- "userMessage": "There was a problem with your request. You are not able to sign up at this time.",

-OpenID Connect (OIDC) is an authentication protocol that's built on OAuth 2.0. You can use OIDC to securely sign users in to an application. This web app sample uses the [Microsoft Authentication Library (MSAL) for Python](https://github.com/AzureAD/microsoft-authentication-library-for-python). The MSAL for Python simplifies adding authentication and authorization support to Python web apps.

-### Sign-out

-A computer that's running:

-* [Visual Studio Code](https://code.visualstudio.com/) or another code editor

-* [Python](https://www.python.org/downloads/) 3.9 or above

-1. Rename the *app_config_b2c.py* file to *app_config.py*.

-Open the *app_config.py* file. This file contains information about your Azure AD B2C identity provider. Update the following app settings properties:

-|Key |Value |

-|||

-|`b2c_tenant`| The first part of your Azure AD B2C [tenant name]( tenant-management-read-tenant-name.md#get-your-tenant-name) (for example, `contoso`).|

-|`CLIENT_ID`| The web API application ID from [step 2.1](#step-21-register-the-app).|

-|`CLIENT_SECRET`| The client secret value you created in [step 2.2](#step-22-create-a-web-app-client-secret). To help increase security, consider storing it instead in an environment variable, as recommended in the comments. |

-|`*_user_flow`|The user flows or custom policy you created in [step 1](#step-1-configure-your-user-flow).|

-| | |

-Your final configuration file should look like the following Python code:

-```python

-import os

-b2c_tenant = "contoso"

-signupsignin_user_flow = "B2C_1_signupsignin"

-editprofile_user_flow = "B2C_1_profileediting"

-resetpassword_user_flow = "B2C_1_passwordreset"

-authority_template = "https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{user_flow}"

-CLIENT_ID = "11111111-1111-1111-1111-111111111111" # Application (client) ID of app registration

-CLIENT_SECRET = "xxxxxxxxxxxxxxxxxxxxxxxx" # Placeholder - for use ONLY during testing.

-```

-> [!IMPORTANT]

-> As noted in the code snippet comments, we recommend that you *do not store secrets in plaintext* in your application code. The hard-coded variable is used in the code sample *for convenience only*. Consider using an environment variable or a secret store, such as an Azure key vault.

- * Serving Flask app "app" (lazy loading)

- * Environment: production

- * Debug mode: off

-

-This sample acquires an access token with the relevant scopes, which the web app can use for a web API. To call a web API from the code, use an existing web API or create a new one. For more information, see [Enable authentication in your own web API by using Azure AD B2C](enable-authentication-web-api.md).

-|`ENDPOINT`| The URI of your web API (for example, `https://localhost:5000/getAToken`).|

-|`SCOPE`| The web API [scopes](#step-62-configure-scopes) that you created.|

-Your final configuration file should look like the following Python code:

-```python

-import os

-b2c_tenant = "contoso"

-signupsignin_user_flow = "B2C_1_signupsignin"

-editprofile_user_flow = "B2C_1_profileediting"

-resetpassword_user_flow = "B2C_1_passwordreset"

-authority_template = "https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{user_flow}"

-CLIENT_ID = "11111111-1111-1111-1111-111111111111" # Application (client) ID of app registration

-CLIENT_SECRET = "xxxxxxxxxxxxxxxxxxxxxxxx" # Placeholder - for use ONLY during testing.

-### More code here

-# This is the API resource endpoint

-ENDPOINT = 'https://localhost:5000'

-SCOPE = ["https://contoso.onmicrosoft.com/api/demo.read", "https://contoso.onmicrosoft.com/api/demo.write"]

-```

-1. Stop the app. and then rerun it.

-1. Select **Call Microsoft Graph API**.

- 

-* The reply URL must begin with the scheme `https`.

-* The reply URL is case-sensitive. Its case must match the case of the URL path of your running application.

-| | [Tutorial: Configure Workday for automatic user provisioning](../saas-apps/workday-inbound-tutorial.md#frequently-asked-questions-faq) |

-Tenant admins can run MS Graph queries to find all the users with a given certificateUserId value.

-GET all user objects that have the value 'bob@contoso.com' value in certificateUserIds:

-```http

-GET https://graph.microsoft.com/v1.0/users?$filter=certificateUserIds/any(x:x eq 'bob@contoso.com')

-```

-

-```http

-GET https://graph.microsoft.com/v1.0/users?$filter=startswith(certificateUserIds, 'bob@contoso.com')

-```http

-GET https://graph.microsoft.com/v1.0/users?$filter=certificateUserIds eq 'bob@contoso.com'

-```

-## Update certificate user IDs using Microsoft Graph queries

-PATCH the user object certificateUserIds value for a given userId

-PATCH https://graph.microsoft.us/v1.0/users/{id}

-{

- "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users(authorizationInfo,department)/$entity",

- "department": "Accounting",

-Through co-management, you can use Microsoft Endpoint Configuration Manager to manage certain aspects of your devices while policies are delivered through your MDM platform. Microsoft Intune enables co-management with Microsoft Endpoint Configuration Manager. For more information on co-management for Windows 10 or newer devices, see [What is co-management?](/configmgr/core/clients/manage/co-management-overview). If you use an MDM product other than Intune, check with your MDM provider on applicable co-management scenarios.

-Administrators can secure and further control Azure AD joined devices using Mobile Device Management (MDM) tools like Microsoft Intune or in co-management scenarios using Microsoft Endpoint Configuration Manager. These tools provide a means to enforce organization-required configurations like:

-You can deploy the package by using a software distribution system like [Microsoft Endpoint Configuration Manager](/configmgr/). The package supports the standard silent installation options with the `quiet` parameter. The current branch of Configuration Manager offers benefits over earlier versions, like the ability to track completed registrations.

-You can deploy the package by using a software distribution system likeΓÇ»[Microsoft Endpoint Configuration Manager](/configmgr/). The package supports the standard silent installation options with the quiet parameter. The current branch of Configuration Manager offers benefits over earlier versions, like the ability to track completed registrations.

-| [Co-management with Microsoft Intune and Microsoft Endpoint Configuration Manager](/mem/configmgr/comanage/overview) <br>(Windows 10 or newer) | |  |  |

-description: Guidance for increasing resiliency of authentication and authorization in client application using the Microsoft identity platform

-This section provides guidance on building resilience into client applications that use the Microsoft identity platform and Azure Active Directory to sign in users and perform actions on behalf of those users.

-The [Microsoft Authentication Library (MSAL)](../develop/msal-overview.md) is a key part of the [Microsoft identity platform](../develop/index.yml). It simplifies and manages acquiring, managing, caching, and refreshing tokens, and uses best practices for resilience. MSAL is designed to enable a secure solution without developers having to worry about the implementation details.

-MSAL caches tokens and uses a silent token acquisition pattern. It also automatically serializes the token cache on platforms that natively provide secure storage like Windows UWP, iOS and Android. Developers can customize the serialization behavior when using [Microsoft.Identity.Web](https://github.com/AzureAD/microsoft-identity-web/wiki/token-cache-serialization), [MSAL.NET](../develop/msal-net-token-cache-serialization.md), [MSAL for Java](../develop/msal-java-token-cache-serialization.md), and [MSAL for Python](../develop/msal-python-token-cache-serialization.md).

-

-When using MSAL, token caching, refreshing, and silent acquisition is supported automatically. You can use simple patterns to acquire the tokens necessary for modern authentication. We support many languages, and you can find a sample that matches your language and scenario on our [Samples](../develop/sample-v2-code.md) page.

-MSAL can in some cases proactively refresh tokens. When Microsoft Identity issues a long-lived token, it can send information to the client for the optimal time to refresh the token ("refresh\_in"). MSAL will proactively refresh the token based on this information. The app will continue to run while the old token is valid but will have a longer timeframe during which to make another successful token acquisition.

-### Stay up to date

-Developers should have a process for updating to the latest MSAL release. Authentication is part of your app security and your app needs to stay current with the security improvements contained in new MSAL releases. This is generally good practice for libraries under continuous development and doing so will ensure you have the most up to date code with respect to app resilience. As Microsoft Identity continues to innovate on ways for applications to be more resilient, apps that use the latest MSAL will be the most prepared to build on these innovations.

-[Check the latest MSAL.js version and release notes](https://github.com/AzureAD/microsoft-authentication-library-for-js/releases)

-[Check the latest MSAL .NET version and release notes](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/releases)

-[Check the latest MSAL Python version and release notes](https://github.com/AzureAD/microsoft-authentication-library-for-python/releases)

-[Check the latest MSAL Java version and release notes](https://github.com/AzureAD/microsoft-authentication-library-for-java/releases)

-[Check the latest MSAL iOS and macOS version and release notes](https://github.com/AzureAD/microsoft-authentication-library-for-objc/releases)

-[Check the latest MSAL Android version and release notes](https://github.com/AzureAD/microsoft-authentication-library-for-android/releases)

-[Check the latest MSAL Angular version and release notes](https://github.com/AzureAD/microsoft-authentication-library-for-js/releases)

-[Check the latest Microsoft.Identity.Web version and release notes](https://github.com/AzureAD/microsoft-identity-web/releases)

-## Use resilient patterns for token handling

-If you are not using MSAL, you can use these resilient patterns for token handling. These best practices are implemented automatically by the MSAL library.

-In general, an application that uses modern authentication will call an endpoint to retrieve tokens that authenticate the user or authorize the application to call protected APIs. MSAL is meant to handle the details of authentication and implements several patterns to improve resilience of this process. Use the guidance in this section to implement best practices if you choose to use a library other than MSAL. If you use MSAL, you get all of these best-practices for free, as MSAL implements them automatically.

-### Cache tokens

-Apps should properly cache tokens received from Microsoft Identity. When your app receives tokens, the HTTP response that contains the tokens also contains an "expires_in" property that tells the application how long to cache, and reuse, the token. It is important that applications use the "expires_in" property to determine the lifespan of the token. Application must never attempt to decode an API access token.

-

-Using the cached token prevents unnecessary traffic between your app and Microsoft Identity, and makes your app less susceptible to token acquisition failures by reducing the number of token acquisition calls. Cached tokens also improve your application's performance as the app needs to block on acquiring tokens less. Your user can stay signed-in to your application for the length of that token's lifetime.

-### Serialize and persist tokens

-Apps should securely serialize their token cache to persist the tokens between instances of the app. Tokens can be reused as long as they are within their valid lifetime. [Refresh tokens](../develop/v2-oauth2-auth-code-flow.md#refresh-the-access-token), and, increasingly, [access tokens](../develop/access-tokens.md), are issued for many hours. This valid time can span a user starting your application many times. When your app starts, it should check to see if there is a valid access or refresh token that can be used. This will increase the app's resilience and performance as it avoids any unnecessary calls to Microsoft Identity.

-

-The persistent token storage should be access controlled and encrypted to the owning user or process identity. On platforms like mobile, Windows and Mac, the developer should take advantage of built-in capabilities for storing credentials.

-### Acquire tokens silently

-The process of authenticating a user or retrieving authorization to call an API can require multiple steps in Microsoft Identity. For example, when the user signs in for the first time they may need to enter credentials and perform a multi-factor authentication via a text message. Each step adds a dependency on the resource that provides that service. The best experience for the user, and the one with the least dependencies, is to attempt to acquire a token silently to avoid these extra steps before requesting user interaction.

-

-Acquiring a token silently starts with using a valid token from the app's token cache. If there is no valid token available, the app should attempt to acquire a token using a refresh token, if available, and the token endpoint. If neither of these options is available, the app should acquire a token using the "prompt=none" parameter. This will use the authorization endpoint, but not show any UI to the user. If the Microsoft Identity can provide a token to the app without interacting with the user, it will. If none of these methods result in a token, then a user will need to re-authenticate interactively.

-> [!NOTE]

-> In general, apps should avoid using prompts like "login" and "consent" as they will force user interaction even when no interaction is required.

-## Handle service responses properly

-While applications should handle all error responses, there are some responses that can impact resilience. If your application receives an HTTP 429 response code, Too Many Requests, Microsoft Identity is throttling your requests. If your app continues to make too many requests, it will continue to be throttled preventing your app from receiving tokens. Your application should not attempt to acquire a token again until after the time, in seconds, in the Retry-After response field has passed. Receiving a 429 response is often an indication that the application is not caching and reusing tokens correctly. Developers should review how tokens are cached and reused in the application.

-When an application receives an HTTP 5xx response code the app must not enter a fast retry loop. When present, the application should honor the same Retry-After handling as it does for a 429 response. If no Retry-After header is provided by the response, we recommend implementing an exponential back-off retry with the first retry at least 5 seconds after the response.

-When a request times out applications should not retry immediately. Implement an exponential back-off retry with the first retry at least 5 seconds after the response.

-## Evaluate options for retrieving authorization related information

-Many applications and APIs need specific information about the user to make authorization decisions. There are a few ways for an application to get this information. Each method has its advantages and disadvantages. Developers should weigh these to determine which strategy is best for resilience in their app.

-Identity (ID) tokens and access tokens contain standard claims that provide information about the subject. These are documented in [Microsoft identity platform ID tokens](../develop/id-tokens.md) and [Microsoft identity platform access tokens](../develop/access-tokens.md). If the information your app needs is already in the token, then the most efficient technique for retrieving that data is to use token claims as that will save the overheard of an additional network call to retrieve information separately. Fewer network calls mean higher overall resilience for the application.

-> Some applications call the UserInfo endpoint to retrieve claims about the user that authenticated. The information available in the ID token that your app can receive is a superset of the information it can get from the UserInfo endpoint. Your app should use the ID token to get information about the user instead of calling the UserInfo endpoint.

-An app developer can augment standard token claims with [optional claims](../develop/active-directory-optional-claims.md). One common optional claim is [groups](../develop/active-directory-optional-claims.md#configuring-groups-optional-claims). There are several ways to add group claims. The "Application Group" option only includes groups assigned to the application. The "All" or "Security groups" options include groups from all apps in the same tenant, which can add many groups to the token. It is important to evaluate the effect in your case, as it can potentially negate the efficiency gained by requesting groups in the token by causing token bloat and even requiring additional calls to get the full list of groups.

-Instead of using groups in your token you can instead use and include app roles. Developers can define [app roles](../develop/howto-add-app-roles-in-azure-ad-apps.md) for their apps and APIs which the customer can manage from their directory using the portal or APIs. IT Pros can then assign roles to different users and groups to control who has access to what content and functionality. When a token is issued for the application or API, the roles assigned to the user will be available in the roles claim in the token. Getting this information directly in a token can save additional APIs calls.

-Finally, IT Admins can also add claims based on specific information in a tenant. For example, an enterprise can have an extension to have an enterprise specific User ID.

-In all cases, adding information from the directory directly to a token can be efficient and increase the apps resilience by reducing the number of dependencies the app has. On the other hand, it does not address any resilience issues from being unable to acquire a token. You should only add optional claims for the main scenarios of your application. If the app requires information only for the admin functionality, then it is best for the application to obtain that information only as needed.

-Microsoft Graph provides a unified API endpoint to access the Microsoft 365 data that describes the patterns of productivity, identity and security in an organization. Applications that use Microsoft Graph can potentially use any of the information across Microsoft 365 for authorization decisions.

-Apps require just a single token to access all of Microsoft 365. This is more resilient than using the older APIs that are specific to Microsoft 365 components like Microsoft Exchange or Microsoft SharePoint where multiple tokens are required.

-When using Microsoft Graph APIs, we suggest your use a [Microsoft Graph SDK](/graph/sdks/sdks-overview). The Microsoft Graph SDKs are designed to simplify building high-quality, efficient, and resilient applications that access Microsoft Graph.

-For authorization decisions, developers should consider when to use the claims available in a token as an alternative to some Microsoft Graph calls. As mentioned above, developers could request groups, app roles, and optional claims in their tokens. In terms of resilience, using Microsoft Graph for authorization requires additional network calls that rely on Microsoft Identity (to get the token to access Microsoft Graph) as well as Microsoft Graph itself. However, if your application already relies on Microsoft Graph as its data layer, then relying on the Graph for authorization is not an additional risk to take.

-On mobile devices, using an authentication broker like Microsoft Authenticator will improve resilience. The broker adds benefits above what is available with other options such as the system browser or an embedded WebView. The authentication broker can utilize a [primary refresh token](../devices/concept-primary-refresh-token.md) (PRT) that contains claims about the user and the device and can be used to get authentication tokens to access other applications from the device. When a PRT is used to request access to an application, its device and MFA claims are trusted by Azure AD. This increases resilience by avoiding additional steps to authenticate the device again. Users won't be challenged with multiple MFA prompts on the same device, therefore increasing resilience by reducing dependencies on external services and improving the user experience.

-

-Broker authentication is automatically supported by MSAL. You can find more information on using brokered authentication on the following pages:

-## Adopt Continuous Access Evaluation

-[Continuous Access Evaluation (CAE)](../conditional-access/concept-continuous-access-evaluation.md) is a recent development that can increase application security and resilience with long-lived tokens. CAE is an emerging industry standard being developed in the Shared Signals and Events Working Group of the OpenID Foundation. With CAE, an access token can be revoked based on [critical events](../conditional-access/concept-continuous-access-evaluation.md#critical-event-evaluation) and [policy evaluation](../conditional-access/concept-continuous-access-evaluation.md#conditional-access-policy-evaluation), rather than relying on a short token lifetime. For some resource APIs, because risk and policy are evaluated in real time, CAE can substantially increase token lifetime up to 28 hours. As resource APIs and applications adopt CAE, Microsoft Identity will be able to issue access tokens that are revocable and are valid for extended periods of time. These long-lived tokens will be proactively refreshed by MSAL.

-While CAE is in early phases, it is possible to [develop client applications today that will benefit from CAE](../develop/app-resilience-continuous-access-evaluation.md) when the resources (APIs) the application uses adopt CAE. As more resources adopt CAE, your application will be able to acquire CAE enabled tokens for those resources as well. The Microsoft Graph API, and [Microsoft Graph SDKs](/graph/sdks/sdks-overview), will preview CAE capability early 2021. If you would like to participate in the public preview of Microsoft Graph with CAE, you can let us know you are interested here: [https://aka.ms/GraphCAEPreview](https://aka.ms/GraphCAEPreview).

-If you develop resource APIs, we encourage you to participate in the [Shared Signals and Events WG](https://openid.net/wg/sse/). We are working with this group to enable the sharing of security events between Microsoft Identity and resource providers.

-description: Guidance for increasing resiliency of authentication and authorization in daemon application using the Microsoft identity platform

-This article provides guidance on how developers can use the Microsoft identity platform and Azure Active Directory to increase the resilience of daemon applications. This includes background processes, services, server to server apps, and applications without users.

-

-## Use Managed Identities for Azure Resources

-Developers building daemon apps on Microsoft Azure can use [Managed Identities for Azure Resources](../managed-identities-azure-resources/overview.md). Managed Identities eliminate the need for developers to manage secrets and credentials. The feature improves resilience by avoiding mistakes around certificate expiry, rotation errors, or trust. It also has several built-in features meant specifically to increase resilience.

-Managed Identities use long lived access tokens and information from Microsoft Identity to proactively acquire new tokens within a large window of time before the existing token expires. Your app can continue to run while attempting to acquire a new token.

-Managed Identities also use regional endpoints to improve performance and resilience against out-of-region failures. Using a regional endpoint helps to keep all traffic inside a geographical area. For example, if your Azure Resource is in WestUS2, all the traffic, including Microsoft Identity generated traffic, should stay in WestUS2. This eliminates possible points of failure by consolidating the dependencies of your service.

-## Use the Microsoft Authentication Library

-Developers of daemon apps who do not use Managed Identities can use the [Microsoft Authentication Library (MSAL)](../develop/msal-overview.md), which makes implementing authentication and authorization simple, and automatically uses best practices for resilience. MSAL will make the process of providing the required Client Credentials easier. For example, your application does not need to implement creating and signing JSON Web Token assertions when using certificate-based credentials.

-### Use Microsoft.Identity.Web for .NET Developers

-Developers building daemon apps on ASP.NET Core can use the [Microsoft.Identity.Web](../develop/microsoft-identity-web.md) library. This library is built on top of MSAL to make implementing authorization even easier for ASP.NET Core apps. It includes several [distributed token cache](https://github.com/AzureAD/microsoft-identity-web/wiki/token-cache-serialization#distributed-token-cache) strategies for distributed apps that can run in multiple regions.

-If you are not using MSAL to implement authentication and authorization, you can implement some best practices for caching and storing tokens. MSAL implements and follows these best practices automatically.

-An application acquires tokens from an Identity provider to authorize the application to call protected APIs. When your app receives tokens, the response that contains the tokens also contains an "expires\_in" property that tells the application how long to cache, and reuse, the token. It is important that applications use the "expires\_in" property to determine the lifespan of the token. Application must never attempt to decode an API access token. Using the cached token prevents unnecessary traffic between your app and Microsoft Identity. Your user can stay signed-in to your application for the length of that token's lifetime.

-## Properly handle service responses

-Finally, while applications should handle all error responses, there are some responses that can impact resilience. If your application receives an HTTP 429 response code, Too Many Requests, Microsoft Identity is throttling your requests. If your app continues to make too many requests, it will continue to be throttled preventing your app from receiving tokens. Your application should not attempt to acquire a token again until after the time, in seconds, in the "Retry-After" response field has passed. Receiving a 429 response is often an indication that the application is not caching and reusing tokens correctly. Developers should review how tokens are cached and reused in the application.

-When an application receives an HTTP 5xx response code the app must not enter a fast retry loop. When present, the application should honor the same "Retry-After" handling as it does for a 429 response. If no "Retry-After" header is provided by the response, we recommend implementing an exponential back-off retry with the first retry at least 5 seconds after the response.

-When a request times out applications should not retry immediately. Implement an exponential back-off retry with the first retry at least 5 seconds after the response.

-Client workstations are traditionally joined to Active Directory and managed via Group Policy objects (GPOs) or device management solutions such as Microsoft Endpoint Configuration Manager. Your teams will establish a new policy and process to prevent newly deployed workstations from being domain joined. Key points include:

-Traditionally, application servers are often joined to an on-premises Active Directory domain so that they can use Windows Integrated Authentication (Kerberos or NTLM), directory queries through LDAP, and server management through GPO or Microsoft Endpoint Configuration Manager.

-In terms of infrastructure management, on-premises environments often use a combination of Group Policy objects (GPOs) and Microsoft Endpoint Configuration Manager features to segment management duties. For example, duties can be segmented into security policy management, update management, configuration management, and monitoring.

-| Security policy management| GPO, Microsoft Endpoint Configuration Manager| [Microsoft 365 Defender for Cloud](https://azure.microsoft.com/services/security-center/) |

-| Update management| Microsoft Endpoint Configuration Manager, Windows Server Update Services| [Azure Automation Update Management](../../automation/update-management/overview.md) |

-| Configuration management| GPO, Microsoft Endpoint Configuration Manager| [Azure Automation State Configuration](../../automation/automation-dsc-overview.md) |

-If you require management of application servers with Microsoft Endpoint Configuration Manager, you can't achieve this by using Azure AD DS. Microsoft Endpoint Configuration Manager isn't supported to run in an Azure AD DS environment. Instead, you'll need to extend your on-premises Active Directory instance to a domain controller running on an Azure VM. Or, you'll need to deploy a new Active Directory instance to an Azure IaaS virtual network.

-Active Directory, Azure Active Directory (Azure AD), and other Microsoft tools are at the core of identity and access management (IAM). For example, Active Directory Domain Services (AD DS) and Microsoft Endpoint Configuration Manager provide device management in Active Directory. In Azure AD, Intune provides the same capability.

-* [Microsoft Endpoint Configuration Manager blog](https://techcommunity.microsoft.com/t5/Configuration-Manager-Blog/bg-p/ConfigurationManagerBlog)

-If you want to assign Azure AD role to a group, it has to be role-assignable. Even if you do not intend to assign Azure AD role to the group but the group provides access to sensitive resources, it is still recommended to consider creating the group as role-assignable. This is because of extra protections role-assignable groups have ΓÇô see ΓÇ£What are Azure AD role-assignable groups?ΓÇ¥ in the section above.

-User<br/>(no admin role, but member or owner of a role-assignable group) | &nbsp; | &nbsp; | &nbsp; | &nbsp; | :heavy_check_mark: | :heavy_check_mark:

-User<br/>(no admin role, but member or owner of a role-assignable group) | &nbsp; | &nbsp; | :heavy_check_mark: | :heavy_check_mark:

-* Selecting the the right matching identifier, attribute mapping, transformation and scoping filters

-* Set a session inactivity time out of 15 minutes: Lock the device at the OS level by using Microsoft Endpoint Configuration Manager, Group Policy Object (GPO), or Intune. For the subscriber to unlock it, require local authentication.

-> Azure CNI Overlay is currently **_unavailable_** in the following regions:

-> - South Central US

-> - West US

-| OS platforms supported | Linux and Windows Server 2022 | Linux only |

-Azure Kubernetes Service (AKS) uses the [CoreDNS][coredns] project for cluster DNS management and resolution with all *1.12.x* and higher clusters. Previously, the kube-dns project was used. This kube-dns project is now deprecated. For more information about CoreDNS customization and Kubernetes, see the [official upstream documentation][corednsk8s].

-As AKS is a managed service, you cannot modify the main configuration for CoreDNS (a *CoreFile*). Instead, you use a Kubernetes *ConfigMap* to override the default settings. To see the default AKS CoreDNS ConfigMaps, use the `kubectl get configmaps --namespace=kube-system coredns -o yaml` command.

-This article shows you how to use ConfigMaps for basic customization options of CoreDNS in AKS. This approach differs from configuring CoreDNS in other contexts such as using the CoreFile. Verify the version of CoreDNS you are running as the configuration values may change between versions.

-> `kube-dns` offered different [customization options][kubednsblog] via a Kubernetes config map. CoreDNS is **not** backwards compatible with kube-dns. Any customizations you previously used must be updated for use with CoreDNS.

-This article assumes that you have an existing AKS cluster. If you need an AKS cluster, see the AKS quickstart [using the Azure CLI][aks-quickstart-cli], [using Azure PowerShell][aks-quickstart-powershell], or [using the Azure portal][aks-quickstart-portal].

-When creating a configuration like the examples below, your names in the *data* section must end in either *.server* or *.override*. This naming convention is defined in the default AKS CoreDNS Configmap which you can view using the `kubectl get configmaps --namespace=kube-system coredns -o yaml` command.

-## What is supported/unsupported

-One scenario you have is to perform on-the-fly DNS name rewrites. In the following example, replace `<domain to be written>` with your own fully qualified domain name. Create a file named `corednsms.yaml` and paste the following example configuration:

-```yaml

-apiVersion: v1

-kind: ConfigMap

-metadata:

- name: coredns-custom

- namespace: kube-system

-data:

- test.server: | # you may select any name here, but it must end with the .server file extension

- <domain to be rewritten>.com:53 {

- log

- errors

- rewrite stop {

- name regex (.*)\.<domain to be rewritten>.com {1}.default.svc.cluster.local

- answer name (.*)\.default\.svc\.cluster\.local {1}.<domain to be rewritten>.com

- }

- forward . /etc/resolv.conf # you can redirect this to a specific DNS server such as 10.0.0.10, but that server must be able to resolve the rewritten domain name

- }

-```

-> [!IMPORTANT]

-> If you redirect to a DNS server, such as the CoreDNS service IP, that DNS server must be able to resolve the rewritten domain name.

-Create the ConfigMap using the [kubectl apply configmap][kubectl-apply] command and specify the name of your YAML manifest:

-```console

-kubectl apply -f corednsms.yaml

-```

-To verify the customizations have been applied, use the [kubectl get configmaps][kubectl-get] and specify your *coredns-custom* ConfigMap:

-```

-kubectl get configmaps --namespace=kube-system coredns-custom -o yaml

-```

-Now force CoreDNS to reload the ConfigMap. The [kubectl delete pod][kubectl delete] command isn't destructive and doesn't cause down time. The `kube-dns` pods are deleted, and the Kubernetes Scheduler then recreates them. These new pods contain the change in TTL value.

-```console

-kubectl delete pod --namespace kube-system -l k8s-app=kube-dns

-```

-> [!Note]

-> The command above is correct. While we're changing `coredns`, the deployment is under the **kube-dns** label.

-If you need to specify a forward server for your network traffic, you can create a ConfigMap to customize DNS. In the following example, update the `forward` name and address with the values for your own environment. Create a file named `corednsms.yaml` and paste the following example configuration:

-```yaml

-apiVersion: v1

-kind: ConfigMap

-metadata:

- name: coredns-custom

- namespace: kube-system

-data:

- test.server: | # you may select any name here, but it must end with the .server file extension

- <domain to be rewritten>.com:53 {

- forward foo.com 1.1.1.1

- }

-```

-As in the previous examples, create the ConfigMap using the [kubectl apply configmap][kubectl-apply] command and specify the name of your YAML manifest. Then, force CoreDNS to reload the ConfigMap using the [kubectl delete pod][kubectl delete] for the Kubernetes Scheduler to recreate them:

-```console

-kubectl apply -f corednsms.yaml

-kubectl delete pod --namespace kube-system --selector k8s-app=kube-dns

-```

-In the following example, update the custom domain and IP address to direct traffic to with the values for your own environment. Create a file named `corednsms.yaml` and paste the following example configuration:

-```yaml

-apiVersion: v1

-kind: ConfigMap

-metadata:

- name: coredns-custom

- namespace: kube-system

-data:

- puglife.server: | # you may select any name here, but it must end with the .server file extension

- puglife.local:53 {

- errors

- cache 30

- forward . 192.11.0.1 # this is my test/dev DNS server

- }

-```

-As in the previous examples, create the ConfigMap using the [kubectl apply configmap][kubectl-apply] command and specify the name of your YAML manifest. Then, force CoreDNS to reload the ConfigMap using the [kubectl delete pod][kubectl delete] for the Kubernetes Scheduler to recreate them:

-```console

-kubectl apply -f corednsms.yaml

-kubectl delete pod --namespace kube-system --selector k8s-app=kube-dns

-```

-CoreDNS can also be used to configure stub domains. In the following example, update the custom domains and IP addresses with the values for your own environment. Create a file named `corednsms.yaml` and paste the following example configuration:

-```yaml

-apiVersion: v1

-kind: ConfigMap

-metadata:

- name: coredns-custom

- namespace: kube-system

-data:

- test.server: | # you may select any name here, but it must end with the .server file extension

- abc.com:53 {

- errors

- cache 30

- forward . 1.2.3.4

- }

- my.cluster.local:53 {

- errors

- cache 30

- forward . 2.3.4.5

- }

-```

-As in the previous examples, create the ConfigMap using the [kubectl apply configmap][kubectl-apply] command and specify the name of your YAML manifest. Then, force CoreDNS to reload the ConfigMap using the [kubectl delete pod][kubectl delete] for the Kubernetes Scheduler to recreate them:

-```console

-kubectl apply -f corednsms.yaml

-kubectl delete pod --namespace kube-system --selector k8s-app=kube-dns

-```

-As all built-in plugins are supported this means that the CoreDNS [Hosts][coredns hosts] plugin is available to customize as well:

-For general CoreDNS troubleshooting steps, such as checking the endpoints or resolution, see [Debugging DNS Resolution][coredns-troubleshooting].

-To enable DNS query logging, apply the following configuration in your coredns-custom ConfigMap:

-```yaml

-apiVersion: v1

-kind: ConfigMap

-metadata:

- name: coredns-custom

- namespace: kube-system

-data:

- log.override: | # you may select any name here, but it must end with the .override file extension

- log

-```

-After you apply the configuration changes, use the `kubectl logs` command to view the CoreDNS debug logging. For example:

-```console

-kubectl logs --namespace kube-system --selector k8s-app=kube-dns

-```

-[dnscache]: https://coredns.io/plugins/cache/

-## Connect Azure Private Link service to internal load balancer (Preview)

-* Azure CLI version 2.0.59 or later.

-In this quickstart, you'll use Helm to package and run an application on AKS. For more details on installing an existing application using Helm, see the [Install existing applications with Helm in AKS][helm-existing] how-to guide.

-You'll need to store your container images in an Azure Container Registry (ACR) to run your application in your AKS cluster using Helm. Provide your own registry name unique within Azure and containing 5-50 alphanumeric characters. The *Basic* SKU is a cost-optimized entry point for development purposes that provides a balance of storage and throughput.

-The below example uses [az acr create][az-acr-create] to create an ACR named *MyHelmACR* in *MyResourceGroup* with the *Basic* SKU.

-az group create --name MyResourceGroup --location eastus

-az acr create --resource-group MyResourceGroup --name MyHelmACR --sku Basic

-Output will be similar to the following example. Take note of your *loginServer* value for your ACR since you'll use it in a later step. In the below example, *myhelmacr.azurecr.io* is the *loginServer* for *MyHelmACR*.

-The below example uses the [New-AzContainerRegistry][new-azcontainerregistry] cmdlet to create an ACR named *MyHelmACR* in *MyResourceGroup* with the *Basic* SKU.

-New-AzResourceGroup -Name MyResourceGroup -Location eastus

-New-AzContainerRegistry -ResourceGroupName MyResourceGroup -Name MyHelmACR -Sku Basic

-Output will be similar to the following example. Take note of your *LoginServer* value for your ACR since you'll use it in a later step. In the below example, *myhelmacr.azurecr.io* is the *LoginServer* for *MyHelmACR*.

-MyHelmACR Basic myhelmacr.azurecr.io 5/30/2022 9:16:14 PM Succeeded False

-Your new AKS cluster needs access to your ACR to pull the container images and run them. Use the following command to:

-* Create an AKS cluster called *MyAKS* and attach *MyHelmACR*.

-* Grant the *MyAKS* cluster access to your *MyHelmACR* ACR.

-az aks create --resource-group MyResourceGroup --name MyAKS --location eastus --attach-acr MyHelmACR --generate-ssh-keys

-New-AzAksCluster -ResourceGroupName MyResourceGroup -Name MyAKS -Location eastus -AcrNameToAttach MyHelmACR -GenerateSshKey

-To connect a Kubernetes cluster locally, use the Kubernetes command-line client, [kubectl][kubectl]. `kubectl` is already installed if you use Azure Cloud Shell.

-1. Install `kubectl` locally using the [az aks install-cli][az-aks-install-cli] command:

-2. Configure `kubectl` to connect to your Kubernetes cluster using the [az aks get-credentials][az-aks-get-credentials] command. The following command example gets credentials for the AKS cluster named *MyAKS* in the *MyResourceGroup*:

- az aks get-credentials --resource-group MyResourceGroup --name MyAKS

-1. Install `kubectl` locally using the [Install-AzAksKubectl][install-azakskubectl] cmdlet:

-2. Configure `kubectl` to connect to your Kubernetes cluster using the [Import-AzAksCredential][import-azakscredential] cmdlet. The following command example gets credentials for the AKS cluster named *MyAKS* in the *MyResourceGroup*:

- Import-AzAksCredential -ResourceGroupName MyResourceGroup -Name MyAKS

-This quickstart uses the [Azure Vote application][azure-vote-app]. Clone the application from GitHub and navigate to the `azure-vote` directory.

-Using the preceding Dockerfile, run the [az acr build][az-acr-build] command to build and push an image to the registry. The `.` at the end of the command provides the location of the source code directory path (in this case, the current directory). The `--file` parameter takes in the path of the Dockerfile relative to this source code directory path.

-az acr build --image azure-vote-front:v1 --registry MyHelmACR --file Dockerfile .

-Generate your Helm chart using the `helm create` command.

-```console

-helm create azure-vote-front

-```

-Update *azure-vote-front/Chart.yaml* to add a dependency for the *redis* chart from the `https://charts.bitnami.com/bitnami` chart repository and update `appVersion` to `v1`. For example:

-> [!NOTE]

-> The container image versions shown in this guide have been tested to work with this example but may not be the latest version available.

-```yml

-apiVersion: v2

-name: azure-vote-front

-description: A Helm chart for Kubernetes

-dependencies:

- - name: redis

- version: 17.3.17

- repository: https://charts.bitnami.com/bitnami

-...

-# This is the version number of the application being deployed. This version number should be

-# incremented each time you make changes to the application.

-appVersion: v1

-```

-Update your helm chart dependencies using `helm dependency update`:

-```console

-helm dependency update azure-vote-front

-```

-Update *azure-vote-front/values.yaml*:

-* Add a *redis* section to set the image details, container port, and deployment name.

-* Add a *backendName* for connecting the frontend portion to the *redis* deployment.

-* Change *image.repository* to `<loginServer>/azure-vote-front`.

-* Change *image.tag* to `v1`.

-* Change *service.type* to *LoadBalancer*.

-For example:

-```yml

-# Default values for azure-vote-front.

-# This is a YAML-formatted file.

-# Declare variables to be passed into your templates.

-replicaCount: 1

-backendName: azure-vote-backend-master

-redis:

- image:

- registry: mcr.microsoft.com

- repository: oss/bitnami/redis

- tag: 6.0.8

- fullnameOverride: azure-vote-backend

- auth:

- enabled: false

-image:

- repository: myhelmacr.azurecr.io/azure-vote-front

- pullPolicy: IfNotPresent

- tag: "v1"

-...

-service:

- type: LoadBalancer

- port: 80

-...

-```

-Add an `env` section to *azure-vote-front/templates/deployment.yaml* for passing the name of the *redis* deployment.

-```yml

-...

- containers:

- - name: {{ .Chart.Name }}

- securityContext:

- {{- toYaml .Values.securityContext | nindent 12 }}

- image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"

- imagePullPolicy: {{ .Values.image.pullPolicy }}

- env:

- - name: REDIS

- value: {{ .Values.backendName }}

-...

-```

-Install your application using your Helm chart using the `helm install` command.

-```console

-helm install azure-vote-front azure-vote-front/

-```

-It takes a few minutes for the service to return a public IP address. Monitor progress using the `kubectl get service` command with the `--watch` argument.

-```console

-$ kubectl get service azure-vote-front --watch

-NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE

-azure-vote-front LoadBalancer 10.0.18.228 <pending> 80:32021/TCP 6s

-...

-azure-vote-front LoadBalancer 10.0.18.228 52.188.140.81 80:32021/TCP 2m6s

-```

-Navigate to your application's load balancer in a browser using the `<EXTERNAL-IP>` to see the sample application.

-Use the [az group delete][az-group-delete] command to remove the resource group, the AKS cluster, the container registry, the container images stored in the ACR, and all related resources.

-az group delete --name MyResourceGroup --yes --no-wait

-Use the [Remove-AzResourceGroup][remove-azresourcegroup] cmdlet to remove the resource group, the AKS cluster, the container registry, the container images stored in the ACR, and all related resources.

-Remove-AzResourceGroup -Name MyResourceGroup

-> If the AKS cluster was created with system-assigned managed identity (default identity option used in this quickstart), the identity is managed by the platform and does not require removal.

->

-> If the AKS cluster was created with service principal as the identity option instead, then when you delete the cluster, the service principal used by the AKS cluster is not removed. For steps on how to remove the service principal, see [AKS service principal considerations and deletion][sp-delete].

-For more information about using Helm, see the Helm documentation.

-> [!div class="nextstepaction"]

-> [Helm documentation][helm-documentation]

-* **Azure CLI** - Run `az version -help` to check your version. If you're running version 2.38.0 or later, no action is required. Use the `az upgrade` command to upgrade the Azure CLI if necessary. For more information, see [How to update the Azure CLI](/cli/azure/update-azure-cli).

-See all [upcoming breaking changes and feature retirements](overview.md).

-> [Learn how to migrate .NET apps to App Service using the .NET migration tutorial.](../migrate/tutorial-migrate-webapps.md)

-There are existing tools which enable migration of a standalone ASP.Net web app or multiple ASP.NET web apps hosted on a single IIS server as explained in [Migrate .NET apps to Azure App Service](../migrate/tutorial-migrate-webapps.md). With introduction of At-Scale or bulk migration feature integrated with Azure Migrate we are now opening up the possibilities to migrate multiple ASP.NET application hosted on multiple on-premises IIS servers.

-| [Migrate .NET apps to App Service](../migrate/tutorial-migrate-webapps.md) |

->By default, the Azure contexts are saved for use between PowerShell sessions. It is possible that when a previous runbook on the Hybrid Runbook Worker has been authenticated with Azure, that context persists to the disk in the System PowerShell profile, as per [Azure contexts and sign-in credentials | Microsoft Docs](/powershell/azure/context-persistence?view=azps-7.3.2&preserve-view=true).

-For instance, a runbook with `Get-AzVM` can return all the VMs in the subscription with no call to `Connect-AzAccount`, and the user would be able to access Azure resources without having to authenticate within that runbook. You can disable context autosave in Azure PowerShell, as detailed [here](/powershell/azure/context-persistence?view=azps-7.3.2&preserve-view=true#save-azure-contexts-across-powershell-sessions).

-|[`Get-AzAutomationHybridRunbookWorkerGroup`](/powershell/module/az.automation/get-azautomationhybridrunbookworkergroup?view=azps-9.1.0) | Gets Hybrid Runbook Worker group|

-|[`Remove-AzAutomationHybridRunbookWorkerGroup`](/powershell/module/az.automation/remove-azautomationhybridrunbookworkergroup?view=azps-9.1.0) | Removes Hybrid Runbook Worker group|

-|[`Set-AzAutomationHybridRunbookWorkerGroup`](/powershell/module/az.automation/set-azautomationhybridrunbookworkergroup?view=azps-9.1.0) | Updates Hybrid Worker group with Hybrid Worker credentials|

-|[`New-AzAutomationHybridRunbookWorkerGroup`](/powershell/module/az.automation/new-azautomationhybridrunbookworkergroup?view=azps-9.1.0) | Creates new Hybrid Runbook Worker group|

-|[`Get-AzAutomationHybridRunbookWorker`](/powershell/module/az.automation/get-azautomationhybridrunbookworker?view=azps-9.1.0) | Gets Hybrid Runbook Worker|

-|[`Move-AzAutomationHybridRunbookWorker`](/powershell/module/az.automation/move-azautomationhybridrunbookworker?view=azps-9.1.0) | Moves Hybrid Worker from one group to other|

-|[`New-AzAutomationHybridRunbookWorker`](/powershell/module/az.automation/new-azautomationhybridrunbookworker?view=azps-9.1.0) | Creates new Hybrid Runbook Worker|

-|[`Remove-AzAutomationHybridRunbookWorker`](/powershell/module/az.automation/remove-azautomationhybridrunbookworker?view=azps-9.1.0)| Removes Hybrid Runbook Worker|

-1. Add identity support for use in the runbook by using the `Connect-AzAccount` activity from the `Az.Accounts` cmdlet that uses the PowerShell code to connect to the managed identity.

-This often happens if machines are configured to get updates from WSUS or Microsoft Endpoint Configuration Manager but WSUS and Configuration Manager haven't approved the updates.

-description: This article tells how to configure Microsoft Endpoint Configuration Manager with Update Management to deploy software updates to manager clients.

-# Integrate Update Management with Microsoft Endpoint Configuration Manager

-Customers who have invested in Microsoft Endpoint Configuration Manager to manage PCs, servers, and mobile devices also rely on its strength and maturity in managing software updates as part of their software update management (SUM) cycle.

-You can report and update managed Windows servers by creating and pre-staging software update deployments in Microsoft Endpoint Configuration Manager, and get detailed status of completed update deployments using [Update Management](overview.md). If you use Microsoft Endpoint Configuration Manager for update compliance reporting, but not for managing update deployments with your Windows servers, you can continue reporting to Microsoft Endpoint Configuration Manager while security updates are managed with Azure Automation Update Management.

->While Update Management supports update assessment and patching of Windows Server 2008 R2, it does not support clients managed by Microsoft Endpoint Configuration Manager running this operating system.

-* Windows servers currently managed by your Microsoft Endpoint Configuration Manager environment also need to report to the Log Analytics workspace that also has Update Management enabled.

-* This feature is enabled in Microsoft Endpoint Configuration Manager current branch version 1606 and higher. To integrate your Microsoft Endpoint Configuration Manager central administration site or a standalone primary site with Azure Monitor logs and import collections, review [Connect Configuration Manager to Azure Monitor logs](../../azure-monitor/logs/collect-sccm.md).

-* Windows agents must either be configured to communicate with a Windows Server Update Services (WSUS) server or have access to Microsoft Update if they don't receive security updates from Microsoft Endpoint Configuration Manager.

-How you manage clients hosted in Azure IaaS with your existing Microsoft Endpoint Configuration Manager environment primarily depends on the connection you have between Azure datacenters and your infrastructure. This connection affects any design changes you may need to make to your Microsoft Endpoint Configuration Manager infrastructure and related cost to support those necessary changes. To understand what planning considerations you need to evaluate before proceeding, review [Configuration Manager on Azure - Frequently Asked Questions](/configmgr/core/understand/configuration-manager-on-azure#networking).

-## Manage software updates from Microsoft Endpoint Configuration Manager

-Perform the following steps if you are going to continue managing update deployments from Microsoft Endpoint Configuration Manager. Azure Automation connects to Microsoft Endpoint Configuration Manager to apply updates to the client computers connected to your Log Analytics workspace. Update content is available from the client computer cache as if the deployment were managed by Microsoft Endpoint Configuration Manager.

-1. Create a software update deployment from the top-level site in your Microsoft Endpoint Configuration Manager hierarchy using the process described in [Deploy software updates](/configmgr/sum/deploy-use/deploy-software-updates). The only setting that must be configured differently from a standard deployment is the **Installation deadline** option in Endpoint Configuration Manager. It needs to be set to a future date to ensure only Automation Update Management initiates the update deployment. This setting is described under [Step 4, Deploy the software update group](/configmgr/sum/deploy-use/manually-deploy-software-updates#BKMK_4DeployUpdateGroup).

-2. In Endpoint Configuration Manager, configure the **User notifications** option to prevent displaying notifications on the target machines. We recommend setting the **Hide in Software Center and all notifications** option to avoid a logged on user from being notified of a scheduled update deployment and manually deploying those updates. This setting is described under [Step 4, Deploy the software update group](/configmgr/sum/deploy-use/manually-deploy-software-updates#BKMK_4DeployUpdateGroup).

-3. In Azure Automation, select **Update Management**. Create a new deployment following the steps described in [Creating an Update Deployment](deploy-updates.md#schedule-an-update-deployment) and select **Imported groups** on the **Type** dropdown to select the appropriate Microsoft Endpoint Configuration Manager collection. Keep in mind the following important points:

- a. If a maintenance window is defined on the selected Microsoft Endpoint Configuration Manager device collection, members of the collection honor it instead of the **Duration** setting defined in the scheduled deployment.

-To manage updates for Windows Server VMs that are Microsoft Endpoint Configuration Manager clients, you need to configure client policy to disable the Software Update Management feature for all clients managed by Update Management. By default, client settings target all devices in the hierarchy. For more information about this policy setting and how to configure it, review [How to configure client settings in Configuration Manager](/configmgr/core/clients/deploy/configure-client-settings).

-After performing this configuration change, you create a new deployment following the steps described in [Creating an Update Deployment](deploy-updates.md#schedule-an-update-deployment) and select **Imported groups** on the **Type** drop-down to select the appropriate Microsoft Endpoint Configuration Manager collection.

-|Windows client | Client operating systems (such as Windows 7 and Windows 10) aren't supported.<br>For Azure Virtual Desktop, the recommended method to manage updates is [Microsoft Endpoint Configuration Manager](../../virtual-desktop/configure-automatic-updates.md) for Windows 10 client machine patch management. |

-You can use Update Management with Microsoft Endpoint Configuration Manager. To learn more about integration scenarios, see [Integrate Update Management with Windows Endpoint Configuration Manager](mecmintegration.md). The [Log Analytics agent for Windows](../../azure-monitor/agents/agent-windows.md) is required for Windows servers managed by sites in your Configuration Manager environment.

-The machines assigned to Update Management report how up to date they are based on what source they are configured to synchronize with. Windows machines need to be configured to report to either [Windows Server Update Services](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or [Microsoft Update](https://www.update.microsoft.com), and Linux machines need to be configured to report to a local or public repository. You can also use Update Management with Microsoft Endpoint Configuration Manager, and to learn more see [Integrate Update Management with Windows Endpoint Configuration Manager](mecmintegration.md).

-Customers who have invested in Microsoft Endpoint Configuration Manager for managing PCs, servers, and mobile devices also rely on the strength and maturity of Configuration Manager to help manage software updates. To learn how to integrate Update Management with Configuration Manager, see [Integrate Update Management with Windows Endpoint Configuration Manager](mecmintegration.md).

-6. a. For Direct Mode - Onboard the Cluster to Azure Arc, then deploys the Controller via the [unified experience](create-data-controller-direct-cli.md?tabs=linux#deployunified-experience)

-[Create an Azure Arc-enabled SQL managed instance](create-sql-managed-instance.md)

-You can create them individually or in a unified experience.

-## Deploy - unified experience

-In the unified experience, you can create the Arc data controller extension, custom location, and Arc data controller all in one command as follows:

-## Deploy - individual experience

-

-### Step 1: Create an Azure Arc-enabled data services extension

-Use the k8s-extension CLI to create a data services extension.

-#### Set environment variables

-Set the following environment variables, which will be then used in later steps.

-Following are two sets of environment variables. The first set of variables identifies your Azure subscription, resource group, cluster name, location, extension, and namespace. The second defines credentials to access the metrics and logs dashboards.

-The environment variables include passwords for log and metric services. The passwords must be at least eight characters long and contain characters from three of the following four categories: Latin uppercase letters, Latin lowercase letters, numbers, and non-alphanumeric characters.

-##### [Linux](#tab/linux)

-```console

-## variables for Azure subscription, resource group, cluster name, location, extension, and namespace.

-export subscription=<Your subscription ID>

-export resourceGroup=<Your resource group>

-export clusterName=<name of your connected Kubernetes cluster>

-export location=<Azure location>

-export adsExtensionName="<extension name>"

-export namespace="<namespace>"

-## variables for logs and metrics dashboard credentials

-export AZDATA_LOGSUI_USERNAME=<username for Kibana dashboard>

-export AZDATA_LOGSUI_PASSWORD=<password for Kibana dashboard>

-export AZDATA_METRICSUI_USERNAME=<username for Grafana dashboard>

-export AZDATA_METRICSUI_PASSWORD=<password for Grafana dashboard>

-```

-##### [Windows (PowerShell)](#tab/windows)

-``` PowerShell

-## variables for Azure location, extension and namespace

-$ENV:subscription="<Your subscription ID>"

-$ENV:resourceGroup="<Your resource group>"

-$ENV:clusterName="<name of your connected Kubernetes cluster>"

-$ENV:location="<Azure location>"

-$ENV:adsExtensionName="<name of Data controller extension"

-$ENV:namespace="<namespace where you will deploy the extension and data controller>"

-## variables for Metrics and Monitoring dashboard credentials

-$ENV:AZDATA_LOGSUI_USERNAME="<username for Kibana dashboard>"

-$ENV:AZDATA_LOGSUI_PASSWORD="<password for Kibana dashboard>"

-$ENV:AZDATA_METRICSUI_USERNAME="<username for Grafana dashboard>"

-$ENV:AZDATA_METRICSUI_PASSWORD="<password for Grafana dashboard>"

-```

-

-#### Create the Arc data services extension

-The following command creates the Arc data services extension.

-##### [Linux](#tab/linux)

-```azurecli

-az k8s-extension create --cluster-name ${clusterName} --resource-group ${resourceGroup} --name ${adsExtensionName} --cluster-type connectedClusters --extension-type microsoft.arcdataservices --auto-upgrade false --auto-upgrade-minor-version false --scope cluster --release-namespace ${namespace} --config Microsoft.CustomLocation.ServiceAccount=sa-arc-bootstrapper

-az k8s-extension show --resource-group ${resourceGroup} --cluster-name ${resourceName} --name ${adsExtensionName} --cluster-type connectedclusters

-```

-##### [Windows (PowerShell)](#tab/windows)

-```azurecli

-az k8s-extension create --cluster-name $ENV:clusterName --resource-group $ENV:resourceGroup --name $ENV:adsExtensionName --cluster-type connectedClusters --extension-type microsoft.arcdataservices --auto-upgrade false --auto-upgrade-minor-version false --scope cluster --release-namespace $ENV:namespace --config Microsoft.CustomLocation.ServiceAccount=sa-arc-bootstrapper

-az k8s-extension show --resource-group $ENV:resourceGroup --cluster-name $ENV:clusterName --name $ENV:adsExtensionName --cluster-type connectedclusters

-```

-##### Deploy Azure Arc data services extension using private container registry and credentials

-Use the below command if you are deploying from your private repository:

-```azurecli

-az k8s-extension create --cluster-name "<connected cluster name>" --resource-group "<resource group>" --name "<extension name>" --cluster-type connectedClusters -auto-upgrade false --auto-upgrade-minor-version false --extension-type microsoft.arcdataservices --scope cluster --release-namespace "<namespace>" --config Microsoft.CustomLocation.ServiceAccount=sa-arc-bootstrapper --config imageCredentials.registry=<registry info> --config imageCredentials.username=<username> --config systemDefaultValues.image=<registry/repo/arc-bootstrapper:<imagetag>> --config-protected imageCredentials.password=$ENV:DOCKER_PASSWORD --debug

-```

-For example:

-```azurecli

-az k8s-extension create --cluster-name "my-connected-cluster" --resource-group "my-resource-group" --name "arc-data-services" --cluster-type connectedClusters -auto-upgrade false --auto-upgrade-minor-version false --extension-type microsoft.arcdataservices --scope cluster --release-namespace "arc" --config Microsoft.CustomLocation.ServiceAccount=sa-bootstrapper --config imageCredentials.registry=mcr.microsoft.com --config imageCredentials.username=arcuser --config systemDefaultValues.image=mcr.microsoft.com/arcdata/arc-bootstrapper:latest --config-protected imageCredentials.password=$ENV:DOCKER_PASSWORD --debug

-```

-> [!NOTE]

-> The Arc data services extension install can take a few minutes to complete.

-#### Verify the Arc data services extension is created

-You can verify the status of the deployment of Azure Arc-enabled data services extension. Use the Azure portal or Cube

-##### Check status from Azure portal

-1. Log in to the Azure portal and browse to the resource group where the Kubernetes connected cluster resource is located.

-1. Select the Azure Arc-enabled Kubernetes cluster (Type = "Kubernetes - Azure Arc") where the extension was deployed.

-1. In the navigation on the left side, under **Settings**, select **Extensions**.

-1. The portal shows the extension that was created earlier in an installed state.

-##### Check status using kubectl CLI

-1. Connect to your Kubernetes cluster via a Terminal window.

-1. Run the below command and ensure:

- - The namespace mentioned above is created

- and

- - The `bootstrapper` pod state is **running** before proceeding to the next step.

- ``` console

- kubectl get pods --name <name of namespace used in the json template file above>

- ```

-For example, the following example gets the pods from `arc` namespace.

-```console

-#Example:

-kubectl get pods --name arc

-```

-### Retrieve the managed identity and grant roles

-When the Arc data services extension is created, Azure creates a managed identity. You need to assign certain roles to this managed identity for usage and/or metrics to be uploaded.

-#### Retrieve managed identity of the Arc data controller extension

-```azurecli

-$Env:MSI_OBJECT_ID = (az k8s-extension show --resource-group <resource group> --cluster-name <connectedclustername> --cluster-type connectedClusters --name <name of extension> | convertFrom-json).identity.principalId

-#Example

-$Env:MSI_OBJECT_ID = (az k8s-extension show --resource-group myresourcegroup --cluster-name myconnectedcluster --cluster-type connectedClusters --name ads-extension | convertFrom-json).identity.principalId

-```

-#### Assign role to the managed identity

-Run the below command to assign the **Contributor** and **Monitoring Metrics Publisher** roles:

-```azurecli

-az role assignment create --assignee $Env:MSI_OBJECT_ID --role "Contributor" --scope "/subscriptions/$ENV:subscription/resourceGroups/$ENV:resourceGroup"

-az role assignment create --assignee $Env:MSI_OBJECT_ID --role "Monitoring Metrics Publisher" --scope "/subscriptions/$ENV:subscription/resourceGroups/$ENV:resourceGroup"

-```

-### Step 2: Create a custom location using `customlocation` CLI extension

-A custom location is an Azure resource that is equivalent to a namespace in a Kubernetes cluster. Custom locations are used as a target to deploy resources to or from Azure. Learn more about custom locations in the [Custom locations on top of Azure Arc-enabled Kubernetes documentation](../kubernetes/conceptual-custom-locations.md).

-#### Set environment variables

-##### [Linux](#tab/linux)

-```azurecli

-export clName=mycustomlocation

-export hostClusterId=$(az connectedk8s show --resource-group ${resourceGroup} --name ${clusterName} --query id -o tsv)

-export extensionId=$(az k8s-extension show --resource-group ${resourceGroup} --cluster-name ${clusterName} --cluster-type connectedClusters --name ${adsExtensionName} --query id -o tsv)

-az customlocation create --resource-group ${resourceGroup} --name ${clName} --namespace ${namespace} --host-resource-id ${hostClusterId} --cluster-extension-ids ${extensionId} --location ${location}

-```

-##### [Windows (PowerShell)](#tab/windows)

-```azurecli

-$ENV:clName="mycustomlocation"

-$ENV:hostClusterId=(az connectedk8s show --resource-group $ENV:resourceGroup --name $ENV:clusterName --query id -o tsv)

-$ENV:extensionId=(az k8s-extension show --resource-group $ENV:resourceGroup --cluster-name $ENV:clusterName --cluster-type connectedClusters --name $ENV:adsExtensionName --query id -o tsv)

-az customlocation create --resource-group $ENV:resourceGroup --name $ENV:clName --namespace $ENV:namespace --host-resource-id $ENV:hostClusterId --cluster-extension-ids $ENV:extensionId

-```

-### Validate the custom location is created

-From the terminal, run the below command to list the custom locations, and validate that the **Provisioning State** shows Succeeded:

-```azurecli

-az customlocation list -o table

-```

-### Create certificates for logs and metrics UI dashboards

-Optionally, you can specify certificates for logs and metrics UI dashboards. See [Provide certificates for monitoring](monitor-certificates.md) for examples. The December, 2021 release introduces this option.

-### Step 3: Create the Azure Arc data controller

-After the extension and custom location are created, proceed to deploy the Azure Arc data controller as follows.

-```azurecli

-az arcdata dc create --name <name> --resource-group <resourcegroup> --location <location> --connectivity-mode direct --profile-name <profile name> --auto-upload-metrics true --custom-location <name of custom location> --storage-class <storageclass>

-# Example

-az arcdata dc create --name arc-dc1 --resource-group my-resource-group --location eastasia --connectivity-mode direct --profile-name azure-arc-aks-premium-storage --auto-upload-metrics true --custom-location mycustomlocation --storage-class mystorageclass

-```

-If you want to create the Azure Arc data controller using a custom configuration template, follow the steps described in [Create custom configuration profile](create-custom-configuration-template.md) and provide the path to the file as follows:

-```azurecli

-az arcdata dc create --name <name> --resource-group <resourcegroup> --location <location> --connectivity-mode direct --path ./azure-arc-custom --auto-upload-metrics true --custom-location <name of custom location>

-# Example

-az arcdata dc create --name arc-dc1 --resource-group my-resource-group --location eastasia --connectivity-mode direct --path ./azure-arc-custom --auto-upload-metrics true --custom-location mycustomlocation

-```

-[Create an Azure SQL managed instance on Azure Arc](create-sql-managed-instance.md)

-description: Create an Azure SQL managed instance on Azure Arc

-# Create an Azure SQL managed instance on Azure Arc

-[Already created a Data Controller? Create an Azure Arc-enabled SQL Managed Instance](create-sql-managed-instance.md)

-[Create an Azure SQL managed instance on Azure Arc](create-sql-managed-instance.md) (requires creation of an Azure Arc data controller first)

- For example, [Create an Azure SQL managed instance on Azure Arc](create-sql-managed-instance.md).

-[Already created a Data Controller? Create an Azure Arc-enabled SQL Managed Instance](create-sql-managed-instance.md)

-| [Unity XT](https://www.dell.com/en-us/dt/storage/unity.htm) |1.25.4|1.15.0_2023-01-10|16.0.816.19223 |Not validated|

-| [PowerStore T](https://www.dell.com/en-us/dt/storage/powerstore-storage-appliance.htm) |1.25.4|1.15.0_2023-01-10|16.0.816.19223 |Not validated|

-| TKG 2.1.0 | 1.26.0 | 1.15.0_2023-01-10 | 16.0.816.19223 | 14.5 (Ubuntu 20.04)

- - [Create an Azure SQL managed instance on Azure Arc](create-sql-managed-instance.md)

-You can authenticate, authorize, and control access to your Azure Arc-enabled Kubernetes clusters. Kubernetes role-based access control (Kubernetes RBAC) lets you grant users, groups, and service accounts access to only the resources they need. You can further enhance the security and permissions structure by using Azure Active Directory and Azure role-based access control (RBAC).

-Azure Arc-enabled Kubernetes allows you to attach and configure Kubernetes clusters running anywhere. You can connect your clusters running on other public cloud providers (such as GCP or AWS) or clusters running on your on-premises data center (such as VMware vSphere or Azure Stack HCI) to Azure through the Arc platform.

-When you connect a Kubernetes cluster to Azure, it will:

-* Be represented in Azure Resource Manager by a unique ID

-* Be placed in an Azure subscription and resource group

-* Receive tags just like any other Azure resource

-Azure Arc-enabled Kubernetes supports industry-standard SSL to secure data in transit. For the connected clusters, cluster extensions, and custom locations, data at rest is stored encrypted in an Azure Cosmos DB database to ensure confidentiality.

-Azure Arc-enabled Kubernetes supports the following scenarios for connected clusters:

-* Single pane of glass to view all [connected Kubernetes clusters](quickstart-connect-cluster.md) running outside of Azure for inventory, grouping, and tagging, along with Azure Kubernetes Service (AKS) clusters.

-* Deploy applications and apply configuration using [GitOps-based configuration management](tutorial-use-gitops-connected-cluster.md).

-* Manage access by using [Azure Active Directory for authentication and authorization checks](azure-rbac.md) on your cluster.

-* Securely access your Kubernetes cluster from anywhere without opening inbound port on firewall using [Cluster Connect](cluster-connect.md).

-* Deploy [Open Service Mesh](tutorial-arc-enabled-open-service-mesh.md) on top of your cluster for observability and policy enforcement on service-to-service interactions

-* Deploy machine learning workloads using [Azure Machine Learning for Kubernetes clusters](../../machine-learning/how-to-attach-kubernetes-anywhere.md?toc=/azure/azure-arc/kubernetes/toc.json).

-* Create [custom locations](./custom-locations.md) as target locations for deploying Azure Arc-enabled data services (SQL Managed Instances, PostgreSQL server (preview)), [App Services on Azure Arc](../../app-service/overview-arc-integration.md) (including web, function, and logic apps), and [Event Grid on Kubernetes](../../event-grid/kubernetes/overview.md).

-Azure Arc-enabled Kubernetes works with any Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters. The Azure Arc team has worked with [key industry partners to validate conformance](./validation-program.md) of their Kubernetes distributions with Azure Arc-enabled Kubernetes.

-Learn how to connect your existing Kubernetes cluster to Azure Arc.

-> [!div class="nextstepaction"]

-> [Connect an existing Kubernetes cluster to Azure Arc](./quickstart-connect-cluster.md)

-The recommended way of keeping the Windows agent up to date is to automatically obtain the latest version through Microsoft Update. This allows you to utilize your existing update infrastructure (such as Microsoft Endpoint Configuration Manager or Windows Server Update Services) and include Azure Connected Machine agent updates with your regular OS update schedule.

-For organizations that use Microsoft Endpoint Configuration Manager (MECM) or Windows Server Update Services (WSUS) to deliver updates to their servers, you need to configure WSUS to synchronize the Azure Connected Machine Agent packages and approve them for installation on your servers. Follow the guidance for [Windows Server Update Services](/windows-server/administration/windows-server-update-services/manage/setting-up-update-synchronizations#to-specify-update-products-and-classifications-for-synchronization) or [MECM](/mem/configmgr/sum/get-started/configure-classifications-and-products#to-configure-classifications-and-products-to-synchronize) to add the following products and classifications to your configuration:

-When a new version of a VM extension is published, it becomes available for installation and manual upgrade on Arc-enabled servers. For servers that already have the extension installed and automatic extension upgrade enabled, it may take up to 5 weeks for every server with that extension to get the automatic upgrade. Upgrades are issued in batches across Azure regions and subscriptions, so you may see the extension get upgraded on some of your servers before others. If you need to upgrade an extension immediately, follow the guidance to manually upgrade extensions using the [Azure portal](manage-vm-extensions-portal.md#upgrade-extensions), [Azure PowerShell](manage-vm-extensions-cli.md#upgrade-extensions) or [Azure CLI](manage-vm-extensions-powershell.md#upgrade-extension).

-Microsoft Endpoint Configuration Manager facilitates comprehensive management of servers supporting the secure and scalable deployment of applications, software updates, and operating systems. Configuration Manager offers the custom task sequence as a flexible paradigm for application deployment.

-Microsoft Endpoint Configuration Manager facilitates comprehensive management of servers supporting the secure and scalable deployment of applications, software updates, and operating systems. Configuration Manager has an integrated ability to run PowerShell scripts.

-For example, a computer running Windows 11 that's responsible for digital signage, point-of-sale solutions, and general back office management tasks is a good candidate for Azure Arc. End-user productivity machines, such as a laptop, which may go offline for long periods of time, shouldn't use Azure Arc and instead should consider [Microsoft Intune](/mem/intune) or [Microsoft Endpoint Configuration Manager](/mem/configmgr).

-Use Azure PowerShell for creating a new cache with managed identity or updating an existing cache to use managed identity. For more information, see [New-AzRedisCache](/powershell/module/az.rediscache/new-azrediscache?view=azps-7.1.0&preserve-view=true) or [Set-AzRedisCache](/powershell/module/az.rediscache/set-azrediscache?view=azps-7.1.0&preserve-view=true).

- | .NET runtime | Process model | Description |

- | | | |

- | **.NET 6.0 (LTS)** | [In-process](functions-dotnet-class-library.md) | _In-process_ C# functions are only supported on [Long Term Support (LTS)](https://dotnet.microsoft.com/en-us/platform/support/policy/dotnet-core) .NET versions. Function code runs in the same process as the Functions host. |

- | **.NET 6.0 Isolated (LTS)** | [Isolated worker process](dotnet-isolated-process-guide.md) | Functions run on .NET 6, but in a separate process from the Functions host. |

- | **.NET 7.0 Isolated** | [Isolated worker process](dotnet-isolated-process-guide.md) | Because .NET 7 isn't an LTS version of .NET, your functions must run in an isolated process on .NET 7. |

- | **.NET Framework Isolated** | [Isolated worker process](dotnet-isolated-process-guide.md) | Choose this option when your functions need to use libraries only supported on the .NET Framework. |

-To use the Netherite storage provider, you must first add a reference to the [Microsoft.Azure.DurableTask.Netherite.AzureFunctions](https://www.nuget.org/packages/Microsoft.Azure.DurableTask.Netherite.AzureFunctions) NuGet package in your **csproj** file (.NET apps) or your **extensions.proj** file (JavaScript, Python, and PowerShell apps).

-To use the MSSQL storage provider, you must first add a reference to the [Microsoft.DurableTask.SqlServer.AzureFunctions](https://www.nuget.org/packages/Microsoft.DurableTask.SqlServer.AzureFunctions) NuGet package in your **csproj** file (.NET apps) or your **extensions.proj** file (JavaScript, Python, and PowerShell apps).

-Migration of [Task Hub data](durable-functions-task-hubs.md) across storage providers is not currently supported. Function apps with existing runtime data will start with a fresh, empty task hub after switching to the MSSQL backend. Similarly, the task hub contents created with MSSQL cannot be preserved when switching to a different storage provider.

-The following steps assume that you are starting with an existing Durable Functions app and are familiar with how to operate it.

-If this is not the case, we suggest you start with one of the following articles, which provides detailed instructions on how to achieve all the requirements above:

-You will need to install the latest version of the `Microsoft.DurableTask.SqlServer.AzureFunctions` [Extension on NuGet](https://www.nuget.org/packages/Microsoft.DurableTask.SqlServer.AzureFunctions) on your app. This usually means to include a reference to it in your `.csproj` file and building the project.

-func extensions install --package Microsoft.DurableTask.SqlServer.AzureFunctions --version <latestVersionOnNuget>

-Edit the storage provider section of the `host.json` file so it sets the `type` to `mssql`. We'll also specify the connection string variable name, `SQLDB_Connection`, under `connectionStringName`. We'll set `createDatabaseIfNotExists` to `true`; this setting creates a database named `DurableDB` if one does not already exists, with collation `Latin1_General_100_BIN2_UTF8`.

-You'll need to install the latest version of the `Microsoft.Azure.DurableTask.Netherite.AzureFunctions` [Extension on NuGet](https://www.nuget.org/packages/Microsoft.Azure.DurableTask.Netherite.AzureFunctions) on your app. This usually means to include a reference to it in your `.csproj` file and building the project.

-func extensions install --package Microsoft.Azure.DurableTask.Netherite.AzureFunctions --version <latestVersionOnNuget>

-> The new programming model for authoring Functions in Python (V2) is currently in preview. Compared to the current model, the new experience is designed to have a more idiomatic and intuitive. To learn more, see Azure Functions Python [developer guide](../functions-reference-python.md?pivots=python-mode-decorators).

- public string Id { get; set; }

- log.LogInformation("First document Id " + input[0].Id);

- #r "Microsoft.Azure.DocumentDB.Core"

- using Microsoft.Azure.Documents;

- public static void Run(IReadOnlyList<Document> documents, ILogger log)

- log.LogInformation("First document Id " + documents[0].Id);

- | .NET runtime | Process model | Description |

- | | | |

- | **.NET 6.0 (Long Term Support)** | [In-process](functions-dotnet-class-library.md) | _In-process_ C# functions are only supported on [Long Term Support (LTS)](https://dotnet.microsoft.com/en-us/platform/support/policy/dotnet-core) .NET versions. Function code runs in the same process as the Functions host. |

- | **.NET 6.0 Isolated (Long Term Support)** | [Isolated worker process](dotnet-isolated-process-guide.md) | Functions run on .NET 6, but in a separate process from the Functions host. |

- | **.NET 7.0 Isolated** | [Isolated worker process](dotnet-isolated-process-guide.md) | Because .NET 7 isn't an LTS version of .NET, your functions must run in an isolated process on .NET 7. |

- | **.NET Framework Isolated v4** | [Isolated worker process](dotnet-isolated-process-guide.md) | Choose this option when your functions need to use libraries only supported on the .NET Framework. |

- | **.NET Core 3.1 (Long Term Support)** | [In-process](functions-dotnet-class-library.md) | .NET Core 3.1 is no longer a supported version of .NET and isn't supported by Functions version 4.x. Use .NET 6.0 instead. |

- | **.NET Framework v1** | [In-process](functions-dotnet-class-library.md) | Choose this option when your functions need to use libraries only supported on older versions of .NET Framework. Requires version 1.x of the Functions runtime. |

-1. Enter information about the hybrid connection as shown right after the following screenshot. You have the option of making the **Endpoint Host** setting match the host name of the on-premises server to make it easier to remember the server later when you're running remote commands. The port matches the default Windows remote management service port that was defined on the server earlier.

- <PackageReference Include="Microsoft.Azure.Functions.Worker" Version="1.8.0" />

-Azure Maps Creator enables users to import their indoor map data in GeoJSON format with [Facility Ontology 2.0][Facility Ontology], which can then be used to create a [dataset][dataset-concept].

- files, you can download the [Contoso building sample][Contoso building sample].

-Use the [Data Upload API](/rest/api/maps/data-v2/upload) to upload the drawing package to Azure Maps Creator account.

-The Data Upload API is a long running transaction that implements the pattern defined in [Creator Long-Running Operation API V2](creator-long-running-operation-v2.md).

-1. Execute the following HTTP POST request that uses the [Data Upload API](/rest/api/maps/data-v2/upload):

-The GeoJSON zip package consists of one or more [RFC 7946][RFC 7946] compliant GeoJSON files, one for each feature class, all in the root directory (subdirectories aren't supported), compressed with standard Zip compression and named using the `.ZIP` extension.

-> If you want to be certain you have a globally unique identifier (GUID), consider creating it by running a GUID generating tool such as the Guidgen.exe command line program (Available with [Visual Studio][Visual Studio]). Guidgen.exe never produces the same number twice, no matter how many times it is run or how many different machines it runs on.

-[Facility ontology][Facility ontology] defines how Azure Maps Creator internally stores facility data, divided into feature classes, in a Creator dataset. When importing a GeoJSON package, anytime a feature is added or modified, a series of validations run. This includes referential integrity checks as well as geometry and attribute validations. These validations are described in more detail below.

- - `unit` can consist of an array of items such as hallways, offices and courtyards, which are defined by [area][areaElement], [line][lineElement] or [point][pointElement] elements. Units are defined in the file *unit.goejson*.

-> [Create a tileset](tutorial-creator-indoor-maps.md#create-a-tileset)

-> [!div class="nextstepaction"]

-> [Query datasets with WFS API](tutorial-creator-wfs.md)

-> [!div class="nextstepaction"]

-> [Create a feature stateset](tutorial-creator-feature-stateset.md)

-[unit]: creator-facility-ontology.md?pivots=facility-ontology-v2#unit

-[structure]: creator-facility-ontology.md?pivots=facility-ontology-v2#structure

-[verticalPenetration]: creator-facility-ontology.md?pivots=facility-ontology-v2#verticalpenetration

-[opening]: creator-facility-ontology.md?pivots=facility-ontology-v2#opening

-[areaElement]: creator-facility-ontology.md?pivots=facility-ontology-v2#areaelement

-[lineElement]: creator-facility-ontology.md?pivots=facility-ontology-v2#lineelement

-[pointElement]: creator-facility-ontology.md?pivots=facility-ontology-v2#pointelement

-[dataset-concept]: creator-indoor-maps.md#datasets

-You can use Azure Maps Creator [Feature State service](/rest/api/maps/v2/feature-state) to apply styles that are based on the dynamic properties of indoor map data features. For example, you can render facility meeting rooms with a specific color to reflect occupancy status. This article describes how to dynamically render indoor map features with the [Feature State service](/rest/api/maps/v2/feature-state) and the [Indoor Web module](how-to-use-indoor-module.md).

-1. [Create an Azure Maps account](quick-demo-map-app.md#create-an-azure-maps-account)

-2. [Obtain a primary subscription key](quick-demo-map-app.md#get-the-primary-key-for-your-account), also known as the primary key or the subscription key.

-3. [Create a Creator resource](how-to-manage-creator.md)

-4. Download the [sample drawing package](https://github.com/Azure-Samples/am-creator-indoor-data-examples).

-5. [Create an indoor map](tutorial-creator-indoor-maps.md) to obtain a `tilesetId` and `statesetId`.

-6. Build a web application by following the steps in [How to use the Indoor Map module](how-to-use-indoor-module.md).

-This tutorial uses the [Postman](https://www.postman.com/) application, but you may choose a different API development environment.

-After you complete the prerequisites, you should have a simple web application configured with your subscription key, `tilesetId`, and `statesetId`.

-To implement dynamic styling, a feature - such as a meeting or conference room - must be referenced by its feature `id`. You use the feature `id` to update the dynamic property or *state* of that feature. To view the features defined in a dataset, you can use one of the following methods:

-* WFS API (Web Feature service). You can use the [WFS API](/rest/api/maps/v2/wfs) to query datasets. WFS follows the [Open Geospatial Consortium API Features](https://docs.opengeospatial.org/DRAFTS/17-069r4.html). The WFS API is helpful for querying features within a dataset. For example, you can use WFS to find all mid-size meeting rooms of a specific facility and floor level.

-* Implement customized code that a user can use to select features on a map using your web application. We use this option in this article.

-The following script implements the mouse-click event. The code retrieves the feature `id` based on the clicked point. In your application, you can insert the code after your Indoor Manager code block. Run your application, and then check the console to obtain the feature `id` of the clicked point.

-The [Create an indoor map](tutorial-creator-indoor-maps.md) tutorial configured the feature stateset to accept state updates for `occupancy`.

-In the next section, we'll set the occupancy *state* of office `UNIT26` to `true` and office `UNIT27` to `false`.

- We'll now update the state of the two offices, `UNIT26` and `UNIT27`:

-4. Enter the following URL to the [Feature Update States API](/rest/api/maps/v2/feature-state/update-states) (replace `{Your-Azure-Maps-Subscription-key}` with your Azure Maps subscription key and `statesetId` with the `statesetId`):

- >The update will be saved only if the posted time stamp is after the time stamp used in previous feature state update requests for the same feature `ID`.

-* Office `UNIT27`(142) should appear green.

-* Office `UNIT26`(143) should appear red.

-[See live demo](https://samples.azuremaps.com/?sample=creator-indoor-maps)

-> [Creator for indoor mapping](creator-indoor-maps.md)

-See the references for the APIs mentioned in this article:

-> [!div class="nextstepaction"]

-> [Data Upload](creator-indoor-maps.md#upload-a-drawing-package)

-> [!div class="nextstepaction"]

-> [Data Conversion](creator-indoor-maps.md#convert-a-drawing-package)

-> [!div class="nextstepaction"]

-> [Dataset](creator-indoor-maps.md#datasets)

-> [!div class="nextstepaction"]

-> [Tileset](creator-indoor-maps.md#tilesets)

-> [!div class="nextstepaction"]

-> [Feature State set](creator-indoor-maps.md#feature-statesets)

-> [!div class="nextstepaction"]

-> [WFS service](creator-indoor-maps.md#web-feature-service-api)

-description: The third tutorial on Microsoft Azure Maps Creator. How to create a feature stateset.

-# Tutorial: Create a feature stateset

-[Feature statesets](/rest/api/maps/v2/feature-state) define dynamic properties and values on specific features that support them. In this Tutorial, you'll:

-> [!div class="checklist"]

->

-> * Create a stateset that defines boolean values and corresponding styles for the **occupancy** property.

-> * Change the `occupancy` property state of the desired unit.

-## Prerequisites

-* Successful completion of [Tutorial: Query datasets with WFS API](tutorial-creator-wfs.md).

-* The `datasetId` obtained in the [Check the dataset creation status](tutorial-creator-indoor-maps.md#check-the-dataset-creation-status) section of the *Use Creator to create indoor maps* tutorial.

-This tutorial uses the [Postman](https://www.postman.com/) application, but you can use a different API development environment.

->[!IMPORTANT]

->

-> * This article uses the `us.atlas.microsoft.com` geographical URL. If your Creator service wasn't created in the United States, you must use a different geographical URL. For more information, see [Access to Creator Services](how-to-manage-creator.md#access-to-creator-services).

-> * In the URL examples in this article you will need to replace:

-> * `{Your-Azure-Maps-Subscription-key}` with your Azure Maps subscription key.

-> * `{datasetId}` with the `datasetId` obtained in the [Check the dataset creation status](tutorial-creator-indoor-maps.md#check-the-dataset-creation-status) section of the *Use Creator to create indoor maps* tutorial

-## Create a feature stateset

-To create a stateset:

-1. In the Postman app, create a new **HTTP Request** and save it as *POST Create Stateset*.

-2. Select the **POST** HTTP method.

-3. Enter the following URL to the [Stateset API](/rest/api/maps/v2/feature-state/create-stateset). The request should look like the following URL:

- ```http

- https://us.atlas.microsoft.com/featurestatesets?api-version=2.0&datasetId={datasetId}&subscription-key={Your-Azure-Maps-Subscription-key}

- ```

-4. Select the **Headers** tab.

-5. In the **KEY** field, select `Content-Type`.

-6. In the **VALUE** field, select `application/json`.

- :::image type="content" source="./media/tutorial-creator-indoor-maps/stateset-header.png"alt-text="A screenshot of Postman showing the Header tab of the POST request that shows the Content Type Key with a value of application forward slash json.":::

-7. Select the **Body** tab.

-8. Select **raw** and **JSON**.

-9. Copy the following JSON styles, and then paste them in the **Body** window:

- ```json

- {

- "styles":[

- {

- "keyname":"occupied",

- "type":"boolean",

- "rules":[

- {

- "true":"#FF0000",

- "false":"#00FF00"

- }

- ]

- }

- ]

- }

- ```

-10. Select **Send**.

-11. After the response returns successfully, copy the `statesetId` from the response body. In the next section, you'll use the `statesetId` to change the `occupancy` property state of the unit with feature `id` "UNIT26".

- :::image type="content" source="./media/tutorial-creator-indoor-maps/response-stateset-id.png"alt-text="A screenshot of Postman showing the resource Stateset ID value in the responses body.":::

-## Update a feature state

-To update the `occupied` state of the unit with feature `id` "UNIT26":

-1. In the Postman app, create a new **HTTP Request** and save it as *PUT Set Stateset*.

-2. Select the **PUT** HTTP method.

-3. Enter the following URL to the [Feature Statesets API](/rest/api/maps/v2/feature-state/create-stateset). The request should look like the following URL (replace `{statesetId`} with the `statesetId` obtained in [Create a feature stateset](#create-a-feature-stateset)):

- ```http

- https://us.atlas.microsoft.com/featurestatesets/{statesetId}/featureStates/UNIT26?api-version=2.0&subscription-key={Your-Azure-Maps-Subscription-key}

- ```

-4. Select the **Headers** tab.

-5. In the **KEY** field, select `Content-Type`.

-6. In the **VALUE** field, select `application/json`.

- :::image type="content" source="./media/tutorial-creator-indoor-maps/stateset-header.png"alt-text="Header tab information for stateset creation.":::

-7. Select the **Body** tab.

-8. Select **raw** and **JSON**.

-9. Copy the following JSON style, and then paste it in the **Body** window:

- ```json

- {

- "states": [

- {

- "keyName": "occupied",

- "value": true,

- "eventTimestamp": "2020-11-14T17:10:20"

- }

- ]

- }

- ```

- >[!NOTE]

- > The update will be saved only if the time posted stamp is after the time stamp of the previous request.

-10. Select **Send**.

-11. After the update completes, you'll receive a `200 OK` HTTP status code. If you implemented [dynamic styling](indoor-map-dynamic-styling.md) for an indoor map, the update displays at the specified time stamp in your rendered map.

-## Additional information

-* For information on how to retrieve the state of a feature using its feature id, see [Feature State - List States](/rest/api/maps/v2/feature-state/list-states).

-* For information on how to delete the stateset and its resources, see [Feature State - Delete Stateset](/rest/api/maps/v2/feature-state/delete-stateset) .

-* For information on using the Azure Maps Creator [Feature State service](/rest/api/maps/v2/feature-state) to apply styles that are based on the dynamic properties of indoor map data features, see how to article [Implement dynamic styling for Creator indoor maps](indoor-map-dynamic-styling.md).

-* For more information on the different Azure Maps Creator services discussed in this tutorial, see [Creator Indoor Maps](creator-indoor-maps.md).

-In the next tutorials in the Creator series you'll learn to:

-> * Query the Azure Maps Web Feature Service (WFS) API to learn about your map features.

-> * Create a feature stateset that can be used to set the states of features in your dataset.

-> * Update the state of a given map feature.

-<!--For additional information, see [Create custom styles for indoor maps](how-to-create-custom-styles.md).-->

-## Additional information

-* For additional information see the how to [Use the Azure Maps Indoor Maps module](how-to-use-indoor-module.md) article.

-* See [Azure IoT Maps Creator Functional API](/rest/api/maps-creator/) for additional information on the Creator REST API.

-To learn how to query Azure Maps Creator [datasets](/rest/api/maps/v2/dataset) using [WFS API](/rest/api/maps/v2/wfs) in the next Creator tutorial.

-> [!div class="nextstepaction"]

-> [Tutorial: Query datasets with WFS API](tutorial-creator-wfs.md)

-> [Create custom styles for indoor maps](how-to-create-custom-styles.md)

-description: The second tutorial on Microsoft Azure Maps Creator. How to Query datasets with WFS API

-# Tutorial: Query datasets with WFS API

-This tutorial describes how to query Azure Maps Creator [datasets](/rest/api/maps/v2/dataset) using [WFS API](/rest/api/maps/v2/wfs). You can use the WFS API to query features within a dataset. For example, you can use WFS to find all mid-size meeting rooms in a specific building and floor level.

-In this tutorial, you'll learn how to:

-> [!div class="checklist"]

->

-> * Query the Azure Maps Web Feature Service (WFS) API to query for all feature collections.

-> * Query the Azure Maps Web Feature Service (WFS) API to query for a specific collection.

-First you'll query all collections, and then you'll query for the `unit` collection.

-## Prerequisites

-* Successful completion of [Tutorial: Use Creator to create indoor maps](tutorial-creator-indoor-maps.md).

-* The `datasetId` obtained in [Check dataset creation status](tutorial-creator-indoor-maps.md#check-the-dataset-creation-status) section of the previous tutorial.

-This tutorial uses the [Postman](https://www.postman.com/) application, but you can use a different API development environment.

->[!IMPORTANT]

->

-> * This article uses the `us.atlas.microsoft.com` geographical URL. If your Creator service wasn't created in the United States, you must use a different geographical URL. For more information, see [Access to Creator Services](how-to-manage-creator.md#access-to-creator-services).

-> * In the URL examples in this article you will need to replace:

-> * `{Your-Azure-Maps-Subscription-key}` with your Azure Maps subscription key.

-> * `{datasetId}` with the `datasetId` obtained in the [Check the dataset creation status](tutorial-creator-indoor-maps.md#check-the-dataset-creation-status) section of the *Use Creator to create indoor maps* tutorial

-## Query for feature collections

-To query all collections in your dataset:

-1. In the Postman app, create a new **HTTP Request** and save it as *GET Dataset Collections*.

-2. Select the **GET** HTTP method.

-3. Enter the following URL to [WFS API](/rest/api/maps/v2/wfs). The request should look like the following URL:

- ```http

- https://us.atlas.microsoft.com/wfs/datasets/{datasetId}/collections?subscription-key={Your-Azure-Maps-Subscription-key}&api-version=2.0

- ```

-4. Select **Send**.

-5. The response body is returned in GeoJSON format and contains all collections in the dataset. For simplicity, the example here only shows the `unit` collection. To see an example that contains all collections, see [WFS Describe Collections API](/rest/api/maps/v2/wfs/get-collection-definition). To learn more about any collection, you can select any of the URLs inside the `links` element.

- ```json

- {

- "collections": [

- {

- "name": "unit",

- "description": "A physical and non-overlapping area which might be occupied and traversed by a navigating agent. Can be a hallway, a room, a courtyard, etc. It is surrounded by physical obstruction (wall), unless the is_open_area attribute is equal to true, and one must add openings where the obstruction shouldn't be there. If is_open_area attribute is equal to true, all the sides are assumed open to the surroundings and walls are to be added where needed. Walls for open areas are represented as a line_element or area_element with is_obstruction equal to true.",

- "links": [

- {

- "href": "https://atlas.microsoft.com/wfs/datasets/{datasetId}/collections/unit/definition?api-version=1.0",

- "rel": "describedBy",

- "title": "Metadata catalogue for unit"

- },

- {

- "href": "https://atlas.microsoft.com/wfs/datasets/{datasetId}/collections/unit/items?api-version=1.0",

- "rel": "data",

- "title": "unit"

- }

- {

- "href": "https://atlas.microsoft.com/wfs/datasets/{datasetId}/collections/unit?api-version=1.0",

- "rel": "self",

- "title": "Metadata catalogue for unit"

- }

- ]

- },

- ```

-## Query for unit feature collection

-In this section, you'll query [WFS API](/rest/api/maps/v2/wfs) for the `unit` feature collection.

-To query the unit collection in your dataset:

-1. In the Postman app, create a new **HTTP Request** and save it as *GET Unit Collection*.

-2. Select the **GET** HTTP method.

-3. Enter the following URL:

- ```http

- https://us.atlas.microsoft.com/wfs/datasets/{datasetId}/collections/unit/items?subscription-key={Your-Azure-Maps-Subscription-key}&api-version=2.0

- ```

-4. Select **Send**.

-5. After the response returns, copy the feature `id` for one of the `unit` features. In the following example, the feature `id` is "UNIT26". You'll use "UNIT26" as your feature `id` when you [Update a feature state](tutorial-creator-feature-stateset.md#update-a-feature-state) in the next tutorial.

- ```json

- {

- "type": "FeatureCollection",

- "features": [

- {

- "type": "Feature",

- "geometry": {

- "type": "Polygon",

- "coordinates": ["..."]

- },

- "properties": {

- "original_id": "b7410920-8cb0-490b-ab23-b489fd35aed0",

- "category_id": "CTG8",

- "is_open_area": true,

- "navigable_by": [

- "pedestrian"

- ],

- "route_through_behavior": "allowed",

- "level_id": "LVL14",

- "occupants": [],

- "address_id": "DIR1",

- "name": "157"

- },

- "id": "UNIT26",

- "featureType": ""

- }, {"..."}

- ]

- }

- ```

-## Additional information

-See [WFS](/rest/api/maps/v2/wfs) for information on the Creator Web Feature Service REST API.

-## Next steps

-To learn how to use feature statesets to define dynamic properties and values on specific features in the final Creator tutorial.

-> [!div class="nextstepaction"]

-> [Tutorial: Create a feature stateset](tutorial-creator-feature-stateset.md)

-| Get rules | [Get-AzDataCollectionRule](/powershell/module/az.monitor/get-azdatacollectionrule?view=azps-5.4.0&preserve-view=true) |

-| Create a rule | [New-AzDataCollectionRule](/powershell/module/az.monitor/new-azdatacollectionrule?view=azps-6.0.0&viewFallbackFrom=azps-5.4.0&preserve-view=true) |

-| Update a rule | [Set-AzDataCollectionRule](/powershell/module/az.monitor/set-azdatacollectionrule?view=azps-6.0.0&viewFallbackFrom=azps-5.4.0&preserve-view=true) |

-| Delete a rule | [Remove-AzDataCollectionRule](/powershell/module/az.monitor/remove-azdatacollectionrule?view=azps-6.0.0&viewFallbackFrom=azps-5.4.0&preserve-view=true) |

-| Update "Tags" for a rule | [Update-AzDataCollectionRule](/powershell/module/az.monitor/update-azdatacollectionrule?view=azps-6.0.0&viewFallbackFrom=azps-5.4.0&preserve-view=true) |

-| Get associations | [Get-AzDataCollectionRuleAssociation](/powershell/module/az.monitor/get-azdatacollectionruleassociation?view=azps-6.0.0&viewFallbackFrom=azps-5.4.0&preserve-view=true) |

-| Create an association | [New-AzDataCollectionRuleAssociation](/powershell/module/az.monitor/new-azdatacollectionruleassociation?view=azps-6.0.0&viewFallbackFrom=azps-5.4.0&preserve-view=true) |

-| Delete an association | [Remove-AzDataCollectionRuleAssociation](/powershell/module/az.monitor/remove-azdatacollectionruleassociation?view=azps-6.0.0&viewFallbackFrom=azps-5.4.0&preserve-view=true) |

-Check out the [Application Insights React demo](https://github.com/Azure-Samples/application-insights-react-demo).

-Use the [New-AzDiagnosticSetting](/powershell/module/az.monitor/new-azdiagnosticsetting?view=azps-9.1.0&preserve-view=true) cmdlet to create a diagnostic setting with [Azure PowerShell](../powershell-samples.md). See the documentation for this cmdlet for descriptions of its parameters.

-| Configuration Manager | Import collections from Microsoft Endpoint Configuration Manager and create a group in Azure Monitor for each. |

-Use the [Update-AzOperationalInsightsTable](/powershell/module/az.operationalinsights/Update-AzOperationalInsightsTable?view=azps-9.1.0) cmdlet to set the retention and archive duration for a table. This example sets the table's interactive retention to 30 days, and the total retention to two years, which means that the archive duration is 23 months:

-To reapply the workspace's default interactive retention value to the table and reset its total retention to 0, run the [Update-AzOperationalInsightsTable](/powershell/module/az.operationalinsights/Update-AzOperationalInsightsTable?view=azps-9.1.0) cmdlet with the `-RetentionInDays` and `-TotalRetentionInDays` parameters set to `-1`.

-To get the retention policy of a particular table, run the [Get-AzOperationalInsightsTable](/powershell/module/az.operationalinsights/get-azoperationalinsightstable?view=azps-9.1.0) cmdlet.

-> | spring | resource group | 4-32 | Lowercase letters, numbers, and hyphens. |

-* [How to enable TLS 1.2 on clients](/mem/configmgr/core/plan-design/security/enable-tls-1-2-client) ΓÇô for Microsoft Endpoint Configuration Manager.

-Before creating a backup vault, choose the storage redundancy of the data within the vault. Then proceed to create the backup vault with that storage redundancy and the location. In this article, we will create a backup vault _TestBkpVault_ in region _westus_, under the resource group _testBkpVaultRG_. Use the [New-AzDataProtectionBackupVault](/powershell/module/az.dataprotection/new-azdataprotectionbackupvault?view=azps-5.9.0&preserve-view=true) command to create a backup vault.Learn more about [creating a Backup vault](./backup-vault-overview.md#create-a-backup-vault).

-To understand the inner components of a backup policy for Azure blob backup, retrieve the policy template using the [Get-AzDataProtectionPolicyTemplate](/powershell/module/az.dataprotection/get-azdataprotectionpolicytemplate?view=azps-5.9.0&preserve-view=true) command. This command returns a default policy template for a given datasource type. Use this policy template to create a new policy.

-Once the policy object has all the desired values, proceed to create a new policy from the policy object using the [New-AzDataProtectionBackupPolicy](/powershell/module/az.dataprotection/new-azdataprotectionbackuppolicy?view=azps-5.9.0&preserve-view=true) command.

-Once all the relevant permissions are set, the configuration of backup is performed in 2 steps. First, we prepare the relevant request by using the relevant vault, policy, storage account using the [Initialize-AzDataProtectionBackupInstance](/powershell/module/az.dataprotection/initialize-azdataprotectionbackupinstance?view=azps-5.9.0&preserve-view=true) command. Then, we submit the request to protect the blobs within the storage account using the [New-AzDataProtectionBackupInstance](/powershell/module/az.dataprotection/new-azdataprotectionbackupinstance?view=azps-5.9.0&preserve-view=true) command.

-Before creating a backup vault, choose the storage redundancy of the data within the vault. Then proceed to create the backup vault with that storage redundancy and the location. In this article, we will create a backup vault "TestBkpVault" in "westus" region under the resource group "testBkpVaultRG". Use the [New-AzDataProtectionBackupVault](/powershell/module/az.dataprotection/new-azdataprotectionbackupvault?view=azps-5.7.0&preserve-view=true) command to create a backup vault.Learn more about [creating a Backup vault](./backup-vault-overview.md#create-a-backup-vault).

-To understand the inner components of a backup policy for Azure disk backup, retrieve the policy template using the command [Get-AzDataProtectionPolicyTemplate](/powershell/module/az.dataprotection/get-azdataprotectionpolicytemplate?view=azps-5.7.0&preserve-view=true). This command returns a default policy template for a given datasource type. Use this policy template to create a new policy.

-If you want to edit the hourly frequency or the retention period, use the [Edit-AzDataProtectionPolicyTriggerClientObject](/powershell/module/az.dataprotection/edit-azdataprotectionpolicytriggerclientobject?view=azps-5.7.0&preserve-view=true) and/or [Edit-AzDataProtectionPolicyRetentionRuleClientObject](/powershell/module/az.dataprotection/edit-azdataprotectionpolicyretentionruleclientobject?view=azps-5.7.0&preserve-view=true) commands. Once the policy object has all the desired values, proceed to create a new policy from the policy object using the [New-AzDataProtectionBackupPolicy](/powershell/module/az.dataprotection/new-azdataprotectionbackuppolicy?view=azps-5.7.0&preserve-view=true).

-The Backup vaults require permissions on disk and the snapshot resource group to be able to trigger snapshots and manage their lifecycle. The system-assigned managed identity of the vault is used for assigning such permissions. Use the [Update-AzRecoveryServicesVault](/powershell/module/az.recoveryservices/update-azrecoveryservicesvault?view=azps-5.7.0&preserve-view=true) command to enable system-assigned managed identity for the recovery services vault.

-Once all the relevant permissions are set, the configuration of backup is performed in 2 steps. First, we prepare the relevant request by using the relevant vault, policy, disk and snapshot resource group using the [Initialize-AzDataProtectionBackupInstance](/powershell/module/az.dataprotection/initialize-azdataprotectionbackupinstance?view=azps-5.7.0&preserve-view=true) command. Then, we submit the request to protect the disk using the [New-AzDataProtectionBackupInstance](/powershell/module/az.dataprotection/new-azdataprotectionbackupinstance?view=azps-5.7.0&preserve-view=true) command.

-Fetch the relevant backup instance on which the user desires to trigger a backup using the [Get-AzDataProtectionBackupInstance](/powershell/module/az.dataprotection/get-azdataprotectionbackupinstance?view=azps-5.7.0&preserve-view=true)

-Trigger an on-demand backup using the [Backup-AzDataProtectionBackupInstanceAdhoc](/powershell/module/az.dataprotection/backup-azdataprotectionbackupinstanceadhoc?view=azps-5.7.0&preserve-view=true) command.

-Track all the jobs using the [Get-AzDataProtectionJob](/powershell/module/az.dataprotection/get-azdataprotectionjob?view=azps-5.7.0&preserve-view=true) command. You can list all jobs and fetch a particular job detail.

-You can also use Az.ResourceGraph to track all jobs across all backup vaults. Use the [Search-AzDataProtectionJobInAzGraph](/powershell/module/az.dataprotection/search-azdataprotectionjobinazgraph?view=azps-5.7.0&preserve-view=true) command to get the relevant job which can be across any backup vault.

-In this article, we'll create a Backup vault *TestBkpVault*, in *westus* region, under the resource group *testBkpVaultRG*. Use the [New-AzDataProtectionBackupVault](/powershell/module/az.dataprotection/new-azdataprotectionbackupvault?view=azps-5.7.0&preserve-view=true) command to create a Backup vault. Learn more about [creating a Backup vault](./backup-vault-overview.md#create-a-backup-vault).

-To understand the inner components of a backup policy for Azure PostgreSQL database backup, retrieve the policy template using the [Get-AzDataProtectionPolicyTemplate](/powershell/module/az.dataprotection/get-azdataprotectionpolicytemplate?view=azps-5.7.0&preserve-view=true) command. This command returns a default policy template for a given datasource type. Use this policy template to create a new policy.

-The default policy template offers a backup once per week. You can modify the schedule for the backup to happen multiple days per week. To change the schedule, use the [Edit-AzDataProtectionPolicyTriggerClientObject](/powershell/module/az.dataprotection/edit-azdataprotectionpolicytriggerclientobject?view=azps-6.5.0&preserve-view=true) command.

-The default template will have a lifecycle for the initial datastore under the default retention rule. In this scenario, the rule says to delete the backup data after three months. You should add a new retention rule that defines when the data is *moved* to *archive* datastore, that is, backup data is first copied to archive datastore, and then deleted in vault datastore. Also, the rule should define for how long the data is kept in the *archive* datastore. Use the [New-AzDataProtectionRetentionLifeCycleClientObject](/powershell/module/az.dataprotection/new-azdataprotectionretentionlifecycleclientobject?view=azps-6.5.0&preserve-view=true) command to create new lifecycles and use the [Edit-AzDataProtectionPolicyRetentionRuleClientObject](/powershell/module/az.dataprotection/edit-azdataprotectionpolicyretentionruleclientobject?view=azps-6.5.0&preserve-view=true) command to associate them with new the rules or to the existing rules.

-Once a retention rule is created, you've to create a corresponding *tag* in the *Trigger* property of the backup policy. Use the [New-AzDataProtectionPolicyTagCriteriaClientObject](/powershell/module/az.dataprotection/new-azdataprotectionpolicytagcriteriaclientobject?view=azps-6.5.0&preserve-view=true) command to create a new tagging criteria and use the [Edit-AzDataProtectionPolicyTagClientObject](/powershell/module/az.dataprotection/edit-azdataprotectionpolicytagclientobject?view=azps-6.5.0&preserve-view=true) command to update the existing tag or create a new tag.

-Once the template is modified as per the requirements, use the [New-AzDataProtectionBackupPolicy](/powershell/module/az.dataprotection/new-azdataprotectionbackuppolicy?view=azps-6.5.0&preserve-view=true) command to create a policy using the modified template.

-1. We prepare the relevant request by using the relevant vault, policy, PostgreSQL database using the [Initialize-AzDataProtectionBackupInstance](/powershell/module/az.dataprotection/initialize-azdataprotectionbackupinstance?view=azps-5.7.0&preserve-view=true) command.

-1. We submit the request to protect the database using the [New-AzDataProtectionBackupInstance](/powershell/module/az.dataprotection/new-azdataprotectionbackupinstance?view=azps-5.7.0&preserve-view=true) command.

-Fetch the relevant backup instance on which you need to trigger a backup using the [Get-AzDataProtectionBackupInstance](/powershell/module/az.dataprotection/get-azdataprotectionbackupinstance?view=azps-5.7.0&preserve-view=true) command.

-To trigger an on-demand backup, use the [Backup-AzDataProtectionBackupInstanceAdhoc](/powershell/module/az.dataprotection/backup-azdataprotectionbackupinstanceadhoc?view=azps-5.7.0&preserve-view=true) command.

-Track all jobs using the [Get-AzDataProtectionJob](/powershell/module/az.dataprotection/get-azdataprotectionjob?view=azps-5.7.0&preserve-view=true) command. You can list all jobs and fetch a particular job detail.

-You can also use _Az.ResourceGraph_ to track all jobs across all backup vaults. Use the [Search-AzDataProtectionJobInAzGraph](/powershell/module/az.dataprotection/search-azdataprotectionjobinazgraph?view=azps-5.7.0&preserve-view=true) command to fetch the relevant jobs that are across any backup vault.

->You can also move Backup vaults to a different resource group or subscription using [PowerShell](/powershell/module/az.resources/move-azresource?view=azps-6.3.0&preserve-view=true) and [CLI](/cli/azure/resource#az-resource-move).

-To modify the alert settings of the vault, use the [Update-AzRecoveryServicesVault](/powershell/module/az.recoveryservices/update-azrecoveryservicesvault?view=azps-8.2.0&preserve-view=true) command.

-1. Create an action group associated with an email ID using the [New-AzActionGroupReceiver](/powershell/module/az.monitor/new-azactiongroupreceiver?view=azps-8.2.0&preserve-view=true) cmdlet and the [Set-AzActionGroup](/powershell/module/az.monitor/set-azactiongroup?view=azps-8.2.0&preserve-view=true) cmdlet.

-1. Create an alert processing rule that's linked to the above action group using the [Set-AzAlertProcessingRule](/powershell/module/az.alertsmanagement/set-azalertprocessingrule?view=azps-8.2.0&preserve-view=true) cmdlet.

-First fetch all instances using [Get-AzDataProtectionBackupInstance](/powershell/module/az.dataprotection/get-azdataprotectionbackupinstance?view=azps-5.9.0&preserve-view=true) command and identify the relevant instance.

-You can also use Az.Resourcegraph and the [Search-AzDataProtectionBackupInstanceInAzGraph](/powershell/module/az.dataprotection/search-azdataprotectionbackupinstanceinazgraph?view=azps-5.9.0&preserve-view=true) command to search across instances in many vaults and subscriptions.

-Once the point-in-time to restore is fixed, there are multiple options to restore. Use the [Initialize-AzDataProtectionRestoreRequest](/powershell/module/az.dataprotection/initialize-azdataprotectionrestorerequest?view=azps-5.9.0&preserve-view=true) command to prepare the restore request with all relevant details.

-Use the [Start-AzDataProtectionBackupInstanceRestore](/powershell/module/az.dataprotection/start-azdataprotectionbackupinstancerestore?view=azps-5.9.0&preserve-view=true) command to trigger the restore with the request prepared above.

-Track all jobs using the [Get-AzDataProtectionJob](/powershell/module/az.dataprotection/get-azdataprotectionjob?view=azps-5.9.0&preserve-view=true) command. You can list all jobs and fetch a particular job detail.

-You can also use Az.ResourceGraph to track all jobs across all backup vaults. Use the [Search-AzDataProtectionJobInAzGraph](/powershell/module/az.dataprotection/search-azdataprotectionjobinazgraph?view=azps-5.9.0&preserve-view=true) command to get the relevant job which can be across any backup vault.

-Fetch all instances using [Get-AzDataProtectionBackupInstance](/powershell/module/az.dataprotection/get-azdataprotectionbackupinstance?view=azps-5.7.0&preserve-view=true) command and identify the relevant instance.

-You can also use **Az.Resourcegraph** and the [Search-AzDataProtectionBackupInstanceInAzGraph](/powershell/module/az.dataprotection/search-azdataprotectionbackupinstanceinazgraph?view=azps-5.7.0&preserve-view=true) command to search across instances in many vaults and subscriptions.

-Use the [Initialize-AzDataProtectionRestoreRequest](/powershell/module/az.dataprotection/initialize-azdataprotectionrestorerequest?view=azps-5.7.0&preserve-view=true) command to prepare the restore request with all relevant details.

-Use the [Start-AzDataProtectionBackupInstanceRestore](/powershell/module/az.dataprotection/start-azdataprotectionbackupinstancerestore?view=azps-5.7.0&preserve-view=true) command to trigger the restore with the request prepared above.

-Track all the jobs using the [Get-AzDataProtectionJob](/powershell/module/az.dataprotection/get-azdataprotectionjob?view=azps-5.7.0&preserve-view=true) command. You can list all jobs and fetch a particular job detail.

-You can also use **Az.ResourceGraph** to track all jobs across all backup vaults. Use the [Search-AzDataProtectionJobInAzGraph](/powershell/module/az.dataprotection/search-azdataprotectionjobinazgraph?view=azps-5.7.0&preserve-view=true) command to get the relevant job, which can be across any backup vault.

-Fetch all instances using [Get-AzDataProtectionBackupInstance](/powershell/module/az.dataprotection/get-azdataprotectionbackupinstance?view=azps-5.7.0&preserve-view=true) command and identify the relevant instance.

-You can also use **Az.Resourcegraph** and the [Search-AzDataProtectionBackupInstanceInAzGraph](/powershell/module/az.dataprotection/search-azdataprotectionbackupinstanceinazgraph?view=azps-5.7.0&preserve-view=true) command to search recovery points across instances in many vaults and subscriptions.

-Use the [Initialize-AzDataProtectionRestoreRequest](/powershell/module/az.dataprotection/initialize-azdataprotectionrestorerequest?view=azps-5.7.0&preserve-view=true) command to prepare the restore request with all relevant details.

-Use the [Initialize-AzDataProtectionRestoreRequest](/powershell/module/az.dataprotection/initialize-azdataprotectionrestorerequest?view=azps-5.7.0&preserve-view=true) command to prepare the restore request with all relevant details.

-Use the [Start-AzDataProtectionBackupInstanceRestore](/powershell/module/az.dataprotection/start-azdataprotectionbackupinstancerestore?view=azps-5.7.0&preserve-view=true) command to trigger the restore with the request prepared above.

-Track all the jobs using the [Get-AzDataProtectionJob](/powershell/module/az.dataprotection/get-azdataprotectionjob?view=azps-5.7.0&preserve-view=true) command. You can list all jobs and fetch a particular job detail.

-You can also use *Az.ResourceGraph* to track jobs across all Backup vaults. Use the [Search-AzDataProtectionJobInAzGraph](/powershell/module/az.dataprotection/search-azdataprotectionjobinazgraph?view=azps-5.7.0&preserve-view=true) command to get the relevant job, which is across all backup vault.

-VNet injection allows Chaos resource provider to inject containerized workloads into your VNet. This means that resources without public endpoints can be accessed via a private IP address on the VNet. Below are the steps you can follow for vnet injection:

- You should see output similar to the following:

-2. Re-register the `Microsoft.Chaos` resource provider with your subscription.

- You should see output similar to the following:

-3. Create a subnet named `ChaosStudioSubnet` in the VNet you want to inject into. And delegate the subnet to `Microsoft.ContainerInstance/containerGroups` service.

-4. Set the `properties.subnetId` property when you create or update the Target resource. The value should be the resource ID of the subnet created in step 3.

- URL=https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.ContainerService/managedClusters/$AKS_CLUSTER/providers/Microsoft.Chaos/targets/microsoft-azurekubernetesservicechaosmesh?api-version=2022-10-01-preview

- SUBNET_ID=/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$AKS_INFRA_RESOURCE_GROUP/providers/Microsoft.Network/virtualNetworks/$AKS_VNET/subnets/ChaosStudioSubnet

- BODY="{ \"properties\": { \"subnetId\": \"$SUBNET_ID\" } }"

-5. Start the experiment.

-* At present the VNet injection will only be possible in subscriptions/regions where Azure Container Instances and Azure Relay are available. They are deployed to target regions.

-* When you create a Target resource that you would like to enable with VNet injection, you will need Microsoft.Network/virtualNetworks/subnets/write access to the virtual network. For example, if the AKS cluster is deployed to VNet_A, then you must have permissions to create subnets in VNet_A in order to enable VNet injection for the AKS cluster. You will have to specify a subnet (in VNet_A) that the container will be deployed to.

-<!--

-TODO:

-CBL-Mariner. You can get a full list of installed package versions using the following command:

-`tdnf list installed`. If these changes affected your Cloud Shell environment, contact Azure Support

-or create an issue in the [Cloud Shell repository][12].

-[Learn more about persisting files in Cloud Shell.][29]

-filesystem navigation. You can continue to use the familiar [Azure PowerShell cmdlets][07] to manage

-![Screenshot of an Azure Cloud Shell being initialized and a list of directory resources.][26]

-![Screenshot of an Azure Cloud Shell running the commands Connect-EXOPSSession and Get-User.][27]

-![Screenshot of an Azure Cloud Shell running the command Get-Command -Module tmp_*.][28]

-<!--

-TODO:

-Linux tools

-Azure tools

-Text editors

-Source control

-Build tools

-Containers

-Databases

-Other

-### Language support

-| Language | Version |

-| - | |

-| .NET Core | [6.0.402][16] |

-| Go | 1.9 |

-| Java | 1.8 |

-| Node.js | 8.16.0 |

-| PowerShell | [7.2][08] |

-| Python | 2.7 and 3.7 (default) |

-[05]: ../azure-functions/functions-run-local.md

-[06]: /cli/azure/

-[07]: /powershell/azure

-[08]: /powershell/scripting/whats-new/what-s-new-in-powershell-72

-[09]: /sql/tools/sqlcmd-utility

-[10]: https://batch-shipyard.readthedocs.io/en/latest/

-[11]: https://blobxfer.readthedocs.io/en/latest/

-[12]: https://github.com/Azure/CloudShell/issues

-[17]: https://helm.sh/docs/

-[19]: https://kubernetes.io/docs/user-guide/kubectl-overview/

-[20]: https://pnp.github.io/office365-cli/

-[21]: https://puppet.com/docs/bolt/latest/bolt.html

-[22]: https://www.ansible.com/microsoft-azure

-[23]: https://docs.chef.io/

-[24]: https://developer.hashicorp.com/packer/docs

-[25]: https://www.terraform.io/docs/providers/azurerm/

-[26]: media/features/azure-drive.png

-[27]: media/features/exchangeonline.png

-[28]: medilets.png

-[29]: persisting-shell-storage.md

-[30]: quickstart-powershell.md

-[31]: quickstart.md

-<!--

-TODO:

-<!--

-TODO:

-Cloud Shell supports the latest versions of Microsoft Edge, Microsoft Internet Explorer, Google

-Chrome, Mozilla Firefox, and Apple Safari. Safari in private mode isn't supported.

- <kbd>Shift</kbd>-<kbd>Insert</kbd> to paste.

- - FireFox/IE may not support clipboard permissions properly.

-restarts the Cloud Shell session and terminate the existing session. To avoid losing your current

-<!--

-TODO:

-### `SqlServer` module functionality

-The `SqlServer` module included in Cloud Shell has only prerelease support for PowerShell Core. In

-particular, `Invoke-SqlCmd` isn't available yet.

-as vim or nano, the files are saved to the `$HOME` by default.

-### GUI applications aren't supported

-If the user runs a command that would create a dialog box, one sees an error message such

-as:

-> Unable to load DLL 'IEFRAME.dll': The specified module couldn't be found.

-[02]: persisting-shell-storage.md#mount-a-new-clouddrive

-[03]: quickstart-powershell.md

-[04]: quickstart.md

-[05]: troubleshooting.md

-Access key authentication is suitable for service applications running in a trusted service environment. Your access key can be found in the Azure Communication Services portal. The service application uses it as a credential to initialize the corresponding SDKs. See an example of how it is used in the [Identity SDK](../quickstarts/access-tokens.md).

-User access tokens are generated using the Identity SDK and are associated with users created in the Identity SDK. See an example of how to [create users and generate tokens](../quickstarts/access-tokens.md). Then, user access tokens are used to authenticate participants added to conversations in the Chat or Calling SDK. For more information, see [add chat to your app](../quickstarts/chat/get-started.md). User access token authentication is different compared to access key and Azure AD authentication in that it is used to authenticate a user rather than a secured Azure resource.

-> [Create user access tokens](../quickstarts/access-tokens.md)

-* [Create and manage access tokens](../quickstarts/access-tokens.md)

-* For an introduction to access token management, see [Create and manage access tokens](../quickstarts/access-tokens.md).

-Azure Communication Services maintains a directory of identities, use the [DeleteIdentity](/rest/api/communication/communication-identity/delete?tabs=HTTP) API to remove them. Deleting an identity will revoke all associated access tokens and delete their chat messages. For more information on how to remove an identity [see this page](../quickstarts/access-tokens.md).

-[useraccesstokens]: ../../quickstarts/access-tokens.md?pivots=programming-language-csharp

- For details, see [Use Azure CLI to Create and Manage Access Tokens](../../quickstarts/access-tokens.md?pivots=platform-azcli).

-For details on using the CLI, see [Use Azure CLI to Create and Manage Access Tokens](../../quickstarts/access-tokens.md?pivots=platform-azcli).

- - A user access token to enable the calling client. For more information, see [Create and manage access tokens](../../quickstarts/access-tokens.md).

-# How to integrate with Microsoft Teams Data Loss Prevention policies by subscribing to real-time chat notifications

- if(e.messageBody == ΓÇ£ΓÇ¥ && e.sender.kind == "microsoftTeamsUser")

- // Show UI message blocked

-|**[Create your first user access token](./quickstarts/access-tokens.md)**|User access tokens authenticate clients against your Azure Communication Services resource. These tokens are provisioned and reissued using Communication Services Identity APIs and SDKs.|

-description: Learn how to manage identities and access tokens by using the Azure Communication Services Identity SDK.

-zone_pivot_groups: acs-azcli-js-csharp-java-python

-# Quickstart: Create and manage access tokens

-Access tokens let Azure Communication Services SDKs [authenticate](../concepts/authentication.md) directly against Azure Communication Services as a particular identity. You'll need to create access tokens if you want your users to join a call or chat thread within your application.

-In this quickstart, you'll learn how to use the Azure Communication Services SDKs to create identities and manage your access tokens. For production use cases, we recommend that you generate access tokens on a [server-side service](../concepts/client-and-server-architecture.md).

-## Use identity for monitoring and metrics

-The user ID is intended to act as a primary key for logs and metrics that are collected through Azure Monitor. To view all of a user's calls, for example, you can set up your authentication in a way that maps a specific Azure Communication Services identity (or identities) to a single user.

-Learn more about [authentication concepts](../concepts/authentication.md), call diagnostics through [log analytics](../concepts/analytics/log-analytics.md), and [metrics](../concepts/metrics.md) that are available to you.

-## Clean up resources

-To clean up and remove a Communication Services subscription, delete the resource or resource group. Deleting a resource group also deletes any other resources that are associated with it. For more information, see the "Clean up resources" section of [Create and manage Communication Services resources](./create-communication-resource.md#clean-up-resources).

-## Next steps

-In this quickstart, you learned how to:

-> [!div class="checklist"]

-> * Manage identities

-> * Issue access tokens

-> * Use the Communication Services Identity SDK

-> [!div class="nextstepaction"]

-> [Add voice calling to your app](./voice-video-calling/getting-started-with-calling.md)

-You might also want to:

-1. Create a Communication Services user and issue a [user access token](../../quickstarts/access-tokens.md). Be sure to set the scope to **chat**. *Copy the token string and the user ID string*.

-> [Create your first user access tokens](access-tokens.md)

-description: Learn how to manage identities and access tokens for Teams external users by using the Azure Communication Services Identity SDK.

-zone_pivot_groups: acs-azcli-js-csharp-java-python

-# Quickstart: Create and manage access tokens for Teams external users

-Teams external users are authenticated as Azure Communication Services users in Teams. With an access token for Azure Communication Services users, you can use chat and calling SDKs to join Teams meeting audio, video, and chat as Teams external user. The quickstart here is identical to [identity and access token management of Azure Communication Services users](../access-tokens.md).

-In this quickstart, you'll learn how to use the Azure Communication Services SDKs to create identities and manage your access tokens. For production use cases, we recommend that you generate access tokens on a [server-side service](../../concepts/client-and-server-architecture.md).

-## Use identity for monitoring and metrics

-The user ID is a primary key for logs and metrics collected through Azure Monitor. To view all of a user's calls, for example, you can set up your authentication in a way that maps a specific Azure Communication Services identity (or identities) to a single user.

-Learn more about [authentication concepts](../../concepts/authentication.md), call diagnostics through [log analytics](../../concepts/analytics/log-analytics.md), and [metrics](../../concepts/metrics.md) that are available to you.

-## Clean up resources

-Delete the resource or resource group to clean up and remove a Communication Services subscription. Deleting a resource group also deletes any other resources that are associated with it. For more information, see the "Clean up resources" section of [Create and manage Communication Services resources](../create-communication-resource.md#clean-up-resources).

-## Next steps

-In this quickstart, you learned how to:

-> [!div class="checklist"]

-> * Manage Teams external user identity

-> * Issue access tokens for Teams external user

-> * Use the Communication Services Identity SDK

-> [!div class="nextstepaction"]

-> [Add Teams meeting voice to your app](../voice-video-calling/get-started-teams-interop.md)

-You might also want to:

-description: In this quickstart, learn how to manage users and access tokens in Azure Logic Apps workflows by using the Azure Communication Services Identity connector.

-# Quickstart: Create and Manage Azure Communication Services users and access tokens in Microsoft Power Automate

-Access tokens let Azure Communication Services connectors authenticate directly against Azure Communication Services as a particular identity. You'll need to create access tokens if you want to perform actions like send a message in a chat using the [Azure Communication Services Chat](../chat/logic-app.md) connector.

-This quickstart shows how to [create a user](#create-user), [delete a user](#delete-a-user), [issue a user an access token](#issue-a-user-access-token) and [remove user access token](#revoke-user-access-tokens) using the [Azure Communication Services Identity](https://powerautomate.microsoft.com/connectors/details/shared_acsidentity/azure-communication-services-identity/) connector.

-## Prerequisites

-## Create user

-Add a new step in your workflow by using the Azure Communication Services Identity connector, follow these steps in Power Automate with your Power Automate flow open in edit mode.

-1. On the designer, under the step where you want to add the new action, select New step. Alternatively, to add the new action between steps, move your pointer over the arrow between those steps, select the plus sign (+), and select Add an action.

-1. In the Choose an operation search box, enter Communication Services Identity. From the actions list, select Create a user.

- :::image type="content" source="./media/logic-app/azure-communications-services-connector-create-user.png" alt-text="Screenshot that shows the Azure Communication Services Identity connector Create user action.":::

-1. Provide the Connection String. This can be found in the [Microsoft Azure](https://portal.azure.com/), within your Azure Communication Service Resource, on the Keys option from the left menu > Connection String

- :::image type="content" source="./media/logic-app/azure-portal-connection-string.png" alt-text="Screenshot that shows the Keys page within an Azure Communication Services Resource." lightbox="./media/logic-app/azure-portal-connection-string.png":::

-1. Provide a Connection Name

-1. Click **Create**

- This action will output a User ID, which is a Communication Services user identity.

- Additionally, if you click ΓÇ£Show advanced optionsΓÇ¥ and select the Token Scope the action will also output an access token and its expiration time with the specified scope.

- :::image type="content" source="./media/logic-app/azure-communications-services-connector-create-user-action.png" alt-text="Screenshot that shows the Azure Communication Services connector Create user action.":::

- :::image type="content" source="./media/logic-app/azure-communications-services-connector-create-user-action-advanced.png" alt-text="Screenshot that shows the Azure Communication Services connector Create user action advanced options.":::

-## Issue a user access token

-After you have a Communication Services identity, you can use the Issue a user access token action to issue an access token. The following steps will show you how:

-1. Add a new action and enter Communication Services Identity in the search box. From the actions list, select Issue a user access token.

- :::image type="content" source="./media/logic-app/azure-communications-services-connector-issue-access-token-action.png" alt-text="Screenshot that shows the Azure Communication Services Identity connector Issue access token action.":::

-

-1. Then, you can use the User ID output from the previous [Create a user](#create-user) step.

-1. Specify the token scope: VoIP or chat. [Learn more about tokens and authentication](../../concepts/authentication.md).

-

- :::image type="content" source="./media/logic-app/azure-communications-services-connector-issue-access-token-action-token-scope.png" alt-text="Screenshot that shows the Azure Communication Services Identity connector Issue access token action, specifying the token scope.":::

-This will output an access token and its expiration time with the specified scope.

-## Revoke user access tokens

-After you have a Communication Services identity, you can use the Issue a user access token action to revoke an access token . The following steps will show you how:

-1. Add a new action and enter Communication Services Identity in the search box. From the actions list, select Revoke user access tokens.

-

- :::image type="content" source="./media/logic-app/azure-communications-services-connector-revoke-access-token-action.png" alt-text="Screenshot that shows the Azure Communication Services Identity connector Revoke access token action.":::

-1. Specify the User ID

- :::image type="content" source="./media/logic-app/azure-communications-services-connector-revoke-access-token-action-user-id.png" alt-text="Screenshot that shows the Azure Communication Services Identity connector Revoke access token action input.":::

-

-This will revoke all user access tokens for the specified user, there are no outputs for this action.

-## Delete a user

-After you have a Communication Services identity, you can use the Issue a user access token action to delete an access token . The following steps will show you how:

-1. Add a new action and enter Communication Services Identity in the search box. From the actions list, select Delete a user.

- :::image type="content" source="./media/logic-app/azure-communications-services-connector-delete-user.png" alt-text="Screenshot that shows the Azure Communication Services Identity connector Delete user action.":::

-1. Specify the User ID

-

- :::image type="content" source="./media/logic-app/azure-communications-services-connector-delete-user-id.png" alt-text="Screenshot that shows the Azure Communication Services Identity connector Delete user action input.":::

- This will remove the user and revoke all user access tokens for the specified user, there are no outputs for this action.

-## Test your logic app

-To manually start your workflow, on the designer toolbar, select **Run**. The workflow should create a user, issue an access token for that user, then remove it and delete the user. For more information, review [how to run your workflow](../../../logic-apps/quickstart-create-first-logic-app-workflow.md#run-workflow). You can check the outputs of these actions after the workflow runs successfully.

-## Clean up resources

-To remove a Communication Services subscription, delete the Communication Services resource or resource group. Deleting the resource group also deletes any other resources in that group. For more information, review [how to clean up Communication Services resources](../create-communication-resource.md#clean-up-resources).

-To clean up your logic app workflow and related resources, review [how to clean up Logic Apps resources](../../../logic-apps/quickstart-create-first-logic-app-workflow.md#clean-up-resources).

-## Next steps

-In this quickstart, you learned how to create a user, delete a user, issue a user an access token and remove user access token using the Azure Communication Services Identity connector. To learn more check the [Azure Communication Services Identity Connector](/connectors/acsidentity/) documentation.

-To see how tokens are use by other connectors, check out [how to send a chat message](../chat/logic-app.md) from Power Automate using Azure Communication Services.

-To learn more about how to send an email using the Azure Communication Services Email connector check [Send email message in Power Automate with Azure Communication Services](../email/logic-app.md).

-description: Learn how to use the Identities & Access Tokens tool in the Azure portal to use with samples and for troubleshooting.

-# Quickstart: Quickly create Azure Communication Services access tokens for testing

-In the [Azure portal](https://portal.azure.com) Communication Services extension, you can generate a Communication Services identity and access token. This lets you skip creating an authentication service, which makes it easier for you to test the sample apps and simple development scenarios. This feature is intended for small-scale validation and testing and should not be used for production scenarios. For production code, refer to the [creating access tokens quickstart](../access-tokens.md).

-The tool showcases the behavior of the ```Identity SDK``` in a simple user experience. Tokens and identities that are created through this tool follow the same behaviors and rules as if they were created using the ```Identity SDK```. For example, access tokens expire after 24 hours.

-## Prerequisites

-## Create the access tokens

-In the [Azure portal](https://portal.azure.com), navigate to the **Identities & User Access Tokens** blade within your Communication Services resource.

-Choose the scope of the access tokens. You can select none, one, or multiple. Click **Generate**.

-

-You'll see an identity and corresponding user access token generated. You can copy these strings and use them in the [sample apps](../../samples/overview.md) and other testing scenarios.

-

-## Next steps

-You may also want to:

-You'll need to create a User Access Token for each call participant. [Learn how to create and manage user access tokens](../access-tokens.md). You can also use the Azure CLI and run the command below with your connection string to create a user and an access token.

-For details, see [Use Azure CLI to Create and Manage Access Tokens](../access-tokens.md?pivots=platform-azcli).

->If you are looking to get started with Azure Communication Services, but are still in learning / prototyping phases, check out our [quickstarts for getting started with Azure communication services users and access tokens](../quickstarts/access-tokens.md?pivots=programming-language-csharp).

-Microsoft empowers event platforms to integrate event capabilities using [Microsoft Teams](/microsoftteams/quick-start-meetings-live-events), [Graph](/graph/api/application-post-onlinemeetings?tabs=http&view=graph-rest-beta) and [Azure Communication Services](../overview.md). Virtual Events are a communication modality where event organizers schedule and configure a virtual environment for event presenters and participants to engage with content through voice, video, and chat. Event management platforms enable users to configure events and for attendees to participate in those events, within their platform, applying in-platform capabilities and gamification. Learn more about [Teams Meetings, Webinars and Live Events](/microsoftteams/quick-start-meetings-live-events) that are used throughout this article to enable virtual event scenarios.

- 1. As part of the application setup, the service account is used to login into the solution once. With this permission the application can retrieve and store an access token on behalf of the service account that will own the meetings. Your application will need to store the tokens generated from the login and place them in a secure location such as a key vault. The application will need to store both the access token and the refresh token. Learn more about [auth tokens](../../active-directory/develop/access-tokens.md). and [refresh tokens](../../active-directory/develop/refresh-tokens.md).

- 1. The application will require "on behalf of" permissions with the [offline scope](../../active-directory/develop/v2-permissions-and-consent.md#offline_access) to act on behalf of the service account for the purpose of creating meetings. Individual Graph APIs require different scopes, learn more in the links detailed below as we introduce the required APIs.

- 1. Refresh tokens can be revoked in the event of a breach or account termination

- 1. The [Create Calendar Event API](/graph/api/user-post-events?tabs=http&view=graph-rest-1.0) to POST the new event to be created. The Event object returned will contain the join URL required for the next step. Need to set the following parameter: `isonlinemeeting: true` and `onlineMeetingProvider: "teamsForBusiness"`. Set a time zone for the event, using the `Prefer` header.

- 1. Next, use the [Create Online Meeting API](/graph/api/application-post-onlinemeetings?tabs=http&view=graph-rest-beta) to `GET` the online meeting information using the join URL generated from the step above. The `OnlineMeeting` object will contain the `meetingId` required for the registration steps.

-3. To enable registration for an event, Contoso can use the [External Meeting Registration API](/graph/api/resources/externalmeetingregistration?view=graph-rest-beta) to POST. The API requires Contoso to pass in the `meetingId` of the `OnlineMeeting` created above. Registration is optional. You can set options on who can register.

-Event management platforms can use a custom registration flow to register attendees. This flow is powered by the [External Meeting Registrant API](/graph/api/externalmeetingregistrant-post?tabs=http&view=graph-rest-beta). By using the API Contoso will receive a unique `Teams Join URL` for each attendee. This URL will be used as part of the attendee experience either through Teams or Azure Communication Services to have the attendee join the meeting.

-1. To start, developers can leverage Microsoft Graph APIs to retrieve the join URL. This URL is provided uniquely per attendee during [registration](/graph/api/externalmeetingregistrant-post?tabs=http&view=graph-rest-beta). Alternatively, it can be [requested for a given meeting](/graph/api/onlinemeeting-get?tabs=http&view=graph-rest-beta).

-2. Before developers dive into using [Azure Communication Services](../overview.md), they must [create a resource](../quickstarts/create-communication-resource.md?pivots=platform-azp&tabs=windows).

-3. Once a resource is created, developers must [generate access tokens](../quickstarts/access-tokens.md?pivots=programming-language-javascript) for attendees to access Azure Communication Services. We recommend using a [trusted service architecture](../concepts/client-and-server-architecture.md).

-| Developers can leverage the [calling](../quickstarts/voice-video-calling/get-started-teams-interop.md?pivots=platform-javascript) and [chat](../quickstarts/chat/meeting-interop.md?pivots=platform-javascript) SDKs to join a Teams meeting with your custom client | Developers can choose between the [call + chat](https://azure.github.io/communication-ui-library/?path=/docs/composites-meeting-basicexample--basic-example) or pure [call](https://azure.github.io/communication-ui-library/?path=/docs/composites-call-basicexample--basic-example) and [chat](https://azure.github.io/communication-ui-library/?path=/docs/composites-chat-basicexample--basic-example) composites to build their experience. Alternatively, developers can leverage [composable components](https://azure.github.io/communication-ui-library/?path=/docs/quickstarts-uicomponents--page) to build a custom Teams interop experience.|

-The Sample BuilderΓÇÖs consumer experience does not authenticate the end user, but provides [Azure Communication Services user access tokens](../quickstarts/access-tokens.md) to any random visitor. That isnΓÇÖt realistic for most scenarios, and you will want to implement an authentication scheme.

-**Azure Container Instances with Confidential containers (AMD SEV_SNP)** are the first serverless offering that helps protect your container deployments with confidential computing through AMD SEV-SNP technology. Read more on the product [here](https://aka.ms/ccacipreview).

-There are two programming and deployment models on Azure Kubernetes Service (AKS).

-<!-- You can deploy containers with confidential application enclaves. This method of container deployments has the strongest security and compute isolation, with a lower Trusted Computing Base (TCB). Confidential containers based on Intel Software Guard Extensions (SGX) that run in the hardware-based Trusted Execution Environment (TEE) are available. These containers support lifting and shifting your existing container apps. Another option is to allow building custom apps with enclave awareness. -->

-**Unmodified containers** support higher programming languages on Intel SGX through the Azure Partner ecosystem of OSS projects. For more information, see the [unmodified containers deployment flow and samples](./confidential-containers.md).

-This model works well for off the shelf container applications available in the market or custom apps currently running on general purpose nodes

-description: Learn about unmodified lift and shift container support to confidential containers.

-Confidential containers provide a set of features and capabilities to further secure your standard container workloads to achieve higher data security by running them in a Trusted Execution Environment (TEE). Azure offers a portfolio of capabilities through different confidential container options as discussed below.

-Confidential containers on Azure run within an enclave-based TEE or VM based TEE environments. Both deployment models help achieve high-isolation and memory encryption through hardware-based assurances. Confidential computing can enhance your deployment security posture in Azure cloud by protecting your memory space through encryption.

-## VM Isolated Confidential containers on Azure Container Instances (ACI) - Private Preview

-Confidential Containers on ACI platform leverages VM-based trusted execution environments (TEEs) based on AMDΓÇÖs SEV-SNP technology. The TEE provides memory encryption and integrity of the utility VMΓÇÖs address space as well as hardware-level isolation from other container groups, the host operating system, and the hypervisor. The Root-of-Trust (RoT), which is responsible for managing the TEE, provides support for remote attestation, including issuing an attestation report which may be used by a relying party to verify that the utility VM has been created and configured on a genuine AMD SEV-SNP CPU. Read more on the product [here](https://aka.ms/ccacipreview)

- Run `az --version` to find the version. If you need to install or upgrade, see [Install the Azure CLI](../container-registry/container-registry-get-started-azure-cli.md).

-### Create an AKS cluster with a system node pool

-### Add an user node pool with confidential computing capabilities to the AKS cluster<a id="add-a-user-node-pool-with-confidential-computing-capabilities-to-the-aks-cluster"></a>

-> If you are using a Intel SGX wrapper software (OSS/ISV) to run you unmodified containers the attestation interaction with hardware is typically handled for your higher level apps. Please refer to the attestation implementation per provider.

- | - | - |

- | `logProcessor.appLogs.logAnalyticsConfig.sharedKey` | Required only when `logProcessor.appLogs.destination` is set to `log-analytics`. The base64-encoded Log analytics workspace shared key. This parameter should be configured as a protected setting. |4

- | `envoy.annotations.service.beta.kubernetes.io/azure-load-balancer-resource-group` | The name of the resource group in which the Azure Kubernetes Service cluster resides. Valid and required only when the underlying cluster is Azure Kubernetes Service. |

- | | |

-||||||

-| `<extensionName>-k8se-log-processor` | Gathers logs from apps and other components and sends them to Log Analytics. | 2 | 200 millicpu | 500 MB | |

-The Distributed Application Runtime ([Dapr][dapr-concepts]) is a set of incrementally adoptable features that simplify the authoring of distributed, microservice-based applications. For example, Dapr provides capabilities for enabling application intercommunication, whether through messaging via pub/sub or reliable and secure service-to-service calls. Once Dapr is enabled for a container app, a secondary process will be created alongside your application code that will enable communication with Dapr via HTTP or gRPC.

-| `--dapr-app-port` | `dapr.appPort` | The port your application is listening on which will be used by Dapr for communicating to your application |

-The above Dapr configuration values are considered application-scope changes. When you run a container app in multiple revision mode, changes to these settings won't create a new revision. Instead, all existing revisions will be restarted to ensure they're configured with the most up-to-date values.

-By default, all Dapr-enabled container apps within the same environment will load the full set of deployed components. To ensure components are loaded at runtime by only the appropriate container apps, application scopes should be used. In the example below, the component will only be loaded by the two Dapr-enabled container apps with Dapr application IDs `APP-ID-1` and `APP-ID-2`:

-> Kubernetes secrets, Local environment variables and Local file Dapr secret stores are not supported in Container Apps. As an alternative for the upstream Dapr default Kubernetes secret store, container apps provides a platform-managed approach for creating and leveraging Kubernetes secrets.

-You can choose to restore any combination of provisioned throughput containers, shared throughput database, or the entire account. The restore action restores all data and its index properties into a new account. The restore process ensures that all the data restored in an account, database, or a container is guaranteed to be consistent up to the restore time specified. The duration of restore will depend on the amount of data that needs to be restored.

-* Firewall, VNET, Data plane RBAC or private endpoint settings.

-* Consistency settings. By default, the account is restored with session consistency. ΓÇâ

-You can add these configurations to the restored account after the restore is completed.

-1. Sign into the [Azure portal](https://portal.azure.com/) and navigate to your subscription.

-1. Install the [latest version of Azure PowerShell](/powershell/azure/install-az-ps?view=azps-6.2.1&preserve-view=true) or any version higher than 6.2.0.

- * Before provisioning the account, install any version of Azure PowerShell higher than 6.2.0. For more information about the latest version of Azure PowerShell, see [latest version of Azure PowerShell](/powershell/azure/install-az-ps?view=azps-6.2.1&preserve-view=true).

-Before restoring the account, install the [latest version of Azure PowerShell](/powershell/azure/install-az-ps?view=azps-6.2.1&preserve-view=true) or version higher than 6.2.0. Next connect to your Azure account and select the required subscription with the following commands:

-[User Access Administrator](../../role-based-access-control/built-in-roles.md#user-access-administrator) rights are required before you can grant users or groups the Reservation Administrator and Reservation Reader roles at the tenant level. In order to get User Access Administrator rights at the tenant level, follow [Elevate access](../../role-based-access-control/elevate-access-global-admin.md) steps.

-## Add a Reservation Administrator role or Reservation Reader role at the tenant level

-2. At the top of the page, select **Role Assignment**.

-3. To make modifications, add user as a Reservation Administrator or Reservation Reader using Access control.

-## Add a Reservation Administrator role at the tenant level using Azure PowerShell script

-### Parameters

-## Assign a Reservation Reader role at the tenant level using Azure PowerShell script

-### Parameters

-* Continuous, real-time streaming is coming soon.

-* Allow schema drift is coming soon.

-## Create a linked service to Azure database for PostgreSQL using UI

-description: This tutorial provides step-by-step instructions on how to capture changed data from ADLS Gen2 to SQL DB using a Change data capture resource.

-# How to capture changed data from ADLS Gen2 to SQL DB using a Change data capture resource

-In this tutorial, you will use the Azure Data Factory user interface (UI) to create a new Change data capture resource that picks up changed data from an Azure Data Lake Storage (ADLS) Gen2 source to a SQL Database. The configuration pattern in this tutorial can be modified and expanded upon.

-* Create a change data capture resource.

-* Monitor change data capture activity.

-* **Azure SQL Database.** You will use Azure SQL DB as a target data store. If you donΓÇÖt have a SQL DB, please create one in the Azure portal first before continuing the tutorial.

-1. Navigate to the **Author** blade in your data factory. You will see a new top-level artifact under **Pipelines** called **Change data capture (preview)**.

- :::image type="content" source="media/adf-cdc/change-data-capture-resource-2.png" alt-text="Screenshot of new top level artifact shown under Factory resources panel.":::

-2. To create a new **Change data capture**, hover over **Change data capture (preview)** until you see 3 dots appear. Click on the **Change data capture actions**.

- :::image type="content" source="media/adf-cdc/change-data-capture-resource-3.png" alt-text="Screenshot of Change data capture (preview) Actions after hovering on the new top-level artifact.":::

-3. Select **New change data capture (preview)**. This will open a flyout to begin the guided process.

- :::image type="content" source="media/adf-cdc/change-data-capture-resource-4.png" alt-text="Screenshot of a list of change data capture actions.":::

- :::image type="content" source="media/adf-cdc/change-data-capture-resource-5.png" alt-text="Screenshot of the text box to update the name of the resource.":::

- :::image type="content" source="media/adf-cdc/change-data-capture-resource-6.png" alt-text="Screenshot of the guided process flyout with source options in a drop-down selection menu.":::

- :::image type="content" source="media/adf-cdc/change-data-capture-resource-7.png" alt-text="Screenshot of the selection box to choose or create a new linked service.":::

- :::image type="content" source="media/adf-cdc/change-data-capture-resource-8.png" alt-text="Screenshot of a folder icon to browse for a folder path.":::

- :::image type="content" source="media/adf-cdc/change-data-capture-resource-9.png" alt-text="Screenshot of the continue button in the guided process to proceed to select data targets.":::

- :::image type="content" source="media/adf-cdc/change-data-capture-resource-10.png" alt-text="Screenshot of a drop-down selection menu of all data target types.":::

- :::image type="content" source="media/adf-cdc/change-data-capture-resource-11.png" alt-text="Screenshot of the selection box to choose or create a new linked service to your data target.":::

-11. Create new **Target table(s)** or select an existing **Target table(s)**. Use the checkbox to make your selection(s). The **Preview** button will allow you to view your table data.

- :::image type="content" source="media/adf-cdc/change-data-capture-resource-12.png" alt-text="Screenshot of the create new tables button and the selection boxes to choose tables for your target.":::

- :::image type="content" source="media/adf-cdc/change-data-capture-resource-13.png" alt-text="Screenshot of the continue button in the guided process to proceed to the next step.":::

-> You can choose multiple target tables from your SQL DB. Use the check boxes to select all targets.

- :::image type="content" source="media/adf-cdc/change-data-capture-resource-14.png" alt-text="Screenshot of the change data capture studio.":::

- :::image type="content" source="media/adf-cdc/change-data-capture-resource-15.png" alt-text="Screenshot of the source to target mapping in the change data capture studio.":::

-15. Once youΓÇÖve selected your tables, you should see that there are columns mapped. Select the **Column mappings** button to view the column mappings.

- :::image type="content" source="media/adf-cdc/change-data-capture-resource-16.png" alt-text="Screenshot of the mapping icon to view column mappings.":::

-16. Here you can view your column mappings. Use the drop-down lists to edit your column mappings for **Mapping method**, **Source column**, and **Target** column.

- :::image type="content" source="media/adf-cdc/change-data-capture-resource-17.png" alt-text="Screenshot of the column mappings.":::

- You can add additional column mappings using the **New mapping** button. Use the drop-down lists to select the **Mapping method**, **Source column**, and **Target** column.

- :::image type="content" source="media/adf-cdc/change-data-capture-resource-18.png" alt-text="Screenshot of the Add new mapping icon to add new column mappings.":::

-17. When your mapping is complete, click the back arrow to return to the main canvas.

- :::image type="content" source="media/adf-cdc/change-data-capture-resource-19.png" alt-text="Screenshot of the arrow icon to return to the main change data capture canvas.":::

-> [!NOTE]

-> You can add additional source to target mappings in one CDC artifact. Use the edit button to select more data sources and targets. Then, click **New mapping** and use the drop-down lists to set a new source and target mapping.

- :::image type="content" source="media/adf-cdc/change-data-capture-resource-20.png" alt-text="Screenshot of the edit button to add new sources.":::

-

- :::image type="content" source="media/adf-cdc/change-data-capture-resource-21.png" alt-text="Screenshot of the new mapping button to set a new source to target mapping.":::

-18. Once your mapping complete, set your frequency using the **Set Latency** button.

- :::image type="content" source="media/adf-cdc/change-data-capture-resource-22.png" alt-text="Screenshot of the set frequency button at the top of the canvas.":::

-19. Select the cadence of your change data capture and click **Apply** to make the changes. By default, it will be set to 15 minutes.

-For example, if you select 30 minutes, every 30 minutes, your change data capture will process your source data and pick up any changed data since the last processed time.

-> The option to select Real-time to enable streaming data integration is coming soon.

-20. Once everything has been finalized, publish your changes.

-> If you do not publish your changes, you will not be able to start your CDC resource. The start button will be grayed out.

-21. Click **Start** to start running your **Change data capture**.

- :::image type="content" source="media/adf-cdc/change-data-capture-resource-25.png" alt-text="Screenshot of the start button at the top of the canvas.":::

- :::image type="content" source="media/adf-cdc/change-data-capture-resource-26.png" alt-text="Screenshot of an actively running change data capture resource.":::

-

- :::image type="content" source="media/adf-cdc/change-data-capture-resource-27.png" alt-text="Screenshot of the monitoring blade.":::

- :::image type="content" source="media/adf-cdc/change-data-capture-resource-28.png" alt-text="Screenshot of the monitoring button at the top of the change data capture canvas.":::

-2. Select **Change data capture** to view your CDC resources.

- :::image type="content" source="media/adf-cdc/change-data-capture-resource-29.png" alt-text="Screenshot of the Change data capture monitoring section.":::

- :::image type="content" source="media/adf-cdc/change-data-capture-resource-30.png" alt-text="Screenshot of an overview of the change data capture monitoring page.":::

-4. Click the name of your CDC to see more details. You can see how many rows were read and written and other diagnostic information.

- :::image type="content" source="media/adf-cdc/change-data-capture-resource-31.png" alt-text="Screenshot of the detailed monitoring of a selected change data capture.":::

- :::image type="content" source="media/adf-cdc/change-data-capture-resource-32.png" alt-text="Screenshot of the detailed monitoring page of a change data capture with multiple sources to target mappings.":::

- :::image type="content" source="media/adf-cdc/change-data-capture-resource-33.png" alt-text="Screenshot of a detailed breakdown of each mapping in the change data capture artifact.":::

-You can keep your copy of SAP data fresh and up-to-date by frequently extracting the full dataset, but this approach is expensive and inefficient. You also can use a manual, limited workaround to extract mostly new or updated records. In a process called *watermarking*, extraction requires using a timestamp column, monotonously increasing values, and continuously tracking the highest value since the last extraction. But some tables don't have a column that you can use for watermarking. This process also doesn't identify a deleted record as a change in the dataset.

-You can use this [PowerShell command](/powershell/module/az.datafactory/get-azdatafactoryv2integrationruntime?view=azps-6.1.0&preserve-view=true#example-5--get-self-hosted-integration-runtime-with-detail-status) to get the auto-update version.

-You use data transformation activities in a Data Factory or Synapse [pipeline](concepts-pipelines-activities.md) to transform and process raw data into predictions and insights. The Script activity is one of the transformation activities that pipelines support. This article builds on the [transform data article](transform-data.md), which presents a general overview of data transformation and the supported transformation activities.

-Using the script activity, you can execute common operations with Data Manipulation Language (DML), and Data Definition Language (DDL). DML statements like INSERT, UPDATE, DELETE and SELECT let users insert, modify, delete and retrieve data in the database. DDL statements like CREATE, ALTER and DROP allow a database manager to create, modify, and remove database objects such as tables, indexes, and users.

-The script may contain either a single SQL statement or multiple SQL statements that run sequentially. You can use the Execute SQL task for the following purposes:

-ΓÇ» ΓÇ» "resultSetCount": 2,

-ΓÇ» ΓÇ» "resultSets": [

-ΓÇ» ΓÇ» ΓÇ» ΓÇ» {

-ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "rowCount": 10,

-ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "rows":[

-ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» {

-ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "<columnName1>": "<value1>",

-ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "<columnName2>": "<value2>",

-ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ...

-ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» }

-ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ]

-ΓÇ» ΓÇ» ΓÇ» ΓÇ» },

-ΓÇ» ΓÇ» ΓÇ» ΓÇ» ...

-ΓÇ» ΓÇ» ],

-ΓÇ» ΓÇ» "recordsAffected": 123,

-ΓÇ» ΓÇ» "outputParameters":{

-ΓÇ» ΓÇ» ΓÇ» ΓÇ» "<parameterName1>": "<value1>",

-ΓÇ» ΓÇ» ΓÇ» ΓÇ» "<parameterName2>": "<value2>"

-ΓÇ» ΓÇ» },

-ΓÇ» ΓÇ» "outputLogs": "<logs>",

-ΓÇ» ΓÇ» "outputLogsLocation": "<folder path>",

-ΓÇ» ΓÇ» "outputTruncated": true,

-1. Login and copy script [ip_fwd.sh](https://github.com/sajitsasi/az-ip-fwd/blob/main/ip_fwd.sh) to your backend server VMs.

-2. Run the script on with the following options:<br/>

-For more information about this cmdlet, see [Get-AzVM](/powershell/module/az.compute/get-azvm?view=azps-6.1.0&preserve-view=true).

-For more information about this cmdlet, see [Start-AzVM](/powershell/module/az.compute/start-azvm?view=azps-5.9.0&preserve-view=true).

-For more information about this cmdlet, see [Stop-AzVM cmdlet](/powershell/module/az.compute/stop-azvm?view=azps-5.9.0&preserve-view=true).

-For more information about this cmdlet, see [Remove-AzVm cmdlet](/powershell/module/az.compute/remove-azvm?view=azps-5.9.0&preserve-view=true).

- > You can get the same listing by using [Get-AzResource](/powershell/module/az.resources/get-azresource?view=azps-6.1.0&preserve-view=true) in Azure PowerShell after you set up the Azure Resource Manager environment on your device. For more information, see [Connect to Azure Resource Manager](azure-stack-edge-gpu-connect-resource-manager.md).

-| SsemUserErrorInvalidKeyVaultUrl<br>(Command-line only) | An invalid key vault URI was used. | Get the correct key vault URI. To get the key vault URI, use [Get-AzKeyVault](/powershell/module/az.keyvault/get-azkeyvault?view=azps-7.1.0&preserve-view=true) in PowerShell. |

-1. Select the project that you want your development team members to be able to access.

-2. Select **Access control (IAM)** from the left menu.

- :::image type="content" source=".\media\configure-deployment-environments-user\access-control-page.png" alt-text="Screenshot that shows the link to the access control page.":::

-3. Select **Add** > **Add role assignment**.

- :::image type="content" source=".\media\configure-deployment-environments-user\add-role-assignment.png" alt-text="Screenshot that shows the menu option for adding a role assignment.":::

-4. On the **Add role assignment** page, on the **Role** tab, search for **deployment environments user**, select the **Deployment Environments User** built-in role, and then select **Next**.

-5. On the **Members** tab, select **+ Select members**.

-6. In **Select members**, select the Active Directory users or groups that you want to add, and then choose **Select**.

-7. On the **Members** tab, select **Review + assign**.

-2. Select **Environment types**, and then select the ellipsis (**...**) beside the specific environment type.

-3. Select **Access control (IAM)**.

- :::image type="content" source=".\media\configure-deployment-environments-user\access-control-page.png" alt-text="Screenshot that shows the link to the access control page.":::

-4. Select **Add** > **Add role assignment**.

- :::image type="content" source=".\media\configure-deployment-environments-user\add-role-assignment.png" alt-text="Screenshot that shows the menu option for adding a role assignment.":::

-5. On the **Add role assignment** page, on the **Role** tab, search for **deployment environments user**, select the **Deployment Environments User** built-in role, and then select **Next**.

-6. On the **Members** tab, select **+ Select members**.

-7. In **Select members**, select the Active Directory users or groups that you want to add, and then choose **Select**.

-8. On the **Members** tab, select **Review + assign**.

-2. Select **Access control (IAM)** from the left menu.

- :::image type="content" source=".\media\configure-project-admin\access-control-page.png" alt-text="Screenshot that shows the link to the access control page.":::

-3. Select **Add** > **Add role assignment**.

- :::image type="content" source=".\media\configure-project-admin\add-role-assignment.png" alt-text="Screenshot that shows the menu option for adding a role assignment.":::

-4. On the **Add role assignment** page, on the **Role** tab, search for **devcenter project admin**, select the **DevCenter Project Admin** built-in role, and then select **Next**.

- :::image type="content" source=".\media\configure-project-admin\built-in-role.png" alt-text="Screenshot that shows selecting the built-in DevCenter Project Admin role.":::

-5. On the **Members** tab, select **+ Select members**.

- :::image type="content" source=".\media\configure-project-admin\select-role-members.png" alt-text="Screenshot that shows the link for selecting role members.":::

-

-1. In **Select members**, select the Active Directory users or groups that you want to add, and then choose **Select**.

-7. On the **Members** tab, select **Review + assign**.

-3. Select **Access control (IAM)**.

- :::image type="content" source=".\media\configure-project-admin\access-control-page.png" alt-text="Screenshot that shows the link to the access control page.":::

-4. Select **Add** > **Add role assignment**.

- :::image type="content" source=".\media\configure-project-admin\add-role-assignment.png" alt-text="Screenshot that shows the menu option for adding a role assignment.":::

-5. On the **Add role assignment** page, on the **Role** tab, search for **devcenter project admin**, select the **DevCenter Project Admin** built-in role, and then select **Next**.

- :::image type="content" source=".\media\configure-project-admin\built-in-role.png" alt-text="Screenshot that shows selecting the built-in DevCenter Project Admin role.":::

-6. On the **Members** tab, select **+ Select members**.

-7. In **Select members**, select the Active Directory users or groups that you want to add, and then choose **Select**.

-8. On the **Members** tab, select **Review + assign**.

-In Azure Deployment Environments Preview, a dev infrastructure manager gives developers access to projects and the environment types associated with them. Once a developer has access, they can create deployments environments based on the pre-configured environment types. The dev infrastructure manager can also give management permissions to the creator of the environment, like Owner or Contributor.

-The developer portal provides a graphical interface for creation and management tasks and provides a visual status for your environments and dev boxes. You can create, redeploy, and delete your environments as needed.

-1. The environment resources display in the Azure portal.

-When you need to update your environment parameters, you can redeploy it. The redeployment process updates any existing resources with changed properties and creates any new resources from the catalog item in the environment resource group.

-1. The environment resources display in the Azure portal.

-1. In Azure role assignments, select **Add role assignment (Preview)**, and then enter or select the following information:

- - In **Scope**, select **Subscription**.

- - In **Subscription**, select the subscription in which to use the managed identity.

- - In **Role**, select **Owner**.

- - Select **Save**.

- :::image type="content" source="media/quickstart-create-configure-projects/project-access-control-page.png" alt-text="Screenshot that shows the Access control pane.":::

-1. In **Add role assignment**, enter the following information, and then select **Save**:

- 1. On the **Role** tab, select either [DevCenter Project Admin](how-to-configure-project-admin.md) or [Deployment Environments user](how-to-configure-deployment-environments-user.md).

- 1. On the **Members** tab, select either a **User, group, or service principal** or a **Managed identity** to assign access.

-1. Select **+ Add** > **Add role assignment**.

-1. On the Role tab, select **Reader**, and then select **Next**.

-1. On the Members tab, select **+ Select Members**.

-1. In Select members, search for *Windows 365*, select **Windows 365** from the list, and then select **Select**.

-1. On the Members tab, select **Next**.

-1. On the Review + assign tab, select **Review + assign**.

-1. Select **+ Add** > **Add role assignment**.

-1. On the Role tab, select the **Contributor** role, and then select **Next**.

-1. On the Members tab, under **Assign access to**, select **Managed Identity**, and then select **+ Select Members**.

-1. In Select managed identities, search for and select the user assigned managed identity you created in "Create a Dev center Managed Identity" and then select

-**Select**.

-1. On the Members tab, select **Next**.

-1. On the Review + assign tab, select **Review + assign**.

- :::image type="content" source="./media/how-to-dev-box-user/access-control-tab.png " alt-text="Screenshot showing the Project Access control page with the Access Control link highlighted.":::

-

- :::image type="content" source="./media/how-to-dev-box-user/add-role-assignment.png" alt-text="Screenshot showing the Add menu with Add role assignment highlighted.":::

-1. On the Add role assignment page, on the Role tab, search for *devcenter dev box user*, select the **DevCenter Dev Box User** built-in role, and then select **Next**.

-

- :::image type="content" source="./media/how-to-dev-box-user/dev-box-user-role.png" alt-text="Screenshot showing the search box.":::

-1. On the Members tab, select **+ Select Members**.

-

- :::image type="content" source="./media/how-to-dev-box-user/dev-box-user-select-members.png" alt-text="Screenshot showing the Members tab with Select members highlighted.":::

-1. In **Select members**, select the Active Directory Users or Groups you want to add, and then select **Select**.

-

- :::image type="content" source="./media/how-to-dev-box-user/select-members-search.png" alt-text="Screenshot showing the Select members pane with a user account highlighted.":::

-1. On the Members tab, select **Review + assign**.

-To learn how to add a user to the Project Admin role, see [Provide access to a dev box project](#provide-access-to-a-dev-box-project).

- :::image type="content" source="./media/how-to-manage-dev-box-projects/access-control-tab.png" alt-text="Screenshot showing the Project Access control page with the Access Control link highlighted.":::

- :::image type="content" source="./media/how-to-manage-dev-box-projects/add-role-assignment.png" alt-text="Screenshot showing the Add menu with Add role assignment highlighted.":::

-1. On the Add role assignment page, search for *devcenter dev box user*, select the **DevCenter Dev Box User** built-in role, and then select **Next**.

- :::image type="content" source="./media/how-to-manage-dev-box-projects/dev-box-user-role.png" alt-text="Screenshot showing the Add role assignment search box highlighted.":::

-1. On the Members page, select **+ Select Members**.

- :::image type="content" source="./media/how-to-manage-dev-box-projects/dev-box-user-select-members.png" alt-text="Screenshot showing the Members tab with Select members highlighted.":::

-1. On the **Select members** pane, select the Active Directory Users or Groups you want to add, and then select **Select**.

- :::image type="content" source="./media/how-to-manage-dev-box-projects/select-members-search.png" alt-text="Screenshot showing the Select members pane with a user account highlighted.":::

-1. On the Add role assignment page, select **Review + assign**.

- :::image type="content" source="./media/how-to-manage-dev-center/dev-center-access-control.png" alt-text="Screenshot showing the dev center page with the Access Control link highlighted.":::

- :::image type="content" source="./media/how-to-manage-dev-center/add-role-assignment.png" alt-text="Screenshot showing the Add menu with Add role assignment highlighted.":::

-1. On the Add role assignment page, choose the built-in role you want to assign, and then select **Next**.

- :::image type="content" source="./media/how-to-manage-dev-center/dev-center-built-in-roles.png" alt-text="Screenshot showing the Add role assignment search box highlighted.":::

-1. On the Members page, select **+ Select Members**.

- :::image type="content" source="./media/how-to-manage-dev-center/dev-center-owner-select-members.png" alt-text="Screenshot showing the Members tab with Select members highlighted.":::

-1. On the **Select members** pane, select the Active Directory Users or Groups you want to add, and then select **Select**.

- :::image type="content" source="./media/how-to-manage-dev-center/select-members-search.png" alt-text="Screenshot showing the Select members pane with a user account highlighted.":::

-1. On the Add role assignment page, select **Review + assign**.

-

- :::image type="content" source="./media/how-to-project-admin/add-role-assignment.png" alt-text="Screenshot showing the Add menu with Add role assignment highlighted.":::

-1. On the Add role assignment page, on the Role tab, search for *devcenter project admin*, select the **DevCenter Project Admin** built-in role, and then select **Next**.

-

- :::image type="content" source="./media/how-to-project-admin/project-admin-role.png" alt-text="Screenshot showing the search box highlighted.":::

-1. On the Members tab, select **+ Select Members**.

-

- :::image type="content" source="./media/how-to-project-admin/project-admin-select-members.png" alt-text="Screenshot showing the Members tab with Select members highlighted.":::

-1. In **Select members**, select the Active Directory Users or Groups you want to add, and then select **Select**.

-

- :::image type="content" source="./media/how-to-project-admin/select-members-search.png" alt-text="Screenshot showing the Select members pane with a user account highlighted.":::

-1. On the Members tab, select **Review + assign**.

-Dev box service configuration begins with the creation of a dev center, which aims to represent the units of organisation per enterprise. Dev centers are logical containers to help organize your dev box resources. ThereΓÇÖs no limit on the number of dev centers you can create, but most organizations require only one.

-Azure Network connections enable the dev boxes to communicate with your organizationΓÇÖs network. The network connection provides a link between the dev center and your organizationΓÇÖs virtual networks. In the network connection, youΓÇÖll define how the dev box will join your Azure Active Directory (AD). Use an Azure AD join to connect exclusively to cloud-based resources, or use a hybrid Azure AD join to connect to on-premises resources and cloud-based resources.

-1. Assign the following role. For detailed steps, see [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.md).

-

- |Setting |Value |

- |||

- |Role | DevCenter Dev Box User |

- |Assign access to | User |

- |Members | Your account |

-You can integrate Azure Digital Twins into a [Microsoft Power Platform](/power-platform) or [Azure Logic Apps](../logic-apps/logic-apps-overview.md) flow, using the *Azure Digital Twins connector*.

-For more information about the Azure Digital Twins Power Platform connector, including a complete list of the connector's actions and their parameters, see the [Azure Digital Twins connector reference documentation](/connectors/azuredigitaltwins).

-## DNS resolver endpoints

-For more information about endpoints and rulesets, see [Azure DNS Private Resolver endpoints and rulesets](private-resolver-endpoints-rulesets.md).

-### Inbound endpoints

-The inbound endpoint requires a subnet in the VNet where itΓÇÖs provisioned. The subnet can only be delegated to **Microsoft.Network/dnsResolvers** and can't be used for other services. DNS queries received by the inbound endpoint will ingress to Azure. You can resolve names in scenarios where you have Private DNS zones, including VMs that are using auto registration, or Private Link enabled services.

-### Outbound endpoints

-A DNS forwarding rule includes one or more target DNS servers that will be used for conditional forwarding, and is represented by:

-In this article, you'll learn about components of the [Azure DNS Private Resolver](dns-private-resolver-overview.md). Inbound endpoints, outbound endpoints, and DNS forwarding rulesets are discussed. Properties and settings of these components are described, and examples are provided for how to use them.

-As the name suggests, inbound endpoints will ingress to Azure. Inbound endpoints provide an IP address to forward DNS queries from on-premises and other locations outside your virtual network. DNS queries sent to the inbound endpoint are resolved using Azure DNS. Private DNS zones that are linked to the virtual network where the inbound endpoint is provisioned are resolved by the inbound endpoint.

-When you link a ruleset to a virtual network, resources within that virtual network will use the DNS forwarding rules enabled in the ruleset. The linked virtual networks are not required to peer with the virtual network where the outbound endpoint exists, but these networks can be configured as peers. This configuration is common in a hub and spoke design. In this hub and spoke scenario, the spoke vnet doesn't need to be linked to the private DNS zone in order to resolve resource records in the zone. In this case, the forwarding ruleset rule for the private zone sends queries to the hub vnet's inbound endpoint. For example: **azure.contoso.com** to **10.10.0.4**.

-The following screenshot shows a DNS forwarding ruleset linked to two virtual networks: a hub vnet: **myeastvnet**, and a spoke vnet: **myeastspoke**.

-| Destination IP:Port | The forwarding destination. One or more IP addresses and ports of DNS servers that will be used to resolve DNS queries in the specified namespace. |

-A query for `secure.store.azure.contoso.com` will match the **AzurePrivate** rule for `azure.contoso.com` and also the **Contoso** rule for `contoso.com`, but the **AzurePrivate** rule takes precedence because the prefix `azure.contoso` is longer than `contoso`.

-> - Do not use the private resolver's inbound endpoint IP address as a forwarding destination for zones that are not linked to the virtual network where the private resolver is provisioned.

- 1. Install Pre requisites Az PowerShell modules (https://learn.microsoft.com/powershell/azure/install-az-ps?view=azps-5.7.0)

-Event Hubs Capture is metered similarly to [throughput units](event-hubs-scalability.md#throughput-units) (standard tier) or [processing units](event-hubs-scalability.md#processing-units) (in premium tier): as an hourly charge. The charge is directly proportional to the number of throughput units or processing units purchased for the namespace. As throughput units or processing units are increased and decreased, Event Hubs Capture meters increase and decrease to provide matching performance. The meters occur in tandem. For pricing details, see [Event Hubs pricing](https://azure.microsoft.com/pricing/details/event-hubs/).

-> Availability zone support is only available in [Azure regions with availability zones](../availability-zones/az-overview.md#azure-regions-with-availability-zones).

-* **If you're testing PsPing from Azure to on-premises, sent results show no matches, but received results show matches**: This result indicates that traffic is coming in to on-premises but isn't returning to Azure. Work with your provider to find out why traffic isn't being routed to Azure via your ExpressRoute circuit.

-[DR-Pvt]: ./designing-for-disaster-recovery-with-expressroute-privatepeering.md

-| Port State | Indicates the status of the observed port. | Open, Closed, Filtered | `Equals` `In` |

-| Port State | Indicates the status of the observed port. | Open, Closed, Filtered | `Equals` `In` |

-description: This article describes how users will be billed for their Defender EASM resource usage, and guides them to the dashboard that displays their counts.

-When customers create their first Microsoft Defender External Attack Surface Management (Defender EASM) resource, they are automatically granted a 30-day free trial. Once the trial has completed, customers will automatically be charged based on their count of billable assets. The charged amount will appear on their core Azure billing, with ΓÇ£Defender EASMΓÇ¥ appearing as separate line item on their invoice.

-Assets are only categorized as billable if they have been placed in the Approved Inventory state. We do not charge for any other state. Additionally, duplicative host assets are NOT included in the billable asset count.

-The list is then analyzed to identify duplicate entries and eliminate duplicate hosts. If a host is a subdomain of a parent host that resolves to the same IP address, we will exclude the child from the billable host count. For example, if both www.contoso.com and contoso.com resolve to 1.2.3.4, then we will exclude www.contoso.com/ 1.2.3.4 from our Host Count list.

-Users can view their billable assets count within their Defender EASM resource to better understand how Microsoft determines their pricing. This dashboard displays the total number of assets that are billable and therefore comprise your total spend. Users should expect to see counts from the last 30 days when applicable, excluding the most recent couple days that have not yet processed.

-Prospective customers accessing Defender EASM with a 30-day trial can also see these billable asset counts. Although these users are not charged until the trial has expired, they can view the billable asset dashboard to better understand how they would be billed according to the size of their attack surface.

-

-

-

-You can enable Azure Monitor logs using the Azure PowerShell Az module [Enable-AzHDInsightAzureMonitor](/powershell/module/az.hdinsight/enable-azhdinsightazuremonitor?view=azps-6.2.1&preserve-view=true) cmdlet.

-To disable, the use the [Disable-AzHDInsightAzureMonitor](/powershell/module/az.hdinsight/disable-azhdinsightazuremonitor?view=azps-6.2.1&preserve-view=true) cmdlet:

-description: This article helps users create copies of their MedTech service device and FHIR destination mappings.

-# How to create copies of the MedTech service device and FHIR destination mappings

-This article provides steps for creating copies of your MedTech service's device and Fast Healthcare Interoperability Resources (FHIR&#174;) destination mappings that can be used outside of Azure. These copies can be used for editing, troubleshooting, and archiving.

-> [!TIP]

-> Check out the [IoMT Connector Data Mapper](https://github.com/microsoft/iomt-fhir/tree/master/tools/data-mapper) tool for editing, testing, and troubleshooting MedTech service device and FHIR destination mappings. Export mappings for uploading to the MedTech service in the Azure portal or use with the [open-source version](https://github.com/microsoft/iomt-fhir) of the MedTech service.

-> [!NOTE]

-> When opening an [Azure Technical Support](https://azure.microsoft.com/support/create-ticket/) ticket for your MedTech service, include copies of your device and FHIR destination mappings to assist in the troubleshooting process.

-## Device mappings copy creation process

-1. Select **"MedTech service"** on the left side of your Azure Health Data Services workspace under **Services**.

- :::image type="content" source="media/iot-mappings-copies/iot-mappings-copies-select-medtech-service-button-in-workspace.png" alt-text="Screenshot of select MedTech service within the workspace." lightbox="media/iot-mappings-copies/iot-mappings-copies-select-medtech-service-button-in-workspace.png":::

-2. Select the name of the **MedTech service** that you'll be copying the device mappings from. In this example, we'll be making a copy of the device mappings from a MedTech service named **mt-azuredocsdemo**. You'll be selecting your own MedTech service as part of this process.

- :::image type="content" source="media/iot-mappings-copies/iot-mappings-copies-select-medtech-service.png" alt-text="Screenshot of select the MedTech service that you'll be making mappings copies from." lightbox="media/iot-mappings-copies/iot-mappings-copies-select-medtech-service.png":::

-3. Select the **Device mapping** button under **Settings**.

- :::image type="content" source="media/iot-mappings-copies/iot-mappings-copies-select-device-mapping.png" alt-text="Screenshot of select Device mapping button." lightbox="media/iot-mappings-copies/iot-mappings-copies-select-device-mapping.png":::

- > [!TIP]

- > This process can also be used for copying and saving the contents of the also know as the FHIR destination mappings found in **Destination** which is also under **Settings** within your MedTech service.

-4. Select the contents of the device mappings (for example: press **Ctrl + a**) and do a copy operation (for example: press **Ctrl + c**).

- :::image type="content" source="media/iot-mappings-copies/iot-mappings-copies-select-device-mapping-contents.png" alt-text="Screenshot of select and copy contents of the device mappings." lightbox="media/iot-mappings-copies/iot-mappings-copies-select-device-mapping-contents.png":::

-5. Open an editor application like Notepad or [Microsoft Visual Studio Code](https://code.visualstudio.com/) and do a paste operation (for example: press **Ctrl + v**) and a save operation (for example: press **Ctrl + s**) to create a file copy of your MedTech service device mappings. For this example, we'll be using Notepad.

- :::image type="content" source="media/iot-mappings-copies/iot-mappings-copies-save-in-notepad.png" alt-text="Screenshot of using Notepad with the device mappings copy." lightbox="media/iot-mappings-copies/iot-mappings-copies-save-in-notepad.png":::

- 1. Select a folder to save the file in.

- 2. Select a name for your file.

- 3. Leave the remaining fields at their defaults (for example: **Save as type** and **Encoding**).

- 4. Select the **Save** button.

-## Next steps

-In this article, you learned about how to make copies of your MedTech service device and FHIR destination mappings.

-To learn how to troubleshoot MedTech service errors, see

-> [!div class="nextstepaction"]

-> [Troubleshoot MedTech service errors](troubleshoot-errors.md)

-(FHIR&#174;) is a registered trademark of Health Level Seven International, registered in the U.S. Trademark Office and is used with their permission.

-# Understand the MedTech service device message data transformation

- ```cmd

- > If you have multiple Python including pre-installed Python 2.7 (for example, on Ubuntu or macOS), make sure you are using `pip3` to install *IoT Edge Dev Tool (iotedgedev)*.

-

- ```cmd

- pip3 install iotedgedev

- ```

- > [!NOTE]

- >

- > If you have multiple Python including pre-installed Python 2.7 (for example, on Ubuntu or macOS), make sure you are using `pip3` to install *IoT Edge Dev Tool (iotedgedev)*. For more information setting up your development machine, see [iotedgedev development setup](https://github.com/Azure/iotedgedev/blob/main/docs/environment-setup/manual-dev-machine-setup.md).

-To test your module on a device:

-1. Create a directory for your solution.

-1. Use the **iotedgedev solution init** command to create a solution and set up your Azure IoT Hub. Use the following command to create an IoT Edge solution for a specified development language.

-After solution creation, there are four items within the solution:

- :::image type="content" source="./media/how-to-develop-csharp-module/new-solution.png" alt-text="Screenshot of how to run a new IoT Edge solution.":::

-1. Provide the name of the module's image repository. Visual Studio Code autopopulates the module name with **localhost:5000/<your module name\>**. Replace it with your own registry information. Use **localhost** if you use a local Docker registry for testing. If you use Azure Container Registry, then use sign in server from your registry's settings. The sign-in server looks like **_\<registry name\>_.azurecr.io**. Only replace the **localhost:5000** part of the string so that the final result looks like **\<*registry name*\>.azurecr.io/_\<your module name\>_**.

- :::image type="content" source="./media/how-to-develop-csharp-module/repository.png" alt-text="Screenshot of how to provide a Docker image repository.":::

- ```env

- CONTAINER_REGISTRY_SERVER="myacr.azurecr.io"

- CONTAINER_REGISTRY_USERNAME="myacr"

- CONTAINER_REGISTRY_PASSWORD="<your_acr_password>"

- ```

- In production scenarios, you should use service principals to provide access to your container registry instead of the *.env* file. For more information, see [Manage access to your container registry](production-checklist.md#manage-access-to-your-container-registry).

- > [!NOTE]

- > The environment file is only created if you provide an image repository for the module. If you accepted the localhost defaults to test and debug locally, then you don't need to declare environment variables.

-### Set IoT Edge runtime version

-The IoT Edge extension defaults to the latest stable version of the IoT Edge runtime when it creates your deployment assets.

-1. Select **View** > **Command Palette**.

-1. In the command palette, enter and run the command **Azure IoT Edge: Set default IoT Edge runtime version**.

-1. Choose the runtime version that your IoT Edge devices are running from the list.

- Currently, the extension doesn't include a selection for the latest runtime versions. If you want to set the runtime version higher than 1.2, open *deployment.debug.template.json* deployment manifest file. Change the runtime version for the system runtime module images *edgeAgent* and *edgeHub*. For example, if you want to use the IoT Edge runtime version 1.4, change the following lines in the deployment manifest file:

- ```json

- ...

- "systemModules": {

- "edgeAgent": {

- ...

- "image": "mcr.microsoft.com/azureiotedge-agent:1.4",

- ...

- "edgeHub": {

- ...

- "image": "mcr.microsoft.com/azureiotedge-hub:1.4",

- ...

- ```

-1. After you select a new runtime version, your deployment manifest is dynamically updated to reflect the change to the runtime module images.

-1. In Visual Studio Code, open *deployment.debug.template.json* deployment manifest file. The [deployment manifest](module-deployment-monitoring.md#deployment-manifest) is a JSON document that describes the modules to be configured on the targeted IoT Edge device.

-1. Change the runtime version for the system runtime module images *edgeAgent* and *edgeHub*. For example, if you want to use the IoT Edge runtime version 1.4, change the following lines in the deployment manifest file:

- ```json

- ...

- "systemModules": {

- "edgeAgent": {

- ...

- "image": "mcr.microsoft.com/azureiotedge-agent:1.4",

- ...

- "edgeHub": {

- ...

- "image": "mcr.microsoft.com/azureiotedge-hub:1.4",

- ...

- ```

-To add more modules to your solution, change to *module* directory.

-1. Download a ZIP of the contents of the [Cookiecutter Template for Azure IoT Edge Python Module](https://github.com/azure/cookiecutter-azure-iot-edge-module) from GitHub.

-1. Extract the contents of the `{{cookiecutter.module_name}}` folder in the ZIP file then copy the files into the new module directory.

-1. Update *module.json* file with correct repository. For example, if you want to use the repository defined in your environment variables, use `${CONTAINER_REGISTRY_SERVER}/cmodule`.

-```cmd

-```cmd

-In Visual Studio Code, open the *deployment.debug.template.json* deployment manifest file. The [deployment manifest](module-deployment-monitoring.md#deployment-manifest) is a JSON document that describes the modules to be configured on the targeted IoT Edge device. Before deployment, you need to update your Azure Container Registry credentials and your module images with the proper `createOptions` values. For more information about createOption values, see [How to configure container create options for IoT Edge modules](how-to-use-create-options.md).

-1. If you're using an Azure Container Registry to store your module image, add your credentials to **deployment.debug.template.json** in the *edgeAgent* settings. For example:

-1. Add or replace the following stringified content to the *createOptions* value for each system and custom module listed. Change the values if necessary.

-1. In the **Azure IoT Hub Devices** section of the Visual Studio Code Explorer view, right-click the IoT Edge device name for deployment and then choose **Create Deployment for Single Device**.

-You can check your container status by running the `docker ps` command in the terminal. If your Visual Studio Code and IoT Edge runtime are running on the same machine, you can also check the status in the Visual Studio Code Docker view.

-Use the module's Dockerfile to build the module Docker image.

-Push your module image to the local registry or a container registry.

- :::image type="content" source="media/how-to-vs-code-develop-module/vs-code-breakpoint.png" alt-text="Screenshot of Visual Studio Code attached to a Docker container on a remote device paused at a breakpoint.":::

-> The preceding example shows how to debug IoT Edge modules on remote containers. It added a remote Docker context and changes to the Docker privileges on the remote device. After you finish debugging your modules, set your Docker context to *default* and remove privileges from your user account.

-To develop modules for your IoT Edge devices, [Understand and use Azure IoT Hub SDKs](../iot-hub/iot-hub-devguide-sdks.md).

-description: Use Event Grid or heartbeat patterns to monitor IoT Hub device connection states.

-## Device heartbeat

-> [!NOTE]

-> If an IoT solution uses the connection state solely to determine whether to send cloud-to-device messages, and messages are not broadcast to large sets of devices, consider using the simpler *short expiry time* pattern. This pattern achieves the same result as maintaining a device connection state registry using the heartbeat pattern, while being more efficient. If you request message acknowledgements, IoT Hub can notify you about which devices are able to receive messages and which are not.

-description: Learn how to set up labs to teach engineering classes with Autodesk.

-# Set up labs for Autodesk

-This article describes how to set up Autodesk Inventor and Autodesk Revit software for engineering classes.

-You'll need to access a license server if you plan to use the Autodesk network licensing model. Read Autodesk's article on [Network License Administration](https://knowledge.autodesk.com/customer-service/network-license-administration/network-deployment/preparing-for-deployment/determining-installation-type) for more information.

-To use network licensing with Autodesk software, [AutoDesk provides detailed steps](https://knowledge.autodesk.com/customer-service/network-license-administration/install-and-configure-network-license) to install Autodesk Network License Manager on your license server. This license server is ordinarily located in either your on-premises network or hosted on an Azure virtual machine (VM) within in Azure virtual network.

-After your license server is set up, you'll need to enable [advanced networking](how-to-connect-vnet-injection.md#connect-the-virtual-network-during-lab-plan-creation) when creating your lab plan.

-Autodesk-generated license files embed the MAC address of the license server. If you decide to host your license server by using an Azure VM, itΓÇÖs important to make sure that your license serverΓÇÖs MAC address doesnΓÇÖt change. If the MAC address changes, you'll need to regenerate your licensing files. To prevent your MAC address from changing:

-> [Advanced networking](how-to-connect-vnet-injection.md#connect-the-virtual-network-during-lab-plan-creation) must be enabled during the creation of your lab plan. It can not be added later.

-Enable your lab plan settings as described in the following table. For more information about how to enable Azure Marketplace images, see [Specify the Azure Marketplace images available to lab creators](./specify-marketplace-images.md).

-| Lab plan setting | Instructions |

-| - | |

-|Marketplace image| Enable the Windows 10 Pro or Windows 10 Pro N image, if not done already.|

-| Lab setting | Value and description |

-| | |

-| Virtual Machine Size | **Small GPU (Visualization)**. Best suited for remote visualization, streaming, gaming, and encoding with frameworks such as OpenGL and DirectX. |

-> [!WARNING]

-> The **Small GPU (Visualization)** virtual machine size is configured to enable a high-performing graphics experience and meets [AdobeΓÇÖs system requirements for each application](https://helpx.adobe.com/creative-cloud/system-requirements.html). Make sure to choose **Small GPU (Visualization)** not **Small GPU (Compute)**. For more information about this virtual machine size, see the article on [how to set up a lab with GPUs](./how-to-setup-lab-gpu.md).

-1. Start the template VM and connect to the machine.

-1. Download and install Inventor and Revit using [instructions from AutoDesk](https://knowledge.autodesk.com/customer-service/download-install/install-software). When prompted, specify the computer name of your license server.

-1. Finally, [publish the template VM](how-to-create-manage-template.md#publish-the-template-vm) to create the studentsΓÇÖ VMs.

-LetΓÇÖs cover an example cost estimate for this class. This estimate doesnΓÇÖt include the cost of running a license server. Suppose you have a class of 25 students, each of whom has 20 hours of scheduled class time. Each student also has an extra 10 quota hours for homework or assignments outside of scheduled class time. The virtual machine size we chose was **Small GPU (Visualization)**, which is 160 lab units.

-# Attach or detach a compute gallery in Azure Lab Services

-> [!IMPORTANT]

-> Your user account must have permission to create a new Azure Compute Gallery.

- :::image type="content" source="./media/how-to-attach-detach-shared-image-gallery/create-azure-compute-gallery-window.png" alt-text="Screenshot of the Create compute gallery window.":::

- :::image type="content" source="./media/how-to-attach-detach-shared-image-gallery/attach-existing-compute-gallery.png" alt-text="Azure compute gallery page for lab plan when gallery has been attached.":::

-> [!NOTE]

-> The **Azure Lab Services** app must be assigned the **Owner** role on the compute gallery to show in the list.

-All images in the attached compute gallery are disabled by default. To enable selected images:

-1. Check images you want to enable.

-1. Select **Enable image** button.

-1. Select **Apply**.

-To disable selected images:

-1. Check images you want to disable.

-1. Select **Disable image** button.

-1. Select **Apply**.

-Only one Azure Compute Gallery can be attached to a lab. To attach another compute gallery, follow the below steps:

-1. Select **Change gallery** on the toolbar.

-1. Confirm the change operation.

-1. On the **Attach an existing compute gallery** page, select your compute gallery, and then select the **Select** button.

-description: This article describes how to configure automatic shutdown of VMs in the lab plan.

-description: Learn how to configure the number of students for a lab, get them registered with the lab, control the number of hours they can use the VM, and more.

-# Add and manage lab users

-This article describes how to add student users to a lab, register them with the lab, control the number of additional hours they can use the virtual machine (VM), and more.

-When you add users, by default, the **Restrict access** option is turned on and, unless they're in the list of users, students can't register with the lab even if they have a registration link. Only listed users can register with the lab by using the registration link you send. You can turn off **Restrict access**, which allows students to register with the lab as long as they have the registration link.

-This article shows how to add users to a lab.

-## Add users from an Azure AD group

-### Overview

-You can now sync a lab user list to an existing Azure Active Directory (Azure AD) group so that you don't have to manually add or delete users.

-An Azure AD group can be created within your organization's Azure Active Directory to manage access to organizational resources and cloud-based apps. To learn more, see [Azure AD groups](../active-directory/fundamentals/active-directory-manage-groups.md). If your organization uses Microsoft Office 365 or Azure services, your organization will already have admins who manage your Azure Active Directory.

-> [!IMPORTANT]

-> Make sure the user list is empty. If there are existing users inside a lab that you added manually or through importing a CSV file, the option to sync the lab to an existing group will not appear.

-1. In the left pane, select **Users**.

-1. Select **Sync from group**.

- :::image type="content" source="./media/how-to-configure-student-usage/add-users-sync-group.png" alt-text="Add users by syncing from an Azure AD group":::

-1. You'll be prompted to pick an existing Azure AD group to sync your lab to.

- If you don't see an Azure AD group in the list, could be because of the following reasons:

- - If you are a guest user for an Azure Active Directory (usually if you're outside the organization that owns the Azure AD), and you are not able to search for groups inside the Azure AD. In this case, you can't add an Azure AD group to the lab in this case.

- - Azure AD groups created through Teams don't show up in this list. You can add the Azure Lab Services app inside Teams to create and manage labs directly from within it. See more information about [managing a labΓÇÖs user list from within Teams](./how-to-manage-labs-within-teams.md#manage-lab-user-lists-in-teams).

-1. Once you picked the Azure AD group to sync your lab to, select **Add**.

-1. Once a lab is synced, it will pull everyone inside the Azure AD group into the lab as users, and you will see the user list updated. Only the people in this Azure AD group will have access to your lab. The user list will refresh every 24 hours to match the latest membership of the Azure AD group. You can also select the Sync button in the Users tab to manually sync to the latest changes in the Azure AD group.

-1. Invite the users to your lab by clicking on the **Invite All** button, which will send an email to all users with the registration link to the lab.

-Once the lab is synced to an Azure AD group, the number of virtual machines in the lab will automatically match the number of users in the group. You will no longer be able to manually update the lab capacity. When a user is added to the Azure AD group, a lab will automatically add a virtual machine for that user. When a user is deleted from the Azure AD group, a lab will automatically delete the userΓÇÖs virtual machine from the lab.

-## Add users manually from email(s) or CSV file

-In this section, you add students manually (by email address or by uploading a CSV file).

-1. In the left pane, select **Users**.

-1. Select **Add users manually**.

- :::image type="content" source="./media/how-to-configure-student-usage/add-users-manually.png" alt-text="Add users manually":::

-1. Select **Add by email address** (default), enter the students' email addresses on separate lines or on a single line separated by semicolons.

- :::image type="content" source="./media/how-to-configure-student-usage/add-users-email-addresses.png" alt-text="Add users' email addresses":::

-1. Select **Save**.

- The list displays the email addresses and statuses of the current users, whether they're registered with the lab or not.

- :::image type="content" source="./media/how-to-configure-student-usage/list-of-added-users.png" alt-text="Users list":::

- > [!NOTE]

- > After the students are registered with the lab, the list displays their names.

-A CSV text file is used to store comma-separated (CSV) tabular data (numbers and text). Instead of storing information in columns fields (such as in spreadsheets), a CSV file stores information separated by commas. Each line in a CSV file will have the same number of comma-separated "fields." You can use Excel to easily create and edit CSV files.

-1. Using Microsoft Excel, create a CSV file that lists students' email addresses in one column.

- :::image type="content" source="./media/how-to-configure-student-usage/csv-file-with-users.png" alt-text="List of users in a CSV file":::

-1. At the top of the **Users** pane, select **Add users**, and then select **Upload CSV**.

-1. Select the CSV file that contains the students' email addresses, and then select **Open**. The **Add users** window displays the email address list from the CSV file.

-1. Select **Save**.

-1. In the **Users** pane, view the list of added students.

- :::image type="content" source="./media/how-to-configure-student-usage/list-of-added-users.png" alt-text="List of added users in the Users pane":::

-## Send invitations to users

-To send a registration link to new users, use one of the following methods.

-This method shows you how to send email with a registration link and an optional message to all listed students.

-1. In the **Users** pane, select **Invite all**.

- 

- 

-This method shows you how to invite only certain students and get a registration link that you can share with other people.

-1. In the **Users** pane, select a student or multiple students in the list.

-1. In the row for the student you've selected, select the **envelope** icon or, on the toolbar, select **Invite**.

- 

- 

- The **Users** pane displays the status of this operation in the **Invitation** column of the table. The invitation email includes the registration link that students can use to register with the lab.

-## Get the registration link

-In this section, you can get the registration link from the portal and send it by using your own email application.

-1. In the **Users** pane, select **Registration link**.

- 

-1. In the **User registration** window, select **Copy**, and then select **Done**.

- 

- The link is copied to the clipboard.

-1. In your email application, paste the registration link, and then send the email to a student so that the student can register for the class.

-1. Go to the Lab Services web portal: [https://labs.azure.com](https://labs.azure.com).

-1. Select **Sign in**, and then enter your credentials. Azure Lab Services supports organizational accounts and Microsoft accounts.

-1. On the **My labs** page, select the lab whose usage you want to track.

-1. In the left pane, select **Users**, or select the **Users** tile. The **Users** pane displays a list of students who have registered with your lab.

- 

- > If you [republish a lab](how-to-create-manage-template.md#publish-the-template-vm) or [Reset VMs](how-to-manage-vm-pool.md#reset-vms), the students will remain registered for the labs' VMs. However, the contents of the VMs will be deleted and the VMs will be recreated with the template VM's image.

-You can set an hour quota for a student one of two ways:

-1. In the **Users** pane, select **Quota per user: \<number> hour(s)** on the toolbar.

-1. In the **Quota per user** window, specify the number of hours you want to give to each student outside the scheduled class time, and then select **Save**.

- 

- The changed values are now displayed on the **Quota per user: \<number of hours>** button on the toolbar and in the users list, as shown here:

- 

- > The [scheduled running time of VMs](how-to-create-schedules.md) does not count against the quota that's allotted to a student. The quota is for the time outside of scheduled hours that a student spends on VMs.

-## Set additional quotas for specific users

-You can specify quotas for certain students beyond the common quotas that were set for all users in the preceding section. For example, if you, as an educator, set the quota for all students to 10 hours and set an additional quota of 5 hours for a specific student, that student gets 15 (10 + 5) hours of quota. If you change the common quota later to, say, 15, the student gets 20 (15 + 5) hours of quota. Remember that this overall quota is outside the scheduled time. The time that a student spends on a lab VM during the scheduled time does not count against this quota.

-To set additional quotas, do the following:

-1. In the **Users** pane, select a student from the list, and then select **Adjust quota** on the toolbar.

- 

-1. In the **Adjust quota for \<selected user or users email address>**, enter the number of additional lab hours you want to grant to the selected student or students, and then select **Apply**.

- 

- The **Usage** column displays the updated quota for the selected students.

- 

-## Student accounts

-To add students to a lab, you use their email accounts. Students might have the following types of email accounts:

-Students can use non-Microsoft email accounts to register and sign in to a lab. However, the registration requires that they first create a Microsoft account that's linked to their non-Microsoft email address.

-Many students might already have a Microsoft account that's linked to their non-Microsoft email address. For example, students already have a Microsoft account if they've used their email address with other Microsoft products or services, such as Office, Skype, OneDrive, or Windows.

-When students use the registration link to sign in to a classroom, they're prompted for their email address and password. Students who attempt to sign in with a non-Microsoft account that's not linked to a Microsoft account will receive the following error message:

-

-Here's a link for students to [sign up for a Microsoft account](http://signup.live.com).

-> When students sign in to a lab, they aren't given the option to create a Microsoft account. For this reason, we recommend that you include this sign-up link, `http://signup.live.com`, in the lab registration email that you send to students who are using non-Microsoft accounts.

-Students can also use an existing GitHub account to register and sign in to a lab. If they already have a Microsoft account linked to their GitHub account, students can sign in and provide their password as shown in the preceding section.

-If they haven't yet linked their GitHub account to a Microsoft account, they can do the following:

- 

- 

- At the prompt, students then create a Microsoft account that's linked to their GitHub account. The linking happens automatically when they select **Next**. They're then immediately signed in and connected to the lab.

-1. Go to the **Users** pane.

- 

-description: Learn how to enable or disable automatic shutdown of VMs when a remote desktop connection is disconnected.

-> [!IMPORTANT]

-> Prior to the [August 2022 Update](lab-services-whats-new.md), Linux labs only support automatic shut down when users disconnect and when VMs are started but users don't connect. Support also varies depending on [specific distributions and versions of Linux](../virtual-machines/extensions/diagnostics-linux.md#supported-linux-distributions). Shutdown settings are not supported by the [Data Science Virtual Machine - Ubuntu](https://azuremarketplace.microsoft.com/en-us/marketplace/apps?search=Data%20science%20Virtual%20machine&page=1&filters=microsoft%3Blinux) image.

-Educators can create labs containing VMs for students using the Azure Lab Services portal. This quickstart shows you how to create a lab with Windows 11 Pro image. Once a lab is created, an educator [configures the template](how-to-create-manage-template.md), [adds lab users](how-to-configure-student-usage.md#add-and-manage-lab-users), and [publishes the lab](tutorial-setup-lab.md#publish-a-lab).

- > [!IMPORTANT]

- > Make a note of user name and password. They won't be shown again.

-When no longer needed, you can delete the lab.

-On the tile for the lab, select three dots (...) in the corner, and then select **Delete**.

-On the **Delete lab** dialog box, select **Delete** to continue with the deletion.

-This quickstart shows you, as the educator or admin, how to use an Azure Resource Manager (ARM) template to create a lab. This quickstart shows you how to create a lab with Windows 11 Pro image. Once a lab is created, an educator [configures the template](how-to-create-manage-template.md), [adds lab users](how-to-configure-student-usage.md#add-and-manage-lab-users), and [publishes the lab](tutorial-setup-lab.md#publish-a-lab). For an overview of Azure Lab Services, see [An introduction to Azure Lab Services](lab-services-overview.md).

- For information about the types of accounts that students can use, see [Student accounts](./how-to-configure-student-usage.md#student-accounts).

-description: Learn how to set up a lab account and add users that can create labs in the lab account.

-In Azure Lab Services, a lab account serves as the central account in which your organization's labs are managed. In your lab account, give permission to others to create labs, and set policies that apply to all labs under the lab account. In this tutorial, learn how to create a lab account.

-If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.

-2. Select **All Services** on the left menu. Select **DevOps** from **Categories**. Then, select **Lab Services**. If you select star (`*`) next to **Lab Services**, it's added to the **FAVORITES** section on the left menu. From the next time onwards, you select **Lab Services** under **FAVORITES**.

- 

-3. On the **Lab Services** page, select **Add** on the toolbar or select **Create lab account** button on the page.

- 

-4. On the **Basics** tab of the **Create a lab account** page, do the following actions:

- 1. For **Lab account name**, enter a name.

- 2. Select the **Azure subscription** in which you want to create the lab account.

- 3. For **Resource group**, select an existing resource group or select **Create new**, and enter a name for the resource group.

- 4. For **Location**, select a location/region in which you want to create the lab account.

- 

- 5. Select **Review + create**.

- 6. Review the summary, and select **Create**.

- 

-5. When the deployment is complete, expand **Next steps**, and select **Go to resource**.

- 

-6. Confirm that you see the **Lab Account** page.

- 

-To set up a lab in a lab account, the user must be a member of the **Lab Creator** role in the lab account. To provide educators the permission to create labs for their classes, add them to the **Lab Creator** role: For detailed steps, see [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.md).

-> The account you used to create the lab account is automatically added to this role. If you are planning to use the same user account to create a lab in this tutorial, skip this step.

-1. On the **Lab Account** page, select **Access control (IAM)**

-1. Select **Add** > **Add role assignment**.

- 

- 

-1. On the **Members** tab, select the user you want to add to the Lab Creators role

-In this tutorial, you created a lab account. To learn about how to create a lab as an educator, advance to the next tutorial:

- > After a student registers for the lab uing the registration link, the user list also displays their name. The name that's shown in the list is constructed by using the first and last names of the student's information from Azure Active Directory or their Microsoft Account. For more information about supported account types, see [Student accounts](how-to-configure-student-usage.md#student-accounts).

- - Monitor compliance to security policies and ensure security coverage across all tenants' resources

-With all scenarios, please be aware of the following current limitations:

-description: Learn how to remove access to resources that had been delegated to a service provider for Azure Lighthouse.

-Users in a managing tenant can remove access to delegated resources if they were granted the [Managed Services Registration Assignment Delete Role](../../role-based-access-control/built-in-roles.md#managed-services-registration-assignment-delete-role) for the customer's resources. If this role was not assigned to any service provider users, the delegation can only be removed by a user in the customer's tenant.

-The example below shows an assignment granting the **Managed Services Registration Assignment Delete Role** that can be included in a parameter file during the [onboarding process](onboard-customer.md):