks using the [`az aks create`][az-aks-create] command with the `--enable-ultra-ssd` flag.

+ ```azurecli-interactive

+ az aks create -g MyResourceGroup -n myAKSCluster -l westus2 --node-vm-size Standard_D2s_v3 --zones 1 2 --node-count 2 --enable-ultra-ssd

+ ```

+You can enable ultra disks on existing clusters by adding a new node pool to your cluster that support ultra disks.

+- Configure a new node pool to use ultra disks using the [`az aks nodepool add`][az-aks-nodepool-add] command with the `--enable-ultra-ssd` flag.

+ ```azurecli

+ az aks nodepool add --name ultradisk --cluster-name myAKSCluster --resource-group myResourceGroup --node-vm-size Standard_D2s_v3 --zones 1 2 --node-count 2 --enable-ultra-ssd

+ ```

+To use ultra disks in your deployments or stateful sets, you can use a [storage class for dynamic provisioning][azure-disk-volume].

+A storage class is used to define how a unit of storage is dynamically created with a persistent volume. For more information on Kubernetes storage classes, see [Kubernetes storage classes][kubernetes-storage-classes]. In this case, we'll create a storage class that references ultra disks.

+1. Create a file named `azure-ultra-disk-sc.yaml` and copy in the following manifest:

+ ```yaml

+ kind: StorageClass

+ apiVersion: storage.k8s.io/v1

+ metadata:

+ name: ultra-disk-sc

+ provisioner: disk.csi.azure.com # replace with "kubernetes.io/azure-disk" if aks version is less than 1.21

+ volumeBindingMode: WaitForFirstConsumer # optional, but recommended if you want to wait until the pod that will use this disk is created

+ parameters:

+ skuname: UltraSSD_LRS

+ kind: managed

+ cachingMode: None

+ diskIopsReadWrite: "2000" # minimum value: 2 IOPS/GiB

+ diskMbpsReadWrite: "320" # minimum value: 0.032/GiB

+ ```

+2. Create the storage class using the [`kubectl apply`][kubectl-apply] command and specify your `azure-ultra-disk-sc.yaml` file.

+ ```console

+ kubectl apply -f azure-ultra-disk-sc.yaml

+ ```

+ Your output should resemble the following example output:

+ ```console

+ storageclass.storage.k8s.io/ultra-disk-sc created

+ ```

+1. Create a file named `azure-ultra-disk-pvc.yaml` and copy in the following manifest:

+ ```yaml

+ apiVersion: v1

+ kind: PersistentVolumeClaim

+ metadata:

+ name: ultra-disk

+ spec:

+ accessModes:

+ - ReadWriteOnce

+ storageClassName: ultra-disk-sc

+ resources:

+ requests:

+ storage: 1000Gi

+ ```

+ The claim requests a disk named `ultra-disk` that is *1000 GB* in size with *ReadWriteOnce* access. The *ultra-disk-sc* storage class is specified as the storage class.

+2. Create the persistent volume claim using the [`kubectl apply`][kubectl-apply] command and specify your `azure-ultra-disk-pvc.yaml` file.

+ ```console

+ kubectl apply -f azure-ultra-disk-pvc.yaml

+ ```

+ Your output should resemble the following example output:

+ ```console

+ persistentvolumeclaim/ultra-disk created

+ ```

+1. Create a file named `nginx-ultra.yaml` and copy in the following manifest:

+ ```yaml

+ kind: Pod

+ apiVersion: v1

+ metadata:

+ name: nginx-ultra

+ spec:

+ containers:

+ - name: nginx-ultra

+ image: mcr.microsoft.com/oss/nginx/nginx:1.15.5-alpine

+ resources:

+ requests:

+ cpu: 100m

+ memory: 128Mi

+ limits:

+ cpu: 250m

+ memory: 256Mi

+ volumeMounts:

+ - mountPath: "/mnt/azure"

+ name: volume

+ volumes:

+ - name: volume

+ persistentVolumeClaim:

+ claimName: ultra-disk

+ ```

+2. Create the pod using [`kubectl apply`][kubectl-apply] command and specify your `nginx-ultra.yaml` file.

+ ```console

+ kubectl apply -f nginx-ultra.yaml

+ ```

+ Your output should resemble the following example output:

+ ```console

+ pod/nginx-ultra created

+ ```

+ You now have a running pod with your Azure disk mounted in the `/mnt/azure` directory.

+3. See your configuration details using the `kubectl describe pod` command and specify your `nginx-ultra.yaml` file.

+ ```console

+ kubectl describe pod nginx-ultra

+ ```

+ Your output should resemble the following example output:

+ ```console

+ [...]

+ Volumes:

+ volume:

+ Type: PersistentVolumeClaim (a reference to a PersistentVolumeClaim in the same namespace)

+ ClaimName: azure-managed-disk

+ ReadOnly: false

+ default-token-smm2n:

+ Type: Secret (a volume populated by a Secret)

+ SecretName: default-token-smm2n

+ Optional: false

+ [...]

+ Events:

+ Type Reason Age From Message

+ - - - -

+ Normal Scheduled 2m default-scheduler Successfully assigned mypod to aks-nodepool1-79590246-0

+ Normal SuccessfulMountVolume 2m kubelet, aks-nodepool1-79590246-0 MountVolume.SetUp succeeded for volume "default-token-smm2n"

+ Normal SuccessfulMountVolume 1m kubelet, aks-nodepool1-79590246-0 MountVolume.SetUp succeeded for volume "pvc-faf0f176-8b8d-11e8-923b-deb28c58d242"

+ [...]

+ ```

+For more details on using Azure tags, see [Use Azure tags in AKS][use-tags].

+- For more about storage best practices, see [Best practices for storage and backups in AKS][operator-best-practices-storage].

+[az-group-create]: /cli/azure/group#az_group_create

+[az-aks-create]: /cli/azure/aks#az_aks_create

+[az-aks-nodepool-add]: /cli/azure/aks/nodepool#az_aks_nodepool_add

+Azure API Management provides you the ability to customize the content of developer portal pages using a set of templates that configure their content. Using [DotLiquid](https://github.com/dotliquid) syntax and the editor of your choice, such as [DotLiquid for Designers](https://github.com/dotliquid/dotliquid/wiki/DotLiquid-for-Designers), and a provided set of localized [String resources](api-management-template-resources.md#strings), [Glyph resources](api-management-template-resources.md#glyphs), and [Page controls](api-management-page-controls.md), you have great flexibility to configure the content of the pages as you see fit using these templates.

+Azure API Management provides you the ability to customize the content of developer portal pages using a set of templates that configure their content. Using [DotLiquid](https://github.com/dotliquid) syntax and the editor of your choice, such as [DotLiquid for Designers](https://github.com/dotliquid/dotliquid/wiki/DotLiquid-for-Designers), and a provided set of localized [String resources](api-management-template-resources.md#strings), [Glyph resources](api-management-template-resources.md#glyphs), and [Page controls](api-management-page-controls.md), you have great flexibility to configure the content of the pages as you see fit using these templates.

+If your plan uses the IP DDoS Protection SKU, see [Enable DDoS IP Protection for a public IP address](../ddos-protection/manage-ddos-protection-powershell-ip.md#disable-ddos-ip-protection-for-an-existing-public-ip-address).

+1. Create an App Configuration store by following the [App Configuration quickstart](../azure-app-configuration/quickstart-azure-app-configuration-create.md).

+App Service adds the power of Microsoft Azure to your application, such as security, load balancing, autoscaling, and automated management. Additionally, you can take advantage of its DevOps capabilities, such as continuous deployment from Azure DevOps, GitHub, Docker Hub, and other sources, package management, staging environments, custom domain, and TLS/SSL certificates.

+In the Cloud Shell, use `sed` to change "Azure App Service - Sample Static HTML Site" to "Azure App Service".

+```bash

+sed -i 's/Azure App Service - Sample Static HTML Site/Azure App Service/' https://docsupdatetracker.net/index.html

+```

+In the Cloud Shell, use `sed` to change "Azure App Service - Sample Static HTML Site" to "Azure App Service".

+```bash

+sed -i 's/Azure App Service - Sample Static HTML Site/Azure App Service/' https://docsupdatetracker.net/index.html

+```

+1. From Azure Cloud Shell, launch a text editor and edit the file `app/controllers/application_controller.rb`. Edit the *ApplicationController* class so that it shows "Hello world from Azure App Service on Linux!" instead of "Hello from Azure App Service on Linux!".

+ - For Azure Database for MySQL: `https://ossrdbms-aad.database.windows.net/.default`

+ - For Azure Database for PostgreSQL: `https://ossrdbms-aad.database.windows.net/.default`

+ var token = credential.GetToken(new Azure.Core.TokenRequestContext(new[] { "https://ossrdbms-aad.database.windows.net/.default" }));

+ var token = credential.GetToken(new Azure.Core.TokenRequestContext(new[] { "https://ossrdbms-aad.database.windows.net/.default" }));

+ var token = credential.GetToken(new Azure.Core.TokenRequestContext(new[] { "https://ossrdbms-aad.database.windows.net/.default" }));

+ var token = credential.GetToken(new Azure.Core.TokenRequestContext(new[] { "https://ossrdbms-aad.database.windows.net/.default" }));

+ const accessToken = await credential.getToken("https://ossrdbms-aad.database.windows.net/.default");

+ const accessToken = await credential.getToken("https://ossrdbms-aad.database.windows.net/.default");

+ token = credential.get_token("https://ossrdbms-aad.database.windows.net/.default")

+ token = credential.get_token("https://ossrdbms-aad.database.windows.net/.default")

+ request.addScopes("https://ossrdbms-aad.database.windows.net/.default");

+ request.addScopes("https://ossrdbms-aad.database.windows.net/.default");

+To use the custom image, you'll update your docker-compose-wordpress.yml file. In Cloud Shell, open a text editor and change the `image: wordpress` to use `image: mcr.microsoft.com/azuredocs/multicontainerwordpress`. You no longer need the database container. Remove the `db`, `environment`, `depends_on`, and `volumes` section from the configuration file. Your file should look like the following code:

+In the Cloud Shell, opne the file `docker-compose-wordpress.yml` in a text editor.

+> [!IMPORTANT]

+> If you receive an error message for the backend server certificate, verify that the frontend certificate Common Name (CN) matches the backend certificate CN. For more information, see [Trusted root certificate mismatch](./application-gateway-backend-health-troubleshooting.md#trusted-root-certificate-mismatch)

+

+The bulk operation feature is helpful for large gateways having multiple SSL certificates for separate listeners. Similar to individual certificate management, this option also allows you to change the type from "Uploaded" to "Key Vault" or vice-versa (if required). This utility is also helpful in recovering a gateway when facing misconfigurations for multiple certificate objects simultaneously.

+In Application Gateway v1 SKU gateways, [TLS policy](./application-gateway-ssl-policy-overview.md) applies the TLS version only to frontend traffic and the defined ciphers to both frontend and backend targets. In Application Gateway v2 SKU gateways, TLS policy only applies to frontend traffic, backend TLS connections will always be negotiated via TLS 1.0 to TLS 1.2 versions.

+Path rules are processed in order, based on how they're listed in the portal. The least specific path (with wildcards) should be at the end of the list, so that it will be processed last. If wildcard rules are present at the top of the list, they take priority and will be processed first. See the following example scenarios.

+# Azure Form Recognizer health insurance card model

+| **Acumatica** | [**Acumatica**](https://www.acumatica.com/) is a technology provider that develops cloud and browser-based enterprise resource planning (ERP) software for small and medium-sized businesses (SMBs). To bring expense claims into the modern age, Acumatica incorporated Form Recognizer into its native application. The Form Recognizer's prebuilt-receipt API and machine learning capabilities are used to automatically extract data from receipts. Acumatica's customers can file multiple, error-free claims in a matter of seconds, freeing up more time to focus on other important tasks. | |

+|**Arkas Logistics** | [**Arkas Logistics**](http://www.arkaslojistik.com.tr/) is operates under the umbrella of Arkas Holding, T├╝rkiye's leading holding institution and operating in 23 countries. During the COVID-19 crisis, the company has been able to provide outstanding, complete logistical services thanks to its focus on contactless operation and digitalization steps. Form Recognizer powers a solution that maintains the continuity of the supply chain and allows for uninterrupted service. ||

+|**Automation Anywhere**| [**Automation Anywhere**](https://www.automationanywhere.com/) is on a singular and unwavering mission to democratize automation by liberating teams from mundane, repetitive tasks, and allowing more time for innovation and creativity with cloud-native robotic process automation (RPA)software. To protect the citizens of the United Kingdom, healthcare providers must process tens of thousands of COVID-19 tests daily, each one accompanied by a form for the World Health Organization (WHO). Manually completing and processing these forms would potentially slow testing and divert resources away from patient care. In response, Automation Anywhere built an AI-powered bot to help a healthcare provider automatically process and submit the COVID-19 test forms at scale. | |

+|**AvidXchange**| [**AvidXchange**](https://www.avidxchange.com/) has developed an accounts payable automation solution applying Form Recognizer. AvidXchange partners with Azure Cognitive Services to deliver an accounts payable automation solution for the middle market. Customers benefit from faster invoice processing times and increased accuracy to ensure their suppliers are paid the right amount, at the right time. ||

+|**Blue Prism**| [**Blue Prism**](https://www.blueprism.com/) Decipher is an AI-powered document processing capability that's directly embedded into the company's connected-RPA platform. Decipher works with Form Recognizer to help organizations process forms faster and with less human effort. One of Blue Prism's customers has been testing the solution to automate invoice handling as part of its procurement process. ||

+|**Cross Masters**|[**Cross Masters**](https://crossmasters.com/), uses cutting-edge AI technologies not only as a passion, but as an essential part of a work culture requiring continuous innovation. One of the latest success stories is automation of manual paperwork required to process thousands of invoices. Cross Masters used Form Recognizer to develop a unique, customized solution, to provide clients with market insights from a large set of collected invoices. Most impressive is the extraction quality and continuous introduction of new features, such as model composing and table labeling. ||

+|**Financial Fabric**| [**Financial Fabric**](https://www.financialfabric.com/), a Microsoft Cloud Solution Provider, delivers data architecture, science, and analytics services to investment managers at hedge funds, family offices, and corporate treasuries. Its daily processes involve extracting and normalizing data from thousands of complex financial documents, such as bank statements and legal agreements. The company then provides custom analytics to help its clients make better investment decisions. Extracting this data previously took days or weeks. By using Form Recognizer, Financial Fabric has reduced the time it takes to go from extraction to analysis to just minutes. ||

+|**GEP**| [**GEP**](https://www.gep.com/) has developed an invoice processing solution for a client using Form Recognizer. GEP combined their AI solution with Azure Form Recognizer to automate the processing of 4,000 invoices a day for a client saving them tens of thousands of hours of manual effort. This collaborative effort improved accuracy, controls, and compliance on a global scale." Sarateudu Sethi, GEP's Vice President of Artificial Intelligence. ||

+|**Icertis**| [**Icertis**](https://www.icertis.com/), is a Software as a Service (SaaS) provider headquartered in Bellevue, Washington. Icertis digitally transforms the contract management process with a cloud-based, AI-powered, contract lifecycle management solution. Azure Form Recognizer enables Icertis Contract Intelligence to take key-value pairs embedded in contracts and create structured data understood and operated upon by machine algorithms. Through these and other powerful Azure Cognitive and AI services, Icertis empowers customers in every industry to improve business in multiple ways: optimized manufacturing operations, added agility to retail strategies, reduced risk in IT services, and faster delivery of life-saving pharmaceutical products. ||

+| **WEX**| [**WEX**](https://www.wexinc.com/) has developed a tool to process Explanation of Benefits documents using Form Recognizer. "The technology is truly amazing. I was initially worried that this type of solution wouldn't be feasible, but I soon realized that Form Recognizer can read virtually any document with accuracy." Matt Dallahan, Senior Vice President of Product Management and Strategy ||

+|**Wilson Allen** | [**Wilson Allen**](https://wilsonallen.com/) took advantage of AI container support for Azure Cognitive Services and created a powerful AI solution that help firms around the world find unprecedented levels of insight in previously siloed and unstructured data. Its clients can use this data to support business development and foster client relationships. ||

+To run PowerShell 7.2 runbooks on a Windows Hybrid Worker, install *PowerShell* on the Hybrid Worker. See [Installing PowerShell on Windows](/powershell/scripting/install/installing-powershell-on-windows).

+To run PowerShell 7.1 runbooks on a Windows Hybrid Worker, install *PowerShell* on the Hybrid Worker. See [Installing PowerShell on Windows](/powershell/scripting/install/installing-powershell-on-windows).

+To run PowerShell 7.1 runbooks on a Windows Hybrid Worker, install *PowerShell* on the Hybrid Worker. See [Installing PowerShell on Windows](/powershell/scripting/install/installing-powershell-on-windows).

+To run PowerShell 7.2 runbooks on a Linux Hybrid Worker, install *PowerShell* file on the Hybrid Worker. For more information, see [Installing PowerShell on Linux](/powershell/scripting/install/installing-powershell-on-linux).

+1. Once you are using **nxautomation**, generate the GPG keypair as root. GPG guides you through the steps. You must provide name, email address, expiration time, and passphrase. Then you wait until there is enough entropy on the machine for the key to be generated.

+1. Because the GPG directory was generated with sudo, you must change its owner to **nxautomation** using the following command as root.

+If signature validation has been disabled on the machine, you must turn it on by running the following command as root. Replace `<LogAnalyticsworkspaceId>` with your workspace ID.

+> - Currently, PowerShell 7.2 (preview) runtime version is supported for both Cloud and Hybrid jobs in all Public regions except Australia Central2, Korea South, Sweden South, Jio India Central, Brazil Southeast, Central India, West India, UAE Central, and Gov clouds.

+For example: if you're executing a runbook for a SharePoint automation scenario in **Runtime version** *7.1 (preview)*, then import the module in **Runtime version** **7.1 (preview)**; if you're executing a runbook for a SharePoint automation scenario in **Runtime version** **5.1**, then import the module in **Runtime version** *5.1*. In this case, you would see two entries for the module, one for **Runtime Version** **7.1(preview)** and other for **5.1**.

+- Runbooks can't use the PowerShell [#Requires](/powershell/module/microsoft.powershell.core/about/about_requires) statement, it isn't supported in Azure sandbox or on Hybrid Runbook Workers and might cause the job to fail.

+- The Azure Automation internal PowerShell cmdlets aren't supported on a Linux Hybrid Runbook Worker. You must import the `automationassets` module at the beginning of your Python runbook to access the Automation account shared resources (assets) functions.

+- For the PowerShell 7 runtime version, the module activities aren't extracted for the imported modules.

+- *PSCredential* runbook parameter type isn't supported in PowerShell 7 runtime version.

+- PowerShell 7.x doesn't support workflows. See [this](/powershell/scripting/whats-new/differences-from-windows-powershell#powershell-workflow) for more details.

+- PowerShell 7.x currently doesn't support signed runbooks.

+- PowerShell 7.1 module management isn't supported through `Get-AzAutomationModule` cmdlets.

+- Executing child scripts using `.\child-runbook.ps1` isn't supported in this preview.

+- When you import a PowerShell 7.1 module that's dependent on other modules, you may find that the import button is gray even when PowerShell 7.1 version of the dependent module is installed. For example, Az.Compute version 4.20.0, has a dependency on Az.Accounts being >= 2.6.0. This issue occurs when an equivalent dependent module in PowerShell 5.1 doesn't meet the version requirements. For example, 5.1 version of Az.Accounts were < 2.6.0.

+> Currently, PowerShell 7.2 (preview) runtime version is supported for both Cloud and Hybrid jobs in all Public regions except Australia Central2, Korea South, Sweden South, Jio India Central, Brazil Southeast, Central India, West India, UAE Central, and Gov clouds.

+- For the PowerShell 7 runtime version, the module activities aren't extracted for the imported modules.

+- *PSCredential* runbook parameter type isn't supported in PowerShell 7 runtime version.

+- PowerShell 7.x doesn't support workflows. See [this](/powershell/scripting/whats-new/differences-from-windows-powershell#powershell-workflow) for more details.

+- PowerShell 7.x currently doesn't support signed runbooks.

+- Source control integration doesn't support PowerShell 7.2 (preview). Also, PowerShell 7.2 (preview) runbooks in source control get created in Automation account as Runtime 5.1.

+- Currently, PowerShell 7.2 (preview) runbooks are only supported from Azure portal. Rest API and PowerShell isn't supported.

+- Az module 8.3.0 is installed by default and can't be managed at the automation account level. Use custom modules to override the Az module to the desired version.

+Currently, Python 3.10 (preview) runtime version is supported for both Cloud and Hybrid jobs in all Public regions except Australia Central2, Korea South, Sweden South, Jio India Central, Brazil SouthEast, Central India, West India, UAE Central, and Gov clouds.

+- For Python 2.7.12 modules, use wheel files cp27-amd6.

+- The Python **automationassets** package isn't available on pypi.org, so it's not available for import onto a Windows machine.

+- For Python 3.10 (preview) modules, currently, only the wheel files targeting cp310 Linux OS are supported. [Learn more](./python-3-packages.md).

+- Custom packages for Python 3.10 (preview) are only validated during job runtime. Job is expected to fail if the package is not compatible in the runtime or if necessary dependencies of packages are not imported into automation account.

+- Currently, Python 3.10 (preview) runbooks are only supported from Azure portal. Rest API and PowerShell isn't supported.

+It's applicable for Windows Hybrid workers. For a Windows Runbook Worker, when running a Python 2 runbook it looks for the environment variable `PYTHON_2_PATH` first and validates whether it points to a valid executable file. For example, if the installation folder is `C:\Python2`, it would check if `C:\Python2\python.exe` is a valid path. If not found, then it looks for the `PATH` environment variable to do a similar check.

+For cloud jobs, Python 3.8 jobs sometimes fail with an exception message `invalid interpreter executable path`. You might see this exception if the job is delayed, starting more than 10 minutes, or using **Start-AutomationRunbook** to start Python 3.8 runbooks. If the job is delayed, restarting the runbook should be sufficient.

+ > Currently, Python 3.10 (preview) runtime version is supported for both Cloud and Hybrid jobs in all Public regions except Australia Central2, Korea South, Sweden South, Jio India Central, Brazil Southeast, Central India, West India, UAE Central, and Gov clouds.

+1. Select **Import**.

+> Azure App Configuration supports [geo-replication](./concept-geo-replication.md). You can enable replicas of your data across multiple locations for enhanced resiliency to regional outages. You can also leverage App Configuration provider libraries in your applications for [automatic failover](./howto-geo-replication.md#use-replicas). Utilizing geo-replication is the recommended solution for high availability.

+ Title: Geo-replication in Azure App Configuration

+# Geo-replication overview

+The App Configuration geo-replication feature allows you to replicate your configuration store at-will to the regions of your choice. Each new **replica** will be in a different region and creates a new endpoint for your applications to send requests to. The original endpoint of your configuration store is called the **Origin**. The origin can't be removed, but otherwise behaves like any replica.

+> [Resiliency and Disaster Recovery](./concept-disaster-recovery.md)

+- An Azure account with an active subscription. [Create one for free](https://azure.microsoft.com/free/).

+- An App Configuration store. [Create a store](./quickstart-azure-app-configuration-create.md#create-an-app-configuration-store).

+## Add key-values

+Add the following key-values to the App Configuration store and leave **Label** and **Content Type** with their default values. For more information about how to add key-values to a store using the Azure portal or the CLI, go to [Create a key-value](./quickstart-azure-app-configuration-create.md#create-a-key-value).

+| Key | Value |

+||-|

+| *TestApp:Settings:BackgroundColor* | *White* |

+| *TestApp:Settings:FontColor* | *Black* |

+| *TestApp:Settings:FontSize* | *40* |

+| *TestApp:Settings:Message* | *Data from Azure App Configuration* |

+| *TestApp:Settings:Sentinel* | *v1* |

+- An Azure account with an active subscription. [Create one for free](https://azure.microsoft.com/free/).

+- An App Configuration store. [Create a store](./quickstart-azure-app-configuration-create.md#create-an-app-configuration-store).

+## Add a key-value

+Add the following key-value to the App Configuration store and leave **Label** and **Content Type** with their default values. For more information about how to add key-values to a store using the Azure portal or the CLI, go to [Create a key-value](./quickstart-azure-app-configuration-create.md#create-a-key-value).

+| Key | Value |

+|-|-|

+| *TestApp:Settings:Message* | *Data from Azure App Configuration* |

+> [!IMPORTANT]

+> Azure App Configuration supports [geo-replication](./concept-geo-replication.md). You can enable replicas of your data across multiple locations for enhanced resiliency to regional outages. You can also leverage App Configuration provider libraries in your applications for [automatic failover](./howto-geo-replication.md#use-replicas). Utilizing geo-replication is the recommended solution for high availability.

+ Title: Enable geo-replication

+# Enable geo-replication

+Assuming you have an application using Azure App Configuration, you can update it as the following sample code to take advantage of the failover feature. You can either provide a list of endpoints for Azure Active Directory (Azure AD) authentication or a list of connection strings for access key-based authentication.

+**Connect with Azure AD**

+ new Uri("<first-replica-endpoint>"),

+ new Uri("<second-replica-endpoint>") };

+ // Connect to replica endpoints using Azure AD authentication

+**Connect with Connection String**

+```csharp

+configurationBuilder.AddAzureAppConfiguration(options =>

+{

+ // Provide an ordered list of replica connection strings

+ var connectionStrings = new string[] {

+ Environment.GetEnvironmentVariable("FIRST_REPLICA_CONNECTION_STRING"),

+ Environment.GetEnvironmentVariable("SECOND_REPLICA_CONNECTION_STRING") };

+

+ // Connect to replica endpoints using connection strings

+ options.Connect(connectionStrings);

+ // Other changes to options

+});

+```

+> The failover support is available if you use version **6.0.0** or later of any of the following packages.

+Edit the `endpoints` or `connection-strings` properties in the `bootstrap.properties` file of your application.

+**Connect with Azure AD**

+spring.cloud.azure.appconfiguration.stores[0].endpoints[0]="<first-replica-endpoint>"

+spring.cloud.azure.appconfiguration.stores[0].endpoints[1]="<second-replica-endpoint>"

+> The failover support is available if you use version of **4.0.0-beta.1** or later of any of the following packages.

+> - `spring-cloud-azure-appconfiguration-config`

+> - `spring-cloud-azure-appconfiguration-config-web`

+> - `spring-cloud-azure-starter-appconfiguration-config`

+- An App Configuration store. [Create a store](./quickstart-azure-app-configuration-create.md#create-an-app-configuration-store).

+Add the following key-values to the App Configuration store. Leave **Label** with its default value. For more information about how to add key-values to a store using the Azure portal or the CLI, go to [Create a key-value](./quickstart-azure-app-configuration-create.md#create-a-key-value).

+| Key | Value | Content Type |

+| - | - | |

+| *Settings:BackgroundColor* | *"Green"* | *application/json* |

+| *Settings:FontSize* | *24* | *application/json* |

+| *Settings:UseDefaultRouting* | *false* | *application/json* |

+| *Settings:BlockedUsers* | *null* | *application/json* |

+| *Settings:ReleaseDate* | *"2020-08-04T12:34:56.789Z"* | *application/json* |

+| *Settings:RolloutPercentage* | *[25,50,75,100]* | *application/json* |

+| *Settings:Logging* | *{"Test":{"Level":"Debug"},"Prod":{"Level":"Warning"}}* | *application/json* |

+1. Select **Apply**.

+> The `--depth` argument is used for flattening hierarchical data from a file into key-values. In this tutorial, depth is specified for demonstrating that you can also store JSON objects as values in App Configuration. If depth isn't specified, JSON objects will be flattened to the deepest level by default.

+#Customer intent: I want to move my App Configuration resource from one Azure region to another.

+# Move an App Configuration store to another region

+App Configuration stores are region-specific and can't be moved across regions automatically. You must create a new App Configuration store in the target region, then move your content from the source store to the new target store. You might move your configuration to another region for a number of reasons. For example, to take advantage of a new Azure region with availability zone support, to deploy features or services available in specific regions only, or to meet internal policy and governance requirements.

+The following steps walk you through the process of creating a new target store and exporting your current store to the new region.

+* Configuration store names are globally unique.

+## Create a target configuration store

+1. Create a new App Configuration store by following the [App Configuration quickstart](../azure-app-configuration/quickstart-azure-app-configuration-create.md#create-an-app-configuration-store). For **Location** select the target region you want to move your configuration store to, and for **Pricing tier** select **Standard**.

+1. Once the resource has been deployed, recreate the access policies and network configuration settings of your source store. These will not be transferred with the configuration. This can include using managed identities, virtual networks, and public network access.

+Follow these steps to export your configuration to the target store using the Azure portal:

+1. Navigate to your source configuration store in the [Azure portal](https://portal.azure.com) and select **Import/Export** under **Operations**.

+1. Select **Export** and choose **App Configuration** in the **Target Service** dropdown.

+1. Click on **Select Resource** and enter your **Subscription** and **Resource group**. The **Resource** is the name of the target configuration store you created previously.

+1. Select **Apply** to verify your target configuration store.

+1. Leave the **From label**, **Time**, and **Label** fields with their default values and select **Apply**. For more information about labels, go to [Keys and values](concept-key-value.md).

+1. To verify that your configurations have been successfully transferred from your source to your target store, navigate to your target configuration store in the portal. Select **Configuration Explorer** under **Operations** and verify that this contains the same key-values as those in your original store.

+1. In the Azure CLI, enter the following command that will export all of the values from your source configuration store to your target configuration store.

+1. To verify that your configurations have been successfully transferred from your source to your target store, list all of the key values in your target store.

+## Delete your source configuration store

+If the configuration has been transferred to the target store, you can choose to delete your source configuration store.

+1. In the **Filter by name** box, enter the name of your resource group.

+1. Select your source configuration store, and on the **Overview** blade, select **Delete**.

+1. In the Azure CLI, run the following command:

+ Note that the **Resource Group** is the one associated with your source Configuration store.

+> [!div class="nextstepaction"]

+> [Azure App Configuration resiliency and disaster recovery](./concept-disaster-recovery.md)

+> [!div class="nextstepaction"]

+> [How to enable geo-replication](./howto-geo-replication.md)

+- An Azure account with an active subscription. [Create one for free](https://azure.microsoft.com/free/).

+- An App Configuration store. [Create a store](./quickstart-azure-app-configuration-create.md#create-an-app-configuration-store).

+## Add key-values

+Add the following key-values to the App Configuration store and leave **Label** and **Content Type** with their default values. For more information about how to add key-values to a store using the Azure portal or the CLI, go to [Create a key-value](./quickstart-azure-app-configuration-create.md#create-a-key-value).

+| Key | Value |

+|||

+| *settings.color* | *White* |

+| *settings.message* | *Data from Azure App Configuration* |

+> [!div class="nextstepaction"]

+> [FAQ](faq.yml)

+>

+> [!div class="nextstepaction"]

+> [Create an App Configuration store](quickstart-azure-app-configuration-create.md)

+- An Azure account with an active subscription. [Create one for free](https://azure.microsoft.com/free/).

+- An App Configuration store. [Create a store](./quickstart-azure-app-configuration-create.md#create-an-app-configuration-store).

+- [.NET Core SDK](https://dotnet.microsoft.com/download)

+## Add key-values

+Add the following key-values to the App Configuration store and leave **Label** and **Content Type** with their default values. For more information about how to add key-values to a store using the Azure portal or the CLI, go to [Create a key-value](./quickstart-azure-app-configuration-create.md#create-a-key-value).

+| Key | Value |

+||-|

+| *TestApp:Settings:BackgroundColor* | *white* |

+| *TestApp:Settings:FontColor* | *black* |

+| *TestApp:Settings:FontSize* | *24* |

+| *TestApp:Settings:Message* | *Data from Azure App Configuration* |

+ Title: "Quickstart: Create an Azure App Configuration store"

+description: "In this quickstart, learn how to create an App Configuration store."

+ms.devlang: csharp

+#Customer intent: As an Azure developer, I want to create an app configuration store to manage all my app settings in one place using Azure App Configuration.

+# Quickstart: Create an Azure App Configuration store

+Azure App Configuration is an Azure service designed to help you centrally manage your app settings and feature flags. In this quickstart, learn how to create an App Configuration store and add a few key-values and feature flags.

+## Prerequisites

+An Azure account with an active subscription. [Create one for free](https://azure.microsoft.com/free/).

+## Create an App Configuration store

+### [Portal](#tab/azure-portal)

+1. On the Azure portal's homepage, enter *App Configuration* in the search box at the top and select **App Configuration** from the search results.

+ :::image type="content" source="media/azure-app-configuration-create/azure-portal-find-app-configuration.png" alt-text="Screenshot of the Azure portal that shows the App Configuration service in the search bar.":::

+1. Select **Create** or **Create app configuration**.

+ :::image type="content" source="media/azure-app-configuration-create/azure-portal-select-create-app-configuration.png" alt-text="Screenshot of the Azure portal that shows the button to launch the creation of an App Configuration store.":::

+1. In the **Basics** tab, enter the following settings:

+ | Setting | Suggested value | Description |

+ |-|-||

+ | **Subscription** | Your subscription | Select the Azure subscription that you want to use to create an App Configuration store. If your account has only one subscription, it's automatically selected and the **Subscription** list isn't displayed. |

+ | **Resource group** | *AppConfigTestResources* | Select or create a resource group for your App Configuration store resource. A resource group can be used to organize and manage multiple resources at the same time, such as deleting multiple resources in a single operation by deleting their resource group. For more information, see [Manage Azure resource groups by using the Azure portal](../azure-resource-manager/management/manage-resource-groups-portal.md). |

+ | **Location** | *Central US* | Use **Location** to specify the geographic location in which your app configuration store is hosted. For the best performance, create the resource in the same region as other components of your application. |

+ | **Resource name** | Globally unique name | Enter a unique resource name to use for the App Configuration store resource. The name must be a string between 5 and 50 characters and contain only numbers, letters, and the `-` character. The name can't start or end with the `-` character. |

+ | **Pricing tier** | *Free* | Selecting **Free**. If you select the standard tier, you can also get access to geo-replication and soft-delete features. For more information, see the [App Configuration pricing page](https://azure.microsoft.com/pricing/details/app-configuration). |

+

+ :::image type="content" source="media/azure-app-configuration-create/azure-portal-basic-tab.png" alt-text="Screenshot of the Azure portal that shows the basic tab of the creation for with the free tier selected.":::

+1. Select **Review + create** to validate your settings.

+ :::image type="content" source="media/azure-app-configuration-create/azure-portal-review.png" alt-text="Screenshot of the Azure portal that shows the configuration settings in the Review + create tab.":::

+1. Select **Create**. The deployment might take a few minutes.

+1. After the deployment finishes, go to the App Configuration resource. Select **Settings** > **Access keys**. Make a note of the primary read-only key connection string. You'll use this connection string later to configure your application to communicate with the App Configuration store that you created.

+### [Azure CLI](#tab/azure-cli)

+To create an App Configuration store, start by creating a resource group for your new service.

+### Create a resource group

+Create a resource group named *AppConfigTestResources* in the Central US location with the [az group create](/cli/azure/group#az-group-create) command:

+```azurecli

+az group create --name AppConfigTestResources --location centralus

+```

+### Create an App Configuration store

+Create a new store with the [az group create](/cli/azure/appconfig/#az-appconfig-create) command and replace the placeholder `<name>` with a unique resource name for your App Configuration store.

+```azurecli

+az appconfig create --location centralus --name <name> --resource-group AppConfigTestResources

+```

+If you're following another tutorial to use the App Configuration store, you can go back to your original tutorial as the store should be ready. To continue with this tutorial, follow the steps below.

+## Create a key-value

+### [Portal](#tab/azure-portal)

+ 1. Select **Operations** > **Configuration explorer** > **Create** > **Key-value** to add a key-value to a store. For example:

+ | Key | Value |

+ ||-|

+ |*TestApp:Settings:TextAlign* | *center* |

+

+1. Leave **Label** and **Content Type** with their default values, then select **Apply**. For more information about labels and content types, go to [Keys and values](concept-key-value.md).

+ :::image type="content" source="media/azure-app-configuration-create/azure-portal-create-key-value.png" alt-text="Screenshot of the Azure portal that shows the configuration settings to create a key-value.":::

+### [Azure CLI](#tab/azure-cli)

+Add a key-value to the App Configuration store using the [az appconfig kv set](/cli/azure/appconfig/#az-appconfig-kv-set) command. Replace the placeholder `<name>` with the name of the App Configuration store:

+```azurecli

+az appconfig kv set --name <name> --key TestApp:Settings:TextAlign --value center

+```

+## Create a feature flag

+### [Portal](#tab/azure-portal)

+1. Select **Operations** > **Feature Manager** > **Create** and fill out the form with the following parameters:

+ | Setting | Suggested value | Description |

+ ||--|--|

+ | Enable feature flag | Box is checked. | Check this box to make the new feature flag active as soon as the flag has been created. |

+ | Feature flag name | *featureA* | The feature flag name is the unique ID of the flag, and the name that should be used when referencing the flag in code. |

+1. Leave all other fields with their default values and select **Apply**.

+ :::image type="content" source="media/azure-app-configuration-create/azure-portal-create-feature-flag.png" alt-text="Screenshot of the Azure portal that shows the configuration settings to create a feature flag.":::

+### [Azure CLI](#tab/azure-cli)

+Add a feature flag to the App Configuration store using the [az appconfig feature set](/cli/azure/appconfig/#az-appconfig-feature-set) command. Replace the placeholder `<name>` with the name of the App Configuration store:

+```azurecli

+az appconfig feature set --name <name> --feature featureA

+```

+## Clean up resources

+When no longer needed, delete the resource group. Deleting a resource group also deletes the resources in it.

+> [!WARNING]

+> Deleting a resource group is irreversible.

+### [Portal](#tab/azure-portal)

+1. In the Azure portal, search for and select **Resource groups**.

+1. Select your resource group, for instance *AppConfigTestResources*, and then select **Delete resource group**.

+1. Type the resource group name to verify, and then select **Delete**.

+### [Azure CLI](#tab/azure-cli)

+Run the [az group delete](/cli/azure/group/#az-group-delete) command. Replace the placeholder `<name>` with the name of the App Configuration store:

+```azurecli

+az group delete --name <name>

+```

+## Next steps

+Advance to the next article to learn how to create an ASP.NET Core app with Azure App Configuration to centralize storage and management of its application settings.

+> [!div class="nextstepaction"]

+> [Quickstart ASP.NET Core](quickstart-aspnet-core-app.md)

+- An Azure account with an active subscription. [Create one for free](https://azure.microsoft.com/free/).

+- An App Configuration store. [Create a store](./quickstart-azure-app-configuration-create.md#create-an-app-configuration-store).

+## Add a key-value

+Add the following key-value to the App Configuration store and leave **Label** and **Content Type** with their default values. For more information about how to add key-values to a store using the Azure portal or the CLI, go to [Create a key-value](./quickstart-azure-app-configuration-create.md#create-a-key-value).

+| Key | Value |

+| -- | -- |

+| *TestApp:Settings:Message* | *Data from Azure App Configuration* |

+- An Azure account with an active subscription. [Create one for free](https://azure.microsoft.com/free/).

+- An App Configuration store. [Create a store](./quickstart-azure-app-configuration-create.md#create-an-app-configuration-store).

+## Add a key-value

+Add the following key-value to the App Configuration store and leave **Label** and **Content Type** with their default values. For more information about how to add key-values to a store using the Azure portal or the CLI, go to [Create a key-value](./quickstart-azure-app-configuration-create.md#create-a-key-value).

+| Key | Value |

+|-|-|

+| *TestApp:Settings:Message* | *Data from Azure App Configuration* |

+- An Azure account with an active subscription. [Create one for free](https://azure.microsoft.com/free/).

+- An App Configuration store. [Create a store](./quickstart-azure-app-configuration-create.md#create-an-app-configuration-store).

+## Add a key-value

+Add the following key-value to the App Configuration store and leave **Label** and **Content Type** with their default values. For more information about how to add key-values to a store using the Azure portal or the CLI, go to [Create a key-value](./quickstart-azure-app-configuration-create.md#create-a-key-value).

+| Key | Value |

+|-|-|

+| *TestApp:Settings:Message* | *Data from Azure App Configuration* |

+In this quickstart, you'll create a feature flag in Azure App Configuration and use it to dynamically control the availability of a new web page in an ASP.NET Core app without restarting or redeploying it.

+- [Quickstart: Create an ASP.NET Core app with App Configuration](./quickstart-aspnet-core-app.md)

+- [Tutorial: Use dynamic configuration in an ASP.NET Core app](./enable-dynamic-configuration-aspnet-core.md)

+Add a feature flag called *Beta* to the App Configuration store and leave **Label** and **Description** with their default values. For more information about how to add feature flags to a store using the Azure portal or the CLI, go to [Create a feature flag](./quickstart-azure-app-configuration-create.md#create-a-feature-flag).

+- An Azure account with an active subscription. [Create one for free](https://azure.microsoft.com/free/).

+- An App Configuration store. [Create a store](./quickstart-azure-app-configuration-create.md#create-an-app-configuration-store).

+## Add a feature flag

+Add a feature flag called *Beta* to the App Configuration store and leave **Label** and **Description** with their default values. For more information about how to add feature flags to a store using the Azure portal or the CLI, go to [Create a feature flag](./quickstart-azure-app-configuration-create.md#create-a-feature-flag).

+> [!div class="mx-imgBorder"]

+> 

+- An Azure account with an active subscription. [Create one for free](https://azure.microsoft.com/free/).

+- An App Configuration store. [Create a store](./quickstart-azure-app-configuration-create.md#create-an-app-configuration-store).

+## Add a feature flag

+Add a feature flag called *Beta* to the App Configuration store and leave **Label** and **Description** with their default values. For more information about how to add feature flags to a store using the Azure portal or the CLI, go to [Create a feature flag](./quickstart-azure-app-configuration-create.md#create-a-feature-flag).

+> [!div class="mx-imgBorder"]

+> 

+- An Azure account with an active subscription. [Create one for free](https://azure.microsoft.com/free/).

+- An App Configuration store. [Create a store](./quickstart-azure-app-configuration-create.md#create-an-app-configuration-store).

+- A supported [Java Development Kit SDK](/java/azure/jdk) with version 11.

+- [Apache Maven](https://maven.apache.org/download.cgi) version 3.0 or above.

+## Add a feature flag

+Add a feature flag called *Beta* to the App Configuration store and leave **Label** and **Description** with their default values. For more information about how to add feature flags to a store using the Azure portal or the CLI, go to [Create a feature flag](./quickstart-azure-app-configuration-create.md#create-a-feature-flag).

+> [!div class="mx-imgBorder"]

+> 

+- An Azure account with an active subscription. [Create one for free](https://azure.microsoft.com/free/).

+- An App Configuration store. [Create a store](./quickstart-azure-app-configuration-create.md#create-an-app-configuration-store).

+## Add a key-value

+Add the following key-value to the App Configuration store and leave **Label** and **Content Type** with their default values. For more information about how to add key-values to a store using the Azure portal or the CLI, go to [Create a key-value](./quickstart-azure-app-configuration-create.md#create-a-key-value).

+| Key | Value |

+|||

+| /application/config.message | Hello |

+- An Azure account with an active subscription. [Create one for free](https://azure.microsoft.com/free/).

+- An App Configuration store. [Create a store](./quickstart-azure-app-configuration-create.md#create-an-app-configuration-store).

+## Add a key-value

+Add the following key-value to the App Configuration store and leave **Label** and **Content Type** with their default values. For more information about how to add key-values to a store using the Azure portal or the CLI, go to [Create a key-value](./quickstart-azure-app-configuration-create.md#create-a-key-value).

+| Key | Value |

+|||

+| TestApp:Settings:Message | Data from Azure App Configuration |

+- An Azure account with an active subscription. [Create one for free](https://azure.microsoft.com/free/).

+- An App Configuration store. [Create a store](./quickstart-azure-app-configuration-create.md#create-an-app-configuration-store).

+## Add key-values

+Add the following key-values to the App Configuration store. For more information about how to add key-values to a store using the Azure portal or the CLI, go to [Create a key-value](./quickstart-azure-app-configuration-create.md#create-a-key-value).

+| Key | Value | Label | Content type |

+|-|-|-|--|

+| *message* | *Hello* | Leave empty | Leave empty |

+| *test.message* | *Hello test* | Leave empty | Leave empty |

+| *my_json* | *{"key":"value"}* | Leave empty | *application/json* |

+- An App Configuration store. [Create a store](./quickstart-azure-app-configuration-create.md#create-an-app-configuration-store).

+Add the following key-value to the App Configuration store and leave **Label** and **Content Type** with their default values. For more information about how to add key-values to a store using the Azure portal or the CLI, go to [Create a key-value](./quickstart-azure-app-configuration-create.md#create-a-key-value).

+| Key | Value |

+|-|-|

+| *TestApp:Settings:Message* | *Data from Azure App Configuration* |

+kubectl delete crd failovergroups.sql.arcdata.microsoft.com

+kubectl delete crd kafkas.arcdata.microsoft.com

+kubectl delete crd postgresqlrestoretasks.tasks.postgresql.arcdata.microsoft.com

+kubectl delete crd sqlmanagedinstancemonitoringprofiles.arcdata.microsoft.com

+kubectl delete crd sqlmanagedinstancereprovisionreplicatasks.tasks.sql.arcdata.microsoft.com

+kubectl delete crd telemetrycollectors.arcdata.microsoft.com

+kubectl delete crd telemetryrouters.arcdata.microsoft.com

+Already created a Data Controller? [Create an Azure Arc-enabled SQL Managed Instance](create-sql-managed-instance.md)

+ Title: Rotate SQL Managed Instance service-managed credentials (preview)

+description: Rotate SQL Managed Instance service-managed credentials (preview)

+# Rotate Azure Arc-enabled SQL Managed Instance service-managed credentials (preview)

+This article describes how to rotate service-managed credentials for Azure Arc-enabled SQL Managed Instance. Arc data services generates various service-managed credentials like certificates and SQL logins used for Monitoring, Backup/Restore, High Availability etc. These credentials are considered custom resource credentials managed by Azure Arc data services.

+Service-managed credential rotation is a user-triggered operation that you initiate during a security issue or when periodic rotation is required for compliance.

+## Limitations

+Consider the following limitations when you rotate a managed instance service-managed credentials:

+- SQL Server failover groups aren't supported.

+- Automatically pre-scheduled rotation isn't supported.

+- The service-managed DPAPI symmetric keys, keytab, active directory accounts, and service-managed TDE credentials aren't included in this credential rotation.

+- SQL Managed Instance Business Critical tier isn't supported.

+- This feature should not be used in production currently. There is a known limitation where _rollback_ cannot be triggered unless credential rotation is completed successfully and the SQLMI is in "Ready" state.

+## General Purpose tier

+During a SQL Managed Instance service-managed credential rotation, the managed instance Kubernetes pod is terminated and reprovisioned when new credentials are generated. This process causes a short amount of downtime as the new managed instance pod is created. To handle the interruption, build resiliency into your application such as connection retry logic, to ensure minimal disruption. Read [Overview of the reliability pillar](/azure/architecture/framework/resiliency/overview) for more information on how to architect resiliency and [retry guidance for Azure Services](/azure/architecture/best-practices/retry-service-specific#sql-database-using-adonet).

+## Prerequisites:

+Before you proceed with this article, you must have an Azure Arc-enabled SQL Managed Instance resource created.

+- [An Azure Arc-enabled SQL Managed Instance created](./create-sql-managed-instance.md)

+## How to rotate service-managed credentials in a managed instance

+Service-managed credentials are associated with a generation within the managed instance. To rotate all service-managed credentials for a managed instance, the generation must be increased by 1.

+Run the following commands to get current service-managed credentials generation from spec and generate the new generation of service-managed credentials. This action triggers a service-managed credential rotation.

+```console

+rotateCredentialGeneration=$(($(kubectl get sqlmi <sqlmi-name> -o jsonpath='{.spec.update.managedCredentialsGeneration}' -n <namespace>) + 1)) 

+```

+```console

+kubectl patch sqlmi <sqlmi-name> --namespace <namespace> --type merge --patch '{ "spec": { "update": { "managedCredentialsGeneration": '$rotateCredentialGeneration'} } }' 

+```

+The `managedCredentialsGeneration` identifies the target generation for the service-managed credentials. The rest of the features like configuration and the kubernetes topology remain the same.

+## How to roll back service-managed credentials in a managed instance

+> [!NOTE]

+> Rollback is required when credential rotation failed for any reasons. Rollback to previous credentials generation is supported only once to n-1 where n is current generation.

+Run the following two commands to get current service-managed credentials generation from spec and rollback to the previous generation of service-managed credentials:

+```console

+rotateCredentialGeneration=$(($(kubectl get sqlmi <sqlmi-name> -o jsonpath='{.spec.update.managedCredentialsGeneration}' -n <namespace>) - 1)) 

+```

+```console

+kubectl patch sqlmi <sqlmi-name> --namespace <namespace> --type merge --patch '{ "spec": { "update": { "managedCredentialsGeneration": '$rotateCredentialGeneration'} } }' 

+```

+Triggering rollback is the same as triggering a rotation of service-managed credentials except that the target generation is previous generation and doesn't generate a new generation or credentials.

+## Next steps

+- [View the SQL managed instance dashboards](azure-data-studio-dashboards.md#view-the-sql-managed-instance-dashboards)

+- [View SQL Managed Instance in the Azure portal](view-arc-data-services-inventory-in-azure-portal.md)

+If you encounter this issue, and your cluster is behind an outbound proxy server, make sure you've passed proxy parameters during the onboarding of your cluster and that the proxy is configured correctly. For more information, see [Connect using an outbound proxy server](quickstart-connect-cluster.md#connect-using-an-outbound-proxy-server).

+If the provided kubeconfig file doesn't have sufficient permissions to install the Azure Arc agents, the Azure CLI command returns an error.

+3. If the `azure-identity-certificate` isn't present, the system assigned managed identity hasn't been installed.

+ To resolve this issue, try deleting the Arc deployment by running the `az connectedk8s delete` command and reinstalling it. If the issue continues to happen, it could be an issue with your proxy settings. In that case, [try connecting your cluster to Azure Arc via a proxy](./quickstart-connect-cluster.md#connect-using-an-outbound-proxy-server) to connect your cluster to Arc via a proxy. Also verify that all of the [network prerequisites](network-requirements.md) have been met.

+ If the certificate is missing, [delete the deployment](quickstart-connect-cluster.md#clean-up-resources) and re-onboard with a different name for the cluster. If the problem continues, contact support.

+Check if the azure-arc namespace was deployed, and run 'kubectl get pods -n azure-arc' to check if all the pods are in running state. A possible cause for pods stuck in pending state could be insufficientresources on the Kubernetes cluster to onboard to Azure Arc.

+If you experience an error during installation, or if the extension is in a failed state, run a script to investigate. The cluster-type parameter can be set to `connectedClusters` for an Arc-enabled cluster or `managedClusters` for an AKS cluster. The name of the `microsoft.flux` extension is "flux" if the extension was installed automatically during creation of a GitOps configuration. Look in the "statuses" object for information.

+* For an AKS cluster, ensure that the subscription has the `Microsoft.ContainerService/AKS-ExtensionManager` feature flag enabled.

+* Ensure that the cluster doesn't have any policies that restrict creation of the `flux-system` namespace or resources in that namespace.

+With these actions accomplished, you can either [recreate a flux configuration](./tutorial-use-gitops-flux2.md), which installs the flux extension automatically, or you can reinstall the flux extension manually.

+You can fix this issue by upgrading to the latest version of the `microsoft.flux` extension. For version 1.6.1 or earlier, the workaround is to create an `AzurePodIdentityException` that tells Azure AD Pod Identity to ignore the token requests from flux-extension pods.

+| fluxconfig-agent | 50 m | 150 Mi |

+| fluxconfig-controller | 100 m | 150 Mi |

+| fluent-bit | 20 m | 150 Mi |

+| helm-controller | 1000 m | 1 Gi |

+| source-controller | 1000 m | 1 Gi |

+| kustomize-controller | 1000 m | 1 i |

+| notification-controller | 1000 m | 1 Gi |

+| image-automation-controller | 1000 m | 1 Gi |

+| image-reflector-controller | 1000 m | 1 Gi |

+If you've enabled a custom or built-in Azure Gatekeeper Policy that limits the resources for containers on Kubernetes clusters, such as `Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits`, ensure that either the resource limits on the policy are greater than the limits shown above or that the `flux-system` namespace is part of the `excludedNamespaces` parameter in the policy assignment.

+### Flux v1

+> [!NOTE]

+> We recommend [migrating to Flux v2](conceptual-gitops-flux2.md#migrate-from-flux-v1) as soon as possible. Support for Flux v1-based cluster configuration resources created prior to May 1, 2023 will end on [May 24, 2025](https://azure.microsoft.com/updates/migrate-your-gitops-configurations-from-flux-v1-to-flux-v2-by-24-may-2025/). Starting on May 1, 2023, you won't be able to create new Flux v1-based cluster configuration resources.

+To help troubleshoot issues with `sourceControlConfigurations` resource (Flux v1), run these Azure CLI commands with `--debug` parameter specified:

+```azurecli

+az provider show -n Microsoft.KubernetesConfiguration --debug

+az k8s-configuration create <parameters> --debug

+```

+#### Flux v1 - Create configurations

+Write permissions on the Azure Arc-enabled Kubernetes resource (`Microsoft.Kubernetes/connectedClusters/Write`) are necessary and sufficient for creating configurations on that cluster.

+#### `sourceControlConfigurations` remains `Pending` (Flux v1)

+```console

+kubectl -n azure-arc logs -l app.kubernetes.io/component=config-agent -c config-agent

+$ k -n pending get gitconfigs.clusterconfig.azure.com -o yaml

+apiVersion: v1

+items:

+- apiVersion: clusterconfig.azure.com/v1beta1

+ kind: GitConfig

+ metadata:

+ creationTimestamp: "2020-04-13T20:37:25Z"

+ generation: 1

+ name: pending

+ namespace: pending

+ resourceVersion: "10088301"

+ selfLink: /apis/clusterconfig.azure.com/v1beta1/namespaces/pending/gitconfigs/pending

+ uid: d9452407-ff53-4c02-9b5a-51d55e62f704

+ spec:

+ correlationId: ""

+ deleteOperator: false

+ enableHelmOperator: false

+ giturl: git@github.com:slack/cluster-config.git

+ helmOperatorProperties: null

+ operatorClientLocation: azurearcfork8s.azurecr.io/arc-preview/fluxctl:0.1.3

+ operatorInstanceName: pending

+ operatorParams: '"--disable-registry-scanning"'

+ operatorScope: cluster

+ operatorType: flux

+ status:

+ configAppliedTime: "2020-04-13T20:38:43.081Z"

+ isSyncedWithAzure: true

+ lastPolledStatusTime: ""

+ message: 'Error: {exit status 1} occurred while doing the operation : {Installing

+ the operator} on the config'

+ operatorPropertiesHashed: ""

+ publicKey: ""

+ retryCountPublicKey: 0

+ status: Installing the operator

+kind: List

+metadata:

+ resourceVersion: ""

+ selfLink: ""

+```

+1. Sign in into Azure CLI using the service principal. Use the `<objectId>` value from the previous step to enable custom locations on the cluster:

+This section shows how to validate the deployment of all the Open Service Mesh (OSM) extension components on your cluster.

+The number in the output indicates the number of bytes, or the size of the CA Bundle. If the output is empty, 0, or a number under 1000, the CA Bundle isn't correctly provisioned. Without a correct CA Bundle, the `ValidatingWebhook` will throw an error.

+>The arc-osm-system namespace will never participate in a service mesh and will never be labeled or annotated with the key/values shown here.

+If you aren't using `osm` CLI, you could also manually add these annotations to your namespaces. If a namespace isn't annotated with `"openservicemesh.io/sidecar-injection": "enabled"`, or isn't labeled with `"openservicemesh.io/monitored-by": "osm"`, the OSM Injector won't add Envoy sidecars.

+The following example enables the Datadog extension on an Azure Arc-enabled Windows server:

+```azurecli

+az connectedmachine extension create --resource-group "resourceGroupName" --machine-name "myMachineName" --location "regionName" --publisher "Datadog.Agent" --type "DatadogWindowsAgent" --settings '{"site": "us3.datadoghq.com"}' --protected-settings '{"api_key": "YourDatadogAPIKey" }'

+```

+### Datadog VM extension

+The following example enables the Datadog VM extension on an Azure Arc-enabled server:

+```azurepowershell

+$resourceGroup = "resourceGroupName"

+$machineName = "machineName"

+$location = "machineRegion"

+$osType = "Windows" # change to Linux if appropriate

+$settings = @{

+ # change to your preferred Datadog site

+ site = "us3.datadoghq.com"

+}

+$protectedSettings = @{

+ # change to your Datadog API key

+ api_key = "APIKEY"

+}

+New-AzConnectedMachineExtension -ResourceGroupName $resourceGroup -Location $location -MachineName $machineName -Name "Datadog$($osType)Agent" -Publisher "Datadog.Agent" -ExtensionType "Datadog$($osType)Agent" -Setting $settings -ProtectedSetting $protectedSettings

+```

+ Title: Configure disk encryption in Azure Cache for Redis

+description: Learn about disk encryption when using Azure Cache for Redis.

+Existing caches can be updated using the [az redisenterprise database update](/cli/azure/redisenterprise/database#az-redisenterprise-database-update) command. This example adds RDB persistence with 12 hour frequency to an existing cache instance:

+## March 2023

+### In-place scale up and scale out for the Enterprise tiers (preview)

+The Enterprise and Enterprise Flash tiers now support the ability to scale cache instances up and out without requiring downtime or data loss. Scale up and scale out actions can both occur in the same operation.

+For more information, see [Scale an Azure Cache for Redis instance](cache-how-to-scale.md)

+### Support for RedisJSON in active geo-replicated caches (preview)

+Cache instances using active geo-replication now support the RedisJSON module.

+For more information, see [Configure active geo-replication](cache-how-to-active-geo-replication.md).

+### Flush operation for active geo-replicated caches (preview)

+Caches using active geo-replication now include a built-in _flush_ operation that can be initiated at the control plane level. Use the _flush_ operation with your cache instead of the `FLUSH ALL` and `FLUSH DB` operations, which are blocked by design for active geo-replicated caches.

+For more information, see [Flush operation](cache-how-to-active-geo-replication.md#flush-operation)

+### Customer managed key (CMK) disk encryption (preview)

+Redis data that is saved on disk can now be encrypted using customer managed keys (CMK) in the Enterprise and Enterprise Flash tiers. Using CMK adds another layer of control to the default disk encryption.

+For more information, see [Enable disk encryption](cache-how-to-encryption.md)

+### Connection event audit logs (preview)

+Enterprise and Enterprise Flash tier caches can now log all connection, disconnection, and authentication events through diagnostic settings. Logging this information helps in security audits. You can also monitor who has access to your cache resource.

+For more information, see [Enabling connection audit logs](cache-monitor-diagnostic-settings.md)

+If you need a specific version of Redis for your application, we recommend using latest artifact versions as shown in the table. Then, choose the Redis version explicitly when you create the cache.

+We expect that most Azure Cache for Redis customers aren't affected. However, your application might be affected if you explicitly specify a list of acceptable certificate authorities (CAs), known as _certificate pinning_.

+ public String getKey() { return this.rowKey; }

+ private String rowKey;

+ public String partitionKey;

+ public String rowKey;

+ public String name;

+ this.partitionKey = p;

+ this.rowKey = r;

+ this.name = n;

+|[RSMUS, LLC](https://rsmus.com)|

+Door openings in an Azure Maps dataset are represented as a single-line segment that overlaps multiple unit boundaries. The following images show how Azure Maps converts door layer geometry into opening features in a dataset.

+|`categoryName`|string|false|Purpose of the unit. A list of values that the provided rendering styles can make use of is documented in [categories.json](https://atlas.microsoft.com/sdk/javascript/indoor/0.2/categories.json).|

+|categoryName| string| false |Purpose of the zone. A list of values that the provided rendering styles can make use of is documented in [categories.json](https://atlas.microsoft.com/sdk/javascript/indoor/0.2/categories.json).|

+[categories]: https://atlas.microsoft.com/sdk/javascript/indoor/0.2/categories.json

+<link rel="stylesheet" href="https://atlas.microsoft.com/sdk/javascript/indoor/0.2/atlas-indoor.min.css" type="text/css"/>

+<script src="https://atlas.microsoft.com/sdk/javascript/indoor/0.2/atlas-indoor.min.js"></script>

+ <link rel="stylesheet" href="https://atlas.microsoft.com/sdk/javascript/indoor/0.2/atlas-indoor.min.css" type="text/css"/>

+ <script src="https://atlas.microsoft.com/sdk/javascript/indoor/0.2/atlas-indoor.min.js"></script>

+ Title: Release notes - Indoor Module

+description: Release notes for the Azure Maps Indoor Module.

+# Indoor Module release notes

+This document contains information about new features and other changes to the Azure Maps Indoor Module.

+## [0.2.0]

+### New features (0.2.0)

+- Support for new [drawing package 2.0] derived tilesets.

+- Support the possibility to select a facility when clicking on a feature that doesn't contain a facilityId, but has a levelId so that the facility can be inferred from the levelId.

+### Changes (0.2.0)

+- Performance improvements for level picker and indoor manager.

+- Revamp of how level filters are applied to indoor style layers.

+### Bug fixes (0.2.0)

+- Fix slider not updating when changing level in the level picker when used inside the shadow dom of a custom element.

+- Fix exception on disabling of dynamic styling.

+## Next steps

+Explore samples showcasing Azure Maps:

+> [!div class="nextstepaction"]

+> [Azure Maps Creator Samples]

+Stay up to date on Azure Maps:

+> [!div class="nextstepaction"]

+> [Azure Maps Blog]

+[drawing package 2.0]: ./drawing-package-guide.md

+[0.2.0]: https://www.npmjs.com/package/azure-maps-indoor/v/0.2.0

+[Azure Maps Creator Samples]: https://samples.azuremaps.com/?search=creator

+[Azure Maps Blog]: https://techcommunity.microsoft.com/t5/azure-maps-blog/bg-p/AzureMapsBlog

+### [3.0.0-preview.5] (March 15, 2023)

+### [2.2.5]

+[3.0.0-preview.5]: https://www.npmjs.com/package/azure-maps-control/v/3.0.0-preview.5

+[2.2.5]: https://www.npmjs.com/package/azure-maps-control/v/2.2.5

+Classic metric alerts in Azure Monitor provide a way to get notified when one of your metrics crosses a threshold. Classic metric alerts is an older functionality that allows for alerting only on non-dimensional metrics. There's an existing newer functionality called Metric alerts, which has improved functionality over classic metric alerts. You can learn more about the new metric alerts functionality in [metric alerts overview](./alerts-metric-overview.md). In this article, we'll describe how to create, view and manage classic metric alert rules through Azure portal and PowerShell.

+This section shows how to use PowerShell commands create, view and manage classic metric alerts.The examples in the article illustrate how you can use Azure Monitor cmdlets for classic metric alerts.

+* Templates aren't shown as a part of the action definition dropdown and an error message is shown: "Can't retrieve the template configuration, see the connector logs for more information."

+* Values aren't shown in the dropdowns of the default fields as a part of the action definition and an error message is shown: "No values found for the following fields: \<field names\>."

+* Incidents/Events aren't created in ServiceNow.

+* The alert isn't a log alert. Configuration items are only supported by log alerts.

+> - Use transformations to filter resource logs for [supported tables](logs/tables-feature-support.md).

+| Configure tables used for debugging, troubleshooting, and auditing as Basic Logs. | Tables in a Log Analytics workspace configured for [Basic Logs](logs/basic-logs-configure.md) have a lower ingestion cost in exchange for limited features and a charge for log queries. If you query these tables infrequently, this query cost can be more than offset by the reduced ingestion cost.<br><br>See [Configure Basic Logs in Azure Monitor](logs/basic-logs-configure.md) for more information about Basic Logs and [Query Basic Logs in Azure Monitor](.//logs/basic-logs-query.md) for details on query limitations. |

+| Collect only critical resource log data from Azure resources. | When you create [diagnostic settings](essentials/diagnostic-settings.md) to send [resource logs](essentials/resource-logs.md) for your Azure resources to a Log Analytics database, only specify those categories that you require. Since diagnostic settings don't allow granular filtering of resource logs, you can use a [workspace transformation](essentials/data-collection-transformations.md?#workspace-transformation-dcr) to further filter unneeded data for those resources that use a [supported table](logs/tables-feature-support.md). See [Diagnostic settings in Azure Monitor](essentials/diagnostic-settings.md#controlling-costs) for details on how to configure diagnostic settings and using transformations to filter their data. |

+| Change to Workspace-based Application Insights | Ensure that your Application Insights resources are [Workspace-based](app/create-workspace-resource.md) so that they can leveage new cost savings tools such as [Basic Logs](logs/basic-logs-configure.md), [Commitment Tiers](logs/cost-logs.md#commitment-tiers), [Retention by data type and Data Archive](logs/data-retention-archive.md#set-retention-and-archive-policy-by-table). |

+| Remove unnecssary data during data ingestion | After following all of the preveious recommendations, consider using Azure Monitor [data collection transformations](essentials/data-collection-transformations.md) to reduce the size of your data during ingestion. |

+Use Prometheus [remote write](./essentials/prometheus-remote-write.md) from your on-premises, AWS, or GCP clusters to send data to Azure managed service for Prometheus.

+The policy is visible in the resources' diagnostic settings after approximately 30 minutes.

+# Collect Prometheus metrics from an AKS cluster (preview)

+This article describes how to configure your Azure Kubernetes Service (AKS) cluster to send data to Azure Monitor managed service for Prometheus. When you configure your AKS cluster to send data to Azure Monitor managed service for Prometheus, a containerized version of the [Azure Monitor agent](../agents/agents-overview.md) is installed with a metrics extension. Then you specify the Azure Monitor workspace where the data should be sent.

+> The process described here doesn't enable [Container insights](../containers/container-insights-overview.md) on the cluster even though the Azure Monitor agent installed in this process is the same one used by Container insights.

+>

+>For different methods to enable Container insights on your cluster, see [Enable Container insights](../containers/container-insights-onboard.md). For details on adding Prometheus collection to a cluster that already has Container insights enabled, see [Collect Prometheus metrics with Container insights](../containers/container-insights-prometheus.md).

+- The following resource providers must be registered in the subscription of the AKS cluster and the Azure Monitor workspace:

+1. Select **Managed Prometheus** to display a list of AKS clusters.

+1. Select **Configure** next to the cluster you want to enable.

+ :::image type="content" source="media/prometheus-metrics-enable/azure-monitor-workspace-configure-prometheus.png" lightbox="media/prometheus-metrics-enable/azure-monitor-workspace-configure-prometheus.png" alt-text="Screenshot that shows an Azure Monitor workspace with a Prometheus configuration.":::

+- Register the `AKS-PrometheusAddonPreview` feature flag in the Azure Kubernetes clusters subscription with the following command in the Azure CLI: `az feature register --namespace Microsoft.ContainerService --name AKS-PrometheusAddonPreview`.

+- The aks-preview extension must be installed by using the command `az extension add --name aks-preview`. For more information on how to install a CLI extension, see [Use and manage extensions with the Azure CLI](/cli/azure/azure-cli-extensions-overview).

+- The aks-preview version 0.5.122 or higher is required for this feature. Check the aks-preview version by using the `az version` command.

+#### Install the metrics add-on

+Use `az aks update` with the `-enable-azuremonitormetrics` option to install the metrics add-on. Depending on the Azure Monitor workspace and Grafana workspace you want to use, choose one of the following options:

+- **Create a new default Azure Monitor workspace.**<br>

+If no Azure Monitor workspace is specified, a default Azure Monitor workspace is created in the `DefaultRG-<cluster_region>` following the format `DefaultAzureMonitorWorkspace-<mapped_region>`.

+This Azure Monitor workspace is in the region specified in [Region mappings](#region-mappings).

+

+ ```azurecli

+ az aks update --enable-azuremonitormetrics -n <cluster-name> -g <cluster-resource-group>

+ ```

+- **Use an existing Azure Monitor workspace.**<br>

+If the Azure Monitor workspace is linked to one or more Grafana workspaces, the data is available in Grafana.

+ ```azurecli

+ az aks update --enable-azuremonitormetrics -n <cluster-name> -g <cluster-resource-group> --azure-monitor-workspace-resource-id <workspace-name-resource-id>

+ ```

+- **Use an existing Azure Monitor workspace and link with an existing Grafana workspace.**<br>

+This option creates a link between the Azure Monitor workspace and the Grafana workspace.

+

+ ```azurecli

+ az aks update --enable-azuremonitormetrics -n <cluster-name> -g <cluster-resource-group> --azure-monitor-workspace-resource-id <azure-monitor-workspace-name-resource-id> --grafana-resource-id <grafana-workspace-name-resource-id>

+ ```

+The output for each command looks similar to the following example:

+You can use the following optional parameters with the previous commands:

+- `--ksm-metric-annotations-allow-list` is a comma-separated list of Kubernetes annotations keys used in the resource's labels metric. By default, the metric contains only name and namespace labels. To include more annotations, provide a list of resource names in their plural form and Kubernetes annotation keys that you want to allow for them. A single `*` can be provided per resource instead to allow any annotations, but it has severe performance implications.

+- `--ksm-metric-labels-allow-list` is a comma-separated list of more Kubernetes label keys that is used in the resource's labels metric. By default the metric contains only name and namespace labels. To include more labels, provide a list of resource names in their plural form and Kubernetes label keys that you want to allow for them. A single asterisk (`*`) can be provided per resource instead to allow any labels, but it has severe performance implications.

+- `--enable-windows-recording-rules` lets you enable the recording rule groups required for proper functioning of the Windows dashboards.

+The output is similar to the following example:

+## [Azure Resource Manager](#tab/resource-manager)

+- Register the `AKS-PrometheusAddonPreview` feature flag in the Azure Kubernetes clusters subscription with the following command in the Azure CLI: `az feature register --namespace Microsoft.ContainerService --name AKS-PrometheusAddonPreview`.

+- If the Azure Managed Grafana instance is in a subscription other than the Azure Monitor Workspaces subscription, register the Azure Monitor Workspace subscription with the `Microsoft.Dashboard` resource provider by following [this documentation](../../azure-resource-manager/management/resource-providers-and-types.md#register-resource-provider).

+- The template must be deployed in the same resource group as the Azure Managed Grafana workspace.

+- Users with the User Access Administrator role in the subscription of the AKS cluster can enable the Monitoring Data Reader role directly by deploying the template.

+On the **Overview** page for the Azure Managed Grafana instance in the Azure portal, select **JSON view**.

+If you're using an existing Azure Managed Grafana instance that's already linked to an Azure Monitor workspace, you need the list of Grafana integrations. Copy the value of the `azureMonitorWorkspaceIntegrations` field. If it doesn't exist, the instance hasn't been linked with any Azure Monitor workspace.

+### Download and edit the template and the parameter file

+1. Download the parameter file at [https://aka.ms/azureprometheus-enable-arm-template-parameterss](https://aka.ms/azureprometheus-enable-arm-template-parameters) and save it as **existingClusterParam.json**.

+1. Edit the values in the parameter file.

+ | `metricLabelsAllowlist` | Comma-separated list of Kubernetes labels keys to be used in the resource's labels metric. |

+ | `metricAnnotationsAllowList` | Comma-separated list of more Kubernetes label keys to be used in the resource's labels metric. |

+1. Open the template file and update the `grafanaIntegrations` property at the end of the file with the values that you retrieved from the Grafana instance. The following example is similar:

+In this JSON, `full_resource_id_1` and `full_resource_id_2` were already in the Azure Managed Grafana resource JSON. They're added here to the Azure Resource Manager template (ARM template). If you have no existing Grafana integrations, don't include these entries for `full_resource_id_1` and `full_resource_id_2`.

+The final `azureMonitorWorkspaceResourceId` entry is already in the template and is used to link to the Azure Monitor workspace resource ID provided in the parameters file.

+- Users with the User Access Administrator role in the subscription of the AKS cluster can enable the Monitoring Data Reader role directly by deploying the template.

+### Minor limitation with Bicep deployment

+Currently in Bicep, there's no way to explicitly "scope" the Monitoring Data Reader role assignment on a string parameter "resource ID" for an Azure Monitor workspace (like in an ARM template). Bicep expects a value of type `resource | tenant`. Currently, there's no REST API [spec](https://github.com/Azure/azure-rest-api-specs) for an Azure Monitor workspace.

+As a workaround, the default scoping for the Monitoring Data Reader role is on the resource group. The role is applied on the same Azure Monitor workspace (by inheritance), which is the expected behavior. After you deploy this Bicep template, the Grafana resource gets read permissions in all the Azure Monitor workspaces under the subscription.

+### Retrieve required values for a Grafana resource

+On the **Overview** page for the Azure Managed Grafana instance in the Azure portal, select **JSON view**.

+If you're using an existing Azure Managed Grafana instance that's already linked to an Azure Monitor workspace, you need the list of Grafana integrations. Copy the value of the `azureMonitorWorkspaceIntegrations` field. If it doesn't exist, the instance hasn't been linked with any Azure Monitor workspace.

+### Download and edit templates and the parameter file

+1. Download the main Bicep template from [this GitHub file](https://aka.ms/azureprometheus-enable-bicep-template). Save it as **FullAzureMonitorMetricsProfile.bicep**.

+1. Download the parameter file from [this GitHub file](https://aka.ms/azureprometheus-enable-bicep-template-parameters) and save it as **FullAzureMonitorMetricsProfileParameters.json** in the same directory as the main Bicep template.

+1. Download the [nested_azuremonitormetrics_dcra_clusterResourceId.bicep](https://aka.ms/nested_azuremonitormetrics_dcra_clusterResourceId) and [nested_azuremonitormetrics_profile_clusterResourceId.bicep](https://aka.ms/nested_azuremonitormetrics_profile_clusterResourceId) files in the same directory as the main Bicep template.

+1. Edit the values in the parameter file.

+1. The main Bicep template creates all the required resources. It uses two modules for creating the Data Collection Rule Associations (DCRA) and Azure Monitor metrics profile resources from the other two Bicep files.

+ | `metricLabelsAllowlist` | Comma-separated list of Kubernetes labels keys used in the resource's labels metric. |

+ | `metricAnnotationsAllowList` | Comma-separated list of more Kubernetes label keys used in the resource's labels metric. |

+1. Open the template file and update the `grafanaIntegrations` property at the end of the file with the values that you retrieved from the Grafana instance. The following example is similar:

+In this JSON, `full_resource_id_1` and `full_resource_id_2` were already in the Azure Managed Grafana resource JSON. They're added here to the ARM template. If you have no existing Grafana integrations, don't include these entries for `full_resource_id_1` and `full_resource_id_2`.

+The final `azureMonitorWorkspaceResourceId` entry is already in the template and is used to link to the Azure Monitor workspace resource ID provided in the parameters file.

+- Register the `AKS-PrometheusAddonPreview` feature flag in the Azure Kubernetes clusters subscription with the following command in the Azure CLI: `az feature register --namespace Microsoft.ContainerService --name AKS-PrometheusAddonPreview`.

+### Download Azure Policy rules and parameters and deploy

+1. Download the main Azure Policy rules template from [this GitHub file](https://aka.ms/AddonPolicyMetricsProfile). Save it as **AddonPolicyMetricsProfile.rules.json**.

+1. Download the parameter file from [this GitHub file](https://aka.ms/AddonPolicyMetricsProfile.parameters). Save it as **AddonPolicyMetricsProfile.parameters.json** in the same directory as the rules template.

+1. Create the policy definition by using a command like: <br> `az policy definition create --name "(Preview) Prometheus Metrics addon" --display-name "(Preview) Prometheus Metrics addon" --mode Indexed --metadata version=1.0.0 category=Kubernetes --rules .\AddonPolicyMetricsProfile.rules.json --params .\AddonPolicyMetricsProfile.parameters.json`

+1. After you create the policy definition, in the Azure portal, select **Policy** > **Definitions**. Select the policy definition you created.

+1. Select **Assign**, go to the **Parameters** tab, and fill in the details. Select **Review + Create**.

+1. Now that the policy is assigned to the subscription, whenever you create a new cluster, which doesn't have Prometheus enabled, the policy runs and deploys the resources. If you want to apply the policy to an existing AKS cluster, create a **Remediation task** for that AKS cluster resource after you go to the **Policy Assignment**.

+1. Now you should see metrics flowing in the existing linked Grafana resource, which is linked with the corresponding Azure Monitor workspace.

+In case you create a new Managed Grafana resource from the Azure portal, link it with the corresponding Azure Monitor workspace from the **Linked Grafana Workspaces** tab of the relevant **Azure Monitor Workspace** page. Assign the Monitoring Data Reader role to the Grafana MSI on the Azure Monitor workspace resource so that it can read data for displaying the charts. Use the following instructions.

+1. On the **Overview** page for the Azure Managed Grafana instance in the Azure portal, select **JSON view**.

+1. Copy the value of the `principalId` field for the `SystemAssigned` identity.

+ ```json

+ "identity": {

+ "principalId": "00000000-0000-0000-0000-000000000000",

+ "tenantId": "00000000-0000-0000-0000-000000000000",

+ "type": "SystemAssigned"

+ },

+ ```

+1. On the **Access control (IAM)** page for the Azure Managed Grafana instance in the Azure portal, select **Add** > **Add role assignment**.

+1. Select `Monitoring Data Reader`.

+1. Select **Managed identity** > **Select members**.

+1. Select the **system-assigned managed identity** with the `principalId` from the Grafana resource.

+1. Choose **Select** > **Review+assign**.

+### Deploy the template

+Deploy the template with the parameter file by using any valid method for deploying ARM templates. For examples of different methods, see [Deploy the sample templates](../resource-manager-samples.md#deploy-the-sample-templates).

+- Ensure that you update the `kube-state metrics` Annotations and Labels list with proper formatting. There's a limitation in the ARM template deployments that require exact values in the `kube-state` metrics pods. If the Kubernetes pod has any issues with malformed parameters and isn't running, the feature won't work as expected.

+- A data collection rule and data collection endpoint are created with the name `MSProm-\<short-cluster-region\>-\<cluster-name\>`. Currently, these names can't be modified.

+- You must get the existing Azure Monitor workspace integrations for a Grafana workspace and update the ARM template with it. Otherwise, it overwrites and removes the existing integrations from the Grafana workspace.

+## Enable Windows metrics collection

+As of version 6.4.0-main-02-22-2023-3ee44b9e, Windows metric collection has been enabled for the AKS clusters. Onboarding to the Azure Monitor Metrics add-on enables the Windows DaemonSet pods to start running on your node pools. Both Windows Server 2019 and Windows Server 2022 are supported. Follow these steps to enable the pods to collect metrics from your Windows node pools.

+1. Manually install windows-exporter on AKS nodes to access Windows metrics.

+ Deploy the [windows-exporter-daemonset YAML](https://github.com/prometheus-community/windows_exporter/blob/master/kubernetes/windows-exporter-daemonset.yaml) file:

+1. Apply the [ama-metrics-settings-configmap](https://github.com/Azure/prometheus-collector/blob/main/otelcollector/configmaps/ama-metrics-settings-configmap.yaml) to your cluster. Set the `windowsexporter` and `windowskubeproxy` Booleans to `true`. For more information, see [Metrics add-on settings configmap](./prometheus-metrics-scrape-configuration.md#metrics-add-on-settings-configmap).

+1. Enable the recording rules required for the default dashboards:

+ * For the CLI, include the option `--enable-windows-recording-rules`.

+ * For an ARM template, Bicep, or Azure Policy, set `enableWindowsRecordingRules` to `true` in the parameters file.

+ If the cluster is already onboarded to Azure Monitor metrics, to enable Windows recording rule groups, use this [ARM template](https://github.com/Azure/prometheus-collector/blob/kaveesh/windows_recording_rules/AddonArmTemplate/WindowsRecordingRuleGroupTemplate/WindowsRecordingRules.json) and [parameters](https://github.com/Azure/prometheus-collector/blob/kaveesh/windows_recording_rules/AddonArmTemplate/WindowsRecordingRuleGroupTemplate/WindowsRecordingRulesParameters.json) file to create the rule groups.

+## Verify deployment

+1. Run the following command to verify that the DaemonSet was deployed properly on the Linux node pools:

+ ```

+ kubectl get ds ama-metrics-node --namespace=kube-system

+ ```

+ The number of pods should be equal to the number of nodes on the cluster. The output should resemble the following example:

+

+ ```

+ User@aksuser:~$ kubectl get ds ama-metrics-node --namespace=kube-system

+ NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE

+ ama-metrics-node 1 1 1 1 1 <none> 10h

+ ```

+1. Run the following command to verify that the DaemonSet was deployed properly on the Windows node pools:

+ ```

+ kubectl get ds ama-metrics-win-node --namespace=kube-system

+ ```

+

+ The output should resemble the following example:

+

+ ```

+ User@aksuser:~$ kubectl get ds ama-metrics-node --namespace=kube-system

+ NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE

+ ama-metrics-win-node 3 3 3 3 3 <none> 10h

+ ```

+1. Run the following command to verify that the ReplicaSets were deployed properly:

+ ```

+ kubectl get rs --namespace=kube-system

+ ```

+

+ The output should resemble the following example:

+

+ ```

+ User@aksuser:~$kubectl get rs --namespace=kube-system

+ NAME DESIRED CURRENT READY AGE

+ ama-metrics-5c974985b8 1 1 1 11h

+ ama-metrics-ksm-5fcf8dffcd 1 1 1 11h

+ ```

+## Feature support

+- HTTP Proxy is supported and uses the same settings as the HTTP Proxy settings for the AKS cluster configured with [these instructions](../../../articles/aks/http-proxy.md).

+- CPU and Memory requests and limits can't be changed for the Container insights metrics add-on. If changed, they're reconciled and replaced by original values in a few seconds.

+- Azure Monitor Private Link isn't currently supported.

+## Uninstall the metrics add-on

+Currently, the Azure CLI is the only option to remove the metrics add-on and stop sending Prometheus metrics to Azure Monitor managed service for Prometheus.

+1. Install the `aks-preview` extension by using the following command:

+ ```

+ az extension add --name aks-preview

+ ```

+

+ For more information on installing a CLI extension, see [Use and manage extensions with the Azure CLI](/cli/azure/azure-cli-extensions-overview).

+

+ > [!NOTE]

+ > Upgrade your az cli version to the latest version and ensure that the aks-preview version you're using is at least '0.5.132'. Find your current version by using the `az version`.

+

+ ```azurecli

+ az extension add --name aks-preview

+ ```

+1. Use the following command to remove the agent from the cluster nodes and delete the recording rules created for the data being collected from the cluster, along with the DCRA that links the data collection endpoint or data collection rule with your cluster. This action doesn't remove the data collection endpoint, data collection rule, or the data already collected and stored in your Azure Monitor workspace.

+ ```azurecli

+ az aks update --disable-azuremonitormetrics -n <cluster-name> -g <cluster-resource-group>

+ ```

+When you allow a default Azure Monitor workspace to be created when you install the metrics add-on, it's created in the region listed in the following table.

+| AKS cluster region | Azure Monitor workspace region |

+- [See the default configuration for Prometheus metrics](./prometheus-metrics-scrape-default.md)

+- [Customize Prometheus metric scraping for the cluster](./prometheus-metrics-scrape-configuration.md)

+- [Use Azure Monitor managed service for Prometheus (preview) as the data source for Grafana](./prometheus-grafana.md)

+description: Customize metrics scraping for a Kubernetes cluster with the metrics add-on in Azure Monitor.

+This article provides instructions on customizing metrics scraping for a Kubernetes cluster with the [metrics add-on](prometheus-metrics-enable.md) in Azure Monitor.

+Three different configmaps can be configured to change the default settings of the metrics add-on:

+- `ama-metrics-settings-configmap`

+- `ama-metrics-prometheus-config`

+- `ama-metrics-prometheus-config-node`

+## Metrics add-on settings configmap

+The [ama-metrics-settings-configmap](https://github.com/Azure/prometheus-collector/blob/main/otelcollector/configmaps/ama-metrics-settings-configmap.yaml) can be downloaded, edited, and applied to the cluster to customize the out-of-the-box features of the metrics add-on.

+### Enable and disable default targets

+The following table has a list of all the default targets that the Azure Monitor metrics add-on can scrape by default and whether it's initially enabled. Default targets are scraped every 30 seconds.

+| kubestate | bool | `true` | Scrape kube-state-metrics in the K8s cluster (installed as a part of the add-on) without any extra scrape config. |

+| kubeproxy | bool | `false` | Scrape kube-proxy in every Linux node discovered in the K8s cluster without any extra scrape config.<br>Linux only. |

+| apiserver | bool | `false` | Scrape the Kubernetes API server in the K8s cluster without any extra scrape config. |

+| windowsexporter | bool | `false` | Scrape windows-exporter in every node in the K8s cluster without any extra scrape config.<br>Windows only. |

+| windowskubeproxy | bool | `false` | Scrape windows-kube-proxy in every node in the K8s cluster without any extra scrape config.<br>Windows only. |

+| prometheuscollectorhealth | bool | `false` | Scrape information about the prometheus-collector container, such as the amount and size of time series scraped. |

+If you want to turn on the scraping of the default targets that aren't enabled by default, edit the [configmap](https://aka.ms/azureprometheus-addon-settings-configmap) `ama-metrics-settings-configmap` to update the targets listed under `default-scrape-settings-enabled` to `true`. Apply the configmap to your cluster.

+### Customize metrics collected by default targets

+To filter in more metrics for any default targets, edit the settings under `default-targets-metrics-keep-list` for the corresponding job you want to change.

+For example, `kubelet` is the metric filtering setting for the default target kubelet. Use the following script to filter *in* metrics collected for the default targets by using regex-based filtering.

+> If you use quotation marks or backslashes in the regex, you need to escape them by using a backslash like the examples `"test\'smetric\"s\""` and `testbackslash\\*`.

+To further customize the default jobs to change properties like collection frequency or labels, disable the corresponding default target by setting the configmap value for the target to `false`. Then apply the job by using a custom configmap. For details on custom configuration, see [Customize scraping of Prometheus metrics in Azure Monitor](prometheus-metrics-scrape-configuration.md#configure-custom-prometheus-scrape-jobs).

+The cluster label appended to every time series scraped uses the last part of the full AKS cluster's Azure Resource Manager resource ID. For example, if the resource ID is `/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-name/providers/Microsoft.ContainerService/managedClusters/clustername`, the cluster label is `clustername`.

+To override the cluster label in the time series scraped, update the setting `cluster_alias` to any string under `prometheus-collector-settings` in the [configmap](https://aka.ms/azureprometheus-addon-settings-configmap) `ama-metrics-settings-configmap`. You can either create this configmap or edit an existing one.

+The new label also shows up in the cluster parameter dropdown in the Grafana dashboards instead of the default one.

+> Only alphanumeric characters are allowed. Any other characters are replaced with `_`. This change is to ensure that different components that consume this label adhere to the basic alphanumeric convention.

+To view every metric that's being scraped for debugging purposes, the metrics add-on agent can be configured to run in debug mode by updating the setting `enabled` to `true` under the `debug-mode` setting in the [configmap](https://aka.ms/azureprometheus-addon-settings-configmap) `ama-metrics-settings-configmap`. You can either create this configmap or edit an existing one. For more information, see the [Debug mode section in Troubleshoot collection of Prometheus metrics](prometheus-metrics-troubleshoot.md#debug-mode).

+To update the scrape interval settings for any target, you can update the duration in the setting `default-targets-scrape-interval-settings` for that target in the [configmap](https://aka.ms/azureprometheus-addon-settings-configmap) `ama-metrics-settings-configmap`. You have to set the scrape intervals in the correct format specified in [this website](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#configuration-file). Otherwise, the default value of 30 seconds is applied to the corresponding targets.

+You can configure the metrics add-on to scrape targets other than the default ones by using the same configuration format as the [Prometheus configuration file](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#configuration-file).

+### Advanced setup: Configure custom Prometheus scrape jobs for the DaemonSet

+The `ama-metrics` ReplicaSet pod consumes the custom Prometheus config and scrapes the specified targets. For a cluster with a large number of nodes and pods and a large volume of metrics to scrape, some of the applicable custom scrape targets can be off-loaded from the single `ama-metrics` ReplicaSet pod to the `ama-metrics` DaemonSet pod.

+The [ama-metrics-prometheus-config-node configmap](https://aka.ms/azureprometheus-addon-ds-configmap), similar to the regular configmap, can be created to have static scrape configs on each node. The scrape config should only target a single node and shouldn't use service discovery. Otherwise, each node tries to scrape all targets and makes many calls to the Kubernetes API server.

+The following `node-exporter` config is one of the default targets for the DaemonSet pods. It uses the `$NODE_IP` environment variable, which is already set for every `ama-metrics` add-on container to target a specific port on the node.

+Custom scrape targets can follow the same format by using `static_configs` with targets and using the `$NODE_IP` environment variable and specifying the port to scrape. Each pod of the DaemonSet takes the config, scrapes the metrics, and sends them for that node.

+Learn some tips from examples in this section.

+### Configuration file for custom scrape config

+The configuration format is the same as the [Prometheus configuration file](https://aka.ms/azureprometheus-promioconfig). Currently, the following sections are supported:

+Any other unsupported sections must be removed from the config before they're applied as a configmap. Otherwise, the custom configuration fails validation and isn't applied.

+See the [Apply config file](prometheus-metrics-scrape-validate.md#apply-config-file) section to create a configmap from the Prometheus config.

+> When custom scrape configuration fails to apply because of validation errors, default scrape configuration continues to be used.

+## Scrape configs

+Currently, the supported methods of target discovery for a [scrape config](https://aka.ms/azureprometheus-promioconfig-scrape) are either [`static_configs`](https://aka.ms/azureprometheus-promioconfig-static) or [`kubernetes_sd_configs`](https://aka.ms/azureprometheus-promioconfig-sdk8s) for specifying or discovering targets.

+Targets discovered using [`kubernetes_sd_configs`](https://aka.ms/azureprometheus-promioconfig-sdk8s) each have different `__meta_*` labels depending on what role is specified. You can use the labels in the `relabel_configs` section to filter targets or replace labels for the targets.

+The `relabel_configs` section is applied at the time of target discovery and applies to each target for the job. The following examples show ways to use `relabel_configs`.

+#### Add a label

+Add a new label called `example_label` with the value `example_value` to every metric of the job. Use `__address__` as the source label only because that label always exists and adds the label for every target of the job.

+If a job is using [`kubernetes_sd_configs`](https://aka.ms/azureprometheus-promioconfig-sdk8s) to discover targets, each role has associated `__meta_*` labels for metrics. The `__*` labels are dropped after discovering the targets. To filter by using them at the metrics level, first keep them using `relabel_configs` by assigning a label name. Then use `metric_relabel_configs` to filter.

+You can change the `job` and `instance` label values based on the source label, just like any other label.

+Metric relabel configs are applied after scraping and before ingestion. Use the `metric_relabel_configs` section to filter metrics after scraping. The following examples show how to do so.

+#### Rename metrics

+#### Filter metrics by labels

+# Keep metrics only where example_label = 'example'

+# Keep metrics only if `example_label_1 = value_1` and `example_label_2 = value_2`

+# Keep metrics only if `example_label` exists as a label

+### Pod annotation-based scraping

+If you're currently using Azure Monitor Container insights Prometheus scraping with the setting `monitor_kubernetes_pods = true`, adding this job to your custom config allows you to scrape the same pods and metrics.

+The following scrape config uses the `__meta_*` labels added from the `kubernetes_sd_configs` for the `pod` role to filter for pods with certain annotations.

+To scrape certain pods, specify the port, path, and scheme through annotations for the pod and the following job scrapes only the address specified by the annotation:

+- `prometheus.io/scrape`: Enable scraping for this pod.

+- `prometheus.io/scheme`: If the metrics endpoint is secured, you need to set scheme to `https` and most likely set the TLS config.

+- `prometheus.io/port`: Specify a single port that you want to scrape.

+See the [Apply config file](prometheus-metrics-scrape-validate.md#apply-config-file) section to create a configmap from the Prometheus config.

+[Learn more about collecting Prometheus metrics](prometheus-metrics-overview.md)

+description: This article lists the default targets, dashboards, and recording rules for Prometheus metrics in Azure Monitor.

+This article lists the default targets, dashboards, and recording rules when you [configure Prometheus metrics to be scraped from an Azure Kubernetes Service (AKS) cluster](prometheus-metrics-enable.md) for any AKS cluster.

+ The default scrape frequency for all default targets and scrapes is 30 seconds.

+## Targets scraped for Windows

+Two default jobs can be run for Windows that scrape metrics required for the dashboards specific to Windows.

+> This requires an update in the ama-metrics-settings-configmap and installing windows-exporter on all Windows node pools. For more information, see the [enablement document](./prometheus-metrics-enable.md#enable-prometheus-metric-collection).

+## Metrics scraped for Windows

+The following metrics are collected when windows-exporter and kube-proxy-windows are enabled.

+The following default dashboards are automatically provisioned and configured by Azure Monitor managed service for Prometheus when you [link your Azure Monitor workspace to an Azure Managed Grafana instance](../essentials/azure-monitor-workspace-manage.md#link-a-grafana-workspace). Source code for these dashboards can be found in [this GitHub folder](https://aka.ms/azureprometheus-mixins).

+The following default recording rules are automatically configured by Azure Monitor managed service for Prometheus when you [link your Azure Monitor workspace to an Azure Managed Grafana instance](../essentials/azure-monitor-workspace-manage.md#link-a-grafana-workspace). Source code for these recording rules can be found in [this GitHub folder](https://aka.ms/azureprometheus-mixins).

+[Customize scraping of Prometheus metrics](prometheus-metrics-scrape-configuration.md)

+- Scheduled export from a log query by using a logic app workflow. This method is similar to the data export feature but allows you to send filtered or aggregated data to Azure Storage. This method is subject to [log query limits](../service-limits.md#log-analytics-workspaces). For more information, see [Archive data from a Log Analytics workspace to Azure Storage by using Azure Logic Apps](./logs-export-logic-app.md).

+- One-time export by using a logic app workflow. For more information, see [Azure Monitor Logs connector for Azure Logic Apps](../../connectors/connectors-azure-monitor-logs.md).

+| Retrieve | Access log query results from:<ul><li>Command line via the [Azure CLI](/cli/azure/monitor/log-analytics) or [Azure PowerShell cmdlets](/powershell/module/az.operationalinsights).</li><li>Custom app via the [REST API](/rest/api/loganalytics/) or client library for [.NET](/dotnet/api/overview/azure/Monitor.Query-readme), [Go](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/monitor/azquery), [Java](/java/api/overview/azure/monitor-query-readme), [JavaScript](/javascript/api/overview/azure/monitor-query-readme), or [Python](/python/api/overview/azure/monitor-query-readme).</li></ul> |

+| Import | Upload logs from a custom app via the [REST API](/azure/azure-monitor/logs/logs-ingestion-api-overview) or client library for [.NET](/dotnet/api/overview/azure/Monitor.Ingestion-readme), [Java](/java/api/overview/azure/monitor-ingestion-readme), [JavaScript](/javascript/api/overview/azure/monitor-ingestion-readme), or [Python](/python/api/overview/azure/monitor-ingestion-readme). |

+| Export | Configure [automated export of log data](./logs-data-export.md) to an Azure Storage account or Azure Event Hubs.<br>Build a workflow to retrieve log data and copy it to an external location by using [Azure Logic Apps](../../connectors/connectors-azure-monitor-logs.md). |

+- Learn about the [monitoring data available](../data-sources.md) for various resources in Azure.

+> [!NOTE]

+> Classic Application Insights resources don't support parameterized functions. If you have a [workspace-based Application Insights resource](../app/create-workspace-resource.md), you can create parameterized functions from your Log Analytics workspace. For information on migrating your Classic Application Insights resource to a workspace-based resource, see [Migrate to workspace-based Application Insights resources](../app/convert-classic-resource.md).

+- [Azure Logic Apps](../../connectors/connectors-azure-monitor-logs.md): Use the results of a log query in an automated workflow by using a logic app workflow.

+1. Use Azure Data Explorer to [query data in Azure Data Lake](/azure/data-explorer/data-lake-query-data).

+2. Use Azure Data Explorer to [ingest data from a Storage Account](/azure/data-explorer/ingest-from-container).

+- One-time export by using a logic app. See [Azure Monitor Logs connector for Logic Apps](../../connectors/connectors-azure-monitor-logs.md).

+A Log Analytics workspace lets you collect logs from Azure and non-Azure resources into one space for data analysis, use by other services, such as [Sentinel](../../../articles/sentinel/overview.md), and to trigger alerts and actions, for example, using [Azure Logic Apps](../../connectors/connectors-azure-monitor-logs.md). The Log Analytics workspace consists of tables, which you can configure to manage your data model and log-related costs. This article explains the table configuration options in Azure Monitor Logs and how to set table properties based on your data analysis and cost management needs.

+Root mapping defaults to the `nobody` user because the NFSv4 domain is set to `localdomain` by default. When you mount an Azure NetApp Files NFSv4.1 volume as root, you'll see file permissions as follows:

+ The following examples show the initial configuration of `/etc/idmapd.conf` before changes:

+4. Clear the keyring of the NFS `idmapper` (`nfsidmap -c`).

+## Behavior of other (nonroot) users and groups

+Azure NetApp Files supports local users (users created locally on a host) who have permissions associated with files or folders in NFSv4.1 volumes. However, the service doesn't currently support mapping the users/groups across multiple nodes. Therefore, users created on one host don't map by default to users created on another host.

+On `Host2`, the test user accounts haven't been created, but the same volume is mounted on both hosts:

+* [Configure AD DS LDAP with extended groups for NFS volume access](configure-ldap-extended-groups.md)

+## Quotas in cross-region or cross-zone replication relationships

+Quota rules are synced from cross-region replication (CRR) or cross-zone replication (CZR) source to destination volumes. Quota rules that you create, delete, or update on a CRR or CZR source volume automatically applies to the destination volume.

+Quota rules only come into effect on the CRR/CZR destination volume after the replication relationship is deleted because the destination volume is read-only. To learn how to break the replication relationship, see [Delete volume replications](cross-region-replication-delete.md#delete-volume-replications). If source volumes have quota rules and you create a replication relationship later, all the quota rules are synced to the destination volume.

+* In a CRR/CZR setting:

+ * You can't create, update, or delete quota rules on the destination volume until you [delete the replication](cross-region-replication-delete.md).

+| After my private cloud NSX-T Data Center upgrade to version [3.2.2](https://docs.vmware.com/en/VMware-NSX/3.2.2/rn/vmware-nsxt-data-center-322-release-notes/https://docsupdatetracker.net/index.html), the NSX-T Manager **DNS Forwarder Upstream Server Timeout** alarm is raised | February 2023 | [Enable private cloud internet Access](concepts-design-public-internet-access.md), alarm is raised because NSX-T Manager cannot access the configured CloudFlare DNS server. Otherwise, [change the default DNS zone to point to a valid and reachable DNS server.](configure-dns-azure-vmware-solution.md) | February 2023 |

+In this article, learn how to implement disaster recovery for on-premises VMware or Azure VMware Solution-based virtual machines (VMs). The solution in this article uses [Zerto disaster recovery](https://www.zerto.com/solutions/use-cases/disaster-recovery/). Instances of Zerto are deployed at both the protected and the recovery sites.

+> [!NOTE]

+> For Azure NetApp Files (ANFs), [Azure VMware Solution](/azure/azure-vmware/introduction) supports Network File System (NFS) datastores as a persistent storage option. You can create NFS datastores with Azure NetApp Files volumes and attach them to clusters of your choice. You can also create virtual machines (VMs) for optimal cost and performance. To leverage ANF datastores, select them as a Recovery Datastore in the Zerto VPG wizard when creating or editing a VPG.

+>[!TIP]

+> Explore more about ANF datastores and how to [Attach Azure NetApp datastores to Azure VMware Solution hosts](/azure/azure-vmware/attach-azure-netapp-files-to-azure-vmware-solution-hosts?tabs=azure-portal).

+To request IA support for Zerto on Azure VMware Solution, submit this [Install Zerto on AVS form](https://aka.ms/ZertoAVSinstall) with the required information. In the IA phase, Azure VMware Solution only supports manual installation and onboarding of Zerto. However, Microsoft works with you to ensure that you can manually install Zerto on your private cloud.

+After the ZVM installation, select the options from the Zerto Virtual Manager **Site Settings**.

+- As you scale your Azure VMware Solution private cloud operations, you might need to add new Azure VMware Solution hosts for Zerto protection or configure Zerto disaster recovery to new Azure VMware Solution vSphere Clusters. In both these scenarios, you're required to open a Support Request with the Azure VMware Solution team in the Initial Availability phase. Open the [support ticket](https://rc.portal.azure.com/#create/Microsoft.Support) from the Azure portal for these Day 2 configurations.

+- In the GA phase, all the above operations are enabled in an automated self-service fashion.

+Zerto disaster recovery is a solution sold and supported by Zerto. For any support issue with Zerto disaster recovery, always contact [Zerto support](https://www.zerto.com/support-and-services/).

+Zerto and Microsoft support teams engage each other as needed to troubleshoot Zerto disaster recovery issues on Azure VMware Solution.

+ The `connect` event forwards the subprotocol and authentication information to Upstream from the client. Web PubSub service uses the status code to determine if the request will be upgraded to WebSocket protocol.

+- Private endpoint-enabled Azure PostgreSQL servers can be backed up by allowing trusted Microsoft services in the network settings.

+ >- Private endpoint-enabled Azure PostgreSQL servers can be backed up by allowing trusted Microsoft services in the network settings.

+### UserErrorOperationNotAllowedDatabaseMirroringEnabled

+| Error message | Possible cause | Recommended action |

+| | | |

+| Backup of databases participating in a database mirroring session is not supported by AzureWorkloadBackup. | When you've the mirrioring operation enabled on a SQL database, this error appears. Currently, Azure Backup doesn't support databases with this feature enabled. | You can remove the database mirroring session of the database for the operation to complete successfully. Alternatively, if the database is already protected, do *Stop backup* operation on the database. |

+Register Azure CDN as an app in your Azure Active Directory.

+> [!NOTE]

+> * `205478c0-bd83-4e1b-a9d6-db63a3e1e1c8` is the service principal for `Microsoft.AzureFrontDoor-Cdn`.

+> * You need to have the **Global Administrator** role to run this command.

+> * The service principal name was changed from `Microsoft.Azure.Cdn` to `Microsoft.AzureFrontDoor-Cdn`.

+# [Azure PowerShell](#tab/powershell)

+ `New-AzADServicePrincipal -ApplicationId "205478c0-bd83-4e1b-a9d6-db63a3e1e1c8"`

+ New-AzADServicePrincipal -ApplicationId "205478c0-bd83-4e1b-a9d6-db63a3e1e1c8"

+ Id : abcdef12-3456-7890-abcd-ef1234567890

+# [Azure CLI](#tab/cli)

+1. If needed, install [Azure CLI](/cli/azure/install-azure-cli) on your local machine.

+1. Use the Azure CLI to run the following command:

+ ```azurecli-interactive

+ az ad sp create --id 205478c0-bd83-4e1b-a9d6-db63a3e1e1c8

+ ```

+| Rel 23-03 | [5023697] | Latest Cumulative Update(LCU) | [5.79] | Mar 14, 2023 |

+| Rel 23-03 | [5022835] | IE Cumulative Updates | [2.135], [3.122], [4.115] | Feb 14, 2023 |

+| Rel 23-03 | [5023705] | Latest Cumulative Update(LCU) | [7.23] | Mar 14, 2023 |

+| Rel 23-03 | [5023702] | Latest Cumulative Update(LCU) | [6.55] | Mar 14, 2023 |

+| Rel 23-03 | [5022523] | .NET Framework 3.5 Security and Quality Rollup  | [2.135] | Feb 14, 2023 |

+| Rel 23-03 | [5022515] | .NET Framework 4.6.2 Security and Quality Rollup  | [2.135] | Feb 14, 2023 |

+| Rel 23-03 | [5022574] | .NET Framework 3.5 Security and Quality Rollup  | [4.115] | Feb 14, 2023 |

+| Rel 23-03 | [5022513] | .NET Framework 4.6.2 Security and Quality Rollup  | [4.115] | Feb 14, 2023 |

+| Rel 23-03 | [5022574] | .NET Framework 3.5 Security and Quality Rollup  | [3.122] | Feb 14, 2023 |

+| Rel 23-03 | [5022512] | .NET Framework 4.6.2 Security and Quality Rollup  | [3.122] | Feb 14, 2023 |

+| Rel 23-03 | [5022511] | . NET Framework 4.7.2 Cumulative Update  | [6.55] | Feb 14, 2023 |

+| Rel 23-03 | [5022507] | .NET Framework 4.8 Security and Quality Rollup  | [7.23] | Feb 14, 2023 |

+| Rel 23-03 | [5023769] | Monthly Rollup  | [2.135] | Mar 14, 2023 |

+| Rel 23-03 | [5023756] | Monthly Rollup  | [3.122] | Mar 14, 2023 |

+| Rel 23-03 | [5023765] | Monthly Rollup  | [4.115] | Mar 14, 2023 |

+| Rel 23-03 | [5023791] | Servicing Stack Update  | [3.122] | Mar 14, 2023 |

+| Rel 23-03 | [5023790] | Servicing Stack update | [4.115] | Mar 14, 2022 |

+| Rel 23-03 | [4578013] | OOB Standalone Security Update  | [4.115] | Aug 19, 2020 |

+| Rel 23-03 | [5023788] | Servicing Stack Update | [5.79] | Mar 14, 2023 |

+| Rel 23-03 | [5017397] | Servicing Stack Update LKG  | [2.135] | Sep 13, 2022 |

+| Rel 23-03 | [4494175] | Microcode  | [5.79] | Sep 1, 2020 |

+| Rel 23-03 | [4494174] | Microcode  | [6.55] | Sep 1, 2020 |

+| Rel 23-03 | [5023793] | Servicing Stack Update  | [7.23] | |

+[2.135]: ./cloud-services-guestos-update-matrix.md#family-2-releases

+[3.122]: ./cloud-services-guestos-update-matrix.md#family-3-releases

+[4.115]: ./cloud-services-guestos-update-matrix.md#family-4-releases

+[5.79]: ./cloud-services-guestos-update-matrix.md#family-5-releases

+[6.55]: ./cloud-services-guestos-update-matrix.md#family-6-releases

+[7.23]: ./cloud-services-guestos-update-matrix.md#family-7-releases

+###### **March 28, 2023**

+The March Guest OS has released.

+| WA-GUEST-OS-7.23_202303-01 | March 28, 2023 | Post 7.25 |

+|~~WA-GUEST-OS-7.21_202301-01~~| January 31, 2023 | March 28, 2023 |

+| WA-GUEST-OS-6.55_202303-01 | March 28, 2023 | Post 6.57 |

+|~~WA-GUEST-OS-6.53_202301-01~~| January 31, 2023 | March 28, 2023 |

+| WA-GUEST-OS-5.79_202303-01 | March 28, 2023 | Post 5.81 |

+|~~WA-GUEST-OS-5.77_202301-01~~| January 31, 2023 | March 28, 2023 |

+| WA-GUEST-OS-4.115_202303-01 | March 28, 2023 | Post 4.117 |

+|~~WA-GUEST-OS-4.113_202301-01~~| January 31, 2023 | March 28, 2023 |

+| WA-GUEST-OS-3.122_202303-01 | March 28, 2023 | Post 3.124 |

+|~~WA-GUEST-OS-3.120_202301-01~~| January 31, 2023 | March 28, 2023 |

+| WA-GUEST-OS-2.135_202303-01 | March 28, 2023 | Post 2.137 |

+|~~WA-GUEST-OS-2.133_202301-01~~| January 31, 2023 | March 28, 2023 |

+| SpeechEchoBotTutorial-Speech | Speech | West US |

+ > The example used an enabled [**system-assigned managed identity**](create-use-managed-identities.md#enable-a-system-assigned-managed-identity) with a [**Storage Blob Data Contributor**](create-use-managed-identities.md#grant-storage-account-access-for-your-translator-resource) role assignment for authorization. For more information, *see* [**Managed identities for Document Translation**](./create-use-managed-identities.md).

+Managed identities for Azure resources are service principals that create an Azure Active Directory (Azure AD) identity and specific permissions for Azure managed resources. Managed identities are a safer way to grant access to data compared to SAS URLs.

+* You can use managed identities to grant access to any resource that supports Azure AD authentication, including your own applications. Using managed identities replaces the requirement for you to include shared access signature tokens (SAS) with your [source and target URLs](#post-request-body).

+* **If your storage account is behind a firewall, you must enable the following configuration**:

+ 1. Go to the [Azure portal](https://portal.azure.com/) and sign in to your Azure account.

+ 1. Select the Storage account.

+ 1. In the **Security + networking** group in the left pane, select **Networking**.

+ 1. In the **Firewalls and virtual networks** tab, select **Enabled from selected virtual networks and IP addresses**.

+ :::image type="content" source="../../media/managed-identities/firewalls-and-virtual-networks.png" alt-text="Screenshot: Selected networks radio button selected.":::

+ 1. Deselect all check boxes.

+ 1. Make sure **Microsoft network routing** is selected.

+ 1. Under the **Resource instances** section, select **Microsoft.CognitiveServices/accounts** as the resource type and select your Translator resource as the instance name.

+ 1. Make certain that the **Allow Azure services on the trusted services list to access this storage account** box is checked. For more information about managing exceptions, _see_ [Configure Azure Storage firewalls and virtual networks](../../../../storage/common/storage-network-security.md?tabs=azure-portal#manage-exceptions).

+ :::image type="content" source="../../media/managed-identities/allow-trusted-services-checkbox-portal-view.png" alt-text="Screenshot: allow trusted services checkbox, portal view.":::

+ 1. Select **Save**.

+ > [!NOTE]

+ > It may take up to 5 min for the network changes to propagate.

+ Although by now the network access is permitted, the Translator resource can't yet access the data in the Storage account. You need to [assign a specific access role](#grant-storage-account-access-for-your-translator-resource) for Translator resource managed identity.

+You must grant the Translator resource access to your storage account before it can create, read, or delete blobs. Once you enabled the Translator resource with a system-assigned managed identity, you can use Azure role-based access control (`Azure RBAC`), to give Translator access to your Azure storage containers.

+1. Go to the [Azure portal](https://portal.azure.com/) and sign in to your Azure account.

+1. Select the Translator resource.

+1. In the **Resource Management** group in the left pane, select **Identity**.

+1. Within the **System assigned** tab, turn on the **Status** toggle.

+ > [!IMPORTANT]

+ > User assigned managed identity won't meet requirements for the batch transcription storage account scenario. Be sure to enable system assigned managed identity.

+1. Select **Save**.

+## Grant storage account access for your Translator resource

+> [!IMPORTANT]

+> To assign a system-assigned managed identity role, you need **Microsoft.Authorization/roleAssignments/write** permissions, such as [**Owner**](../../../../role-based-access-control/built-in-roles.md#owner) or [**User Access Administrator**](../../../../role-based-access-control/built-in-roles.md#user-access-administrator) at the storage scope for the storage resource.

+1. Go to the [Azure portal](https://portal.azure.com/) and sign in to your Azure account.

+1. Select the Translator resource.

+1. In the **Resource Management** group in the left pane, select **Identity**.

+1. Next, you assign a **Storage Blob Data Contributor** role to your Translator service resource. The **Storage Blob Data Contributor** role gives Translator (represented by the system-assigned managed identity) read, write, and delete access to the blob container and data. In the **Add role assignment** pop-up window, complete the fields as follows and select **Save**:

+1. After the _Added Role assignment_ confirmation message appears, refresh the page to see the added role assignment.

+1. If you don't see the new role assignment right away, wait and try refreshing the page again. When you assign or remove role assignments, it can take up to 30 minutes for changes to take effect.

+* The request URL is POST `https://<NAME-OF-YOUR-RESOURCE>.cognitiveservices.azure.com/translator/text/batch/v1.0/batches`.

+* The `inputs` object contains both `sourceURL` and `targetURL` container addresses for your source and target language pairs. With system assigned managed identity, you use a plain Storage Account URL (no SAS or other additions). The format is `https://<storage_account_name>.blob.core.windows.net/<container_name>`.

+> [!IMPORTANT]

+> If a file with the same name already exists in the destination, the job will fail. When using managed identities, don't include a SAS token URL with your HTTP requests. If you do so, your requests will fail.

+This sample request body references a source container for all documents to be translated to a target language.

+For more information, _see_ [request parameters](#post-request-body).

+ "sourceUrl": "https://<storage_account_name>.blob.core.windows.net/<source_container_name>"

+ "targetUrl": "https://<storage_account_name>.blob.core.windows.net/<target_container_name>"

+This sample request body references a single source document to be translated into two target languages.

+> [!IMPORTANT]

+> In addition to the request parameters [noted previously](#post-request-body), you must include `"storageType": "File"`. Otherwise the source URL is assumed to be at the container level.

+ "sourceUrl": "https://<storage_account_name>.blob.core.windows.net/<source_container_name>/source-english.docx"

+ "targetUrl": "https://<storage_account_name>.blob.core.windows.net/<target_container_name>/Target-Spanish.docx"

+ "targetUrl": "https://<storage_account_name>.blob.core.windows.net/<target_container_name>/Target-German.docx",

+### Translate all documents in a container using a custom glossary

+This sample request body references a source container for all documents to be translated to a target language using a glossary.

+For more information, _see_ [request parameters](#post-request-body).

+ "sourceUrl": "https://<storage_account_name>.blob.core.windows.net/<source_container_name>",

+ "targetUrl": "https://<storage_account_name>.blob.core.windows.net/<target_container_name>",

+ "glossaryUrl": "https://<storage_account_name>.blob.core.windows.net/<glossary_container_name>/en-es.xlf",

+Great! You've learned how to enable and use a system-assigned managed identity. With managed identity for Azure Resources and `Azure RBAC`, you granted Translator specific access rights to your storage resource without including SAS tokens with your HTTP requests.

+> [Quickstart: Get started with Document Translation](../quickstarts/get-started-with-rest-api.md)

+> [Tutorial: Access Azure Storage from a web app using managed identities](../../../../app-service/scenario-secure-app-access-storage.md?bc=%2fazure%2fcognitive-services%2ftranslator%2fbreadcrumb%2ftoc.json&toc=%2fazure%2fcognitive-services%2ftranslator%2ftoc.json)

+* A [**single-service Translator resource**](https://portal.azure.com/#create/Microsoft.CognitiveServicesTextTranslation) (**not** a multi-service Cognitive Services resource) with [**system-assigned managed identity**](how-to-guides/create-use-managed-identities.md#enable-a-system-assigned-managed-identity) enabled and a [**Storage Blob Data Contributor**](how-to-guides/create-use-managed-identities.md#grant-storage-account-access-for-your-translator-resource) role assigned. For more information, *see* [**Managed identities for Document Translation**](how-to-guides/create-use-managed-identities.md). Also, make sure the region and pricing sections are completed as follows:

+* [Text Translation (Standard)](../translator/containers/translator-disconnected-containers.md)

+description: Learn how to send requests for custom NER.

+ Title: Create custom NER projects and use Azure resources

+description: Learn how to create and manage projects and Azure resources for custom NER.

+ Title: How to deploy a custom NER model

+description: Learn how to deploy a model for custom NER.

+ Title: Send a text classification request to your custom model

+description: Learn how to send requests for custom text classification.

+# Send text classification requests to your model

+After you've successfully deployed a model, you can query the deployment to classify text based on the model you assigned to the deployment.

+ Title: How to deploy a custom text classification model

+ Title: How to send requests to orchestration workflow

+description: Learn about sending requests for orchestration workflow.

+ Title: Create orchestration workflow projects and use Azure resources

+These models can be used with Completion API requests. `gpt-35-turbo` is the only model that can be used with both Completion API requests and the Chat Completion API.

+| Model ID | Base model Regions | Fine-Tuning Regions | Max Request (tokens) | Training Data (up to) |

+| | | - | -- | - |

+| ada | N/A | South Central US ² | 2,049 | Oct 2019|

+| text-ada-001 | East US, South Central US, West Europe | N/A | 2,049 | Oct 2019|

+| babbage | N/A | South Central US² | 2,049 | Oct 2019 |

+| text-babbage-001 | East US, South Central US, West Europe | N/A | 2,049 | Oct 2019 |

+| curie | N/A | South Central US² | 2,049 | Oct 2019 |

+| text-curie-001 | East US, South Central US, West Europe | N/A | 2,049 | Oct 2019 |

+| davinci¹ | N/A | Currently unavailable | 2,049 | Oct 2019|

+| text-davinci-001 | South Central US, West Europe | N/A | | |

+| text-davinci-002 | East US, South Central US, West Europe | N/A | 4,097 | Jun 2021 |

+| text-davinci-003 | East US, West Europe | N/A | 4,097 | Jun 2021 |

+| text-davinci-fine-tune-002¹ | N/A | Currently unavailable | | |

+| gpt-35-turbo³ (ChatGPT) (preview) | East US, South Central US | N/A | 4,096 | Sep 2021 |

+<br>² East US and West Europe were previously available, but due to high demand they are currently unavailable for new customers to use for fine-tuning. Please use US South Central region for fine-tuning.

+These models can only be used with the Chat Completion API.

+| Model ID | Base model Regions | Fine-Tuning Regions | Max Request (tokens) | Training Data (up to) |

+| | | | | |

+| `gpt-4` ^1,² (preview) | East US, South Central US | N/A | 8,192 | September 2021 |

+| `gpt-4-32k` ^1,² (preview) | East US, South Central US | N/A | 32,768 | September 2021 |

+¹ The model is in preview and [only available by request](https://aka.ms/oai/get-gpt4).<br>

+These models can only be used with Completions API requests.

+| Model ID | Base model Regions | Fine-Tuning Regions | Max Request (tokens) | Training Data (up to) |

+| | | | | |

+| code-cushman-001¹ | South Central US, West Europe | Currently unavailable | 2,048 | |

+| code-davinci-002 | East US, West Europe | N/A | 8,001 | Jun 2021 |

+These models can only be used with Embedding API requests.

+| Model ID | Base model Regions | Fine-Tuning Regions | Max Request (tokens) | Training Data (up to) |

+| | | | | |

+| text-embedding-ada-002 | East US, South Central US, West Europe | N/A |2,046 | Sep 2021 |

+| text-similarity-ada-001| East US, South Central US, West Europe | N/A | 2,046 | Aug 2020 |

+| text-similarity-babbage-001 | South Central US, West Europe | N/A | 2,046 | Aug 2020 |

+| text-similarity-curie-001 | East US, South Central US, West Europe | N/A | 2046 | Aug 2020 |

+| text-similarity-davinci-001 | South Central US, West Europe | N/A | 2,046 | Aug 2020 |

+| text-search-ada-doc-001 | South Central US, West Europe | N/A | 2,046 | Aug 2020 |

+| text-search-ada-query-001 | South Central US, West Europe | N/A | 2,046 | Aug 2020 |

+| text-search-babbage-doc-001 | South Central US, West Europe | N/A | 2,046 | Aug 2020 |

+| text-search-babbage-query-001 | South Central US, West Europe | N/A | 2,046 | Aug 2020 |

+| text-search-curie-doc-001 | South Central US, West Europe | N/A | 2,046 | Aug 2020 |

+| text-search-curie-query-001 | South Central US, West Europe | N/A | 2,046 | Aug 2020 |

+| text-search-davinci-doc-001 | South Central US, West Europe | N/A | 2,046 | Aug 2020 |

+| text-search-davinci-query-001 | South Central US, West Europe | N/A | 2,046 | Aug 2020 |

+| code-search-ada-code-001 | South Central US, West Europe | N/A | 2,046 | Aug 2020 |

+| code-search-ada-text-001 | South Central US, West Europe | N/A | 2,046 | Aug 2020 |

+| code-search-babbage-code-001 | South Central US, West Europe | N/A | 2,046 | Aug 2020 |

+| code-search-babbage-text-001 | South Central US, West Europe | N/A | 2,046 | Aug 2020 |

+### Fine-tuned model change

+Deployed customized models (fine-tuned models) that are inactive for greater than 90 days will now automatically have their deployments deleted. **The underlying fine-tuned model is retained and can be redeployed at any time**. Once a fine-tuned model is deployed, it will continue to incur an hourly hosting cost regardless of whether you're actively using the model. To learn more about planning and managing costs with Azure OpenAI, refer to our [cost management guide](/azure/cognitive-services/openai/how-to/manage-costs#base-series-and-codex-series-fine-tuned-models).

+### New Features

+ Title: Call Automation Teams Interop overview

+description: Learn about Teams interoperability with Azure Communication Services Call Automation.

+# Deliver expedient customer service by adding Microsoft Teams users in Call Automation workflows

+Businesses are looking for innovative ways to increase the efficiency of their customer service operations. Azure Communication Services Call Automation provides developers the ability to build programmable customer interactions using real-time event triggers to perform actions based on custom business logic. For example, with support for interoperability with Microsoft Teams, developers can use Call Automation APIs to add subject matter experts (SMEs). These SMEs, who use Microsoft Teams, can be added to an existing customer service call to provide to resolve a customer issue.

+This interoperability with Microsoft Teams over VoIP makes it easy for developers to implement per-region multi-tenant trunks that maximize value and reduce telephony infrastructure overhead. Each new tenant will be able to use this setup in a few minutes after Microsoft Teams admin has granted necessary permissions to the Azure Communication Services resource.

+## Use-cases

+1. Expert Consultation: Businesses can invite subject matter experts into their customer service workflows for expedient issue resolution, and to improve their first call resolution rate.

+1. Extend customer service workforce with knowledge workers: Businesses can extend their customer service operation with more capacity during peak influx of customer service calls.

+## Scenario Showcase ΓÇô Expert Consultation

+A customer service agent, who is using a Contact Center Agent experience, wants to now add a subject matter expert, who is knowledge worker (regular employee) at Contoso and uses Microsoft Teams, into a support call with a customer to provide some expert advice to resolve a customer issue.

+The dataflow diagram depicts a canonical scenario where a Teams user is added to an ongoing ACS call for expert consultation.

+[ ](./media/call-automation-teams-interop.png#lightbox)

+1. Customer is on an ongoing call with a Contact Center customer service agent.

+1. the call, the customer service agent needs expert help from one of the domain experts part of an engineering team. The agent is able to identify a knowledge worker who is available on Teams (presence via Graph APIs) and tries to add them to the call.

+1. Contoso Contact CenterΓÇÖs SBC is already configured with ACS Direct Routing where this add participant request is processed.

+1. Contoso Contact Center provider has implemented a web service, using ACS Call Automation that receives the ΓÇ£add ParticipantΓÇ¥ request.

+1. With Teams interop built into ACS Call Automation, ACS then uses the Teams userΓÇÖs ObjectId to add them to the call. The Teams user receives the incoming call notification. They accept and join the call.

+1. Once the Teams has provided their expertise, they leave the call. The customer service agent and customer continue wrap up their conversation.

+## Capabilities

+The following list presents the set of features that are currently available in the Azure Communication Services Call Automation SDKs for calls with Microsoft Teams users.

+| Feature Area | Capability | .NET | Java |

+| -| -- | | -- |

+| Pre-call scenarios | Place new outbound call to a Microsoft Teams user | ✔️ | ✔️ |

+| | Redirect (forward) a call to a Microsoft Teams user | ✔️ | ✔️ |

+| | Set custom display name for the callee when making a call offer to a Microsoft Teams user | Only on Microsoft Teams desktop client | Only on Microsoft Teams desktop client |

+| Mid-call scenarios | Add one or more endpoints to an existing call with a Microsoft Teams user | ✔️ | ✔️ |

+| | Play Audio from an audio file | ✔️ | ✔️ |

+| | Recognize user input through DTMF | ✔️ | ✔️ |

+| | Remove one or more endpoints from an existing call| ✔️ | ✔️ |

+| | Blind Transfer a 1:1 call to another endpoint | ✔️ | ✔️ |

+| | Hang up a call (remove the call leg) | ✔️ | ✔️ |

+| | Terminate a call (remove all participants and end call)| ✔️ | ✔️ |

+| Query scenarios | Get the call state | ✔️ | ✔️ |

+| | Get a participant in a call | ✔️ | ✔️ |

+| | List all participants in a call | ✔️ | ✔️ |

+| Call Recording* | Start/pause/resume/stop recording | ✔️ | ✔️ |

+> [!IMPORTANT]

+> Azure Communication Services call recording notifications in Teams clients are not supported. You must obtain consent from and notify the parties of recorded communications in a manner that complies with the laws applicable to each participant. i.e., using the Play API available in Call Automation.

+## Supported clients

+| Clients | Support |

+| --| -- |

+| Microsoft Teams Desktop | ✔️ |

+| Microsoft Teams Web | ❌ |

+| Microsoft Teams iOS | ❌ |

+| Microsoft Teams Android | ❌ |

+| Azure Communications Services signed in with Microsoft 365 Identity | ❌ |

+## Roadmap

+1. Support for Microsoft Teams Web coming soon.

+1. Support for Azure Communications Services signed in with Microsoft 365 Identity coming soon.

+## Next steps

+> [!div class="nextstepaction"]

+> [Get started with Adding a Microsoft Teams user to an ongoing call using Call Automation](./../../quickstarts/call-automation/Callflows-for-customer-interactions.md)

+Here are some articles of interest to you:

+- Understand how your resource is [charged for various calling use cases](../pricing.md) with examples.

+# Bring your own Azure storage overview

+Bring Your Own Azure Storage for Call Recording allows you to specify an Azure blob storage account for storing call recording files. Bring your own Azure storage enables businesses to store their data in a way that meets their compliance requirements and business needs. For example, end-users could customize their own rules and access to the data, enabling them to store or delete content whenever they need it. Bring your own Azure Storage provides a simple and straightforward solution that eliminates the need for developers to invest time and resources in downloading and exporting files.

+Bring your own Azure storage uses [Azure Managed Identities](../../../../active-directory/managed-identities-azure-resources/overview.md) to access user-owned resources securely. Azure Managed Identities provides an identity for the application to use when it needs to access Azure resources, eliminating the need for developers to manage credentials.

+- Azure Communication Services will also store your files in a built-in storage for 48 hours even if the exporting is successful.

+- Randomly, recording files are duplicated during the exporting process. Make sure you delete the duplicated file to avoid extra storage costs in your storage account.

+- Learn more about Bring your own Azure storage, check out the [BYO Azure Storage Quickstart](../../../quickstarts/call-automation/call-recording/bring-your-own-storage.md).

+- Apply for [Toll-free verification](./sms-faq.md#toll-free-verification)

+In the United States, Azure Communication Services does not check for landline numbers and attempts to send it to carriers for delivery. Customers are charged for messages sent to landline numbers.

+- **STOP** - If a text message recipient wishes to opt out, they can send ΓÇÿSTOPΓÇÖ to the toll-free number. The carrier sends the following default response for STOP: *"NETWORK MSG: You replied with the word "stop", which blocks all texts sent from this number. Text back "unstop" to receive messages again."*

+- Azure Communication Services detects STOP messages and blocks all further messages to the recipient. The delivery report will indicate a failed delivery with status message as ΓÇ£Sender blocked for given recipient.ΓÇ¥

+Azure communication service offers an opt-out management service for short codes that allows customers to configure responses to mandatory keywords STOP/START/HELP. Prior to provisioning your short code, you are asked for your preference to manage opt-outs. If you opt-in to use it, the opt-out management service automatically uses your responses in the program brief for Opt-in/ Opt-out/ Help keywords in response to STOP/START/HELP keyword.

+Azure Communication Services detects STOP messages and blocks all further messages to the recipient. The delivery report indicates a failed delivery with status message as ΓÇ£Sender blocked for given recipient.ΓÇ¥ The STOP, UNSTOP and START messages are relayed back to you. Azure Communication Services encourages you to monitor and implement these opt-outs to ensure that no further message send attempts are made to recipients who have opted out of your communications.

+Once you have submitted the short code program brief application in the Azure portal, the service desk works with the aggregators to get your application approved by each wireless carrier. This process generally takes 8-12 weeks. All updates and the status changes for your applications are communicated via the email you provide in the application. For more questions about your submitted application, please email acstnrequest@microsoft.com.

+1. **Stricter filtering** - SMS messages are more likely to get blocked due to strict filtering, preventing messages to be delivered (that is, SMS messages with URLs might be blocked).

+Effective April 1, 2023, the industryΓÇÖs toll-free aggregator is implementing new limits to messaging traffic for restricted and pending toll-free numbers. Messaging that exceeds a limit returns Error Code 795/ 4795: tfn-not-verified.

+New limits are as follows:

+|Limit type |Verification Status|Current limit| Limit effective April 1, 2023 |

+||-|-|-|

+|Daily limit |Unverified | 2,000 |500|

+|Weekly limit| Unverified| 12,000| 1,000|

+|Monthly Limit| Unverified| 25,000| 2,000|

+|Daily limit| Pending Verification| No Limit| 2,000|

+|Weekly limit| Pending Verification| No Limit| 6,000|

+|Monthly Limit| Pending Verification| 500,000| 10,000|

+|Daily limit| Verified | No Limit| No Limit|

+|Weekly limit| Verified| No Limit| No Limit|

+|Monthly Limit| Verified| No Limit| No Limit|

+> [!IMPORTANT]

+> In the near future, the verification process will need to be completed before sending any traffic on a toll-free number. The official date will be shared in the coming weeks. In the meantime, please start to prepare for this change in your onboarding processes.

+- **Verified:** Verified numbers have gone through the toll-free verification process and have been approved. Their traffic is subjected to limited filters. If traffic does trigger any filters, that specific content is blocked but the number is not automatically blocked.

+- **Pending**: Numbers in pending state have an associated toll-free verification form being reviewed by the toll-free messaging aggregator. They can send at a lower throughput than verified numbers, but higher than unverified numbers. Blocking can be applied to individual content or there can be an automatic block of all traffic from the number. These numbers remain in this pending state until a decision has been made on verification status.

+- **Unverified:** Unverified numbers have either 1) not submitted a verification application or 2) have had their application denied. These numbers are subject to the highest amount of filtering, and numbers in this state automatically get shut off if any spam or unwanted traffic is detected.

+The higher the quality of the application the higher chances your application enters [pending state](#what-do-the-different-application-statuses-verified-pending-and-unverified-mean) faster.

+- **GSM-7** - A message containing text characters only is encoded using GSM-7

+- **UCS-2** - A message containing unicode (emojis, international languages) is encoded using UCS-2

+To ensure that we continue offering the high quality of service consistent with our SLAs, Azure Communication Services applies rate limits (different for each primitive). Developers who call our APIs beyond the limit receives a 429 HTTP Status Code Response. If your company has requirements that exceed the rate-limits, email us at phone@microsoft.com.

+US and CA carriers charge an added fee for SMS messages sent and/or received from toll-free numbers and short codes. The carrier surcharge is calculated based on the destination of the message for sent messages and based on the sender of the message for received messages. Azure Communication Services charges a standard carrier fee per message segment. Carrier fees are subject to change by mobile carriers. Refer to [SMS pricing](../sms-pricing.md) for more details.

+### When do we come to know of changes to these surcharges?

+As with similar Azure services, customers are notified at least 30 days prior to the implementation of any price changes. These charges are reflected on our SMS pricing page along with the effective dates.

+Azure Communication Services does not support text-to-911 functionality in the United States, but itΓÇÖs possible that you may have an obligation to do so under the rules of the Federal Communications Commission (FCC). You should assess whether the FCCΓÇÖs text-to-911 rules apply to your service or application. To the extent you're covered by these rules, you are responsible for routing 911 text messages to emergency call centers that request them. You're free to determine your own text-to-911 delivery model, but one approach accepted by the FCC involves automatically launching the native dialer on the userΓÇÖs mobile device to deliver 911 texts through the underlying mobile carrier.

+ Title: Toll-free verification guidelines

+description: Learn about how to fill the toll-free verification form

+# Toll-free verification guidelines

+In this document, we review the guidelines on filling out an application to verify your toll-free number. For detailed process and timelines toll-free verification process, check the [toll-free verification FAQ](./sms-faq.md#toll-free-verification). The toll-free verification application consists of five sections:

+- Application Type

+- Company Details

+- Program Details

+- Volume

+- Templates

+## Application type

+### Country or region

+ Primary location your toll-free number is used to send messages to. Toll-free numbers are domestic within North America region. Your newly acquired toll-free number can only send messages to US, PR, and CA (regardless of where it's acquired for).

+### Associated phone number(s)

+This drop down displays all the toll-free numbers you have in the Azure Communication Services resource. You're required to select the toll-free numbers that you would like to get verified. If you don't have a toll-free number, navigate to the phone numbers blade to acquire a toll-free number first.

+### Are you using more than one sending phone number?

+If you're using multiple sending numbers for the same use case, justify how you're using the multiple numbers. If you need multiple numbers for multiple environments (development, QA, production), state that here.

+## Company details

+You need to provide information about your company and point of contact. Status updates for your short code application are sent to the point of contact email address.

+## Program content

+Message Senders are required to provide detailed information on the content of their SMS campaign and to ensure that the customer consents to receive text messages, and understands the nature of the program.

+### Program description

+You need to describe the program for which the toll-free number is used to send SMS. Include who will be receiving the messages and frequency of the messages.

+### Opt-in

+The general rule of thumb for opt-in are:

+- Making sure the opt-in flow is thoroughly detailed.ΓÇ»

+- Consumer consent must be collected by the direct (first) party sending the messages. If you're a third party helping the direct party sending messages

+- Ensure there's explicitly stated consent disclaimer language at the time of collection. (that is, when the phone number is collected there must be a disclosure about opting-in to messaging).

+- If your message has Marketing/Promotional content, then it must be optional for customers to opt-in

+ Here are some tips on how to show the proof of your opt-in workflow:

+### Opt-in URL

+|Type of Opt-In| Tips|

+|--|--|

+|Website | Screenshots of the web form where the end customer adds a phone number and agrees to receive SMS messages. This screenshot must explicitly state the consent disclaimer language at the time of collection|

+|Keyword or QR Code Opt-in| Image or screenshot of where the customer discovers the keyword/ QR Code in order to opt-in to these messages|

+|Verbal/IVR opt-in|Provide a screenshot record of opt-in via verbal in your database/ CRM to show how the opt-in data is stored. (that is, a check box on their CRM saying that the customer opted in and the date) OR an audio recording of the IVR flow.|

+|Point of Sale | For POS opt-ins on a screen/tablet, provide screenshot of the form. For verbal POS opt-ins of informational traffic, provide a screenshot of the database or a record of the entry. |

+|2FA/OTP| Provide a screenshot of the process to receive the initial text.|

+|Paper form | Upload the form and make sure it includes XXXX. |

+ ## Volume

+### Expected total messages sent

+In this field, you're required to provide an estimate of total messages sent per month.

+## Templates

+Message senders are required to disclose all the types/categories of messages with samples that are sent over the toll-free number.

+#### Examples

+- Contoso Promo Alerts: 3 msgs/week. Msg&Data Rates May Apply. Reply HELP for help. Reply STOP to opt-out.

+- Contoso: Your reservation has been confirmed for 30th February 2022. Txt R to reschedule. Txt HELP or STOP. Msg&Data rates may apply.

+ ## Next steps

+> [!div class="nextstepaction"]

+> [Acquire a toll-free number](../../quickstarts/telephony/get-phone-number.md)

+> [!div class="nextstepaction"]

+> [Apply for a short code](../../quickstarts/sms/apply-for-short-code.md)

+The following documents may be interesting to you:

+- Familiarize yourself with the [SMS FAQ](./sms-faq.md#toll-free-verification)

+- Familiarize yourself with the [SMS SDK](../sms/sdk-features.md)

+| Signaling, telemetry, registration| *.skype.com, *.microsoft.com, *.azure.net, *.azure.com, *.office.com| TCP 443, 80 |

+# Call recording: Bring your own Azure storage quickstart

+This quickstart gets you started with Bring your own Azure storage for Call Recording. To start using Bring your own Azure Storage functionality, make sure you're familiar with the [Call Recording APIs](../../voice-video-calling/get-started-call-recording.md).

+ Title: Azure Communication Services Call Automation how-to for adding Microsoft Teams User into an existing call

+description: ProvIDes a how-to for adding a Microsoft Teams user to a call with Call Automation.

+zone_pivot_groups: acs-csharp-java

+# Add a Microsoft Teams user to an existing call using Call Automation

+In this quickstart, we use the Azure Communication Services Call Automation APIs to add, remove and transfer to a Teams user.

+You need to be part of the Azure Communication Services TAP program. It's likely that youΓÇÖre already part of this program, and if you aren't, sign-up using https://aka.ms/acs-tap-invite. To access to the specific Teams Interop functionality for Call Automation, submit your Teams Tenant IDs and Azure Communication Services Resource IDs by filling this form ΓÇô https://aka.ms/acs-ca-teams-tap. You need to fill the form every time you need a new tenant ID and new resource ID allow-listed.

+## Prerequisites

+- An Azure account with an active subscription.

+- A Microsoft Teams tenant with administrative privileges.

+- A deployed [Communication Service resource](../../quickstarts/create-communication-resource.md) and valid connection string found by selecting Keys in left side menu on Azure portal.

+- [Acquire a PSTN phone number from the Communication Service resource](../../quickstarts/telephony/get-phone-number.md). Note the phone number you acquired to use in this quickstart.

+- An Azure Event Grid subscription to receive the `IncomingCall` event.

+- The latest [Azure Communication Service Call Automation API library](./callflows-for-customer-interactions.md) for your operating system.

+- A web service that implements the Call Automation API library, follow [this tutorial](./callflows-for-customer-interactions.md).

+## Step 1: Authorization for your Azure Communication Services Resource to enable calling to Microsoft Teams users

+To enable calling through Call Automation APIs, a [Microsoft Teams Administrator](/azure/active-directory/roles/permissions-reference#teams-administrator) or [Global Administrator](/en-us/azure/active-directory/roles/permissions-reference#global-administrator) must explicitly enable the ACS resource(s) access to their tenant to allow calling.

+[Set-CsTeamsAcsFederationConfiguration (MicrosoftTeamsPowerShell)](/powershell/module/teams/set-csteamsacsfederationconfiguration)

+Tenant level setting that enables/disables federation between their tenant and specific ACS resources.

+[Set-CsExternalAccessPolicy (SkypeForBusiness)](/powershell/module/skype/set-csexternalaccesspolicy)

+User policy that allows the admin to further control which users in their organization can participate in federated communications with ACS users.

+## Step 2: Use the Graph API to get Azure AD object ID for Teams users and optionally check their presence

+A Teams userΓÇÖs Azure Active Directory (Azure AD) object ID (OID) is required to add them to or transfer to them from an ACS call. The OID can be retrieved through 1) Office portal, 2) Azure AD portal, 3) Azure AD Connect; or 4) Graph API. The example below uses Graph API.

+Consent must be granted by an Azure AD admin before Graph can be used to search for users, learn more by following on the [Microsoft Graph Security API overview](/graph/security-concept-overview) document. The OID can be retrieved using the list users API to search for users. The following shows a search by display name, but other properties can be searched as well:

+[List users using Microsoft Graph v1.0](/graph/api/user-list):

+```rest

+Request:

+ https://graph.microsoft.com/v1.0/users?$search="displayName:Art Anderson"

+Permissions:

+ Application and delegated. Refer to documentation.

+Response:

+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users",

+ "value": [

+ {

+ "displayName": "Art Anderson",

+ "mail": "artanderson@contoso.com",

+ "id": "fc4ccb5f-8046-4812-803f-6c344a5d1560"

+ }

+```

+Optionally, Presence for a user can be retrieved using the get presence API and the user ObjectId. Learn more on the [Microsoft Graph v1.0 documentation](/graph/api/presence-get).

+```rest

+Request:

+https://graph.microsoft.com/v1.0/users/fc4ccb5f-8046-4812-803f-6c344a5d1560/presence

+Permissions:

+Delegated only. Application not supported. Refer to documentation.

+Response:

+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users('fc4ccb5f-8046-4812-803f-6c344a5d1560')/presence/$entity",

+ "id": "fc4ccb5f-8046-4812-803f-6c344a5d1560",

+ "availability": "Offline",

+ "activity": "Offline"

+```

+## Step 3: Add a Teams user to an existing ACS call controlled by Call Automation APIs

+You need to complete the prerequisite step and have a web service app to control an ACS call. Using the callConnection object, add a participant to the call.

+```csharp

+CallAutomationClient client = new CallAutomationClient('<Connection_String>');

+AnswerCallResult answer = await client.AnswerCallAsync(incomingCallContext, new Uri('<Callback_URI>'));

+await answer.Value.CallConnection.AddParticipantAsync(

+ new CallInvite(new MicrosoftTeamsUserIdentifier('<Teams_User_Guid>'))

+ {

+ SourceDisplayName = "Jack (Contoso Tech Support)"

+ });

+```

+On the Microsoft Teams desktop client, Jack's call will be sent to the Microsoft Teams user through an incoming call toast notification.

+

+After the Microsoft Teams user accepts the call, the in-call experience for the Microsoft Teams user will have all the participants displayed on the Microsoft Teams roster.

+

+## Step 4: Remove a Teams user from an existing ACS call controlled by Call Automation APIs

+```csharp

+await answer.Value.CallConnection.RemoveParticipantAsync(new MicrosoftTeamsUserIdentifier('<Teams_User_Guid>'));

+```

+### Optional feature: Transfer to a Teams user from an existing ACS call controlled by Call Automation APIs

+```csharp

+await answer.Value.CallConnection.TransferCallToParticipantAsync(new CallInvite(new MicrosoftTeamsUserIdentifier('<Teams_User_Guid>')));

+```

+### How to tell if your Tenant isn't enabled for this preview?

+

+## Clean up resources

+If you want to clean up and remove a Communication Services subscription, you can delete the resource or resource group. Deleting the resource group also deletes any other resources associated with it. Learn more about [cleaning up resources](../../quickstarts/create-communication-resource.md#clean-up-resources).

+## Next steps

+- Learn more about [Call Automation](../../concepts/call-automation/call-automation.md) and its features.

+- Learn about [Play action](../../concepts/call-automation/play-Action.md) to play audio in a call.

+- Learn how to build a [call workflow](../../quickstarts/call-automation/callflows-for-customer-interactions.md) for a customer support scenario.

+zone_pivot_groups: acs-azcli-js-csharp-java-python-swift-android-power-platform

+zone_pivot_groups: acs-azcli-js-csharp-java-python-power-platform

+## Clean up Azure Communication Service resources

+ - Learn more about [how to send a chat message](../chat/logic-app.md) from Power Automate using Azure Communication Services.

+ - Learn more about access tokens check [Create and Manage Azure Communication Services users and access tokens](../chat/logic-app.md).

+ Title: Apply for toll-free verification

+description: Learn about how to apply for toll-free verification

+# Quickstart: Apply for toll-free verification

+Get started with reliable SMS service using toll-free numbers by submitting a toll-free verification. Toll-free verification maximizes deliverability of messages with low to no traffic filtering.

+## Prerequisites

+- [An active Communication Services resource.](../create-communication-resource.md)

+- [An SMS-enabled toll-free number](../telephony/get-phone-number.md)

+

+### What is toll free verification?

+The toll-free verification process ensures that your services running on toll-free numbers (TFNs) comply with carrier policies and [industry best practices](../../concepts/sms/messaging-policy.md). This also provides relevant service information to the downstream carriers, reduces the likelihood of false positive filtering and wrongful spam blocks. For detailed process and timelines toll-free verification process check the [toll-free verification FAQ](../../concepts/sms/sms-faq.md#toll-free-verification).

+Verification is **required** for best SMS delivery experience.

+## Submit a toll-free verification

+To begin toll-free verification, go to your Communication Services resource on the [Azure portal](https://portal.azure.com).

+## Apply for a toll-free verification

+Navigate to the Regulatory Documents blade in the resource menu and click on "Add" button to launch the toll-free verification application wizard. For detailed guidance on how to fill out the program brief application check the [toll-free verification filling guidelines](../../concepts/sms/toll-free-verification-guidelines.md).

+A toll-free verification application consists of the following five sections:

+### Application type

+You first need to choose country/region and toll-free numbers you would like to get verified. If you have not acquired a toll-free number, then you need to first acquire the number and then come back to this application. If you have selected more than one toll-free number to verify, you need to provide justification on how the multiple numbers are used for the campaign.

+### Contact details

+This section requires you to provide information about your company and point of contact in the case we need additional information for this application.

+### Program content

+This section requires you to provide description of the SMS campaign, opt-in method (how you plan to get consent from the customer to receive SMS), and screenshots of the selected opt-in method.

+### Volume details

+This section requires you to provide an estimate of the number of messages you plan on sending per month.

+### Template information

+This section captures sample messages related to your campaign. Provide samples of each type of message you are sending out to recipients.

+### Review

+Once completed, review the toll-free verification details and submit the completed application through the Azure portal.

+

+This program brief is automatically sent to the toll-free messaging aggregator for review. The toll-free aggregator then reviews the details of the toll-free verification application, a process that can typically take between 5-6 weeks. Once they approve the application, you are notified via application status change in the Azure portal. You can now start sending and receiving messages with low filtering on this toll-free number for your messaging programs.

+## Next steps

+> [!div class="nextstepaction"]

+> [Check guidelines for filling a toll-free verification application](../../concepts/sms/toll-free-verification-guidelines.md)

+> [!div class="nextstepaction"]

+> [Send an SMS](../sms/send.md)

+The following documents may be interesting to you:

+- Familiarize yourself with the [SMS SDK](../../concepts/sms/sdk-features.md)

+- Familiarize yourself with the [SMS FAQ](../../concepts/sms/sms-faq.md)

+zone_pivot_groups: acs-azcli-js-csharp-java-python-power-platform

+>

+> [!div class="nextstepaction"]

+> [Toll-free verification](../../concepts/sms/sms-faq.md#toll-free-verification)

+> [!div class="nextstepaction"]

+To deploy a confidential VM instance, consider a [pay-as-you-go subscription](/azure/virtual-machines/linux/azure-hybrid-benefit-linux) or other purchase option. If you're using an [Azure free account](https://azure.microsoft.com/free/), the quota doesn't allow the appropriate number of Azure compute cores.

+ Title: Connect to Azure Application Insights

+description: Connect to Application Insights from a workflow in Azure Logic Apps.

+ms.suite: integration

+tags: connectors

+# As a developer, I want to get telemetry from an Application Insights resource to use with my workflow in Azure Logic Apps.

+# Connect to Azure Application Insights from workflows in Azure Logic Apps

+> [!NOTE]

+>

+> The [Azure Monitor Logs connector](/connectors/azuremonitorlogs/) replaces the [Azure Log Analytics connector](/connectors/azureloganalytics/)

+> and the [Azure Application Insights connector](/connectors/applicationinsights/). This combined connector provides the same functionality as

+> the other connectors and is the preferred method for running a query against a Log Analytics workspace or an Application Insights resource.

+>

+> For example, when you connect to your Application Insights resource, you don't have to create or provide an application ID and API key.

+> Authentication is integrated with Azure Active Directory. For the how-to guide to use the Azure Monitor Logs connector, see

+> [Connect to Log Analytics or Application Insights from workflows in Azure Logic Apps](connectors-azure-monitor-logs.md).

+For more information, see the following documentation:

+- [Azure Monitor Logs connector](/connectors/azuremonitorlogs/)

+- [Connect to Log Analytics or Application Insights from workflows in Azure Logic Apps](connectors-azure-monitor-logs.md)

+- [What is Azure Logic Apps](../logic-apps/logic-apps-overview.md)

+ Title: Connect to Log Analytics or Application Insights

+description: Get log data from a Log Analytics workspace or Application Insights resource to use with your workflow in Azure Logic Apps.

+ms.suite: integration

+tags: connectors

+# As a developer, I want to get log data from my Log Analytics workspace or telemetry from my Application Insights resource to use with my workflow in Azure Logic Apps.

+# Connect to Log Analytics or Application Insights from workflows in Azure Logic Apps

+> [!NOTE]

+>

+> The Azure Monitor Logs connector replaces the [Azure Log Analytics connector](/connectors/azureloganalytics/)

+> and the [Azure Application Insights connector](/connectors/applicationinsights/). This connector provides

+> the same functionality as the other connectors and is the preferred method for running a query against a

+> Log Analytics workspace or an Application Insights resource. For example, when you connect to your Application

+> Insights resource, you don't have to create or provide an application ID and API key. Authentication is

+> integrated with Azure Active Directory.

+To build workflows in Azure Logic Apps that retrieve data from a Log Analytics workspace or an Application Insights resource in Azure Monitor, you can use the Azure Monitor Logs connector.

+For example, you can create a logic app workflow that sends Azure Monitor log data in an email message from your Office 365 Outlook account, create a bug in Azure DevOps, or post a Slack message. This connector provides only actions, so to start a workflow, you can use a Recurrence trigger to specify a simple schedule or any trigger from another service.

+This how-to guide describes how to build a [Consumption logic app workflow](../logic-apps/logic-apps-overview.md#resource-environment-differences) that sends the results of an Azure Monitor log query by email.

+## Connector technical reference

+For technical information about this connector's operations, see the [connector's reference documentation](/connectors/azuremonitorlogs/).

+> [!NOTE]

+>

+> Both of the following actions can run a log query against a Log Analytics workspace or

+> Application Insights resource. The difference exists in the way that data is returned.

+>

+> | Action | Description |

+> |--|-|

+> | [Run query and and list results](/connectors/azuremonitorlogs/#run-query-and-list-results) | Returns each row as its own object. Use this action when you want to work with each row separately in the rest of the workflow. The action is typically followed by a [For each action](../logic-apps/logic-apps-control-flow-loops.md). |

+> | [Run query and and visualize results](/connectors/azuremonitorlogs/#run-query-and-visualize-results) | Returns a JPG file that depicts the query result set. This action lets you use the result set in the rest of the workflow by sending the results in an email, for example. The action only returns a JPG file if the query returns results. |

+## Limitations

+- The connector has the following limits, which your workflow might reach, based on the query that you use and the size of the results:

+ | Limit | Value | Notes |

+ |-|-|-|

+ | Max query response size | ~16.7 MB or 16 MiB | The connector infrastructure dictates that the size limit is set lower than the query API limit. |

+ | Max number of records | 500,000 records ||

+ | Max connector timeout | 110 seconds ||

+ | Max query timeout | 100 seconds ||

+ To avoid reaching these limits, try aggregating data to reduce the results size, or adjusting the workflow recurrence to run more frequently across a smaller time range. However, due to caching, frequent queries with intervals less than 120 seconds aren't recommended.

+- Visualizations on the Logs page and the connector use different charting libraries. So, the connector currently doesn't include some functionality.

+## Prerequisites

+- An Azure account and subscription. If you don't have an Azure subscription, [sign up for a free Azure account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- The [Log Analytics workspace](../azure-monitor/logs/quick-create-workspace.md) or [Application Insights resource](../azure-monitor/app/app-insights-overview.md) that you want to connect.

+- The [Consumption logic app workflow](../logic-apps/logic-apps-overview.md#resource-environment-differences) from where you want to access your Log Analytics workspace or Application Insights resource. To use an Azure Monitor Logs action, start your workflow with any trigger. This guide uses the [**Recurrence** trigger](connectors-native-recurrence.md).

+ > [!NOTE]

+ >

+ > Although you can turn on the Log Analytics setting in a logic app resource to collect information about runtime data

+ > and events as described in the how-to guide [Set up Azure Monitor logs and collect diagnostics data for Azure Logic Apps](../logic-apps/monitor-workflows-collect-diagnostic-data.md), this setting isn't required

+ > for you to use the Azure Monitor Logs connector.

+- An Office 365 Outlook account to complete the example in this guide. Otherwise, you can use any email provider that has an available connector in Azure Logic Apps.

+## Add an Azure Monitor Logs action

+1. In the [Azure portal](https://portal.azure.com), open your logic app workflow in the designer.

+1. In your workflow where you want to add the Azure Monitor Logs action, follow one of these steps:

+ - To add an action under the last step, select **New step**.

+ - To add an action between steps, move your pointer use over the connecting arrow. Select the plus sign (**+**) that appears, and then select **Add an action**.

+ For more information about adding an action, see [Build a workflow by adding a trigger or action](../logic-apps/create-workflow-with-trigger-or-action.md).

+1. Under the **Choose an operation** search box, select **Standard**. In the search box, enter **Azure Monitor Logs**.

+1. From the actions list, select the action that you want.

+ This example continues with the action named **Run query and visualize results**.

+1. In the connection box, from the **Tenant** list, select your Azure Active Directory (Azure AD) tenant, and then select **Create**.

+ > [!NOTE]

+ >

+ > The account associated with the current connection is used later to send the email.

+ > To use a different account, select **Change connection**.

+1. In the **Run query and visualize results** action box, provide the following information:

+ | Property | Required | Value | Description |

+ |-|-|-|-|

+ | **Subscription** | Yes | <*Azure-subscription*> | The Azure subscription for your Log Analytics workspace or Application Insights application. |

+ | **Resource Group** | Yes | <*Azure-resource-group*> | The Azure resource group for your Log Analytics workspace or Application Insights application. |

+ | **Resource Type** | Yes | **Log Analytics Workspace** or **Application Insights** | The resource type to connect from your workflow. This example continues by selecting **Log Analytics Workspace**. |

+ | **Resource Name** | Yes | <*Azure-resource-name*> | The name for your Log Analytics workspace or Application Insights resource. |

+1. In the **Query** box, enter the following Kusto query to retrieve the specified log data from the following sources:

+ * Log Analytics workspace

+ The following example query selects errors that occurred within the last day, reports their total number, and sorts them in ascending order.

+ ```Kusto

+ Event

+ | where EventLevelName == "Error"

+ | where TimeGenerated > ago(1day)

+ | summarize TotalErrors=count() by Computer

+ | sort by Computer asc

+ ```

+ * Application Insights resource

+ The following example query selects the failed requests within the last day and correlates them with exceptions that occurred as part of the operation, based on the `operation_Id` identifier. The query then segments the results by using the `autocluster()` algorithm.

+ ```kusto

+ requests

+ | where timestamp > ago(1d)

+ | where success == "False"

+ | project name, operation_Id

+ | join ( exceptions

+ | project problemId, outerMessage, operation_Id

+ ) on operation_Id

+ | evaluate autocluster()

+ ```

+ > [!NOTE]

+ >

+ > When you create your own queries, make sure they work correctly in Log Analytics before you add them to your Azure Monitor Logs action.

+1. For **Time Range**, select **Set in query**.

+1. For **Chart Type**, select **Html Table**.

+1. Save your workflow. On the designer toolbar, select **Save**.

+## Add an email action

+1. In your workflow where you want to add the Office 365 Outlook action, follow one of these steps:

+ - To add an action under the last step, select **New step**.

+ - To add an action between steps, move your pointer use over the connecting arrow. Select the plus sign (**+**) that appears, and then select **Add an action**.

+1. Under the **Choose an operation** search box, select **Standard**. In the search box, enter **Office 365 send email**.

+1. From the actions list, select the action named **Send an email (V2)**.

+1. In the **To** box, enter the recipient's email address. For this example, use your own email address.

+1. In the **Subject** box, enter a subject for the email, for example, **Top daily errors or failures**.

+1. In the **Body** box, click anywhere inside to open the **Dynamic content** list, which shows the outputs from the previous steps in the workflow.

+ 1. In the **Dynamic content** list, next to the **Run query and visualize results** section name, select **See more**.

+ 1. From the outputs list, select **Body**, which represents the results of the query that you previously entered in the Log Analytics action.

+1. From the **Add new parameter** list, select **Attachments**.

+ The **Send an email** action now includes the **Attachments Name** and **Attachments Content** properties.

+1. For the added properties, follow these steps:

+ 1. In the **Attachment Name** box, from the dynamic content list that appears, under **Run query and visualize results**, select the **Attachment Name** output.

+ 1. In the **Attachment Content** box, from the dynamic content list that appears, under **Run query and visualize results**, select the **Attachment Content** output.

+1. Save your workflow. On the designer toolbar, select **Save**.

+### Test your workflow

+1. On the designer toolbar, select **Run Trigger** > **Run**.

+1. When the workflow completes, check your email.

+ > [!NOTE]

+ >

+ > The workflow generates an email with a JPG file that shows the query result set.

+ > If your query doesn't return any results, the workflow won't create a JPG file.

+ For the Log Analytics workspace example, the email that you receive has a body that looks similar to the following example:

+ 

+ For an Application Insights resource, the email that you receive has a body that looks similar to the following example:

+ 

+## Next steps

+- Learn more about [log queries in Azure Monitor](../azure-monitor/logs/log-query-overview.md)

+- Learn more about [queries for Log Analytics](../azure-monitor/logs/get-started-queries.md)