+|  is an identity verification and decentralized digital identity solution for Canadian citizens. It enables organizations to meet Identity Assurance Level (IAL) 2 and Know Your Customer (KYC) requirements. |

+Select a partner in the tables mentioned to learn how to integrate their solution with Azure AD B2C.

+# OAuth 2.0 and OpenID Connect (OIDC) in the Microsoft identity platform

+You don't need to learn OAuth or OpenID Connect (OIDC) at the protocol level to use the Microsoft identity platform. You will, however, encounter these and other protocol terms and concepts as you use the identity platform to add auth functionality to your apps.

+As you work with the Azure portal, our documentation, and our authentication libraries, knowing a few basics like these can make your integration and debugging tasks easier.

+The Microsoft identity platform offers authentication and authorization services using standards-compliant implementations of OAuth 2.0 and OpenID Connect (OIDC) 1.0. Standards-compliant authorization servers like the Microsoft identity platform provide a set of HTTP endpoints for use by the parties in an auth flow to execute the flow.

+**Azure Active Directory** > **App registrations** > \<YOUR-APPLICATION\> > **Endpoints**

+* [Microsoft Authentication Library (MSAL)](msal-overview.md)

+**We strongly advise against crafting your own library or raw HTTP calls to execute authentication flows.** A [Microsoft authentication library](reference-v2-libraries.md) is safer and much easier. However, if your scenario prevents you from using our libraries or you'd just like to learn more about the identity platform's implementation, we have protocol reference:

+* [On-behalf-of (OBO) flow](v2-oauth2-on-behalf-of-flow.md) - Web APIs that call another web API on a user's behalf

+* [OpenID Connect](v2-protocols-oidc.md) - User sign-in, sign-out, and single sign-on (SSO)

+This article describes how to create a trust relationship between an application in Azure Active Directory (Azure AD) and an external identity provider (IdP). You can then configure an external software workload to exchange a token from the external IdP for an access token from Microsoft identity platform. The external workload can access Azure AD protected resources without needing to manage secrets (in supported scenarios). To learn more about the token exchange workflow, read about [workload identity federation](workload-identity-federation.md). You establish the trust relationship by configuring a federated identity credential on your app registration by using Microsoft Graph or the Azure portal.

+The Microsoft Graph beta endpoint (`https://graph.microsoft.com/beta`) exposes REST APIs to create, update, delete [federatedIdentityCredentials](/graph/api/resources/federatedidentitycredential?view=graph-rest-beta&preserve-view=true) on applications. Launch [Azure Cloud Shell](https://portal.azure.com/#cloudshell/) and sign in to your tenant in order to run Microsoft Graph commands from AZ CLI.

+## Configure a federated identity credential on an app

+When you configure a federated identity credential on an app, there are several important pieces of information to provide.

+# [Azure CLI](#tab/azure-cli)

+Run the [create a new federated identity credential](/graph/api/application-post-federatedidentitycredentials?view=graph-rest-beta&preserve-view=true) command on your app (specified by the object ID of the app). Specify the *name*, *issuer*, *subject*, and other parameters.

+For examples, see [Configure an app to trust a GitHub repo](workload-identity-federation-create-trust-github.md?tabs=microsoft-graph).

+# [Portal](#tab/azure-portal)

+Find your app registration in the [App Registrations](https://aka.ms/appregistrations) experience of the Azure portal. Select **Certificates & secrets** in the left nav pane, select the **Federated credentials** tab, and select **Add credential**.

+Select the **GitHub Actions deploying Azure resources** scenario from the dropdown menu. Fill in the **Organization**, **Repository**, **Entity type**, and other fields.

+For examples, see [Configure an app to trust a GitHub repo](workload-identity-federation-create-trust-github.md?tabs=azure-portal).

+### Kubernetes example

+# [Azure CLI](#tab/azure-cli)

+Run the following command to configure a federated identity credential on an app and create a trust relationship with a Kubernetes service account. Specify the following parameters:

+- *issuer* is your service account issuer URL (the [OIDC issuer URL](/azure/aks/cluster-configuration#oidc-issuer-preview) for the managed cluster or the [OIDC Issuer URL](https://azure.github.io/azure-workload-identity/docs/installation/self-managed-clusters/oidc-issuer.html) for a self-managed cluster).

+- *subject* is the subject name in the tokens issued to the service account. Kubernetes uses the following format for subject names: `system:serviceaccount:<SERVICE_ACCOUNT_NAMESPACE>:<SERVICE_ACCOUNT_NAME>`.

+- *name* is the name of the federated credential, which cannot be changed later.

+- *audiences* lists the audiences that can appear in the 'aud' claim of the external token. This field is mandatory, and defaults to "api://AzureADTokenExchange".

+az rest --method POST --uri 'https://graph.microsoft.com/beta/applications/f6475511-fd81-4965-a00e-41e7792b7b9c/federatedIdentityCredentials' --body '{"name":"Kubernetes-federated-credential","issuer":"https://aksoicwesteurope.blob.core.windows.net/9d80a3e1-2a87-46ea-ab16-e629589c541c/","subject":"system:serviceaccount:erp8asle:pod-identity-sa","description":"Kubernetes service account federated credential","audiences":["api://AzureADTokenExchange"]}'

+ "description": "Kubernetes service account federated credential",

+ "id": "51ecf9c3-35fc-4519-a28a-8c27c6178bca",

+ "issuer": "https://aksoicwesteurope.blob.core.windows.net/9d80a3e1-2a87-46ea-ab16-e629589c541c/",

+ "name": "Kubernetes-federated-credential",

+ "subject": "system:serviceaccount:erp8asle:pod-identity-sa"

+# [Portal](#tab/azure-portal)

+Find your app registration in the [App Registrations](https://aka.ms/appregistrations) experience of the Azure portal. Select **Certificates & secrets** in the left nav pane, select the **Federated credentials** tab, and select **Add credential**.

+Select the **Kubernetes accessing Azure resources** scenario from the dropdown menu.

+Fill in the **Cluster issuer URL**, **Namespace**, **Service account name**, and **Name** fields:

+- **Cluster issuer URL** is the [OIDC issuer URL](/azure/aks/cluster-configuration#oidc-issuer-preview) for the managed cluster or the [OIDC Issuer URL](https://azure.github.io/azure-workload-identity/docs/installation/self-managed-clusters/oidc-issuer.html) for a self-managed cluster.

+- **Service account name** is the name of the Kubernetes service account, which provides an identity for processes that run in a Pod.

+- **Namespace** is the service account namespace.

+- **Name** is the name of the federated credential, which cannot be changed later.

+### Other identity providers example

+# [Azure CLI](#tab/azure-cli)

+Run the following command to configure a federated identity credential on an app and create a trust relationship with an external identity provider. Specify the following parameters (using a software workload running in Google Cloud as an example):

+- *name* is the name of the federated credential, which cannot be changed later.

+- *ObjectID*: the object ID of the app (not the application (client) ID) you previously registered in Azure AD.

+- *subject*: must match the `sub` claim in the token issued by the external identity provider. In this example using Google Cloud, *subject* is the Unique ID of the service account you plan to use.

+- *issuer*: must match the `iss` claim in the token issued by the external identity provider. A URL that complies with the OIDC Discovery spec. Azure AD uses this issuer URL to fetch the keys that are necessary to validate the token. In the case of Google Cloud, the *issuer* is "https://accounts.google.com".

+- *audiences*: must match the `aud` claim in the external token. For security reasons, you should pick a value that is unique for tokens meant for Azure AD. The Microsoft recommended value is "api://AzureADTokenExchange".

+az rest --method POST --uri 'https://graph.microsoft.com/beta/applications/<ObjectID>/federatedIdentityCredentials' --body '{"name":"GcpFederation","issuer":"https://accounts.google.com","subject":"112633961854638529490","description":"Testing","audiences":["api://AzureADTokenExchange"]}'

+ "description": "Testing",

+ "issuer": "https://accounts.google.com"",

+ "name": "GcpFederation",

+ "subject": "112633961854638529490"

+# [Portal](#tab/azure-portal)

+Find your app registration in the [App Registrations](https://aka.ms/appregistrations) experience of the Azure portal. Select **Certificates & secrets** in the left nav pane, select the **Federated credentials** tab, and select **Add credential**.

+Select the **Other issuer** scenario from the dropdown menu.

+Specify the following fields (using a software workload running in Google Cloud as an example):

+- **Name** is the name of the federated credential, which cannot be changed later.

+- **Subject identifier**: must match the `sub` claim in the token issued by the external identity provider. In this example using Google Cloud, *subject* is the Unique ID of the service account you plan to use.

+- **Issuer**: must match the `iss` claim in the token issued by the external identity provider. A URL that complies with the OIDC Discovery spec. Azure AD uses this issuer URL to fetch the keys that are necessary to validate the token. In the case of Google Cloud, the *issuer* is "https://accounts.google.com".

+# [Azure CLI](#tab/azure-cli)

+# [Portal](#tab/azure-portal)

+Find your app registration in the [App Registrations](https://aka.ms/appregistrations) experience of the Azure portal. Select **Certificates & secrets** in the left nav pane and select the **Federated credentials** tab. The federated credentials that are configured on your app are listed.

+# [Azure CLI](#tab/azure-cli)

+# [Portal](#tab/azure-portal)

+Find your app registration in the [App Registrations](https://aka.ms/appregistrations) experience of the Azure portal. Select **Certificates & secrets** in the left nav pane and select the **Federated credentials** tab. The federated credentials that are configured on your app are listed.

+To delete a federated identity credential, select the **Delete** icon for the credential.

+# B2B direct connect overview (Preview)

+# Configure cross-tenant access settings for B2B direct connect (Preview)

+Your first 50,000 MAUs per month are free for both Premium P1 and Premium P2 features. To determine the total number of MAUs, we combine MAUs from all your tenants (both Azure AD and Azure AD B2C) that are linked to the same subscription.

+An Azure AD tenant must be linked to a resource group within an Azure subscription for proper billing and access to features.

+2. Select the directory you want to link: In the Azure portal toolbar, select the **Directories + subscriptions** icon in the portal toolbar. Then on the **Portal settings | Directories + subscriptions** page, find your directory in the **Directory name** list, and then select **Switch**.

+7. In the **Link a subscription** pane, select a **Subscription** and a **Resource group**. Then select **Apply**. (If there are no subscriptions listed, see [What if I can't find a subscription?](#what-if-i-cant-find-a-subscription).)

+## What if I can't find a subscription?

+If no subscriptions are available in the **Link a subscription** pane, here are some possible reasons:

+- You don't have the appropriate permissions. Be sure to sign in with an Azure account that's been assigned at least the [Contributor](../../role-based-access-control/built-in-roles.md) role within the subscription or a resource group within the subscription.

+- A subscription exists, but it hasn't been associated with your directory yet. You can [associate an existing subscription to your tenant](../fundamentals/active-directory-how-subscriptions-associated-directory.md) and then repeat the steps for [linking it to your tenant](#link-your-azure-ad-tenant-to-a-subscription).

+- No subscription exists. In the **Link a subscription** pane, you can create a subscription by selecting the link **if you don't already have a subscription you may create one here**. After you create a new subscription, you'll need to [create a resource group](../../azure-resource-manager/management/manage-resource-groups-portal.md) in the new subscription, and then repeat the steps for [linking it to your tenant](#link-your-azure-ad-tenant-to-a-subscription).

+For the latest pricing information, see [Azure Active Directory pricing](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing).

+Learn more about [managing Azure resources](../../azure-resource-manager/management/overview.md).

+## Guest sign-in fails with error code AADSTS50020

+When a guest user from an identity provider (IdP) can't sign in to a resource tenant in Azure AD and receives an error code AADSTS50020, there are several possible causes. See the troubleshooting article for error [AADSTS50020](/troubleshoot/azure/active-directory/error-code-aadsts50020-user-account-identity-provider-does-not-exist).

+>Azure AD Connect v1.6.xx.x uses the ADAL library. The ADAL library is being depricated and support will end in June 2022. Microsoft recommends that you upgrade to the latest version of [Azure AD Connect v2](whatis-azure-ad-connect-v2.md).

+ Title: Overview of admin consent workflow

+description: Learn about the admin consent workflow in Azure Active Directory

+#customer intent: As an admin, I want to learn about the admin consent workflow and how it affects end-user and admin consent experience

+# Overview of admin consent workflow

+There may be situations where your end-users need to consent to permissions for applications that they're creating or using with their work accounts. However, non-admin users aren't allowed to consent to permissions that require admin consent. Also, users canΓÇÖt consent to applications when [user consent](configure-user-consent.md) is disabled in the userΓÇÖs tenant.

+

+In such situations where user consent is disabled, an admin can grant users the ability to make requests for gaining access to applications by enabling the admin consent workflow. In this article, youΓÇÖll learn about the user and admin experience when the admin consent workflow is disabled vs when it's enabled.

+When attempting to sign in, users may see a consent prompt like the one in the following screenshot:

+If the user doesnΓÇÖt know who to contact to grant them access, they may be unable to use the application. This situation also requires administrators to create a separate workflow to track requests for applications if they're open to receiving them.

+As an admin, the following options exist for you to determine how users consent to applications:

+- Disable user consent. For example, a high school may want to turn off user consent so that the school IT administration has full control over all the applications that are used in their tenant.

+- Allow users to consent to the required permissions. It's NOT recommended to keep user consent open if you have sensitive data in your tenant.

+- If you still want to retain admin-only consent for certain permissions but want to assist your end-users in onboarding their application, you can use the admin consent workflow to evaluate and respond to admin consent requests. This way, you can have a queue of all the requests for admin consent for your tenant and can track and respond to them directly through the Azure portal.

+To learn how to configure the admin consent workflow, see [configure-admin-consent-workflow.md](configure-admin-consent-workflow.md).

+## How the admin consent workflow works

+When you configure the admin consent workflow, your end users can request for consent directly through the prompt. The users may see a consent prompt like the one in the following screenshot:

+When an administrator responds to a request, the user receives an email alert informing them that the request has been processed.

+When the user submits a consent request, the request shows up in the admin consent request page in the Azure portal. Administrators and designated reviewers sign in to [view and act on the new requests](review-admin-consent-requests.md). Reviewers only see consent requests that were created after they were designated as reviewers. Requests show up in the following two tabs in the admin consent requests blade.

+- My pending: This shows any active requests that have the signed-in user designated as a reviewer. Although reviewers can block or deny requests, only people with the correct RBAC permissions to consent to the requested permissions can do so.

+- All(Preview): All requests, active or expired, that exist in the tenant.

+Each request includes information about the application and the user(s) requesting the application.

+## Email notifications

+If configured, all reviewers will receive email notifications when:

+- A new request has been created

+- A request has expired

+- A request is nearing the expiration date.

+Requestors will receive email notifications when:

+- They submit a new request for access

+- Their request has expired

+- Their request has been denied or blocked

+- Their request has been approved

+## Audit logs

+The table below outlines the scenarios and audit values available for the admin consent workflow.

+|Scenario |Audit Service |Audit Category |Audit Activity |Audit Actor |Audit log limitations |

+|||||||

+|Admin enabling the consent request workflow |Access Reviews |UserManagement |Create governance policy template |App context |Currently you canΓÇÖt find the user context |

+|Admin disabling the consent request workflow |Access Reviews |UserManagement |Delete governance policy template |App context |Currently you canΓÇÖt find the user context |

+|Admin updating the consent workflow configurations |Access Reviews |UserManagement |Update governance policy template |App context |Currently you canΓÇÖt find the user context |

+|End user creating an admin consent request for an app |Access Reviews |Policy |Create request |App context |Currently you canΓÇÖt find the user context |

+|Reviewers approving an admin consent request |Access Reviews |UserManagement |Approve all requests in business flow |App context |Currently you canΓÇÖt find the user context or the app ID that was granted admin consent. |

+|Reviewers denying an admin consent request |Access Reviews |UserManagement |Approve all requests in business flow |App context | Currently you canΓÇÖt find the user context of the actor that denied an admin consent request |

+## Next steps

+- [Enable the admin consent request workflow](configure-admin-consent-workflow.md)

+- [Review admin consent request](review-admin-consent-requests.md)

+- [Manage consent requests](manage-consent-requests.md)

+- You must be a global administrator to turn on the admin consent workflow.

+ - **Select users, groups, or roles that will be designated as reviewers for admin consent requests** - Reviewers can view, block, or deny admin consent requests, but only global administrators can approve admin consent requests. People designated as reviewers can view incoming requests in the **My Pending** tab after they have been set as reviewers. Any new reviewers won't be able to act on existing or expired admin consent requests.

+1. Select **Save**. It can take up to an hour for the workflow to become enabled.

+> You can add or remove reviewers for this workflow by modifying the **Select admin consent requests reviewers** list. A current limitation of this feature is that a reviewer can retain the ability to review requests that were made while they were designated as a reviewer.

+- An Azure AD user account with one of the following roles:

+ - Global Administrator or Privileged Role Administrator, for granting consnet for apps requesting any permission, for any API.

+ - Cloud Application Administrator or Application Administrator, for granting consnet for apps requesting any permission for any API, _except_ Azure AD Graph or Microsoft Graph app roles (application permissions).

+ - A custom directory role that includes the [permission to grant permissions to applications](../roles/custom-consent-permissions.md), for the permissions required by the application.

+# Review admin consent requests

+1. Select **All services** at the top of the left-hand navigation menu.

+1. In the filter search box, type and select **Azure Active Directory**.

+1. From the navigation menu, select **Enterprise applications**.

+1. Under **Activity**, select **Admin consent requests**.

+1. Select the application that is being requested.

+1. Review details about the request:

+

+1. Evaluate the request and take the appropriate action:

+ - **Approve the request**. To approve a request, grant admin consent to the application. Once a request is approved, all requestors are notified that they have been granted access. Approving a request allows all users in your tenant to access the application unless otherwise restricted with user assignment.

+ Title: "Tutorial: Manage federation certificates"

+description: In this tutorial, you'll learn how to customize the expiration date for your federation certificates, and how to renew certificates that will soon expire.

+#customer intent: As an admin of an application, I want to learn how to manage federated SAML certificates by customizing expiration dates and renewing certificates.

+# Tutorial: Manage certificates for federated single sign-on

+In this article, we cover common questions and information related to certificates that Azure Active Directory (Azure AD) creates to establish federated single sign-on (SSO) to your software as a service (SaaS) applications. Add applications from the Azure AD app gallery or by using a non-gallery application template. Configure the application by using the federated SSO option.

+This tutorial is relevant only to apps that are configured to use Azure AD SSO through [Security Assertion Markup Language](https://wikipedia.org/wiki/Security_Assertion_Markup_Language) (SAML) federation.

+## Auto-generated certificate for gallery and non-gallery applications

+When you add a new application from the gallery and configure a SAML-based sign-on (by selecting **Single sign-on** > **SAML** from the application overview page), Azure AD generates a certificate for the application that is valid for three years. To download the active certificate as a security certificate (**.cer**) file, return to that page (**SAML-based sign-on**) and select a download link in the **SAML Signing Certificate** heading. You can choose between the raw (binary) certificate or the Base64 (base 64-encoded text) certificate. For gallery applications, this section might also show a link to download the certificate as federation metadata XML (an **.xml** file), depending on the requirement of the application.

+You can also download an active or inactive certificate by selecting the **SAML Signing Certificate** heading's **Edit** icon (a pencil), which displays the **SAML Signing Certificate** page. Select the ellipsis (**...**) next to the certificate you want to download, and then choose which certificate format you want. You have the additional option to download the certificate in privacy-enhanced mail (PEM) format. This format is identical to Base64 but with a **.pem** file name extension, which isn't recognized in Windows as a certificate format.

+## Customize the expiration date for your federation certificate and roll it over to a new certificate

+By default, Azure configures a certificate to expire after three years when it's created automatically during SAML single sign-on configuration. Because you can't change the date of a certificate after you save it, you have to:

+1. Create a new certificate with the desired date.

+1. Save the new certificate.

+1. Download the new certificate in the correct format.

+1. Upload the new certificate to the application.

+1. Make the new certificate active in the Azure Active Directory portal.

+The following two sections help you perform these steps.

+### Create a new certificate

+First, create and save new certificate with a different expiration date:

+1. Sign in to the [Azure Active Directory portal](https://aad.portal.azure.com/). The **Azure Active Directory admin center** page appears.

+1. Select **Enterprise applications**.

+1. From the list of applications, select your desired application.

+1. Under the **Manage** section, select **Single sign-on**.

+1. If the **Select a single sign-on method** page appears, select **SAML**.

+1. In the **Set up Single Sign-On with SAML** page, find the **SAML Signing Certificate** heading and select the **Edit** icon (a pencil). The **SAML Signing Certificate** page appears, which displays the status (**Active** or **Inactive**), expiration date, and thumbprint (a hash string) of each certificate.

+1. Select **New Certificate**. A new row appears below the certificate list, where the expiration date defaults to exactly three years after the current date. (Your changes haven't been saved yet, so you can still modify the expiration date.)

+1. In the new certificate row, hover over the expiration date column and select the **Select Date** icon (a calendar). A calendar control appears, displaying the days of a month of the new row's current expiration date.

+1. Use the calendar control to set a new date. You can set any date between the current date and three years after the current date.

+1. Select **Save**. The new certificate now appears with a status of **Inactive**, the expiration date that you chose, and a thumbprint.

+ > [!NOTE]

+ > When you have an existing certificate that is already expired and you generate a new certificate, the new certificate will be considered for signing tokens, even though you haven't activated it yet.

+1. Select the **X** to return to the **Set up Single Sign-On with SAML** page.

+### Upload and activate a certificate

+Next, download the new certificate in the correct format, upload it to the application, and make it active in Azure Active Directory:

+1. View the application's additional SAML sign-on configuration instructions by either:

+ - Selecting the **configuration guide** link to view in a separate browser window or tab, or

+ - Going to the **set up** heading and selecting **View step-by-step instructions** to view in a sidebar.

+1. In the instructions, note the encoding format required for the certificate upload.

+1. Follow the instructions in the [Auto-generated certificate for gallery and non-gallery applications](#auto-generated-certificate-for-gallery-and-non-gallery-applications) section earlier. This step downloads the certificate in the encoding format required for upload by the application.

+1. When you want to roll over to the new certificate, go back to the **SAML Signing Certificate** page, and in the newly saved certificate row, select the ellipsis (**...**) and select **Make certificate active**. The status of the new certificate changes to **Active**, and the previously active certificate changes to a status of **Inactive**.

+1. Continue following the application's SAML sign-on configuration instructions that you displayed earlier, so that you can upload the SAML signing certificate in the correct encoding format.

+If your application doesn't have any validation for the certificate's expiration, and the certificate matches in both Azure Active Directory and your application, your app is still accessible despite having an expired certificate. Ensure your application can validate the certificate's expiration date.

+## Add email notification addresses for certificate expiration

+Azure AD will send an email notification 60, 30, and 7 days before the SAML certificate expires. You may add more than one email address to receive notifications. To specify the email address(es) you want the notifications to be sent to:

+1. In the **SAML Signing Certificate** page, go to the **notification email addresses** heading. By default, this heading uses only the email address of the admin who added the application.

+1. Below the final email address, type the email address that should receive the certificate's expiration notice, and then press Enter.

+1. Repeat the previous step for each email address you want to add.

+1. For each email address you want to delete, select the **Delete** icon (a garbage can) next to the email address.

+1. Select **Save**.

+You can add up to five email addresses to the Notification list (including the email address of the admin who added the application). If you need more people to be notified, use the distribution list emails.

+You'll receive the notification email from azure-noreply@microsoft.com. To avoid the email going to your spam location, add this email to your contacts.

+## Renew a certificate that will soon expire

+If a certificate is about to expire, you can renew it using a procedure that results in no significant downtime for your users. To renew an expiring certificate:

+1. Follow the instructions in the [Create a new certificate](#create-a-new-certificate) section earlier, using a date that overlaps with the existing certificate. That date limits the amount of downtime caused by the certificate expiration.

+1. If the application can automatically roll over a certificate, set the new certificate to active by following these steps:

+ 1. Go back to the **SAML Signing Certificate** page.

+ 1. In the newly saved certificate row, select the ellipsis (**...**) and then select **Make certificate active**.

+ 1. Skip the next two steps.

+1. If the app can only handle one certificate at a time, pick a downtime interval to perform the next step. (Otherwise, if the application doesnΓÇÖt automatically pick up the new certificate but can handle more than one signing certificate, you can perform the next step anytime.)

+1. Before the old certificate expires, follow the instructions in the [Upload and activate a certificate](#upload-and-activate-a-certificate) section earlier. If your application certificate isn't updated after a new certificate is updated in Azure Active Directory, authentication on your app may fail.

+1. Sign in to the application to make sure that the certificate works correctly.

+If your application doesn't validate the certificate expiration configured in Azure Active Directory, and the certificate matches in both Azure Active Directory and your application, your app is still accessible despite having an expired certificate. Ensure your application can validate certificate expiration.

+## Related articles

+- [Tutorials for integrating SaaS applications with Azure Active Directory](../saas-apps/tutorial-list.md)

+- [Application management with Azure Active Directory](what-is-application-management.md)

+- [Single sign-on to applications in Azure Active Directory](what-is-single-sign-on.md)

+- [Debug SAML-based single sign-on to applications in Azure Active Directory](./debug-saml-sso-issues.md)

+ Title: Azure Active Directory recommendation - Minimize MFA prompts from known devices in Azure AD | Microsoft Docs

+description: Learn why you should minimize MFA prompts from known devices in Azure AD.

+documentationcenter: ''

+editor: ''

+ms.assetid: 9b88958d-94a2-4f4b-a18c-616f0617a24e

+ na

+# Azure AD recommendation: Minimize MFA prompts from known devices

+[Azure AD recommendations](overview-recommendations.md) is a feature that provides you with personalized insights and actionable guidance to align your tenant with recommended best practices.

+This article covers the recommendation to convert minimize multi-factor authentication (MFA) prompts from known devices.

+## Description

+As an admin, you want to maintain security for my companyΓÇÖs resources, but you also want your employees to easily access resources as needed.

+MFA enables you to enhance the security posture of your tenant. While enabling MFA is a good practice, you should try to keep the number of MFA prompts your users have to go through at a minimum. One option you have to accomplish this goal is to **allow users to remember multi-factor authentication on devices they trust**.

+The remember multi-factor authentication feature sets a persistent cookie on the browser when a user selects the Don't ask again for X days option at sign-in. The user isn't prompted again for MFA from that browser until the cookie expires. If the user opens a different browser on the same device or clears the cookies, they're prompted again to verify.

+

+For more information, see [Configure Azure AD Multi-Factor Authentication settings](../authentication/howto-mfa-mfasettings.md).

+## Logic

+This recommendation shows up, if you have set the remember multi-factor authentication feature to less than 30 days.

+## Value

+This recommendation improves your user's productivity and minimizes the sign-in time with fewer MFA prompts. Ensure that your most sensitive resources can have the tightest controls, while your least sensitive resources can be more freely accessible.

+## Action plan

+1. Review [configure Azure AD Multi-Factor Authentication settings](../authentication/howto-mfa-mfasettings.md).

+2. Set the remember multi-factor authentication feature to 90 days.

+

+## Next steps

+- [What is Azure Active Directory recommendations](overview-recommendations.md)

+- [Azure AD reports overview](overview-reports.md)

+ Title: Azure Active Directory recommendation - Migrate apps from ADFS to Azure AD in Azure AD | Microsoft Docs

+description: Learn why you should migrate apps from ADFS to Azure AD in Azure AD

+documentationcenter: ''

+editor: ''

+ms.assetid: 9b88958d-94a2-4f4b-a18c-616f0617a24e

+ na

+# Azure AD recommendation: Migrate apps from ADFS to Azure AD

+[Azure AD recommendations](overview-recommendations.md) is a feature that provides you with personalized insights and actionable guidance to align your tenant with recommended best practices.

+This article covers the recommendation to migrate apps from ADFS to Azure AD.

+## Description

+As an admin responsible for managing applications, I want my applications to use Azure ADΓÇÖs security features and maximize their value.

+## Logic

+If a tenant has apps on AD FS, and any of these apps are deemed 100% migratable, this recommendation shows up.

+## Value

+Using Azure AD gives you granular per-application access controls to secure access to applications. With Azure AD's B2B collaboration, you can increase user productivity. Automated app provisioning automates the user identity lifecycle in cloud SaaS apps such as Dropbox, Salesforce and more.

+## Action plan

+1. [Install Azure AD Connect Health](../hybrid/how-to-connect-install-roadmap.md) on your AD FS server. Azure AD Connect Health installation.

+2. [Review the AD FS application activity report](../manage-apps/migrate-adfs-application-activity.md) to get insights about your AD FS applications.

+3. Read the solution guide for [migrating applications to Azure AD](../manage-apps/migrate-adfs-apps-to-azure.md).

+4. Migrate applications to Azure AD. For more information, use [the deployment plan for enabling single sign-on](https://go.microsoft.com/fwlink/?linkid=2110877&amp;clcid=0x409).

+

+

+## Next steps

+- [What is Azure Active Directory recommendations](overview-recommendations.md)

+- [Azure AD reports overview](overview-reports.md)

+ Title: Azure Active Directory recommendation - Turn off per user MFA in Azure AD | Microsoft Docs

+description: Learn why you should turn off per user MFA in Azure AD

+documentationcenter: ''

+editor: ''

+ms.assetid: 9b88958d-94a2-4f4b-a18c-616f0617a24e

+ na

+# Azure AD recommendation: Turn off per user MFA

+[Azure AD recommendations](overview-recommendations.md) is a feature that provides you with personalized insights and actionable guidance to align your tenant with recommended best practices.

+This article covers the recommendation to turn off per user MFA.

+## Description

+As an admin, you want to maintain security for my companyΓÇÖs resources, but you also want your employees to easily access resources as needed.

+Multi-factor authentication (MFA) enables you to enhance the security posture of your tenant. In your tenant, you can enable MFA on a per-user basis. In this scenario, your users perform MFA each time they sign in (with some exceptions, such as when they sign in from trusted IP addresses or when the remember MFA on trusted devices feature is turned on).

+While enabling MFA is a good practice, you can reduce the number of times your users are prompted for MFA by converting per-user MFA to MFA based on conditional access.

+## Logic

+This recommendation shows up, if:

+- You have per-user MFA configured for at least 5% of your users

+- Conditional access policies are active for more than 1% of your users (indicating familiarity with CA policies).

+## Value

+This recommendation improves your user's productivity and minimizes the sign-in time with fewer MFA prompts. Ensure that your most sensitive resources can have the tightest controls, while your least sensitive resources can be more freely accessible.

+## Action plan

+1. To get started, confirm that there's an existing conditional access policy with an MFA requirement. Ensure that you're covering all resources and users you would like to secure with MFA. Review your [conditional access policies](https://portal.azure.com/?Microsoft_AAD_IAM_enableAadvisorFeaturePreview=true&amp%3BMicrosoft_AAD_IAM_enableAadvisorFeature=true#blade/Microsoft_AAD_IAM/PoliciesTemplateBlade).

+2. To require MFA using a conditional access policy, follow the steps in [Secure user sign-in events with Azure AD Multi-Factor Authentication](../authentication/tutorial-enable-azure-mfa.md).

+3. Ensure that the per-user MFA configuration is turned off.

+

+## Next steps

+- [Tutorials for integrating SaaS applications with Azure Active Directory](../saas-apps/tutorial-list.md)

+- [Azure AD reports overview](overview-reports.md)

+ Title: Configure F5 BIG-IP Easy Button for SSO to SAP ERP using Azure AD

+description: Learn to secure SAP ERP using Azure Active Directory, through F5ΓÇÖs BIG-IP Easy Button guided configuration.

+# Tutorial: Configure F5ΓÇÖs BIG-IP Easy Button for SSO to SAP ERP using Azure AD

+In this article, learn to secure SAP ERP using Azure Active Directory (Azure AD), through F5ΓÇÖs BIG-IP Easy Button guided configuration.

+Integrating a BIG-IP with Azure Active Directory (Azure AD) provides many benefits, including:

+* [Improved Zero Trust governance](https://www.microsoft.com/security/blog/2020/04/02/announcing-microsoft-zero-trust-assessment-tool/) through Azure AD pre-authentication and [Conditional Access](../conditional-access/overview.md)

+* Full SSO between Azure AD and BIG-IP published services

+* Manage identities and access from a single control plane, the [Azure portal](https://portal.azure.com/)

+To learn about all the benefits, see the article on [F5 BIG-IP and Azure AD integration](/azure/active-directory/manage-apps/f5-aad-integration) and [what is application access and single sign-on with Azure AD](/azure/active-directory/active-directory-appssoaccess-whatis).

+## Scenario description

+This scenario looks at the classic **SAP ERP application using Kerberos authentication** to manage access to protected content.

+Being legacy, the application lacks modern protocols to support a direct integration with Azure AD. The application can be modernized, but it is costly, requires careful planning, and introduces risk of potential downtime. Instead, an F5 BIG-IP Application Delivery Controller (ADC) is used to bridge the gap between the legacy application and the modern ID control plane, through protocol transitioning.

+Having a BIG-IP in front of the application enables us to overlay the service with Azure AD pre-authentication and headers-based SSO, significantly improving the overall security posture of the application.

+## Scenario architecture

+The SHA solution for this scenario is made up of the following:

+**SAP ERP application:** BIG-IP published service to be protected by and Azure AD SHA.

+**Azure AD:** Security Assertion Markup Language (SAML) Identity Provider (IdP) responsible for verification of user credentials, Conditional Access (CA), and SAML based SSO to the BIG-IP.

+**BIG-IP:** Reverse proxy and SAML service provider (SP) to the application, delegating authentication to the SAML IdP before performing header-based SSO to the SAP service.

+SHA for this scenario supports both SP and IdP initiated flows. The following image illustrates the SP initiated flow.

+

+| Steps| Description|

+| -- |-|

+| 1| User connects to application endpoint (BIG-IP) |

+| 2| BIG-IP APM access policy redirects user to Azure AD (SAML IdP) |

+| 3| Azure AD pre-authenticates user and applies any enforced Conditional Access policies |

+| 4| User is redirected to BIG-IP (SAML SP) and SSO is performed using issued SAML token |

+| 5| BIG-IP requests Kerberos ticket from KDC |

+| 6| BIG-IP sends request to backend application, along with Kerberos ticket for SSO |

+| 7| Application authorizes request and returns payload |

+## Prerequisites

+Prior BIG-IP experience isnΓÇÖt necessary, but you will need:

+* An Azure AD free subscription or above

+* An existing BIG-IP or [deploy a BIG-IP Virtual Edition (VE) in Azure](/azure/active-directory/manage-apps/f5-big-ip-kerberos-advanced/f5-bigip-deployment-guide)

+* Any of the following F5 BIG-IP license offers

+ * F5 BIG-IP® Best bundle

+ * F5 BIG-IP APM standalone license

+ * F5 BIG-IP APM add-on license on an existing BIG-IP F5 BIG-IP® Local Traffic Manager™ (LTM)

+ * 90-day BIG-IP full feature [trial license](https://www.f5.com/trial/big-ip-trial.php).

+* User identities [synchronized](../hybrid/how-to-connect-sync-whatis.md) from an on-premises directory to Azure AD, or created directly within Azure AD and flowed back to your on-premises directory

+* An account with Azure AD Application admin [permissions](/azure/active-directory/users-groups-roles/directory-assign-admin-roles#application-administrator)

+* An [SSL Web certificate](/azure/active-directory/manage-apps/f5-bigip-deployment-guide#ssl-profile) for publishing services over HTTPS, or use default BIG-IP certs while testing

+* An existing SAP ERP environment configured for Kerberos authentication

+## BIG-IP configuration methods

+There are many methods to configure BIG-IP for this scenario, including two template-based options and an advanced configuration. This tutorial covers the latest Guided Configuration 16.1 offering an Easy button template.

+With the Easy Button, admins no longer go back and forth between Azure AD and a BIG-IP to enable services for SHA. The deployment and policy management is handled directly between the APMΓÇÖs Guided Configuration wizard and Microsoft Graph. This rich integration between BIG-IP APM and Azure AD ensures that applications can quickly, easily support identity federation, SSO, and Azure AD Conditional Access, reducing administrative overhead.

+>[!NOTE]

+> All example strings or values referenced throughout this guide should be replaced with those for your actual environment.

+## Register Easy Button

+Before a client or service can access Microsoft Graph, it must be trusted by the [Microsoft identity platform.](../develop/quickstart-register-app.md)

+The Easy Button client must also be registered in Azure AD, before it is allowed to establish a trust between each SAML SP instance of a BIG-IP published application, and Azure AD as the SAML IdP.

+1. Sign-in to the [Azure AD portal](https://portal.azure.com/) using an account with Application Administrative rights

+2. From the left navigation pane, select the **Azure Active Directory** service

+3. Under Manage, select **App registrations > New registration**

+4. Enter a display name for your application. For example, *F5 BIG-IP Easy Button*

+5. Specify who can use the application > **Accounts in this organizational directory only**

+6. Select **Register** to complete the initial app registration

+7. Navigate to **API permissions** and authorize the following Microsoft Graph **Application permissions**:

+ * Application.Read.All

+ * Application.ReadWrite.All

+ * Application.ReadWrite.OwnedBy

+ * Directory.Read.All

+ * Group.Read.All

+ * IdentityRiskyUser.Read.All

+ * Policy.Read.All

+ * Policy.ReadWrite.ApplicationConfiguration

+ * Policy.ReadWrite.ConditionalAccess

+ * User.Read.All

+8. Grant admin consent for your organization

+9. In the **Certificates & Secrets** blade, generate a new **client secret** and note it down

+10. From the **Overview** blade, note the **Client ID** and **Tenant ID**

+## Configure Easy Button

+Initiate the APM's **Guided Configuration** to launch the **Easy Button** Template.

+1. From a browser, sign-in to the **F5 BIG-IP management console**

+2. Navigate to **Access > Guided Configuration > Microsoft Integration** and select **Azure AD Application**.

+ 

+3. Review the list of configuration steps and select **Next**

+ 

+4. Follow the sequence of steps required to publish your application.

+ 

+

+### Configuration Properties

+These are general and service account properties. The **Configuration Properties** tab creates a BIG-IP application config and SSO object. Consider the **Azure Service Account Details** section to represent the client you registered in your Azure AD tenant earlier, as an application. These settings allow a BIG-IP's OAuth client to individually register a SAML SP directly in your tenant, along with the SSO properties you would normally configure manually. Easy Button does this for every BIG-IP service being published and enabled for SHA.

+Some of these are global settings so can be re-used for publishing more applications, further reducing deployment time and effort.

+1. Provide a unique **Configuration Name** so admins can easily distinguish between Easy Button configurations

+2. Enable **Single Sign-On (SSO) & HTTP Headers**

+3. Enter the **Tenant Id, Client ID,** and **Client Secret** you noted when registering the Easy Button client in your tenant

+4. Confirm the BIG-IP can successfully connect to your tenant and select **Next**

+ 

+

+### Service Provider

+The Service Provider settings define the properties for the SAML SP instance of the application protected through SHA.

+1. Enter **Host**. This is the public FQDN of the application being secured

+2. Enter **Entity ID.** This is the identifier Azure AD will use to identify the SAML SP requesting a token

+ 

+ The optional **Security Settings** specify whether Azure AD should encrypt issued SAML assertions. Encrypting assertions between Azure AD and the BIG-IP APM provides additional assurance that the content tokens canΓÇÖt be intercepted, and personal or corporate data be compromised.

+3. From the **Assertion Decryption Private Key** list, select **Create New**

+

+ 

+4. Select **OK**. This opens the **Import SSL Certificate and Keys** dialog in a new tab

+5. Select **PKCS 12 (IIS)** to import your certificate and private key. Once provisioned close the browser tab to return to the main tab

+ 

+6. Check **Enable Encrypted Assertion**

+7. If you have enabled encryption, select your certificate from the **Assertion Decryption Private Key** list. This is the private key for the certificate that BIG-IP APM will use to decrypt Azure AD assertions

+8. If you have enabled encryption, select your certificate from the **Assertion Decryption Certificate** list. This is the certificate that BIG-IP will upload to Azure AD for encrypting the issued SAML assertions

+ 

+### Azure Active Directory

+This section defines all properties that you would normally use to manually configure a new BIG-IP SAML application within your Azure AD tenant.

+Easy Button provides a set of pre-defined application templates for Oracle PeopleSoft, Oracle E-business Suite, Oracle JD Edwards, SAP ERP as well as generic SHA template for any other apps. For this scenario, select **SAP ERP Central Component > Add** to start the Azure configurations.

+ 

+#### Azure Configuration

+1. Enter **Display Name** of app that the BIG-IP creates in your Azure AD tenant, and the icon that the users will see in [MyApps portal](https://myapplications.microsoft.com/)

+2. Leave the **Sign On URL (optional)** blank to enable IdP initiated sign-on

+ 

+3. Select the refresh icon next to the **Signing Key** and **Signing Certificate** to locate the certificate you imported earlier

+

+5. Enter the certificateΓÇÖs password in **Signing Key Passphrase**

+6. Enable **Signing Option** (optional). This ensures that BIG-IP only accepts tokens and claims that are signed by Azure AD

+ 

+7. **User and User Groups** are dynamically queried from your Azure AD tenant and used to authorize access to the application. Add a user or group that you can use later for testing, otherwise all access will be denied

+ 

+#### User Attributes & Claims

+When a user successfully authenticates to Azure AD, it issues a SAML token with a default set of claims and attributes uniquely identifying the user. The **User Attributes & Claims tab** shows the default claims to issue for the new application. It also lets you configure more claims.

+As our example AD infrastructure is based on a .com domain suffix used both, internally and externally, we donΓÇÖt require any additional attributes to achieve a functional KCD SSO implementation. See the [advanced tutorial](/azure/active-directory/manage-apps/f5-big-ip-kerberos-advanced/f5-big-ip-kerberos-advanced) for cases where you have multiple domains or userΓÇÖs log-in using an alternate suffix.

+ 

+

+You can include additional Azure AD attributes, if necessary, but for this scenario SAP ERP only requires the default attributes.

+#### Additional User Attributes

+The **Additional User Attributes** tab can support a variety of distributed systems requiring attributes stored in other directories, for session augmentation. Attributes fetched from an LDAP source can then be injected as additional SSO headers to further control access based on roles, Partner IDs, etc.

+ 

+>[!NOTE]

+>This feature has no correlation to Azure AD but is another source of attributes.

+#### Conditional Access Policy

+CA policies are enforced post Azure AD pre-authentication, to control access based on device, application, location, and risk signals.

+The **Available Policies** view, by default, will list all CA policies that do not include user based actions.

+The **Selected Policies** view, by default, displays all policies targeting All cloud apps. These policies cannot be deselected or moved to the Available Policies list as they are enforced at a tenant level.

+To select a policy to be applied to the application being published:

+1. Select the desired policy in the **Available Policies** list

+2. Select the right arrow and move it to the **Selected Policies** list

+Selected policies should either have an **Include** or **Exclude** option checked. If both options are checked, the selected policy is not enforced.

+

+>[!NOTE]

+>The policy list is enumerated only once when first switching to this tab. A refresh button is available to manually force the wizard to query your tenant, but this button is displayed only when the application has been deployed.

+### Virtual Server Properties

+A virtual server is a BIG-IP data plane object represented by a virtual IP address listening for client requests to the application. Any received traffic is processed and evaluated against the APM profile associated with the virtual server, before being directed according to the policy results and settings.

+1. Enter **Destination Address**. This is any available IPv4/IPv6 address that the BIG-IP can use to receive client traffic. A corresponding record should also exist in DNS, enabling clients to resolve the external URL of your BIG-IP published application to this IP, instead of the application itself. Using a test PC's localhost DNS is fine for testing

+2. Enter **Service Port** as *443* for HTTPS

+3. Check **Enable Redirect Port** and then enter **Redirect Port**. It redirects incoming HTTP client traffic to HTTPS

+4. The Client SSL Profile enables the virtual server for HTTPS, so that client connections are encrypted over TLS. Select the **Client SSL Profile** you created as part of the prerequisites or leave the default whilst testing

+ 

+### Pool Properties

+The **Application Pool tab** details the services behind a BIG-IP, represented as a pool containing one or more application servers.

+1. Choose from **Select a Pool.** Create a new pool or select an existing one

+2. Choose the **Load Balancing Method** as *Round Robin*

+3. For **Pool Servers** select an existing server node or specify an IP and port for the backend node hosting the header-based application

+ 

+#### Single Sign-On & HTTP Headers

+Enabling SSO allows users to access BIG-IP published services without having to enter credentials. The **Easy Button wizard** supports Kerberos, OAuth Bearer, and HTTP authorization headers for SSO. You will need the Kerberos delegation account created earlier to complete this step.

+Enable **Kerberos** and **Show Advanced Setting** to enter the following:

+* **Username Source:** Specifies the preferred username to cache for SSO. You can provide any session variable as the source of the user ID, but *session.saml.last.identity* tends to work best as it holds the Azure AD claim containing the logged in user ID

+* **User Realm Source:** Required if the user domain is different to the BIG-IPΓÇÖs kerberos realm. In that case, the APM session variable would contain the logged in user domain. For example,*session.saml.last.attr.name.domain*

+ 

+* **KDC:** IP of a Domain Controller (Or FQDN if DNS is configured & efficient)

+* **UPN Support:** Enable for the APM to use the UPN for kerberos ticketing

+* **SPN Pattern:** Use HTTP/%h to inform the APM to use the host header of the client request and build the SPN that it is requesting a kerberos token for.

+* **Send Authorization:** Disable for applications that prefer negotiating authentication instead of receiving the kerberos token in the first request. For example, *Tomcat.*

+ 

+

+### Session Management

+The BIG-IPs session management settings are used to define the conditions under which user sessions are terminated or allowed to continue, limits for users and IP addresses, and corresponding user info. Consult [F5 documentation]( https://support.f5.com/csp/article/K18390492) for details on these settings.

+What isnΓÇÖt covered however is Single Log-Out (SLO) functionality, which ensures all sessions between the IdP, the BIG-IP, and the user agent are terminated as users log off.

+ When the Easy Button deploys a SAML application to your Azure AD tenant, it also populates the Logout Url with the APMΓÇÖs SLO endpoint. That way IdP initiated sign-outs from the Microsoft [MyApps portal]( https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510) also terminate the session between the BIG-IP and a client.

+During deployment, the SAML federation metadata for the published application is imported from your tenant, providing the APM the SAML logout endpoint for Azure AD. This helps SP initiated sign-outs terminate the session between a client and Azure AD.

+## Summary

+This last step provides a breakdown of your configurations. Select **Deploy** to commit all settings and verify that the application now exists in your tenants list of Enterprise applications.

+## Next steps

+From a browser, **connect** to the applicationΓÇÖs external URL or select the **applicationΓÇÖs icon** in the [Microsoft MyApps portal](https://myapps.microsoft.com/). After authenticating to Azure AD, youΓÇÖll be redirected to the BIG-IP virtual server for the application and automatically signed in through SSO.

+For increased security, organizations using this pattern could also consider blocking all direct access to the application, thereby forcing a strict path through the BIG-IP.

+## Advanced deployment

+There may be cases where the Guided Configuration templates lack the flexibility to achieve more specific requirements. For those scenarios, see [Advanced Configuration for kerberos-based SSO](/azure/active-directory/manage-apps/f5-big-ip-kerberos-advanced).

+Alternatively, the BIG-IP gives you the option to disable **Guided ConfigurationΓÇÖs strict management mode**. This allows you to manually tweak your configurations, even though bulk of your configurations are automated through the wizard-based templates.

+You can navigate to **Access > Guided Configuration** and select the **small padlock icon** on the far right of the row for your applicationsΓÇÖ configs.

+

+ 

+At that point, changes via the wizard UI are no longer possible, but all BIG-IP objects associated with the published instance of the application will be unlocked for direct management.

+>[!NOTE]

+>Re-enabling strict mode and deploying a configuration will overwrite any settings performed outside of the Guided Configuration UI, therefore we recommend the advanced configuration method for production services.

+## Troubleshooting

+You can fail to access the SHA protected application due to any number of factors, including a misconfiguration.

+* Kerberos is time sensitive, so requires that servers and clients be set to the correct time and where possible synchronized to a reliable time source

+* Ensure the hostname for the domain controller and web application are resolvable in DNS

+* Ensure there are no duplicate SPNs in your AD environment by executing the following query at the command line on a domain PC: setspn -q HTTP/my_target_SPN

+You can refer to our [App Proxy guidance](../app-proxy/application-proxy-back-end-kerberos-constrained-delegation-how-to.md) to validate an IIS application is configured appropriately for KCD. F5ΓÇÖs article on [how the APM handles Kerberos SSO](https://techdocs.f5.com/bigip-15-1-0/big-ip-access-policy-manager-single-sign-on-concepts-configuration/kerberos-single-sign-on-method.html) is also a valuable resource.

+### Log analysis

+BIG-IP logging can help quickly isolate all sorts of issues with connectivity, SSO, policy violations, or misconfigured variable mappings. Start troubleshooting by increasing the log verbosity level.

+1. Navigate to **Access Policy > Overview > Event Logs > Settings**

+2. Select the row for your published application, then **Edit > Access System Logs**

+3. Select **Debug** from the SSO list, and then select **OK**

+Reproduce your issue, then inspect the logs, but remember to switch this back when finished as verbose mode generates lots of data.

+If you see a BIG-IP branded error immediately after successful Azure AD pre-authentication, itΓÇÖs possible the issue relates to SSO from Azure AD to the BIG-IP.

+1. Navigate to **Access > Overview > Access reports**

+2. Run the report for the last hour to see logs provide any clues. The **View session variables** link for your session will also help understand if the APM is receiving the expected claims from Azure AD.

+If you donΓÇÖt see a BIG-IP error page, then the issue is probably more related to the backend request or SSO from the BIG-IP to the application.

+1. Navigate to **Access Policy > Overview > Active Sessions**

+2. Select the link for your active session. The **View Variables** link in this location may also help determine root cause KCD issues, particularly if the BIG-IP APM fails to obtain the right user and domain identifiers from session variables

+See [BIG-IP APM variable assign examples]( https://devcentral.f5.com/s/articles/apm-variable-assign-examples-1107) and [F5 BIG-IP session variables reference]( https://techdocs.f5.com/bigip-15-0-0/big-ip-access-policy-manager-visual-policy-editor/session-variables.html) for more info.

+* Make sure you can edit the DNS records for your custom domain. To edit DNS records, you need access to the DNS registry for your domain provider, such as GoDaddy. For example, to add DNS entries for `contoso.com` and `www.contoso.com`, you must be able to configure the DNS settings for the `contoso.com` root domain. Your custom domains must be in a public DNS zone; private DNS zone is only supported on Internal Load Balancer (ILB) App Service Environment (ASE).

+> Private Endpoint is available for Windows and Linux Web App, containerized or not, hosted on these App Service Plans : **Basic**, **Standard**, **PremiumV2**, **PremiumV3**, **IsolatedV2**, **Functions Premium** (sometimes referred to as the Elastic Premium plan).

+**Run your application**

+Once you've added a code sample to your application, choose the green **Start** button next to formRecognizer_quickstart to build and run your program, or press **F5**.

+ :::image type="content" source="../media/quickstarts/run-visual-studio.png" alt-text="Screenshot: run your Visual Studio program.":::

+**Run your application**

+Once you've added a code sample to your application, choose the green **Start** button next to formRecognizer_quickstart to build and run your program, or press **F5**.

+ :::image type="content" source="../media/quickstarts/run-visual-studio.png" alt-text="Screenshot: run your Visual Studio program.":::

+**Run your application**

+Once you've added a code sample to your application, choose the green **Start** button next to formRecognizer_quickstart to build and run your program, or press **F5**.

+ :::image type="content" source="../media/quickstarts/run-visual-studio.png" alt-text="Screenshot: run your Visual Studio program.":::

+<!-- markdownlint-disable MD036 -->

+**Build and run the application**

+Once you've added a code sample to your application, navigate back to your main project directoryΓÇö**form-recognizer-app**.

+1. Build your application with the `build` command:

+ ```console

+ gradle build

+ ```

+1. Run your application with the `run` command:

+ ```console

+ gradle run

+ ```

+**Build and run the application**

+Once you've added a code sample to your application, navigate back to your main project directoryΓÇö**form-recognizer-app**.

+1. Build your application with the `build` command:

+ ```console

+ gradle build

+ ```

+1. Run your application with the `run` command:

+ ```console

+ gradle run

+ ```

+**Build and run the application**

+Once you've added a code sample to your application, navigate back to your main project directoryΓÇö**form-recognizer-app**.

+1. Build your application with the `build` command:

+ ```console

+ gradle build

+ ```

+1. Run your application with the `run` command:

+ ```console

+ gradle run

+ ```

+<!-- markdownlint-disable MD036 -->

+ const client = new DocumentAnalysisClient(endpoint, new AzureKeyCredential(key));

+**Run your application**

+Once you've added a code sample to your application, run your program:

+1. Navigate to the folder where you have your form recognizer application (form-recognizer-app).

+1. Type the following command in your terminal:

+ ```console

+ node index.js

+ ```

+ const client = new DocumentAnalysisClient(endpoint, new AzureKeyCredential(key));

+**Run your application**

+Once you've added a code sample to your application, run your program:

+1. Navigate to the folder where you have your form recognizer application (form-recognizer-app).

+1. Type the following command in your terminal:

+ ```console

+ node index.js

+ ```

+ // using the PrebuiltModels object, rather than the raw model ID, adds strong typing to the model's output

+ const client = new DocumentAnalysisClient(endpoint, new AzureKeyCredential(key));

+**Run your application**

+Once you've added a code sample to your application, run your program:

+1. Navigate to the folder where you have your form recognizer application (form-recognizer-app).

+1. Type the following command in your terminal:

+ ```console

+ node index.js

+ ```

+<!-- markdownlint-disable MD036 -->

+**Run the application**

+Once you've added a code sample to your application, build and run your program:

+1. Navigate to the folder where you have your **form_recognizer_quickstart.py** file.

+1. Type the following command in your terminal:

+ ```console

+ python form_recognizer_quickstart.py

+ ```

+**Run the application**

+Once you've added a code sample to your application, build and run your program:

+1. Navigate to the folder where you have your **form_recognizer_quickstart.py** file.

+1. Type the following command in your terminal:

+ ```console

+ python form_recognizer_quickstart.py

+ ```

+**Run the application**

+Once you've added a code sample to your application, build and run your program:

+1. Navigate to the folder where you have your **form_recognizer_quickstart.py** file.

+1. Type the following command in your terminal:

+ ```console

+ python form_recognizer_quickstart.py

+ ```

+> [!NOTE]

+> When you use the webhook with PowerShell 7 runbook, it auto-converts the webhook input parameter to an invalid JSON. For more information, see [Known issues - 7.1 (preview)](/azure/automation/automation-runbook-types#known-issues71-preview). We recommend that you use the webhook with PowerShell 5 runbook.

+1. Create PowerShell runbook with the following code:

+ ```powershell

+ param

+ (

+ [Parameter(Mandatory=$false)]

+ [object] $WebhookData

+ )

+ write-output "start"

+ write-output ("object type: {0}" -f $WebhookData.gettype())

+ write-output $WebhookData

+ #write-warning (Test-Json -Json $WebhookData)

+ $Payload = $WebhookData | ConvertFrom-Json

+ write-output "`n`n"

+ write-output $Payload.WebhookName

+ write-output $Payload.RequestBody

+ write-output $Payload.RequestHeader

+ write-output "end"

+ if ($Payload.RequestBody) {

+ $names = (ConvertFrom-Json -InputObject $Payload.RequestBody)

+ foreach ($x in $names)

+ {

+ $name = $x.Name

+ Write-Output "Hello $name"

+ }

+ }

+ else {

+ Write-Output "Hello World!"

+ }

+ ```

+1. Create a webhook using the Azure portal, or PowerShell or REST API. A webhook requires a published runbook. This walk through uses a modified version of the runbook created from [Create an Azure Automation runbook](./learn/powershell-runbook-managed-identity.md).

+ # [Azure portal](#tab/portal)

+ 1. Sign in to the [Azure portal](https://portal.azure.com/).

+ 1. In the Azure portal, navigate to your Automation account.

+ 1. Under **Process Automation**, select **Runbooks** to open the **Runbooks** page.

+ 1. Select your runbook from the list to open the Runbook **Overview** page.

+ 1. Select **Add webhook** to open the **Add Webhook** page.

+ :::image type="content" source="media/automation-webhooks/add-webhook-icon.png" alt-text="Runbook overview page with Add webhook highlighted.":::

+ 1. On the **Add Webhook** page, select **Create new webhook**.

+ :::image type="content" source="media/automation-webhooks/add-webhook-page-create.png" alt-text="Add webhook page with create highlighted.":::

+ 1. Enter in the **Name** for the webhook. The expiration date for the field **Expires** defaults to one year from the current date.

+ 1. Click the copy icon or press <kbd>Ctrl + C</kbd> copy the URL of the webhook. Then save the URL to a secure location.

+ :::image type="content" source="media/automation-webhooks/create-new-webhook.png" alt-text="Creaye webhook page with URL highlighted.":::

+ > [!IMPORTANT]

+ > Once you create the webhook, you cannot retrieve the URL again. Make sure you copy and record it as above.

+ 1. Select **OK** to return to the **Add Webhook** page.

+ 1. From the **Add Webhook** page, select **Configure parameters and run settings** to open the **Parameters** page.

+ :::image type="content" source="media/automation-webhooks/add-webhook-page-parameters.png" alt-text="Add webhook page with parameters highlighted.":::

+ 1. Review the **Parameters** page. For the example runbook used in this article, no changes are needed. Select **OK** to return to the **Add Webhook** page.

+ 1. From the **Add Webhook** page, select **Create**. The webhook is created and you're returned to the Runbook **Overview** page.

+ # [PowerShell](#tab/powershell)

+ 1. Verify you have the latest version of the PowerShell [Az Module](/powershell/azure/new-azureps-module-az) installed.

+ 1. Sign in to Azure interactively using the [Connect-AzAccount](/powershell/module/Az.Accounts/Connect-AzAccount) cmdlet and follow the instructions.

+ ```powershell

+ # Sign in to your Azure subscription

+ $sub = Get-AzSubscription -ErrorAction SilentlyContinue

+ if(-not($sub))

+ {

+ Connect-AzAccount

+ ```

+ 1. Use the [New-AzAutomationWebhook](/powershell/module/az.automation/new-azautomationwebhook) cmdlet to create a webhook for an Automation runbook. Provide an appropriate value for the variables and then execute the script.

+ ```powershell

+ # Initialize variables with your relevant values

+ $resourceGroup = "resourceGroupName"

+ $automationAccount = "automationAccountName"

+ $runbook = "runbookName"

+ $psWebhook = "webhookName"

+

+ # Create webhook

+ $newWebhook = New-AzAutomationWebhook `

+ -ResourceGroup $resourceGroup `

+ -AutomationAccountName $automationAccount `

+ -Name $psWebhook `

+ -RunbookName $runbook `

+ -IsEnabled $True `

+ -ExpiryTime "12/31/2022" `

+ -Force

+

+ # Store URL in variable; reveal variable

+ $uri = $newWebhook.WebhookURI

+ $uri

+ ```

+ The output will be a URL that looks similar to: `https://ad7f1818-7ea9-4567-b43a.webhook.wus.azure-automation.net/webhooks?token=uTi69VZ4RCa42zfKHCeHmJa2W9fd`

+ 1. You can also verify the webhook with the PowerShell cmdlet [Get-AzAutomationWebhook](/powershell/module/az.automation/get-azautomationwebhook).

+ ```powershell

+ Get-AzAutomationWebhook `

+ -ResourceGroup $resourceGroup `

+ -AutomationAccountName $automationAccount `

+ -Name $psWebhook

+ ```

+ # [REST API](#tab/rest)

+ The PUT command is documented at [Webhook - Create Or Update](/rest/api/automation/webhook/create-or-update). This example uses the PowerShell cmdlet [Invoke-RestMethod](/powershell/module/microsoft.powershell.utility/invoke-restmethod) to send the PUT request.

+ 1. Create a file called `webhook.json` and then paste the following code:

+ ```json

+ {

+ "name": "RestWebhook",

+ "properties": {

+ "isEnabled": true,

+ "expiryTime": "2022-03-29T22:18:13.7002872Z",

+ "runbook": {

+ "name": "runbookName"

+ }

+ }

+ }

+ ```

+ Before running, modify the value for the **runbook:name** property with the actual name of your runbook. Review [Webhook properties](#webhook-properties) for more information about these properties.

+ 1. Verify you have the latest version of the PowerShell [Az Module](/powershell/azure/new-azureps-module-az) installed.

+ 1. Sign in to Azure interactively using the [Connect-AzAccount](/powershell/module/Az.Accounts/Connect-AzAccount) cmdlet and follow the instructions.

+ ```powershell

+ # Sign in to your Azure subscription

+ $sub = Get-AzSubscription -ErrorAction SilentlyContinue

+ if(-not($sub))

+ {

+ Connect-AzAccount

+ }

+ ```

+ 1. Provide an appropriate value for the variables and then execute the script.

+ ```powershell

+ # Initialize variables

+ $subscription = "subscriptionID"

+ $resourceGroup = "resourceGroup"

+ $automationAccount = "automationAccount"

+ $runbook = "runbookName"

+ $restWebhook = "webhookName"

+ $file = "path\webhook.json"

+ # consume file

+ $body = Get-Content $file

+

+ # Craft Uri

+ $restURI = "https://management.azure.com/subscriptions/$subscription/resourceGroups/$resourceGroup/providers/Microsoft.Automation/automationAccounts/$automationAccount/webhooks/$restWebhook`?api-version=2015-10-31"

+ ```

+ 1. Run the following script to obtain an access token. If your access token expired, you need to rerun the script.

+ ```powershell

+ # Obtain access token

+ $azContext = Get-AzContext

+ $azProfile = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile

+ $profileClient = New-Object -TypeName Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient -ArgumentList ($azProfile)

+ $token = $profileClient.AcquireAccessToken($azContext.Subscription.TenantId)

+ $authHeader = @{

+ 'Content-Type'='application/json'

+ 'Authorization'='Bearer ' + $token.AccessToken

+ }

+ ```

+ 1. Run the following script to create the webhook using the REST API.

+ ```powershell

+ # Invoke the REST API

+ # Store URL in variable; reveal variable

+ $response = Invoke-RestMethod -Uri $restURI -Method Put -Headers $authHeader -Body $body

+ $webhookURI = $response.properties.uri

+ $webhookURI

+ ```

+ The output is a URL that looks similar to: `https://ad7f1818-7ea9-4567-b43a.webhook.wus.azure-automation.net/webhooks?token=uTi69VZ4RCa42zfKHCeHmJa2W9fd`

+ 1. You can also use [Webhook - Get](/rest/api/automation/webhook/get) to retrieve the webhook identified by its name. You can run the following PowerShell commands:

+ ```powershell

+ $response = Invoke-RestMethod -Uri $restURI -Method GET -Headers $authHeader

+ $response | ConvertTo-Json

+ ```

+ When you trigger a runbook created in the previous step, it will create a job and the output should look similar to the following:

+## Scenario: Unable to create an Automation account when GUID is used as account name

+### Issue

+When you create an Automation account with a GUID as an account name, you encounter an error.

+### Cause

+An *accountid* is a unique identifier across all Automation accounts in a region and when the account name is a GUID, we keep both Automation *accountid* and *name* as GUID. In this scenario, when you create a new Automation account and specify a GUID (as an account name) and, if it conflicts with any existing Automation *accountid*, you encounter an error.

+For example, when you try to create an Automation account with the name *8a2f48c1-9e99-472c-be1b-dcc11429c9ff* and if there is already an existing Automation *accountid* across all Automation accounts in that region, then the account creation will fail and you will see the following error:

+ ```error

+ {

+ "code": "BadRequest",

+ "message": Automation account already exists with this account id. AccountId: 8a2f48c1-9e99-472c-be1b-dcc11429c9ff.

+ }

+```

+ ### Resolution

+Ensure that you create an Automation account with a new name.

+Azure provides the most extensive global footprint of any cloud provider and is rapidly opening new regions and availability zones. The following regions currently support availability zones.

+| US Gov Virginia | Sweden Central | | China North 3 |

+| West US 2 | Switzerland North* | | |

+\* To learn more about Availability Zones and available services support in these regions, contact your Microsoft sales or customer representative. For the upcoming regions that will support Availability Zones, see [Azure geographies](https://azure.microsoft.com/global-infrastructure/geographies/).

+\* To learn more about Availability Zones and available services support in these regions, contact your Microsoft sales or customer representative. For the upcoming regions that will support Availability Zones, see [Azure geographies](https://azure.microsoft.com/global-infrastructure/geographies/).

+> This article covers data sources for the legacy [Log Analytics agent](./log-analytics-agent.md) which is one of the agents used by Azure Monitor. This agent **will be deprecated by August, 2024**. Please plan to [migrate to Azure Monitor agent](./azure-monitor-agent-migration.md) before that. Other agents collect different data and are configured differently. See [Overview of Azure Monitor agents](agents-overview.md) for a list of the available agents and the data they can collect.

+* Configure [alerts](../alerts/alerts-overview.md) to proactively notify you of critical data collected from data sources and monitoring solutions.

+The [Azure Monitor agent (AMA)](azure-monitor-agent-overview.md) collects monitoring data from the guest operating system of Azure and hybrid virtual machines and delivers it to Azure Monitor where it can be used by different features, insights, and other services such as [Microsoft Sentinel](../../sentintel/../sentinel/overview.md) and [Microsoft Defender for Cloud](../../defender-for-cloud/defender-for-cloud-introduction.md). All of the data collection configuration is handled via [Data Collection Rules](../essentials/data-collection-rule-overview.md). The Azure Monitor agent is meant to replace the Log Analytics agent (also known as MMA and OMS) for both Windows and Linux machines. This article provides high-level guidance on when and how to migrate to the new Azure Monitor agent (AMA) and the data collection rules (DCR) that define the data the agent should collect.

+## Why should I migrate to the Azure Monitor agent?

+- **Security and performance**

+ - AMA uses Managed Identity or AAD tokens (for clients) which are much more secure than the legacy authentication methods.

+ - AMA can provide higher events per second (EPS) upload rate compared to legacy agents

+- **Cost savings** via efficient data collection [using Data Collection Rules](data-collection-rule-azure-monitor-agent.md). This is one of the most useful advantages of using AMA.

+ - DCRs allow granular targeting of machines connected to a workspace to collect data from as compared to the ΓÇ£all or nothingΓÇ¥ mode that legacy agents have.

+ - Using DCRs, you can filter out data to remove unused events and save additional costs.

+- **Simpler management** of data collection, including ease of troubleshooting

+ - **Multihoming** on both Windows and Linux is possible easily

+ - Every action across the data collection lifecycle, from onboarding/setup to deployment to updates and changes over time, is significantly easier and scalable thanks to agent configuration becoming centralized and ΓÇÿin the cloudΓÇÖ as compared to configuring things on every machine.

+ - Enabling/disabling of additional capabilities or services (Sentinel, Defender for Cloud, VM Insights, etc) is more transparent and controlled, using the extensibility architecture of AMA.

+- **A single agent** that will consolidate all the features necessary to address all telemetry data collection needs across servers and client devices (running Windows 10, 11) as compared to running various different monitoring agents. This is the eventual goal, though AMA is currently converging with the Log Analytics agents.

+## When should I migrate to the Azure Monitor agent?

+Your migration plan to the Azure Monitor agent should include the following considerations:

+|Consideration |Description |

+|||

+|**Environment requirements** | Verify that your environment is currently supported by the AMA. For more information, see [Supported operating systems](./agents-overview.md#supported-operating-systems). |

+|**Current and new feature requirements** | While the AMA provides [several new features](#current-capabilities), such as filtering, scoping, and multihoming, it is not yet at parity with the legacy Log Analytics agent.As you plan your migration, make sure that the features your organization requires are already supported by the AMA. You may decide to continue using the Log Analytics agent for now, and migrate at a later date. See [Supported services and features](./azure-monitor-agent-overview.md#supported-services-and-features) for a current status of features that are supported and that may be in preview. |

+- [Frequently asked questions for AMA migration](/azure/azure-monitor/faq#azure-monitor-agent)

+The Azure Monitor agent can coexist (run side by side on the same machine) with the legacy Log Analytics agents so that you can continue to use their existing functionality during evaluation or migration. While this allows you to begin transition given the limitations, you must review the below points carefully:

+- Running two telemetry agents on the same machine would result in double the resource consumption, including but not limited to CPU, memory, storage space and network bandwidth.

+> [!NOTE]

+> When using both agents during evaluation or migration, you can use the **'Category'** column of the [Heartbeat](/azure/azure-monitor/reference/tables/Heartbeat) table in your Log Analytics workspace, and filter for 'Azure Monitor Agent'.

+<sup>2</sup> Azure Monitor Linux Agent v1.15.2 or higher supports syslog RFC formats including **Cisco Meraki, Cisco ASA, Cisco FTD, Sophos XG, Juniper Networks, Corelight Zeek, CipherTrust, NXLog, McAfee and CEF (Common Event Format)**.

+| [Microsoft Sentinel](../../sentinel/overview.md) | <ul><li>Windows DNS logs: Private preview</li><li>Linux Syslog CEF (Common Event Format): Private preview</li><li>Windows Forwarding Event (WEF): [Public preview](../../sentinel/data-connectors-reference.md#windows-forwarded-events-preview)</li><li>Windows Security Events: [Generally available](../../sentinel/connect-windows-security-events.md?tabs=AMA)</li></ul> | <ul><li>[Sign-up link](https://aka.ms/AMAgent)</li><li>[Sign-up link](https://aka.ms/AMAgent)</li><li>No sign-up needed </li><li>No sign-up needed</li></ul> |

+Set-AzVMExtension -ExtensionName AzureMonitorWindowsAgent -ExtensionType AzureMonitorWindowsAgent -Publisher Microsoft.Azure.Monitor -ResourceGroupName <resource-group-name> -VMName <virtual-machine-name> -Location <location> -TypeHandlerVersion 1.0 -SettingString $settingsString -ProtectedSettingString $protectedSettingsString

+$settingsString = '{"proxy":{"mode":"application","address":"http://[address]:[port]","auth": true}}';

+$protectedSettingsString = '{"proxy":{"username":"[username]","password": "[password]"}}';

+Set-AzVMExtension -ExtensionName AzureMonitorLinuxAgent -ExtensionType AzureMonitorLinuxAgent -Publisher Microsoft.Azure.Monitor -ResourceGroupName <resource-group-name> -VMName <virtual-machine-name> -Location <location> -TypeHandlerVersion 1.5 -SettingString $settingsString -ProtectedSettingString $protectedSettingsString

+New-AzConnectedMachineExtension -Name AzureMonitorWindowsAgent -ExtensionType AzureMonitorWindowsAgent -Publisher Microsoft.Azure.Monitor -ResourceGroupName <resource-group-name> -MachineName <arc-server-name> -Location <arc-server-location> -Setting $settingsString -ProtectedSetting $protectedSettingsString

+New-AzConnectedMachineExtension -Name AzureMonitorLinuxAgent -ExtensionType AzureMonitorLinuxAgent -Publisher Microsoft.Azure.Monitor -ResourceGroupName <resource-group-name> -MachineName <arc-server-name> -Location <arc-server-location> -Setting $settingsString -ProtectedSetting $protectedSettingsString

+Application Map helps you spot performance bottlenecks or failure hotspots across all components of your distributed application. Each node on the map represents an application component or its dependencies; and has health KPI and alerts status. You can select any component to get more detailed diagnostics, such as Application Insights events. If your app uses Azure services, you can also select Azure diagnostics, such as SQL Database Advisor recommendations.

+* Components are different from "observed" external dependencies such as SQL, Event Hubs etc. which your team/organization may not have access to (code or telemetry).

+* Components can be separate Application Insights resources (even if subscriptions are different) or different roles reporting to a single Application Insights resource. The preview map experience shows the components regardless of how they're set up.

+This experience starts with progressive discovery of the components. When you first load the application map, a set of queries is triggered to discover the components related to this component. A button at the top-left corner will update with the number of components in your application as they're discovered.

+If all of the components are roles within a single Application Insights resource, then this discovery step isn't required. The initial load for such an application will have all its components.

+Select any component to see related insights and go to the performance and failure triage experience for that component.

+Select **go to details** to explore the end-to-end transaction experience, which can offer views to the call stack level.

+To query and investigate your applications data further, select **view in Logs (Analytics)**.

+In ApplicationInsights.config:

+If you're using the SDK, starting with Application Insights Java SDK 2.5.0, you can specify the cloud role name

+by adding `<RoleName>` to your `ApplicationInsights.xml` file, for example.

+Alternatively, **cloud role instance** can be helpful for scenarios where **cloud role name** tells you the problem is somewhere in your web front-end, but you might be running your web front-end across multiple load-balanced servers so being able to drill in a layer deeper via Kusto queries and knowing if the issue is impacting all web front-end servers/instances or just one can be important.

+Application Map constructs an application node for each unique cloud role name present in your request telemetry and a dependency node for each unique combination of type, target, and cloud role name in your dependency telemetry. If there are more than 10,000 nodes in your telemetry, Application Map won't be able to fetch all the nodes and links, so your map will be incomplete. If this happens, a warning message will appear when viewing the map.

+* Dependency target should represent the logical name of a dependency. In many cases, it's equivalent to the server or resource name of the dependency. For example, in the case of HTTP dependencies it's set to the hostname. It shouldn't contain unique IDs or parameters that change from one request to another.

+* Dependency type should represent the logical type of a dependency. For example, HTTP, SQL or Azure Blob are typical dependency types. It shouldn't contain unique IDs.

+The unified diagnostics experience automatically correlates server-side telemetry from across all your Application Insights monitored components into a single view. It doesn't matter if you have multiple resources. Application Insights detects the underlying relationship and allows you to easily diagnose the application component, dependency, or exception that caused a transaction slowdown or failure.

+* Components are different from "observed" external dependencies such as SQL, Event Hubs etc. which your team/organization may not have access to (code or telemetry).

+This chart provides a timeline with horizontal bars during requests and dependencies across components. Any exceptions that are collected are also marked on the timeline.

+## All telemetry with this Operation ID

+This collapsible pane shows the detail of any selected item from the transaction chart, or the list. "Show all" lists all of the standard attributes that are collected. Any custom attributes are separately listed below the standard set. Select the "..." below the stack trace window to get an option to copy the trace. "Open profiler traces" or "Open debug snapshot" shows code level diagnostics in corresponding detail panes.

+This collapsible pane shows the other results that meet the filter criteria. Select any result to update the respective details the three sections listed above. We try to find samples that are most likely to have the details available from all components even if sampling is in effect in any of them. These are shown as "suggested" samples.

+[Application Insights profiler](./profiler.md) or [snapshot debugger](snapshot-debugger.md) help with code-level diagnostics of performance and failure issues. With this experience, you can see profiler traces or snapshots from any component with a single selection.

+If you couldn't get Profiler working, contact **serviceprofilerhelp\@microsoft.com**

+If you couldn't get Snapshot Debugger working, contact **snapshothelp\@microsoft.com**

+At this time, we're showing the outbound dependency call separate from the inbound request. Typically, the two calls look identical with only the duration value being different due to the network round trip. The leading icon and distinct styling of the duration bars help differentiate between them. Is this presentation of the data confusing? Give us your feedback!

+The transaction diagnostics experience shows all telemetry in a [single operation](correlation.md#data-model-for-telemetry-correlation) that share an [Operation ID](data-model-context.md#operation-id). By default, the Application Insights SDK for JavaScript creates a new operation for each unique page view. In a Single Page Application (SPA), only one page view event will be generated and a single Operation ID will be used for all telemetry generated, this can result in many events being correlated to the same operation. In these scenarios, you can use Automatic Route Tracking to automatically create new operations for navigation in your single page app. You must turn on [enableAutoRouteTracking](javascript.md#single-page-applications) so a page view is generated every time the URL route is updated (logical page view occurs). If you want to manually refresh the Operation ID, you can do so by calling `appInsights.properties.context.telemetryTrace.traceID = Microsoft.ApplicationInsights.Telemetry.Util.generateW3CId()`. Manually triggering a PageView event will also reset the Operation ID.

+Time not explained in the gantt chart, is time that isn't covered by a tracked dependency.

+This can be due to either external calls that weren't instrumented (automatically or manually), or that the time taken was in process rather than because of an external call.

+The right-hand side of [let](/azure/data-explorer/kusto/query/letstatement) can be a scalar expression, a tabular expression or a user-defined function. Only user-defined functions with scalar arguments are supported.

+* West US 2

+- **br** is the scheme name for a Bicep registry.

+ Title: Move Azure App Service resources across resource groups or subscriptions

+# Move App Service resources to a new resource group or subscription

+This article describes the steps to move App Service resources between resource groups or Azure subscriptions. There are specific requirements for moving App Service resources to a new subscription.

+If you want to move App Services to a new region, see [Move an App Service resource to another region](../../../app-service/manage-move-across-regions.md).

+When you move a Web App across subscriptions, the following guidance applies:

+# Move networking resources to new resource group or subscription

+This article describes how to move virtual networks and other networking resources to a new resource group or Azure subscription.

+If you want to move networking resources to a new region, see [Tutorial: Move Azure VMs across regions](../../../resource-mover/tutorial-move-region-virtual-machines.md).

+# Move virtual machines to resource group or subscription

+This article describes how to move a virtual machine to a new resource group or Azure subscription.

+If you want to move a virtual machine to a new region, see [Tutorial: Move Azure VMs across regions](../../../resource-mover/tutorial-move-region-virtual-machines.md).

+Local SSD storage is also used by databases in service tiers other than Premium and Business Critical for the tempdb database and Hyperscale RBPEX cache. As databases are created, deleted, and increase or decrease in size, total local storage consumption on a machine fluctuates over time. If the system detects that available local storage on a machine is low, and a database or an elastic pool is at risk of running out of space, it will move the database or elastic pool to a different machine with sufficient local storage available.

+Because all data is copied to local storage volumes on different machines, moving larger databases in Premium and Business Critical service tiers may require a substantial amount of time. During that time, if local space consumption by a database or an elastic pool, or by the `tempdb` database grows rapidly, the risk of running out of space increases. The system initiates database movement in a balanced fashion to minimize out-of-space errors while avoiding unnecessary failovers.

+ :::image type="content" source="./media/single-database-create-quickstart/select-deployment.png" alt-text="Add to Azure SQL" lightbox="media/single-database-create-quickstart/select-deployment.png":::

+ - **Location**: Select a location from the dropdown list.

+ - **Authentication method**: Select **Use SQL authentication**.

+

+1. This quickstart uses a serverless database, so leave **Service tier** set to **General Purpose (Scalable compute and storage options)** and set **Compute tier** to **Serverless**. Select **Apply**.

+ :::image type="content" source="./media/single-database-create-quickstart/configure-database.png" alt-text="configure serverless database" lightbox="media/single-database-create-quickstart/configure-database.png":::

+ :::image type="content" source="./media/single-database-create-quickstart/new-sql-database-basics.png" alt-text="New SQL database - Basic tab":::

+1. Select **Next: Security** at the bottom of the page.

+ :::image type="content" source="./media/single-database-create-quickstart/networking.png" alt-text="Networking tab":::

+1. On the **Security tab**, you have the option to enable [Microsoft Defender for SQL](../database/azure-defender-for-sql.md). Select **Next: Additional settings** at the bottom of the page.

+ :::image type="content" source="./media/single-database-create-quickstart/additional-settings.png" alt-text="Additional settings tab":::

+ :::image type="content" source="./media/single-database-create-quickstart/query-editor-login.png" alt-text="Sign in to Query editor":::

+ :::image type="content" source="./media/single-database-create-quickstart/query-editor-results.png" alt-text="Query editor results" lightbox="media/single-database-create-quickstart/query-editor-results.png":::

+Azure VMware Solution provides you with private clouds that contain VMware vSphere clusters built from dedicated bare-metal Azure infrastructure. The minimum initial deployment is three hosts, but additional hosts can be added one at a time, up to a maximum of 16 hosts per cluster. All provisioned private clouds have VMware vCenter Server, VMware vSAN, VMware vSphere, and VMware NSX-T Data Center. As a result, you can migrate workloads from your on-premises environments, deploy new virtual machines (VMs), and consume Azure services from your private clouds. In addition, Azure VMware Solution management tools (vCenter Server and NSX Manager) are available at least 99.9% of the time. For more information, see [Azure VMware Solution SLA](https://azure.microsoft.com/support/legal/sla/azure-vmware/v1_1/).

+Azure VMware Solution is a VMware validated solution with ongoing validation and testing of enhancements and upgrades. Microsoft manages and maintains the private cloud infrastructure and software. It allows you to focus on developing and running workloads in your private clouds to deliver business value.

+ 1. Generate the catalog file for restore. Extract the **BackupId** from the JSON metadata file for the full backup, which will be used later in the restore operation. Make sure that the full and log backups (not present for Full Backup Recovery) are in different folders and delete the JSON metadata files in these folders.

+ * `<DataFileDir>` - the folder that contains the full backups.

+ * `<LogFilesDir>` - the folder that contains the log backups, differential and incremental backups. For Full BackUp Restore, Log folder isn't created. Add an empty directory in that case.

+ * `<PathToPlaceCatalogFile>` - the folder where the catalog file generated must be placed.

+ * To open hdsql prompt, run the following command:

+ ```bash

+ hdbsql -U AZUREWLBACKUPHANAUSER -d systemDB

+ ```

+ * To restore to a point-in-time:

+ If you're creating a new restored database, run the HDBSQL command to create a new database `<DatabaseName>` and then stop the database for restore using the command `ALTER SYSTEM STOP DATABASE <db> IMMEDIATE`. However, if you're only restoring an existing database, run the HDBSQL command to stop the database.

+ RECOVER DATABASE FOR <db> UNTIL TIMESTAMP <t1> USING CATALOG PATH <path> USING LOG PATH <path> USING DATA PATH <path> USING BACKUP_ID <bkId> CHECK ACCESS USING FILE

+ If you're creating a new restored database, run the HDBSQL command to create a new database `<DatabaseName>` and then stop the database for restore using the command `ALTER SYSTEM STOP DATABASE <db> IMMEDIATE`. However, if you're only restoring an existing database, run the HDBSQL command to stop the database:

+ * To restore using backup ID:

+ ```hdbsql

+ RECOVER DATA FOR <db> USING BACKUP_ID <bkId> USING CATALOG PATH <path> USING LOG PATH <path> USING DATA PATH <path> CHECK ACCESS USING FILE

+ ```

+

+ Examples:

+ SAP HANA SYSTEM restoration on same server

+ ```hdbsql

+ RECOVER DATABASE FOR SYSTEM UNTIL TIMESTAMP '2022-01-12T08:51:54.023' USING CATALOG PATH ('/restore/catalo_gen') USING LOG PATH ('/restore/Log/') USING DATA PATH ('/restore/Data_2022-01-12_08-51-54/') USING BACKUP_ID 1641977514020 CHECK ACCESS USING FILE

+ ```

+ SAP HANA tenant restoration on same server

+ ```hdbsql

+ RECOVER DATABASE FOR DHI UNTIL TIMESTAMP '2022-01-12T08:51:54.023' USING CATALOG PATH ('/restore/catalo_gen') USING LOG PATH ('/restore/Log/') USING DATA PATH ('/restore/Data_2022-01-12_08-51-54/') USING BACKUP_ID 1641977514020 CHECK ACCESS USING FILE

+ ```

+ SAP HANA SYSTEM restoration on different server

+ ```hdbsql

+ RECOVER DATABASE FOR SYSTEM UNTIL TIMESTAMP '2022-01-12T08:51:54.023' USING SOURCE <sourceSID> USING CATALOG PATH ('/restore/catalo_gen') USING LOG PATH ('/restore/Log/') USING DATA PATH ('/restore/Data_2022-01-12_08-51-54/') USING BACKUP_ID 1641977514020 CHECK ACCESS USING FILE

+ ```

+ SAP HANA tenant restoration on different server

+ ```hdbsql

+ RECOVER DATABASE FOR DHI UNTIL TIMESTAMP '2022-01-12T08:51:54.023' USING SOURCE <sourceSID> USING CATALOG PATH ('/restore/catalo_gen') USING LOG PATH ('/restore/Log/') USING DATA PATH ('/restore/Data_2022-01-12_08-51-54/') USING BACKUP_ID 1641977514020 CHECK ACCESS USING FILE

+ ```

+ Title: 'Configure Bastion for Kerberos authentication: Azure portal'

+description: Learn how to configure Bastion to use Kerberos authentication via the Azure portal.

+# How to configure Bastion for Kerberos authentication using the Azure portal (Preview)

+This article shows you how to configure Azure Bastion to use Kerberos authentication. Kerberos authentication can be used with both the Basic and the Standard Bastion SKUs. For more information about Kerberos authentication, see the [Kerberos authentication overview](/windows-server/security/kerberos/kerberos-authentication-overview). For more information about Azure Bastion, see [What is Azure Bastion?](bastion-overview.md)

+> [!NOTE]

+> During Preview, the Kerberos setting for Azure Bastion can be configured in the Azure portal only.

+>

+## <a name="prereq"></a>Prerequisites

+* An Azure account with an active subscription. If you don't have one, [create one for free](https://azure.microsoft.com/free/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio). To be able to connect to a VM through your browser using Bastion, you must be able to sign in to the Azure portal.

+* An Azure virtual network. For steps to create a VNet, see [Quickstart: Create a virtual network](../virtual-network/quick-create-portal.md).

+## <a name="vnet"></a>Update VNet DNS servers

+In this section, the following steps help you update your virtual network to specify custom DNS settings.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Go to the virtual network for which you want to deploy the Bastion resources.

+1. Go to the **DNS servers** page for your VNet and select **Custom**. Add the IP address of your Azure-hosted domain controller and **Save**.

+ :::image type="content" source="./media/kerberos-authentication-portal/dns-servers.png" alt-text="Screenshot of DNS servers page." lightbox="./media/kerberos-authentication-portal/dns-servers.png":::

+## <a name="deploy"></a>Deploy Bastion

+In this section, the following steps help you deploy Bastion to your virtual network.

+1. Deploy Bastion to your VNet using the steps in [Tutorial: Deploy Bastion using manual configuration settings](tutorial-create-host-portal.md). Configure the settings on the **Basics** tab. Then, select the **Advanced** tab.

+1. On the **Advanced** tab, select **Kerberos**. Then select the **Review + create** and **Create** to deploy Bastion to your virtual network.

+ :::image type="content" source="./media/kerberos-authentication-portal/select-kerberos.png" alt-text="Screenshot of Advanced tab." lightbox="./media/kerberos-authentication-portal/select-kerberos.png":::

+1. Once the deployment completes, you can use it to sign in to any reachable Windows VMs joined to the custom DNS you specified in the earlier steps.

+## <a name="modify"></a>To modify an existing Bastion deployment

+In this section, the following steps help you modify your virtual network and existing Bastion deployment for Kerberos authentication.

+1. [Update the DNS settings](#vnet) for your virtual network.

+1. Go to the portal page for your Bastion deployment and select **Configuration**.

+1. On the Configuration page, select **Kerberos authentication**, then select **Apply**.

+1. Bastion will update with the new configuration settings.

+## <a name="verify"></a>To verify Bastion is using Kerberos

+Once you have enabled Kerberos on your Bastion resource, you can verify that it's actually using Kerberos for authentication to the target domain-joined VM.

+1. Sign into the target VM (either via Bastion or not). Search for "Edit Group Policy" from the taskbar and open the **Local Group Policy Editor**.

+1. Select **Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options**.

+1. Find the policy **Networking security: Restrict NTLM: Incoming NTLM Traffic** and set it to **Deny all domain accounts**. Because Bastion uses NTLM for authentication when Kerberos is disabled, this setting ensures that NTLM-based authentication is unsuccessful for future sign-in attempts on the VM.

+1. End the VM session.

+1. Connect to the target VM again using Bastion. Sign-in should succeed, indicating that Bastion used Kerberos (and not NTLM) for authentication.

+## Next steps

+For more information about Azure Bastion, see [What is Azure Bastion?](bastion-overview.md)

+To specify a blob's `Cache-Control` header by using .NET code, use the [Azure Storage Client Library for .NET](../storage/blobs/storage-quickstart-blobs-dotnet.md) to set the [BlobHttpHeaders.CacheControl](/dotnet/api/azure.storage.blobs.models.blobhttpheaders.cachecontrol?view=azure-dotnet) property.

+ class Program

+ const string containerName = "<container name>";

+ const string blobName = "<blob name>";

+ const string connectionString = "<storage connection string>";

+ static void Main()

+ {

+ // Retrieve storage account information from connection string

+ BlobContainerClient container = new BlobContainerClient(connectionString, containerName);

+ // Create a blob client for interacting with the blob service.

+ BlobClient blob = container.GetBlobClient(blobName);

+ // Set the CacheControl property to expire in 1 hour (3600 seconds)

+ blob.SetHttpHeaders(new BlobHttpHeaders {CacheControl = "max-age=3600" });

+ }

+## ar-EG/ar-SA

+## bg-BG

+## cs-CZ

+## da-DK

+## de-DE/de-CH/de-AT

+## el-GR

+## en-GB/en-IE/en-AU

+## en-US/en-CA

+## fi-FI

+## fr-FR/fr-CA/fr-CH

+## he-IL

+## hr-HR

+## hu-HU

+## id-ID

+## ko-KR

+## ms-MY

+## nb-NO

+## nl-NL/nl-BE

+## pl-PL

+## ro-RO

+## sk-SK

+## sl-SI

+## sv-SE

+## th-TH

+## tr-TR

+## vi-VN

+## Android API emulators

+When utilizing Android API emulators on Android 5.0 (API level 21) and Android 5.1 (API level 22) some crashes are expected.

+ Title: Billing in Azure Container Apps preview

+description: Learn how billing is calculated in Azure Container Apps preview

+# Billing in Azure Container Apps preview

+Azure Container Apps billing consists of two types of charges:

+- **[Resource consumption](#resource-consumption-charges)**: The amount of resources allocated to your container app on a per-second basis, billed in vCPU-seconds and GiB-seconds.

+- **[HTTP requests](#request-charges)**: The number of HTTP requests your container app receives.

+The following resources are free during each calendar month, per subscription:

+- The first 180,000 vCPU-seconds

+- The first 360,000 GiB-seconds

+- The first 2 million HTTP requests

+This article describes how to calculate the cost of running your container app. For pricing details in your account's currency, see [Azure Container Apps Pricing](https://azure.microsoft.com/pricing/details/container-apps/).

+## Resource consumption charges

+Azure Container Apps runs replicas of your application based on the [scaling rules and replica count limits](scale-app.md) you configure. You're charged for the amount of resources allocated to each replica while it's running.

+There are two meters for resource consumption:

+- **vCPU-seconds**: The amount of vCPU cores allocated to your container app on a per-second basis.

+- **GiB-seconds**: The amount of memory allocated to your container app on a per-second basis.

+The first 180,000 vCPU-seconds and 360,000 GiB-seconds in each subscription per calendar month are free.

+The rate you pay for resource consumption depends on the state of your container app and replicas. By default, replicas are charged at an *active* rate. However, in certain conditions, a replica can enter an *idle* state. While in an *idle* state, resources are billed at a reduced rate.

+### No replicas are running

+When your container app is scaled down to zero replicas, no resource consumption charges are incurred.

+### Minimum number of replicas are running

+Idle usage charges are applied when your replicas are running under a specific set of circumstances. The criteria for idle charges include:

+- When your container app¹ is configured with a [minimum replica count](scale-app.md) of at least one.

+- The app is scaled down to the minimum replica count.

+Usage charges are calculated individually for each replica. A replica is considered idle when *all* of the following conditions are true:

+- All of the containers in the replica have started and are running.

+- The replica isn't processing any HTTP requests.

+- The replica is using less than 0.01 vCPU cores.

+- The replica is receiving less than 1,000 bytes per second of network traffic.

+When a replica is idle, resource consumption charges are calculated at the reduced idle rates. When a replica is not idle, the active rates apply.

+### More than the minimum number of replicas are running

+When your container app¹ is scaled above the [minimum replica count](scale-app.md), all running replicas are charged for resource consumption at the active rate.

+¹ For container apps in multiple revision mode, charges are based on the current replica count in a revision relative to its configured minimum replica count.

+## Request charges

+In addition to resource consumption, Azure Container Apps also charges based on the number of HTTP requests received by your container app.

+The first 2 million requests in each subscription per calendar month are free.

+ "s3:ListBucket",

+ "iam:ListAttachedRolePolicies"

+ "arn:aws:s3:::bucketname/*",

+## March 2022

+<br>

+<table>

+<tr><td><b>Service Category</b></td><td><b>Service improvements</b></td><td><b>Details</b></td></tr>

+<tr><td rowspan=5><b>Data Flow</b></td><td>ScriptLines and Parameterized Linked Service support added mapping data flows</td><td>It is now super-easy to detect changes to your data flow script in Git with ScriptLines in your data flow JSON definition. Parameterized Linked Services can now also be used inside your data flows for flexible generic connection patterns.<br><a href="https://techcommunity.microsoft.com/t5/azure-data-factory-blog/adf-mapping-data-flows-adds-scriptlines-and-link-service/ba-p/3249929#M589">Learn more</a></td></tr>

+<tr><td>Flowlets General Availability (GA)</td><td>Flowlets is now generally available to create reusable portions of data flow logic that you can share in other pipelines as inline transformations. Flowlets enable ETL jobs to be composed of custom or common logic components.<br><a href="https://techcommunity.microsoft.com/t5/azure-data-factory-blog/flowlets-and-change-feed-now-ga-in-azure-data-factory/ba-p/3267450">Learn more</a></td></tr>

+

+<tr><td>Change Feed connectors are available in 5 data flow source transformations</td><td>Change Feed connectors are available in data flow source transformations for Cosmos DB, Blob store, ADLS Gen1, ADLS Gen2, and CDM.<br><a href="https://techcommunity.microsoft.com/t5/azure-data-factory-blog/flowlets-and-change-feed-now-ga-in-azure-data-factory/ba-p/3267450">Learn more</a></td></tr>

+

+<tr><td>Data Preview and Debug Improvements in Mapping Data Flows</td><td>A few new exciting features were added to data preview and the debug experience in Mapping Data Flows.<br><a href="https://techcommunity.microsoft.com/t5/azure-data-factory-blog/data-preview-and-debug-improvements-in-mapping-data-flows/ba-p/3268254">Learn more</a></td></tr>

+

+<tr><td>SFTP connector for Mapping Data Flow</td><td>The SFTP connector is now available for Mapping Data Flows.<br><a href="connector-sftp.md?tabs=data-factory#mapping-data-flow-properties">Learn more</a></td></tr>

+

+<tr><td><b>Data Movement</b></td><td>Support Always Encrypted for SQL related connectors in Lookup Activity under Managed VNET</td><td>Always Encrypted is supported for SQL Server, Azure SQL DB, Azure SQL MI, Azure Synapse Analytics in Lookup Activity under Managed VNET.<br><a href="control-flow-lookup-activity.md">Learn more</a></td></tr>

+

+<tr><td><b>Integration Runtime</b></td><td>New UI layout in Azure integration runtime creation and edit page</td><td>The UI layout of the integration runtime creation/edit page has been changed to tab style including Settings, Virtual Network and Data flow runtime.<br><a href="https://techcommunity.microsoft.com/t5/azure-data-factory-blog/new-ui-layout-in-azure-integration-runtime-creation-and-edit/ba-p/3248237">Learn more</a></td></tr>

+

+<tr><td rowspan=2><b>Orchestration</b></td><td>Transform data using the Script activity</td><td>You can use a Script activity to invoke a SQL script in Azure SQL Database, Azure Synapse Analytics, SQL Server Database, Oracle, or Snowflake.<br><a href="https://techcommunity.microsoft.com/t5/azure-data-factory-blog/execute-sql-statements-using-the-new-script-activity-in-azure/ba-p/3239969">Learn more</a></td></tr>

+

+<tr><td>Web activity timeout improvement</td><td>You can configure response timeout in a Web activity to prevent it from timing out if the response period is more than 1 minute, especially in the case of synchronous APIs.<br><a href="https://techcommunity.microsoft.com/t5/azure-data-factory-blog/web-activity-response-timeout-improvement/ba-p/3260307">Learn more</a></td></tr>

+</table>

+Microsoft Defender for Cloud's features covers the two broad pillars of cloud security: cloud security posture management and cloud workload protection.

+1. **Generate a secure score** for your subscriptions based on an assessment of your connected resources compared with the guidance in [Azure Security Benchmark](/security/benchmark/azure/overview). Use the score to understand your security posture, and the compliance dashboard to review your compliance with the built-in benchmark. When you've enabled the enhanced security features, you can customize the standards used to assess your compliance, and add other regulations (such as NIST and Azure CIS) or organization-specific security requirements. You can also apply recommendations, and score based on the AWS Foundational Security Best practices standards.

+Defender for Cloud continuously discovers new resources that are being deployed across your workloads and assesses whether they're configured according to security best practices. If not, they're flagged and you get a prioritized list of recommendations for what you need to fix. Recommendations help you reduce the attack surface across each of your resources.

+An alternative is to enable Microsoft Defender for servers at the Log Analytics workspace level. If you do this, only servers reporting to that workspace will be protected and billed. However, several capabilities will be unavailable. These include Microsoft Defender for Endpoint, VA solution (TVM/Qualys), just-in-time VM access, and more.

+- [Global availability of Secure Score for AWS and GCP environments](#global-availability-of-secure-score-for-aws-and-gcp-environments)

+- [Registry scan for Windows images in ACR added support for national clouds](#registry-scan-for-windows-images-in-acr-added-support-for-national-clouds)

+### Global availability of Secure Score for AWS and GCP environments

+The cloud security posture management capabilities provided by Microsoft Defender for Cloud, has now added support for your AWS and GCP environments within your Secure Score.

+Enterprises can now view their overall security posture, across various environments, such as Azure, AWS and GCP.

+The Secure Score page has been replaced with the Security posture dashboard. The Security posture dashboard allows you to view an overall combined score for all of your environments, or a breakdown of your security posture based on any combination of environments that you choose.

+The Recommendations page has also been redesigned to provide new capabilities such as: cloud environment selection, advanced filters based on content (resource group, AWS account, GCP project and more), improved user interface on low resolution, support for open query in resource graph, and more. You can learn more about your overall [security posture](secure-score-security-controls.md) and [security recommendations](review-security-recommendations.md).

+Changes in our roadmap and priorities have removed the need for the network traffic data collection agent. The following two recommendations and their related policies were deprecated.

+The current user experience only provides the score when all compliance checks have passed. Most customers have difficulties with meeting all the required checks. We're working on an improved experience for this recommendation, and once released the recommendation will be moved back to the secure score.

+All Microsoft Defenders for IoT device alerts are no longer visible in Microsoft Defender for Cloud. These alerts are still available on Microsoft Defender for IoT's Alert page, and in Microsoft Sentinel.

+### Registry scan for Windows images in ACR added support for national clouds

+Registry scan for Windows images is now supported in Azure Government and Azure China 21Vianet. This addition is currently in preview.

+Learn more about our [feature's availability](supported-machines-endpoint-solutions-clouds-containers.md).

+The cloud management layer is a crucial service connected to all your cloud resources. Because of this, it's also a potential target for attackers. We recommend security operations teams closely monitor the resource management layer.

+Defender for Cloud's auto provisioning settings has a toggle for each type of supported extension, including the Log Analytics agent.

+The new plan is free for the month of December 2021. For the potential changes to the billing from the old plans to Defender for Containers, and for more information on the benefits introduced with this plan, see [Introducing Microsoft Defender for Containers](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/introducing-microsoft-defender-for-containers/ba-p/2952317).

+This article explains how to view and understand the recommendations in Microsoft Defender for Cloud to help you protect your multi-cloud resources.

+## View your recommendations <a name="monitor-recommendations"></a>

+**To view your Secure score recommendations**:

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Navigate to **Microsoft Defender for Cloud** > **Recommendations**.

+ :::image type="content" source="media/review-security-recommendations/recommendations-view.png" alt-text="Screenshot of the recommendations page.":::

+ Here you'll see the recommendations applicable to your environment(s). Recommendations are grouped into security controls.

+1. Select **Secure score recommendations**.

+ :::image type="content" source="media/review-security-recommendations/secure-score-recommendations.png" alt-text="Screenshot showing the location of the secure score recommendations tab.":::

+ > [!NOTE]

+ > Custom recommendations can be found under the All recommendations tab. Learn how to [Create custom security initiatives and policies](custom-security-policies.md).

+ Secure score recommendations affect the secure score and are mapped to the various security controls. The All recommendations tab, allows you to see all of the recommendations including recommendations that are part of different regulatory compliance standards.

+1. (Optional) Select a relevant environment(s).

+ :::image type="content" source="media/review-security-recommendations/environment-filter.png" alt-text="Screenshot of the environment filter, to select your filters.":::

+1. Select the :::image type="icon" source="media/review-security-recommendations/drop-down-arrow.png" border="false"::: to expand the control, and view a list of recommendations.

+ :::image type="content" source="media/review-security-recommendations/list-recommendations.png" alt-text="Screenshot showing how to see the full list of recommendations by selecting the drop-down menu icon." lightbox="media/review-security-recommendations/list-recommendations-expanded.png":::

+1. Select a specific recommendation to view the recommendation details page.

+ :::image type="content" source="./media/review-security-recommendations/recommendation-details-page.png" alt-text="Recommendation details page." lightbox="./media/review-security-recommendations/recommendation-details-page-expanded.png":::

+ 1. **Mapping to MITRE ATT&CK ® tactics and techniques** if a recommendation has defined tactics and techniques, select the icon for links to the relevant pages on MITRE's site. This applies only to Azure scored recommendations.

+ - **Alternative** - A different recommendation, which provides another way of achieving the goals of the selected recommendation

+ - **Healthy resources** ΓÇô Relevant resources, which either aren't impacted or on which you've already remediated the issue.

+ - **Unhealthy resources** ΓÇô Resources that are still impacted by the identified issue.

+## Search for a recommendation

+You can search for specific recommendations by name. The search box and filters above the list of recommendations can be used to help locate a specific recommendation.

+Custom recommendations only appear under the All recommendations tab.

+**To search for recommendations**:

+1. On the recommendation page, select an environment from the environment filter.

+ :::image type="content" source="media/review-security-recommendations/environment-filter.png" alt-text="Screenshot of the environmental filter on the recommendation page.":::

+ You can select 1, 2, or all options at a time. The page's results will automatically reflect your choice.

+1. Enter a name in the search box, or select one of the available filters.

+ :::image type="content" source="media/review-security-recommendations/search-filters.png" alt-text="Screenshot of the search box and filter list.":::

+1. Select :::image type="icon" source="media/review-security-recommendations/add-filter.png" border="false"::: to add more filter(s).

+1. Select a filter from the drop-down menu.

+ :::image type="content" source="media/review-security-recommendations/filter-drop-down.png" alt-text="Screenshot of the available filters to select.":::

+1. Select a value from the drop-down menu.

+1. Select **OK**.

+You can review recommendations in ARG both on the recommendations page or on an individual recommendation.

+The toolbar on the recommendation details page includes an **Open query** button to explore the details in [Azure Resource Graph (ARG)](../governance/resource-graph/index.yml), an Azure service that gives you the ability to query - across multiple subscriptions - Defender for Cloud's security posture data.

+For example, this recommendation details page shows 15 affected resources:

+When you open the underlying query, and run it, Azure Resource Graph Explorer returns the same 15 resources and their health status for this recommendation:

+## Recommendation insights

+The Insights column of the page gives you more details for each recommendation. The options available in this section include:

+| Icon | Name | Description |

+|--|--|--|

+| :::image type="icon" source="media/secure-score-security-controls/preview-icon.png" border="false"::: | *Preview recommendation** | This recommendation won't affect your secure score until it's GA. |

+| :::image type="icon" source="media/secure-score-security-controls/fix-icon.png" border="false"::: | **Fix** | From within the recommendation details page, you can use 'Fix' to resolve this issue. |

+| :::image type="icon" source="media/secure-score-security-controls/enforce-icon.png" border="false"::: | **Enforce** | From within the recommendation details page, you can automatically deploy a policy to fix this issue whenever someone creates a non-compliant resource. |

+| :::image type="icon" source="media/secure-score-security-controls/deny-icon.png" border="false"::: | **Deny** | From within the recommendation details page, you can prevent new resources from being created with this issue. |

+Recommendations that aren't included in the calculations of your secure score, should still be remediated wherever possible, so that when the period ends they'll contribute towards your score instead of against it.

+## Download recommendations in a CSV report

+Recommendations can be downloaded to a CSV report from the Recommendations page.

+**To download a CSV report of your recommendations**:

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Navigate to **Microsoft Defender for Cloud** > **Recommendations**.

+1. Select **Download CSV report**.

+ :::image type="content" source="media/review-security-recommendations/download-csv.png" alt-text="Screenshot showing you where to select the Download CSV report from.":::

+You'll know the report is being prepared by the pop-up.

+When the report is ready, you'll be notified by a second pop-up.

+ Title: Security posture for Microsoft Defender for Cloud

+# Security posture for Microsoft Defender for Cloud

+The central feature in Defender for Cloud that enables you to achieve those goals is the **secure score**.

+Defender for Cloud continually assesses your cross-cloud resources for security issues. It then aggregates all the findings into a single score so that you can tell, at a glance, your current security situation: the higher the score, the lower the identified risk level.

+For more information, see [How your secure score is calculated](secure-score-security-controls.md#how-your-secure-score-is-calculated) below.

+## Manage your security posture

+On the Security posture page, you're able to see the secure score for your entire subscription, and each environment in your subscription. By default all environments are shown.

+| Page section | Description |

+|--|--|

+| :::image type="content" source="media/secure-score-security-controls/select-environment.png" alt-text="Screenshot showing the different environment options."::: | Select your environment to see its secure score, and details. Multiple environments can be selected at once. The page will change based on your selection here.|

+| :::image type="content" source="media/secure-score-security-controls/environment.png" alt-text="Screenshot of the environment section of the security posture page."::: | Shows the total number of subscriptions, accounts and projects that affect your overall score. It also shows how many unhealthy resources and how many recommendations exist in your environments. |

+The bottom half of the page allows you to view, and manage all of your individual subscriptions, accounts, and projects, by viewing their individual secure scores, number of unhealthy resources and even view their recommendations.

+You can group this section by environment by selecting the Group by Environment checkbox.

+- **Remediate vulnerabilities security control** - This control groups multiple recommendations related to discovering and resolving known vulnerabilities.

+- **Max score** - :::image type="icon" source="media/secure-score-security-controls/max-score.png" border="false":::

+ The maximum number of points you can gain by completing all recommendations within a control. The maximum score for a control indicates the relative significance of that control and is fixed for every environment. Use the max score values to triage the issues to work on first.<br>For a list of all controls and their max scores, see [Security controls and their recommendations](#security-controls-and-their-recommendations).

+- **Current score** - :::image type="icon" source="media/secure-score-security-controls/current-score.png" border="false":::

+ The current score for this control.<br>Current score=[Score per resource]*[Number of healthy resources].

+ Each control contributes towards the total score. In this example, the control is contributing 2.00 points to current total secure score.

+- **Potential score increase** - :::image type="icon" source="media/secure-score-security-controls/potential-increase.png" border="false":::

+ The remaining points available to you within the control. If you remediate all the recommendations in this control, your score will increase by 9%.

+ For example, Potential score increase=[Score per resource]*[Number of unhealthy resources] or 0.1714 x 30 unhealthy resources = 5.14.

+- **Insights** - :::image type="icon" source="media/secure-score-security-controls/insights.png" border="false":::

+ Gives you extra details for each recommendation. Which can be:

+ - :::image type="icon" source="media/secure-score-security-controls/preview-icon.png" border="false"::: Preview recommendation - This recommendation won't affect your secure score until it's GA.

+ - :::image type="icon" source="media/secure-score-security-controls/fix-icon.png" border="false"::: Fix - From within the recommendation details page, you can use 'Fix' to resolve this issue.

+ - :::image type="icon" source="media/secure-score-security-controls/enforce-icon.png" border="false"::: Enforce - From within the recommendation details page, you can automatically deploy a policy to fix this issue whenever someone creates a non-compliant resource.

+ - :::image type="icon" source="media/secure-score-security-controls/deny-icon.png" border="false"::: Deny - From within the recommendation details page, you can prevent new resources from being created with this issue.

+### Calculations - understanding your score

+|Metric|Formula and example|

+|-|-|

+|**Security control's current score**|<br><br><br>Each individual security control contributes towards the Security Score. Each resource affected by a recommendation within the control, contributes towards the control's current score. The current score for each control is a measure of the status of the resources *within* the control.<br><br>In this example, the max score of 6 would be divided by 78 because that's the sum of the healthy and unhealthy resources.<br>6 / 78 = 0.0769<br>Multiplying that by the number of healthy resources (4) results in the current score:<br>0.0769 * 4 = **0.31**<br><br>|

+|**Secure score**<br>Single subscription, or connector|<br><br><br><br>In this example, there's a single subscription, or connector with all security controls available (a potential maximum score of 60 points). The score shows 28 points out of a possible 60 and the remaining 32 points are reflected in the "Potential score increase" figures of the security controls.<br> <br> This equation is the same equation for a connector with just the word subscription being replaced by the word connector. |

+|**Secure score**<br>Multiple subscriptions, and connectors|<br><br><br>When calculating the combined score for multiple subscriptions, and connectors, Defender for Cloud includes a *weight* for each subscription, and connector. The relative weights for your subscriptions, and connectors are determined by Defender for Cloud based on factors such as the number of resources.<br>The current score for each subscription, a dn connector is calculated in the same way as for a single subscription, or connector, but then the weight is applied as shown in the equation.<br>When viewing multiple subscriptions, and connectors, the secure score evaluates all resources within all enabled policies and groups their combined impact on each security control's maximum score.<br><br>The combined score is **not** an average; rather it's the evaluated posture of the status of all resources across all subscriptions, and connectors.<br><br>Here too, if you go to the recommendations page and add up the potential points available, you'll find that it's the difference between the current score (22) and the maximum score available (58).|

+

+Recommendations flagged as **Preview** aren't included in the calculations of your secure score. They should still be remediated wherever possible, so that when the preview period ends they'll contribute towards your score.

+Even though Defender for Cloud's default security initiative is based on industry best practices and standards, there are scenarios in which the built-in recommendations listed below might not completely fit your organization. It's sometimes necessary to adjust the default initiative - without compromising security - to ensure it's aligned with your organization's own policies, industry standards, regulatory standards, and benchmarks.<br><br>

+## Legacy Defender for IoT micro-agent

+The Defender-IoT-micro-agent has been replaced by our newer micro-agent experience.

+For more information, see [Tutorial: Create a DefenderIotMicroAgent module twin (Preview)](tutorial-create-micro-agent-module-twin.md) and [Tutorial: Install the Defender for IoT micro agent (Preview)](tutorial-standalone-agent-binary-installation.md).

+### Timeline

+Microsoft Defender for IoT will continue to support the legacy agent until March 31, 2023.

+1. Select **Internet of Things**, then search for **Azure Security Center for IoT** and select it.

+ Title: Set up a lab & lab VM & lab user

+description: Use the Azure portal to create a lab, create a virtual machine in the lab, and add a lab user in Azure DevTest Labs.

+# Tutorial: Create a DevTest Labs lab and VM and add a user in the Azure portal

+In this Azure DevTest Labs tutorial, you learn how to:

+> * Create a lab in DevTest Labs.

+> * Add an Azure virtual machine (VM) to the lab.

+> * Add a user in the DevTest Labs User role.

+> * Delete the lab when no longer needed.

+In the [next tutorial](tutorial-use-custom-lab.md), lab users, such as developers, testers, and trainees, learn how to connect to the lab VM and claim and unclaim lab VMs.

+## Prerequisite

+- To create a lab, you need at least [Contributor](/azure/role-based-access-control/built-in-roles#contributor) role in an Azure subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- To add users to a lab, you must have [User Access Administrator](/azure/role-based-access-control/built-in-roles#user-access-administrator) or [Owner](/azure/role-based-access-control/built-in-roles.md#owner) role in the subscription the lab is in.

+To create a lab in Azure DevTest Labs, follow these steps.

+1. In the [Azure portal](https://portal.azure.com), search for and select **DevTest Labs**.

+ :::image type="content" source="./media/tutorial-create-custom-lab/portal-search-devtest-labs.png" alt-text="Screenshot of searching for DevTest Labs in the portal.":::

+1. On the **DevTest Labs** page, select **Create**.

+1. On the **Create Devtest Lab** page, on the **Basic Settings** tab, provide the following information:

+ |Setting|Value|

+ |||

+ |**Subscription**|Change the subscription if you want to use a different subscription for the lab.|

+ |**Resource group**|Select an existing resource group from the dropdown list, or select **Create new** to create a new resource group so it's easy to delete later.|

+ |**Lab name**|Enter a name for the lab.|

+ |**Location**|If you're creating a new resource group, select an Azure region for the resource group and lab.|

+ |**Public environments**|Leave **On** for access to the [DevTest Labs public environment repository](https://github.com/Azure/azure-devtestlab/tree/master/Environments). Set to **Off** to disable access. For more information, see [Enable public environments when you create a lab](devtest-lab-create-environment-from-arm.md#enable-public-environments-when-you-create-a-lab).|

+ :::image type="content" source="./media/tutorial-create-custom-lab/create-custom-lab-blade.png" alt-text="Screenshot of the Basic Settings tab of the Create DevTest Labs form.":::

+1. Optionally, select the [Auto-shutdown](devtest-lab-create-lab.md#auto-shutdown-tab), [Networking](devtest-lab-create-lab.md#networking-tab), or [Tags](devtest-lab-create-lab.md#tags-tab) tabs at the top of the page, and customize those settings. You can also apply or change most of these settings after lab creation.

+1. After you complete all settings, select **Review + create** at the bottom of the page.

+1. If the settings are valid, **Succeeded** appears at the top of the **Review + create** page. Review the settings, and then select **Create**.

+ > [!TIP]

+ > Select **Download a template for automation** at the bottom of the page to view and download the lab configuration as an Azure Resource Manager (ARM) template. You can use the ARM template to create more labs.

+1. After the creation process finishes, from the deployment notification, select **Go to resource**.

+ :::image type="content" source="./media/tutorial-create-custom-lab/creation-notification.png" alt-text="Screenshot of the DevTest Labs deployment notification.":::

+To add a VM to the lab, follow these steps. For more information, see [Create lab virtual machines in Azure DevTest Labs](devtest-lab-add-vm.md).

+1. On the new lab's **Overview** page, select **Add** on the toolbar.

+ :::image type="content" source="./media/tutorial-create-custom-lab/add-vm-to-lab-button.png" alt-text="Screenshot of a lab Overview page with Add highlighted.":::

+1. On the **Choose a base** page, select **Windows Server 2019 Datacenter** as a Marketplace image for the VM. Some of the following options might be different if you use a different image.

+1. On the **Basic Settings** tab of the **Create lab resource** screen, provide the following information:

+ |Setting|Value|

+ |||

+ |**Virtual machine name**|Keep the autogenerated name, or enter another unique VM name.|

+ |**User name**|Keep the autogenerated user name, or enter another user name to grant administrator privileges on the VM.|

+ |**Use a saved secret**|You can select this checkbox to use a secret from Azure Key Vault instead of a password to access the VM. For more information, see [Store secrets in a key vault](devtest-lab-store-secrets-in-key-vault.md). For this tutorial, don't select the checkbox.|

+ |**Password**|If you don't use a secret, enter a VM password between 8 and 123 characters long.|

+ |**Save as default password**|Select this checkbox to save the password in the Key Vault associated with the lab.|

+ |**Virtual machine size**|Keep the default value for the base, or select **Change Size** to select a different size.|

+ |**OS disk type**|Keep the default value for the base, or select a different option from the dropdown list.|

+ |**Artifacts**|Optionally, select **Add or Remove Artifacts** to [select and configure artifacts](devtest-lab-add-vm.md#add-artifacts-during-installation) to add to the VM.|

+ :::image type="content" source="./media/tutorial-create-custom-lab/portal-lab-vm-basic-settings.png" alt-text="Screenshot of the Basic Settings tab of the Create lab resource page.":::

+1. Select the **Advanced Settings** tab on the **Create lab resource** screen, and change any of the following values:

+ |Setting|Value|

+ |||

+ |**Virtual network**|Keep the default, or select a network from the dropdown list. For more information, see [Add a virtual network](devtest-lab-configure-vnet.md).|

+ |**Subnet**|If necessary, select a different subnet from the dropdown list.|

+ |**IP address**|Leave at **Shared**, or select **Public** or **Private**. For more information, see [Understand shared IP addresses](devtest-lab-shared-ip.md).|

+ |**Expiration date**|Leave at **Will not expire**, or [set an expiration date](devtest-lab-use-resource-manager-template.md#set-vm-expiration-date) and time for the VM.|

+ |**Make this machine claimable**|The default is **No**, to keep the VM creator as the owner of the VM. For this tutorial, select **Yes**, so that another lab user can claim the VM after creation. For more information, see [Create and manage claimable VMs](devtest-lab-add-claimable-vm.md).|

+ |**Number of instances**|To create more than one VM with this configuration, enter the number of VMs to create.|

+ |**View ARM template**|Select to view and save the VM configuration as an Azure Resource Manager (ARM) template. You can use the ARM template to [deploy new VMs with Azure PowerShell](../azure-resource-manager/templates/overview.md).|

+ :::image type="content" source="./media/tutorial-create-custom-lab/portal-lab-vm-advanced-settings.png" alt-text="Screenshot of the Advanced Settings tab of the Create lab resource page.":::

+1. After you configure all settings, on the **Basic Settings** tab of the **Create lab resource** screen, select **Create**.

+During VM deployment, you can select the **Notifications** icon at the top of the screen to see progress. Creating a VM takes a while.

+From the lab **Overview** page, you can select **Claimable virtual machines** in the left navigation to see the VM listed on the **Claimable virtual machines** page. Select **Refresh** if the VM doesn't appear. To take ownership of a VM in the claimable list, see [Use a claimable VM](devtest-lab-add-claimable-vm.md#use-a-claimable-vm).

+To add users to a lab, you must be a [User Access Administrator](/azure/role-based-access-control/built-in-roles#user-access-administrator) or [Owner](/azure/role-based-access-control/built-in-roles.md#owner) of the subscription the lab is in. For more information, see [Add lab owners, contributors, and users in Azure DevTest Labs](devtest-lab-add-devtest-user.md).

+1. On the lab's **Overview** page, under **Settings**, select **Configuration and policies**.

+1. On the **Configuration and policies** page, select **Access control (IAM)** from the left navigation.

+1. Select **Add**, and then select **Add role assignment**.

+ :::image type="content" source="media/tutorial-create-custom-lab/add-role-assignment-menu-generic.png" alt-text="Screenshot of the Access control (IAM) page with the Add role assignment menu open.":::

+ :::image type="content" source="media/tutorial-create-custom-lab/add-role-assignment-role-generic.png" alt-text="Screenshot of the Add role assignment page with the Role tab selected.":::

+1. On the **Members** tab, select the user to assign the role to.

+Use this lab for the next tutorial, [Access a lab in Azure DevTest Labs](tutorial-use-custom-lab.md). When you're done using the lab, delete it and its resources to avoid further charges.

+1. On the lab **Overview** page, select **Delete** from the top menu.

+ :::image type="content" source="./media/tutorial-create-custom-lab/portal-lab-delete.png" alt-text="Screenshot of the lab Delete button.":::

+1. On the **Are you sure you want to delete it** page, enter the lab name, and then select **Delete**.

+ During the deletion process, you can select **Notifications** at the top of your screen to view progress. Deleting a lab can take a while.

+If you created the lab in an existing resource group, deleting the lab removes all of the lab resources.

+If you created a resource group for the lab, you can now delete that resource group. You can't delete a resource group that has a lab in it. Deleting the resource group that contained the lab deletes all resources in the resource group. To delete the resource group:

+1. Select the resource group that contained the lab from your subscription's **Resource groups** list.

+1. At the top of the page, select **Delete resource group**.

+1. On the **Are you sure you want to delete "\<resource group name>"** page, enter the resource group name, and then select **Delete**.

+To learn how to access the lab and VMs as a lab user, go on to the next tutorial:

+ Title: Access a lab and lab VM

+description: Learn how to access a lab in Azure DevTest Labs, and claim, connect to, and unclaim a lab virtual machine.

+In this tutorial, you learn how to:

+> * Claim a lab virtual machine (VM) in Azure DevTest Labs.

+> * Connect to the lab VM.

+> * Unclaim the lab VM.

+> * Delete the lab VM when no longer needed.

+You need at least [DevTest Labs User](/azure/role-based-access-control/built-in-roles#devtest-labs-user) access to the lab created in [Tutorial: Set up a lab in Azure DevTest Labs](tutorial-create-custom-lab.md), or to another lab that has a claimable VM.

+The owner or administrator of the lab can give you the URL to access the lab in the Azure portal, and the username and password to access the lab VM.

+## Claim a lab VM

+To claim a lab VM, follow these steps. For more information about claiming VMs, see [Use claim capabilities in Azure DevTest Labs](devtest-lab-use-claim-capabilities.md).

+1. Go to the URL for your lab in the Azure portal.

+1. On the lab **Overview** page, select **Claimable virtual machines** under **My Lab** in the left navigation.

+1. On the **Claimable virtual machines** page, select the ellipsis **...** next to the listing for an available VM, and select **Claim machine** from the context menu.

+ :::image type="content" source="./media/tutorial-use-custom-lab/claimable-virtual-machines-claimed.png" alt-text="Screenshot showing Claim machine in the context menu.":::

+1. On the lab **Overview** page, confirm that you now see the VM in the list under **My virtual machines**.

+ :::image type="content" source="./media/tutorial-use-custom-lab/my-virtual-machines-2.png" alt-text="Screenshot showing the claimed V M in the My virtual machines list.":::

+## Connect to a lab VM

+You can connect to any running lab VM. A claimable but unclaimed VM is stopped, so you must claim it to connect to it.

+To connect to a Windows machine through Remote Desktop Protocol (RDP), follow these steps. For steps to connect to a Linux VM, see [Connect to a Linux VM in your lab](connect-linux-virtual-machine.md).

+1. On the lab **Overview** page, select the VM from the list under **My virtual machines**.

+ :::image type="content" source="./media/tutorial-use-custom-lab/my-virtual-machines.png" alt-text="Screenshot of VM under My virtual machines.":::

+1. On the VM's **Overview** page, select **Connect** from the top menu.

+1. Open the *\*.rdp* file that downloads to your machine.

+ :::image type="content" source="./media/tutorial-use-custom-lab/vm-connect.png" alt-text="Screenshot of the V M Connect button and the downloaded R D P file.":::

+1. On the **Remote Desktop Connection** dialog box, select **Connect**.

+1. On the **Enter your credentials** dialog box, enter the username and password for the VM, and then select **OK**.

+1. If you receive a dialog box that states, **The identity of the remote computer cannot be verified**, select the check box for **Don't ask me again for connections to this computer**. Then select **Yes**.

+ :::image type="content" source="./media/tutorial-use-custom-lab/remote-computer-verification.png" alt-text="Screenshot of remote computer verification.":::

+Once you connect to the VM, you can use it to do your work. You have [Owner](/azure/role-based-access-control/built-in-roles.md#owner) role on all lab VMs you claim or create, unless you unclaim them.

+## Unclaim a lab VM

+After you're done using the VM, unclaim the VM so someone else can claim it, by following these steps:

+1. On the lab **Overview** page, select the VM from the list under **My virtual machines**.

+1. On the VM's **Overview** page, select **Unclaim** from the top menu.

+ :::image type="content" source="./media/tutorial-use-custom-lab/virtual-machine-unclaim.png" alt-text="Screenshot of Unclaim on the V M's Overview page.":::

+1. The VM is shut down and unclaimed. You can select the **Notifications** icon at the top of the screen to see progress.

+1. Return to the lab **Overview** page and confirm that the VM no longer appears under **My virtual machines**.

+1. Select **Claimable virtual machines** in the left navigation and confirm that the VM is now available to be claimed.

+ :::image type="content" source="./media/tutorial-use-custom-lab/claimable-virtual-machines.png" alt-text="Screenshot of the Claimable virtual machines page.":::

+## Delete a lab VM

+When you're done using a VM, you can delete it. Or, the lab owner can delete the entire lab when it's no longer needed, which deletes all lab VMs and resources. To delete an individual lab VM, follow these steps:

+1. Select the ellipsis **...** next to the VM in the **My virtual machines** list or on the **Claimable virtual machines** page, and select **Delete** from the context menu.

+1. On the **Are you sure you want to delete it** page, select **Delete**.

+## Next steps

+In this tutorial, you learned how to claim and connect to claimable VMs in Azure DevTest Labs. To create your own lab VMs, see [Create lab virtual machines in Azure DevTest Labs](devtest-lab-add-vm.md).

+> IoT Hub **device twins** are different from Azure Digital Twins **digital twins**. While *IoT Hub device twins* are maintained by your IoT hub for each IoT device that you connect to it, *digital twins* in Azure Digital Twins can be representations of anything defined by digital models and instantiated within Azure Digital Twins.

+DTDL is also used for data models throughout other Azure IoT services, including [IoT Plug and Play](../iot-develop/overview-iot-plug-and-play.md) and [Time Series Insights](../time-series-insights/overview-what-is-tsi.md). This compatibility helps you connect your Azure Digital Twins solution with other parts of the Azure ecosystem.

+You'll also need to download the materials for the sample graph used in the quickstart. Use the instructions below to download the three required files. Later, you'll follow more instructions to upload them to Azure Digital Twins.

+* [Floor.json](https://raw.githubusercontent.com/Azure-Samples/digital-twins-explorer/main/client/examples/Floor.json): This is a model file representing a floor in a building. Navigate to the link, right-click anywhere on the screen, and select **Save as** in your browser's right-click menu. Use the following Save As window to save the file to the same location as *Room.json*, under the name *Floor.json*.

+>[!TIP]

+> These files are from the [Azure Digital Twins Explorer repository in GitHub](https://github.com/Azure-Samples/digital-twins-explorer). You can visit the repo for other sample files, explorer code, and more.

+3. Fill in the fields on the **Basics** tab of setup, including your Subscription, Resource group, a Resource name for your new instance, and Region. Check the **Assign Azure Digital Twins Data Owner Role** box to give yourself permissions to manage data in the instance.

+ :::image type="content" source="media/quickstart-azure-digital-twins-explorer/create-azure-digital-twins-basics.png" alt-text="Screenshot of the Create Resource process for Azure Digital Twins in the Azure portal. The described values are filled in.":::

+This will take you to an Overview page tracking the deployment status of the instance.

+Wait for the page to say that your deployment is complete.

+After deployment completes, use the **Go to resource** button to navigate to the instance's Overview page in the portal.

+The first step in an Azure Digital Twins solution is to define the vocabulary for your environment. You'll create custom *models* that describe the types of entity that exist in your environment.

+Each model is written in a language like [JSON-LD](https://json-ld.org/) called *Digital Twin Definition Language (DTDL)*. Each model describes a single type of entity in terms of its properties, telemetry, relationships, and components. Later, you'll use these models as the basis for digital twins that represent specific instances of these types.

+Azure Digital Twins Explorer will upload these model files to your Azure Digital Twins instance. They should show up in the **Models** panel and display their friendly names and full model IDs.

+You can select **View Model** for either model to see the DTDL code behind it.

+Now that some models have been uploaded to your Azure Digital Twins instance, you can add *digital twins* based on the model definitions.

+*Digital twins* represent the actual entities within your business environment. They can be things like sensors on a farm, lights in a car, orΓÇöin this quickstartΓÇörooms on a building floor. You can create many twins of any given model type, such as multiple rooms that all use the Room model. You connect them with relationships into a *twin graph* that represents the full environment.

+3. To finish importing the graph, select the **Save** icon in the upper-right corner of the graph preview panel.

+4. Azure Digital Twins Explorer will use the uploaded file to create the requested twins and relationships between them. Make sure you see the following dialog box indicating that the import was successful before moving on.

+ Select **Close**.

+If you're using a mouse, you can click and drag in the graph to move elements around.

+You can select a twin to see a list of its properties and their values in the **Twin Properties** panel.

+ :::image type="content" source="media/quickstart-azure-digital-twins-explorer/properties-room0.png" alt-text="Screenshot of the Azure Digital Twins Explorer highlighting the Twin Properties panel, which shows $dtId, Temperature, and Humidity properties for Room0." lightbox="media/quickstart-azure-digital-twins-explorer/properties-room0.png":::

+ :::image type="content" source="media/quickstart-azure-digital-twins-explorer/properties-room1.png" alt-text="Screenshot of the Azure Digital Twins Explorer highlighting the Twin Properties panel, which shows $dtId, Temperature, and Humidity properties for Room1." lightbox="media/quickstart-azure-digital-twins-explorer/properties-room1.png":::

+In Azure Digital Twins, you can query your twin graph to answer questions about your environment, using the SQL-style *Azure Digital Twins query language*.

+One way to query the twins in your graph is by their properties. Querying based on properties can help answer questions about your environment. For example, you can find outliers in your environment that might need attention.

+Recall from viewing the twin properties earlier that Room0 has a temperature of 70, and Room1 has a temperature of 80. The Floor twins don't have a Temperature property at all. For these reasons, only Room1 shows up in the results here.

+In a fully connected Azure Digital Twins solution, the twins in your graph can receive live updates from real IoT devices and update their properties to stay synchronized with your real-world environment. You can also manually set the properties of the twins in your graph, using Azure Digital Twins Explorer or another development interface (like the APIs or Azure CLI).

+For simplicity, you'll use Azure Digital Twins Explorer here to manually set the temperature of Room0 to 76.

+First, rerun the following query to select all digital twins. This will display the full graph once more in the **Twin Graph** panel.

+Select **Room0** to bring up its property list in the **Twin Properties** panel.

+The properties in this list are editable. Select the temperature value of **70** to enable entering a new value. Enter *76* and select the **Save** icon to update the temperature.

+ :::image type="content" source="media/quickstart-azure-digital-twins-explorer/new-properties-room0.png" alt-text="Screenshot of the Azure Digital Twins Explorer highlighting that the Twin Properties panel is showing properties that can be edited for Room0." lightbox="media/quickstart-azure-digital-twins-explorer/new-properties-room0.png":::

+After a successful property update, you'll see a **Patch Information** box showing the patch code that was used behind the scenes with the [Azure Digital Twins APIs](concepts-apis-sdks.md) to make the update.

+ :::column:::

+ :::image type="content" source="media/quickstart-azure-digital-twins-explorer/patch-information.png" alt-text="Screenshot of the Azure Digital Twins Explorer showing Patch Information for the temperature update." lightbox="media/quickstart-azure-digital-twins-explorer/patch-information.png":::

+ :::column-end:::

+ :::column:::

+ :::column-end:::

+**Close** the patch information.

+* If you don't need your Azure Digital Twins instance anymore, you can delete it using the Azure portal.

+

+ Navigate back to the instance's **Overview** page in the portal. (If you've already closed that tab, you can find the instance again by searching for its name in the Azure portal search bar and selecting it from the search results.)

+ Select **Delete** to delete the instance, including all of its models and twins.

+ :::image type="content" source="media/quickstart-azure-digital-twins-explorer/delete-instance.png" alt-text="Screenshot of the Overview page for an Azure Digital Twins instance in the Azure portal. The Delete button is highlighted.":::

+`request.timeout.ms` | 60000 | > 20000| Event Hubs will internally default to a minimum of 20,000 ms. *While requests with lower timeout values are accepted, client behavior isn't guaranteed.*. <p>Make sure that your **request.timeout.ms** is at least the recommended value of 60000 and your **session.timeout.ms** is at least the recommended value of 30000. Having these settings too low could cause consumer timeouts, which then cause rebalances (which then cause more timeouts, which cause more rebalancing, and so on).</p>

+`session.timeout.ms` | 30000 |6000 .. 300000| Start with 30000, increase if seeing frequent rebalancing because of missed heartbeats.<p>Make sure that your request.timeout.ms is at least the recommended value of 60000 and your session.timeout.ms is at least the recommended value of 30000. Having these settings too low could cause consumer timeouts, which then cause rebalances (which then cause more timeouts, which cause more rebalancing, and so on).</p>

+`request.timeout.ms` | 30000 .. 60000 | > 20000| Event Hubs will internally default to a minimum of 20,000 ms. `librdkafka` default value is 5000, which can be problematic. *While requests with lower timeout values are accepted, client behavior isn't guaranteed.*

+

+### IP address limits

+| ExpressRoute SKU | Bandwidth | FathPath IP limit |

+| -- | -- | -- |

+| ExpressRoute Direct Port | 100Gbps | 200,000 |

+| ExpressRoute Direct Port | 10Gbps | 100,000 |

+| ExpressRoute provider circuit | 10Gbps and lower | 25,000 |

+> [!NOTE]

+> * ExpressRoute Direct has a cumulative limit at the port level.

+> * Traffic will flow through the ExpressRoute gateway when these limits are reached.

+>

+Azure Front Door supports URL rewrite to change the path of a request that is being routed to your origin. URL rewrite also allows you to add conditions to make sure that the URL or the specified headers gets rewritten only when certain conditions get met. These conditions are based on the request and response information.

+The robust part of URL rewrite is that the custom forwarding path will copy any part of the incoming path that matches the wildcard path to the forwarded path.

+For example, if you have a **match path** of `/foo/*` and configured `/fwd/` for the **custom forwarding path**, any path segment from the wildcard onward will be copied to the forwarding path, shown in orange in the diagram below. In this example, when the **incoming URL path** is `/foo/a/b/c` you'll have a **forwarded path** of `/fwd/a/b/c`. Noticed that the `a/b/c` path segment will replace the wildcard, which is show in green in the below diagram.

+> [!NOTE]

+> In order to switch between tiers, you will need to recreate the Azure Front Door profile.

+>

+* Learn how to [create an Azure Front Door](create-front-door-portal.md)

+* Learn how about the [Azure Front Door architecture](../front-door-routing-architecture.md)

+ In the portal, use a toggle button to turn this setting on or off in the Azure Front Door (classic) **Design** pane.

+ For Azure Front Door Standard and Premium tier, this setting can be found in the origin settings when you add an origin to an origin group or configuring a route.

+ :::image type="content" source="./media/troubleshoot-issues/validation-checkbox.png" alt-text="Screenshot of the certificate subject name validation checkbox.":::

+* [Create Apache Hadoop cluster in HDInsight using ARM template](../hadoop/apache-hadoop-linux-tutorial-get-started.md)

+* [Use Azure Storage Shared Access Signatures to restrict access to data with HDInsight](hdinsight-storage-sharedaccesssignature-permissions.md)

+* [Analyze Apache Kafka logs](apache-kafka-log-analytics-operations-management.md)

+Base64-encoded file hashes with algorithm name as key. At least SHA-256 algorithm must be specified, and additional algorithm may be specified if supported by agent. For an example of how to calculate the hash correctly, see the [AduUpdate.psm1 script](https://github.com/Azure/iot-hub-device-update/blob/main/tools/AduCmdlets/AduUpdate.psm1).

+.md)

+.md)

+.md)

+description: Overview of the Managed HSM Security Domain, a set of artifacts needed to recover a Managed HSM

+A managed HSM is a single-tenant, [FIPS (Federal Information Processing Standards) 140-2 validated](https://csrc.nist.gov/publications/detail/fips/140/2/final), highly available hardware security module (HSM), with a customer-controlled security domain.

+Every managed HSM must have a security domain to operate. The security domain is an encrypted blob file that contains artifacts such as the HSM backup, user credentials, the signing key, and the data encryption key unique to your managed HSM. It serves the following purposes:

+- Establishes "ownership" by cryptographically tying each managed HSM to a root of trust keys under your sole control,. This ensures that Microsoft does not have access to your cryptographic key material on the managed HSM.

+- Sets the cryptographic boundary for key material in a managed HSM instance

+- Allows you to fully recover a managed HSM instance if there is a disaster. The following disaster scenarios are covered:

+ - A catastrophic failure where all member HSM instances of a managed HSM instance are destroyed.

+ - The managed HSM instance was soft deleted by a customer and the resource was purged after the expiry of the mandatory retention period.

+ - The end customer archived a project by performing a backup that included the managed HSM instance and all data, then deleted all Azure resources associated with the project.

+Without the security domain, disaster recovery is not possible. And Microsoft has no way of recovering the security domain, nor can it access your keys without the security domain. Protection of the security domain is of therefore of the utmost importance for business continuity, and to ensure you are not cryptographically locked out.

+## Security domain protection best practices

+### Downloading the encrypted security domain

+The security domain is generated in the managed HSM hardware, and the service software enclaves at the initialization time. Once the managed HSM is provisioned, you must create at least 3 RSA key pairs and send the public keys to the service when requesting the security domain download. You also need to specify the minimum number of keys required (quorum) to decrypt the Security Domain in the future. The managed HSM will initialize the Security Domain and encrypt it with the public keys you provide using Shamir's Secret Sharing Algorithm. Once the security domain is downloaded, the Managed HSM moves into an activated state and ready for consumption.

+### Storing the security domain keys

+The keys to a security domain must be held in offline storage (such as an encrypted USB drive), with each split of the quorum on a separate storage device. The storage devices must be held at separate geographical locations, and in a physical safe or a lock box. For ultra-sensitive and high assurance use cases, you may even choose to store your security domain private keys on your on-premises, offline HSM.

+It is again especially important to periodically review your security policy around the managed HSM quorum. Your security policy must be accurate, you must have up-to-date records of where the security domain and its private keys are stored, and you must know who has control of the security domain.

+Security domain key handling prohibitions:

+- One person should never be allowed to have physical access to all quorum keys. In other words, `m` must be greater that 1 (and should ideally be >= 3).

+- The security domain keys must never be stored on a computer with an internet connection. A computer with internet connection is exposed to various threats, such as viruses and malicious hackers. You significantly reduce your risk by storing the security domain keys offline

+### Establishing a security domain quorum

+The best way to protect a security domain and prevent crypto lockout is to implement multi-person control, using the managed HSM concept called a "quorum". A quorum is split-secret threshold to divide the key encrypting the security domain among multiple persons to enforce multi-person control. In this way, the security domain is not dependent on a single person, who could leave the organization or have malicious intent.

+We recommend implementing a quorum of `m` persons, where `m` is greater than or equal to 3. The maximum quorum size of the security domain for the managed HSM is 10.

+Although a greater (`m`) size provides additional security, it imposes additional administrative overhead in terms of handling the security domain. It is therefore imperative that the security domain quorum be carefully chosen, with at least `m` >= 3. The security domain quorum size should also be periodically reviewed and updated (in the case of personnel changes, for example). It is especially important to keep records of security domain holders; your records should document every hand-off or change of possession, and your policy should enforce a rigorous adherence to quorum and documentation requirements.

+The security domain private keys must be held by trusted and key employees of an organization, as it contains the most sensitive and critical information of your managed HSM. Security domain holders should have separate roles and be geographically separated within your organization.

+For example, a security domain quorum could comprise four key pairs, with each private key given to a different person. A minimum of two people would have to come together to reconstruct a security domain. The parts could be given to key personnel, such as:

+- Business Unit Technical Lead

+- Security Architect

+- Security Engineer

+- Application Developer

+Every organization is different and enforces a different security policy based on their needs. We recommend that you periodically review your security policy for compliance and for making decisions on the quorum and its size.

+The security domain quorum must be periodically reviewed. Timing depends on your organization, but we recommend that you conduct a security domain review at least once every quarter, as well as when:

+- A member of the quorum leaves the organization.

+- A new or emerging threat makes you decide to increase the size of the quorum.

+- There is a process change in implementing the quorum.

+- A USB drive or HSM belonging to a member of the security domain quorum is lost or compromised.

+### Security domain compromise or loss

+If your security domain is compromised, a malicious actor could use it to create their own managed HSM instance. The malicious actor could use the access to the key backups to start decrypting the data protected with the keys on the managed HSM instance. A lost security domain is considered compromised.

+After a security domain compromise, all data encrypted with the current managed HSM instance must be decrypted with current key material. A new managed HSM instance must be provisioned, and a new security domain, pointing to the new URL, must be implemented.

+Because there is no way to migrate key material from a managed HSM instance to another with a different security domain, implementing the security domain must be well thought-out, and protected with accurate, periodically reviewed record keeping.

+## Summary

+The security domain and its corresponding private keys play an important part in managed HSM operations. These artifacts are analogous to the combination of a safe, and poor management may easily comprise strong algorithms and systems. If a safe combination is known to an adversary, the strongest safe provides no security. The proper management of the security domain and its private keys is essential to the effective use of the managed HSM.

+It is highly recommended that you review [NIST Special Publication 800-57](https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/final) for key management best practices, before developing and implementing the policies, systems, and standards necessary to meet and enhance your organization's security goals.

+ Title: Deploy IPv6 dual stack application - Basic Load Balancer - PowerShell

+description: This article shows how deploy an IPv6 dual stack application in Azure virtual network using Azure PowerShell.

+# Deploy an IPv6 dual stack application using Basic Load Balancer - PowerShell

+This article shows you how to deploy a dual stack (IPv4 + IPv6) application with Basic Load Balancer using Azure PowerShell that includes a dual stack virtual network and subnet, a Basic Load Balancer with dual (IPv4 + IPv6) front-end configurations, VMs with NICs that have a dual IP configuration, network security group, and public IPs.

+To deploy a dual stack (IPV4 + IPv6) application using Standard Load Balancer, see [Deploy an IPv6 dual stack application with Standard Load Balancer using Azure PowerShell](../virtual-network-ipv4-ipv6-dual-stack-standard-load-balancer-powershell.md).

+If you choose to install and use PowerShell locally, this article requires the Azure PowerShell module version 6.9.0 or later. Run `Get-Module -ListAvailable Az` to find the installed version. If you need to upgrade, see [Install Azure PowerShell module](/powershell/azure/install-Az-ps). If you are running PowerShell locally, you also need to run `Connect-AzAccount` to create a connection with Azure.

+## Create a resource group

+Before you can create your dual-stack virtual network, you must create a resource group with [New-AzResourceGroup](/powershell/module/az.resources/new-azresourcegroup). The following example creates a resource group named *myRGDualStack* in the *east us* location:

+```azurepowershell-interactive

+ $rg = New-AzResourceGroup `

+ -ResourceGroupName "dsRG1" `

+ -Location "east us"

+```

+## Create IPv4 and IPv6 public IP addresses

+To access your virtual machines from the Internet, you need IPv4 and IPv6 public IP addresses for the load balancer. Create public IP addresses with [New-AzPublicIpAddress](/powershell/module/az.network/new-azpublicipaddress). The following example creates IPv4 and IPv6 public IP address named *dsPublicIP_v4* and *dsPublicIP_v6* in the *dsRG1* resource group:

+```azurepowershell-interactive

+$PublicIP_v4 = New-AzPublicIpAddress `

+ -Name "dsPublicIP_v4" `

+ -ResourceGroupName $rg.ResourceGroupName `

+ -Location $rg.Location `

+ -AllocationMethod Dynamic `

+ -IpAddressVersion IPv4

+

+$PublicIP_v6 = New-AzPublicIpAddress `

+ -Name "dsPublicIP_v6" `

+ -ResourceGroupName $rg.ResourceGroupName `

+ -Location $rg.Location `

+ -AllocationMethod Dynamic `

+ -IpAddressVersion IPv6

+```

+To access your virtual machines using a RDP connection, create a IPV4 public IP addresses for the virtual machines with [New-AzPublicIpAddress](/powershell/module/az.network/new-azpublicipaddress).

+```azurepowershell-interactive

+ $RdpPublicIP_1 = New-AzPublicIpAddress `

+ -Name "RdpPublicIP_1" `

+ -ResourceGroupName $rg.ResourceGroupName `

+ -Location $rg.Location `

+ -AllocationMethod Dynamic `

+ -IpAddressVersion IPv4

+

+ $RdpPublicIP_2 = New-AzPublicIpAddress `

+ -Name "RdpPublicIP_2" `

+ -ResourceGroupName $rg.ResourceGroupName `

+ -Location $rg.Location `

+ -AllocationMethod Dynamic `

+ -IpAddressVersion IPv4

+```

+## Create Basic Load Balancer

+In this section, you configure dual frontend IP (IPv4 and IPv6) and the back-end address pool for the load balancer and then create a Basic Load Balancer.

+### Create front-end IP

+Create a front-end IP with [New-AzLoadBalancerFrontendIpConfig](/powershell/module/az.network/new-azloadbalancerfrontendipconfig). The following example creates IPv4 and IPv6 frontend IP configurations named *dsLbFrontEnd_v4* and *dsLbFrontEnd_v6*:

+```azurepowershell-interactive

+$frontendIPv4 = New-AzLoadBalancerFrontendIpConfig `

+ -Name "dsLbFrontEnd_v4" `

+ -PublicIpAddress $PublicIP_v4

+$frontendIPv6 = New-AzLoadBalancerFrontendIpConfig `

+ -Name "dsLbFrontEnd_v6" `

+ -PublicIpAddress $PublicIP_v6

+```

+### Configure back-end address pool

+Create a back-end address pool with [New-AzLoadBalancerBackendAddressPoolConfig](/powershell/module/az.network/new-azloadbalancerbackendaddresspoolconfig). The VMs attach to this back-end pool in the remaining steps. The following example creates back-end address pools named *dsLbBackEndPool_v4* and *dsLbBackEndPool_v6* to include VMs with both IPV4 and IPv6 NIC configurations:

+```azurepowershell-interactive

+$backendPoolv4 = New-AzLoadBalancerBackendAddressPoolConfig `

+-Name "dsLbBackEndPool_v4"

+$backendPoolv6 = New-AzLoadBalancerBackendAddressPoolConfig `

+-Name "dsLbBackEndPool_v6"

+```

+### Create a health probe

+Use [Add-AzLoadBalancerProbeConfig](/powershell/module/az.network/add-azloadbalancerprobeconfig) to create a health probe to monitor the health of the VMs.

+```azurepowershell

+$probe = New-AzLoadBalancerProbeConfig -Name MyProbe -Protocol tcp -Port 3389 -IntervalInSeconds 15 -ProbeCount 2

+```

+### Create a load balancer rule

+A load balancer rule is used to define how traffic is distributed to the VMs. You define the frontend IP configuration for the incoming traffic and the backend IP pool to receive the traffic, along with the required source and destination port. To make sure only healthy VMs receive traffic, you can optionally define a health probe. Basic load balancer uses an IPv4 probe to assess health for both IPv4 and IPv6 endpoints on the VMs. Standard load balancer includes support for explicitly IPv6 health probes.

+Create a load balancer rule with [Add-AzLoadBalancerRuleConfig](/powershell/module/az.network/add-azloadbalancerruleconfig). The following example creates load balancer rules named *dsLBrule_v4* and *dsLBrule_v6* and balances traffic on *TCP* port *80* to the IPv4 and IPv6 frontend IP configurations:

+```azurepowershell-interactive

+$lbrule_v4 = New-AzLoadBalancerRuleConfig `

+ -Name "dsLBrule_v4" `

+ -FrontendIpConfiguration $frontendIPv4 `

+ -BackendAddressPool $backendPoolv4 `

+ -Protocol Tcp `

+ -FrontendPort 80 `

+ -BackendPort 80 `

+ -probe $probe

+$lbrule_v6 = New-AzLoadBalancerRuleConfig `

+ -Name "dsLBrule_v6" `

+ -FrontendIpConfiguration $frontendIPv6 `

+ -BackendAddressPool $backendPoolv6 `

+ -Protocol Tcp `

+ -FrontendPort 80 `

+ -BackendPort 80 `

+ -probe $probe

+```

+### Create load balancer

+Create the Basic Load Balancer with [New-AzLoadBalancer](/powershell/module/az.network/new-azloadbalancer). The following example creates a public Basic Load Balancer named *myLoadBalancer* using the IPv4 and IPv6 frontend IP configurations, backend pools, and load-balancing rules that you created in the preceding steps:

+```azurepowershell-interactive

+$lb = New-AzLoadBalancer `

+-ResourceGroupName $rg.ResourceGroupName `

+-Location $rg.Location `

+-Name "MyLoadBalancer" `

+-Sku "Basic" `

+-FrontendIpConfiguration $frontendIPv4,$frontendIPv6 `

+-BackendAddressPool $backendPoolv4,$backendPoolv6 `

+-LoadBalancingRule $lbrule_v4,$lbrule_v6

+```

+## Create network resources

+Before you deploy some VMs and can test your balancer, you must create supporting network resources - availability set, network security group, virtual network, and virtual NICs.

+### Create an availability set

+To improve the high availability of your app, place your VMs in an availability set.

+Create an availability set with [New-AzAvailabilitySet](/powershell/module/az.compute/new-azavailabilityset). The following example creates an availability set named *myAvailabilitySet*:

+```azurepowershell-interactive

+$avset = New-AzAvailabilitySet `

+ -ResourceGroupName $rg.ResourceGroupName `

+ -Location $rg.Location `

+ -Name "dsAVset" `

+ -PlatformFaultDomainCount 2 `

+ -PlatformUpdateDomainCount 2 `

+ -Sku aligned

+```

+### Create network security group

+Create a network security group for the rules that will govern inbound and outbound communication in your VNET.

+#### Create a network security group rule for port 3389

+Create a network security group rule to allow RDP connections through port 3389 with [New-AzNetworkSecurityRuleConfig](/powershell/module/az.network/new-aznetworksecurityruleconfig).

+```azurepowershell-interactive

+$rule1 = New-AzNetworkSecurityRuleConfig `

+-Name 'myNetworkSecurityGroupRuleRDP' `

+-Description 'Allow RDP' `

+-Access Allow `

+-Protocol Tcp `

+-Direction Inbound `

+-Priority 100 `

+-SourceAddressPrefix * `

+-SourcePortRange * `

+-DestinationAddressPrefix * `

+-DestinationPortRange 3389

+```

+#### Create a network security group rule for port 80

+Create a network security group rule to allow internet connections through port 80 with [New-AzNetworkSecurityRuleConfig](/powershell/module/az.network/new-aznetworksecurityruleconfig).

+```azurepowershell-interactive

+$rule2 = New-AzNetworkSecurityRuleConfig `

+ -Name 'myNetworkSecurityGroupRuleHTTP' `

+ -Description 'Allow HTTP' `

+ -Access Allow `

+ -Protocol Tcp `

+ -Direction Inbound `

+ -Priority 200 `

+ -SourceAddressPrefix * `

+ -SourcePortRange 80 `

+ -DestinationAddressPrefix * `

+ -DestinationPortRange 80

+```

+#### Create a network security group

+Create a network security group with [New-AzNetworkSecurityGroup](/powershell/module/az.network/new-aznetworksecuritygroup).

+```azurepowershell-interactive

+$nsg = New-AzNetworkSecurityGroup `

+-ResourceGroupName $rg.ResourceGroupName `

+-Location $rg.Location `

+-Name "dsNSG1" `

+-SecurityRules $rule1,$rule2

+```

+### Create a virtual network

+Create a virtual network with [New-AzVirtualNetwork](/powershell/module/az.network/new-azvirtualnetwork). The following example creates a virtual network named *myVnet* with *mySubnet*:

+```azurepowershell-interactive

+# Create dual stack subnet

+$subnet = New-AzVirtualNetworkSubnetConfig `

+-Name "dsSubnet" `

+-AddressPrefix "10.0.0.0/24","fd00:db8:deca:deed::/64"

+# Create the virtual network

+$vnet = New-AzVirtualNetwork `

+ -ResourceGroupName $rg.ResourceGroupName `

+ -Location $rg.Location `

+ -Name "dsVnet" `

+ -AddressPrefix "10.0.0.0/16","fd00:db8:deca::/48" `

+ -Subnet $subnet

+```

+### Create NICs

+Create virtual NICs with [New-AzNetworkInterface](/powershell/module/az.network/new-aznetworkinterface). The following example creates two virtual NICs both with IPv4 and IPv6 configurations. (One virtual NIC for each VM you create for your app in the following steps).

+```azurepowershell-interactive

+ $Ip4Config=New-AzNetworkInterfaceIpConfig `

+ -Name dsIp4Config `

+ -Subnet $vnet.subnets[0] `

+ -PrivateIpAddressVersion IPv4 `

+ -LoadBalancerBackendAddressPool $backendPoolv4 `

+ -PublicIpAddress $RdpPublicIP_1

+

+ $Ip6Config=New-AzNetworkInterfaceIpConfig `

+ -Name dsIp6Config `

+ -Subnet $vnet.subnets[0] `

+ -PrivateIpAddressVersion IPv6 `

+ -LoadBalancerBackendAddressPool $backendPoolv6

+

+ $NIC_1 = New-AzNetworkInterface `

+ -Name "dsNIC1" `

+ -ResourceGroupName $rg.ResourceGroupName `

+ -Location $rg.Location `

+ -NetworkSecurityGroupId $nsg.Id `

+ -IpConfiguration $Ip4Config,$Ip6Config

+

+ $Ip4Config=New-AzNetworkInterfaceIpConfig `

+ -Name dsIp4Config `

+ -Subnet $vnet.subnets[0] `

+ -PrivateIpAddressVersion IPv4 `

+ -LoadBalancerBackendAddressPool $backendPoolv4 `

+ -PublicIpAddress $RdpPublicIP_2

+ $NIC_2 = New-AzNetworkInterface `

+ -Name "dsNIC2" `

+ -ResourceGroupName $rg.ResourceGroupName `

+ -Location $rg.Location `

+ -NetworkSecurityGroupId $nsg.Id `

+ -IpConfiguration $Ip4Config,$Ip6Config

+```

+### Create virtual machines

+Set an administrator username and password for the VMs with [Get-Credential](/powershell/module/microsoft.powershell.security/get-credential):

+```azurepowershell-interactive

+$cred = get-credential -Message "DUAL STACK VNET SAMPLE: Please enter the Administrator credential to log into the VMs."

+```

+Now you can create the VMs with [New-AzVM](/powershell/module/az.compute/new-azvm). The following example creates two VMs and the required virtual network components if they do not already exist.

+```azurepowershell-interactive

+$vmsize = "Standard_A2"

+$ImagePublisher = "MicrosoftWindowsServer"

+$imageOffer = "WindowsServer"

+$imageSKU = "2019-Datacenter"

+$vmName= "dsVM1"

+$VMconfig1 = New-AzVMConfig -VMName $vmName -VMSize $vmsize -AvailabilitySetId $avset.Id 3> $null | Set-AzVMOperatingSystem -Windows -ComputerName $vmName -Credential $cred -ProvisionVMAgent 3> $null | Set-AzVMSourceImage -PublisherName $ImagePublisher -Offer $imageOffer -Skus $imageSKU -Version "latest" 3> $null | Set-AzVMOSDisk -Name "$vmName.vhd" -CreateOption fromImage 3> $null | Add-AzVMNetworkInterface -Id $NIC_1.Id 3> $null

+$VM1 = New-AzVM -ResourceGroupName $rg.ResourceGroupName -Location $rg.Location -VM $VMconfig1

+$vmName= "dsVM2"

+$VMconfig2 = New-AzVMConfig -VMName $vmName -VMSize $vmsize -AvailabilitySetId $avset.Id 3> $null | Set-AzVMOperatingSystem -Windows -ComputerName $vmName -Credential $cred -ProvisionVMAgent 3> $null | Set-AzVMSourceImage -PublisherName $ImagePublisher -Offer $imageOffer -Skus $imageSKU -Version "latest" 3> $null | Set-AzVMOSDisk -Name "$vmName.vhd" -CreateOption fromImage 3> $null | Add-AzVMNetworkInterface -Id $NIC_2.Id 3> $null

+$VM2 = New-AzVM -ResourceGroupName $rg.ResourceGroupName -Location $rg.Location -VM $VMconfig2

+```

+## Determine IP addresses of the IPv4 and IPv6 endpoints

+Get all Network Interface Objects in the resource group to summarize the IP's used in this deployment with `get-AzNetworkInterface`. Also, get the Load Balancer's frontend addresses of the IPv4 and IPv6 endpoints with `get-AzpublicIpAddress`.

+```azurepowershell-interactive

+$rgName= "dsRG1"

+$NICsInRG= get-AzNetworkInterface -resourceGroupName $rgName

+write-host `nSummary of IPs in this Deployment:

+write-host ******************************************

+foreach ($NIC in $NICsInRG) {

+

+ $VMid= $NIC.virtualmachine.id

+ $VMnamebits= $VMid.split("/")

+ $VMname= $VMnamebits[($VMnamebits.count-1)]

+ write-host `nPrivate IP addresses for $VMname

+ $IPconfigsInNIC= $NIC.IPconfigurations

+ foreach ($IPconfig in $IPconfigsInNIC) {

+

+ $IPaddress= $IPconfig.privateipaddress

+ write-host " "$IPaddress

+ IF ($IPconfig.PublicIpAddress.ID) {

+

+ $IDbits= ($IPconfig.PublicIpAddress.ID).split("/")

+ $PipName= $IDbits[($IDbits.count-1)]

+ $PipObject= get-azPublicIpAddress -name $PipName -resourceGroup $rgName

+ write-host " "RDP address: $PipObject.IpAddress

+ }

+ }

+ }

+

+

+

+ write-host `nPublic IP addresses on Load Balancer:

+

+ (get-AzpublicIpAddress -resourcegroupname $rgName | where { $_.name -notlike "RdpPublicIP*" }).IpAddress

+```

+The following figure shows a sample output that lists the private IPv4 and IPv6 addresses of the two VMs, and the frontend IPv4 and IPv6 IP addresses of the Load Balancer.

+

+## View IPv6 dual stack virtual network in Azure portal

+You can view the IPv6 dual stack virtual network in Azure portal as follows:

+1. In the portal's search bar, enter *dsVnet*.

+2. When **myVirtualNetwork** appears in the search results, select it. This launches the **Overview** page of the dual stack virtual network named *dsVnet*. The dual stack virtual network shows the two NICs with both IPv4 and IPv6 configurations located in the dual stack subnet named *dsSubnet*.

+ 

+## Clean up resources

+When no longer needed, you can use the [Remove-AzResourceGroup](/powershell/module/az.resources/remove-azresourcegroup) command to remove the resource group, VM, and all related resources.

+```azurepowershell-interactive

+Remove-AzResourceGroup -Name dsRG1

+```

+## Next steps

+In this article, you created a Basic Load Balancer with a dual frontend IP configuration (IPv4 and IPv6). You also created a two virtual machines that included NICs with dual IP configurations (IPV4 + IPv6) that were added to the back-end pool of the load balancer. To learn more about IPv6 support in Azure virtual networks, see [What is IPv6 for Azure Virtual Network?](../../virtual-network/ip-services/ipv6-overview.md)

+The test results contain a comma-separated values (CSV) file with details of each application request. See [Apache JMeter CSV log format](https://jmeter.apache.org/usermanual/listeners.html#csvlogformat) and the [Apache JMeter Glossary](https://jmeter.apache.org/usermanual/glossary.html) for details about the different fields.

+You can also use the test results to diagnose errors during a load test. The `responseCode` and `responseMessage` fields give you more information about failed requests. For more information about investigating errors, see [Troubleshoot test execution errors](./how-to-find-download-logs.md).

+In addition, all files for running the Apache JMeter dashboard locally are included.

+ The *testreport.csv* file contains details of each request that the test engine executed during the load test. The Apache JMeter dashboard, which is also included in the zip file, uses this file for its graphs.

+- Learn more about [Troubleshooting test execution errors](./how-to-find-download-logs.md).

+ * Set up your SAP gateway security logging to help find Access Control List (ACL) issues. For more information, review the [SAP help topic for setting up gateway logging](https://help.sap.com/viewer/62b4de4187cb43668d15dac48fc00732/7.31.25/en-US/48b2a710ca1c3079e10000000a42189b.html).

+To use the available [SAP trigger](#triggers) and [SAP actions](#actions), you need to first authenticate your connection. You can authenticate your connection with a username and password. The SAP connector also supports [SAP Secure Network Communications (SNC)](https://help.sap.com/viewer/e73bba71770e4c0ca5fb2a3c17e8e229/7.31.25/en-US/e656f466e99a11d1a5b00000e835363f.html) for authentication. You can use SNC for SAP NetWeaver single sign-on (SSO), or for additional security capabilities from external products. If you use SNC, review the [SNC prerequisites](#snc-prerequisites) and the [SNC prerequisites for the ISE connector](#snc-prerequisites-ise).

+| <*ocurrence*> | Yes | Integer | A positive number that specifies the *n*th occurrence of the substring to find. |

+parseDateTime('<timestamp>', '<locale>'?, '<format>'?)

+| <*locale*> | No | String | The locale to use. <br><br>If not specified, default locale is used. <br><br>If *locale* isn't a valid value, an error is generated that the provided locale isn't valid or doesn't have an associated locale. |

+| <*format*> | No | String | Either a [single format specifier](/dotnet/standard/base-types/standard-date-and-time-format-strings) or a [custom format pattern](/dotnet/standard/base-types/custom-date-and-time-format-strings). The default format for the timestamp is ["o"](/dotnet/standard/base-types/standard-date-and-time-format-strings) (yyyy-MM-ddTHH:mm:ss.fffffffK), which complies with [ISO 8601](https://en.wikipedia.org/wiki/ISO_8601) and preserves time zone information. <br><br> If not specified, the parsing will be attempted with multiple compatible with the provided locale. <br><br>If the format isn't a valid value, an error is generated that the provided format isn't valid and must be a numeric format string. |

+slice('<text>', <startIndex>, <endIndex>?)

+ In the list of assets under *Text Analytics*, drag and drop the **Latent Dirichlet Allocation** component onto the canvas.

+ - `azureml_py38`: environment based on Python 3.8 with preinstalled [AzureML SDK](/python/api/overview/azure/ml/?view=azure-ml-py&preserve-view=true) containing also [AutoML](/azure/machine-learning/concept-automated-ml) environment

+> [!WARNING]

+> Make sure you close any unused sessions to preserve your compute instance's resources. Idle terminals may impact performance of compute instances.

+| Create new workspace ₁ | Not required | Owner or contributor | N/A (becomes Owner or inherits higher scope role after creation) |

+| Attach an AKS resource ₂ | Not required | Owner or contributor on the resource group that contains AKS |

+1: If you receive a failure when trying to create a workspace for the first time, make sure that your role allows `Microsoft.MachineLearningServices/register/action`. This action allows you to register the Azure Machine Learning resource provider with your Azure subscription.

+2: When attaching an AKS cluster, you also need to the [Azure Kubernetes Service Cluster Admin Role](/azure/role-based-access-control/built-in-roles#azure-kubernetes-service-cluster-admin-role) on the cluster.

+### Create a workspace using a customer-managed key

+When using a customer-managed key (CMK), an Azure Key Vault is used to store the key. The user or service principal used to create the workspace must have owner or contributor access to the key vault.

+Within the key vault, the user or service principal must have create, get, delete, and purge access to the key through a key vault access policy. For more information, see [Azure Key Vault security](/azure/key-vault/general/security-features#controlling-access-to-key-vault-data).

+ az ml workspace update --name myworkspace --public-network-access enabled

+- To attach an AKS cluster, the service principal/user performing the operation must be assigned the __Owner or contributor__ Azure role-based access control (Azure RBAC) role on the Azure resource group that contains the cluster. The service principal/user must also be assigned [Azure Kubernetes Service Cluster Admin Role](/azure/role-based-access-control/built-in-roles#azure-kubernetes-service-cluster-admin-role) on the cluster.

+ az ml workspace update --name myworkspace --public-network-access enabled

+* **Connecting to a notebook**: If you can't connect to a notebook, ensure that web socket communication is **not** disabled. For compute instance Jupyter functionality to work, web socket communication must be enabled. Ensure your [network allows websocket connections](how-to-access-azureml-behind-firewall.md?tabs=ipaddress#microsoft-hosts) to *.instances.azureml.net and *.instances.azureml.ms.

+* **Private endpoint**: When a compute instance is deployed in a workspace with a private endpoint, it can be only be [accessed from within virtual network](./how-to-secure-training-vnet.md). If you are using custom DNS or hosts file, add an entry for < instance-name >.< region >.instances.azureml.ms with the private IP address of your workspace private endpoint. For more information see the [custom DNS](./how-to-custom-dns.md?tabs=azure-cli) article.

+* **Kernel crash**: If your kernel crashed and was restarted, you can run the following command to look at jupyter log and find out more details: `sudo journalctl -u jupyter`. If kernel issues persist, consider using a compute instance with more memory.

+* **Kernel not found** or **Kernel operations were disabled**: When using the default Python 3.8 kernel on a compute instance, you may get an error such as "Kernel not found" or "Kernel operations were disabled". To fix, use one of the following methods:

+ * Create a new compute instance. This will use a new image where this problem has been resolved.

+ * Use the Py 3.6 kernel on the existing compute instance.

+ * From a terminal in the default py38 environment, run ```pip install ipykernel==6.6.0``` OR ```pip install ipykernel==6.0.3```

+* **Expired token**: If you run into an expired token issue, sign out of your Azure ML studio, sign back in, and then restart the notebook kernel.

+* **File upload limit**: When uploading a file through the notebook's file explorer, you are limited files that are smaller than 5TB. If you need to upload a file larger than this, we recommend that you use one of the following methods:

+* [Tutorial: Create a secure workspace](tutorial-create-secure-workspace.md)

+* [Tutorial: Create a secure workspace using a template](tutorial-create-secure-workspace-template.md)

+`SELECT Date,OfferName,ReferralDomain,CountryName,PageVisits,GetItNow,ContactMe,TestDrive, FreeTrial FROM ISVMarketplaceInsights TIMESPAN LAST_6_MONTHS`

+**QueryID**: `bf54dde4-7dc4-492f-a69a-f45de049bfcb`

+On the applications side, the application is typically developed in Java or PHP and migrated to run on Azure virtual machine scale sets or Azure App Services or are containerized to run on Azure Kubernetes Service (AKS). With virtual machine scale set, App Service or AKS as underlying infrastructure, application scaling is simplified by instantaneously provisioning new VMs and replicating the stateless components of applications to cater to the requests but often, database ends up being a bottleneck as centralized stateful component.

+> 2. For newer Gateway versions, the IkeErrors.txt, Scrubbed-wfpdiag.txt and wfpdiag.txt.sum have been replaced by an IkeLogs.txt file that contains the whole IKE activity (not just errors).

+[1]: ./media/network-watcher-troubleshoot-overview/gateway-tenant-worker-logs-new.png

+* [**Microsoft.Network/virtualNetworks/providers/roleAssignments**](/azure/templates/microsoft.authorization/roleassignments)

+* [Microsoft.Network/virtualNetworks/providers/roleAssignments](/azure/templates/microsoft.authorization/roleassignments)

+* [Configure authentication with Azure Active Directory using the Azure portal and OpenShift web console](configure-azure-ad-cli.md)i

+You must have completed all of the steps in [Allocate subnets and IP addresses](complete-private-mobile-network-prerequisites.md#allocate-subnets-and-ip-addresses), [Allocate User Equipment (UE) IP address pools](complete-private-mobile-network-prerequisites.md#allocate-user-equipment-ue-ip-address-pools), and [Order and set up your Azure Stack Edge Pro device(s)](complete-private-mobile-network-prerequisites.md#order-and-set-up-your-azure-stack-edge-pro-devices) for your new site.

+> Where noted, you must use the same values you used when deploying the AKS-HCI cluster on your Azure Stack Edge Pro device. You did this as part of the steps in [Order and set up your Azure Stack Edge Pro device(s)](complete-private-mobile-network-prerequisites.md#order-and-set-up-your-azure-stack-edge-pro-devices).

+ | The network address of the subnet from which dynamic IP addresses must be allocated to User Equipment (UEs), given in CIDR notation. You won't need this if you don't want to support dynamic IP address allocation. You identified this in [Allocate User Equipment (UE) IP address pools](complete-private-mobile-network-prerequisites.md#allocate-user-equipment-ue-ip-address-pools). The following example shows the network address format. </br></br>`198.51.100.0/24` </br></br>Note that the UE subnets aren't related to the access subnet. |**Dynamic UE IP pool prefixes**|

+ | The network address of the subnet from which static IP addresses must be allocated to User Equipment (UEs), given in CIDR notation. You won't need this if you don't want to support static IP address allocation. You identified this in [Allocate User Equipment (UE) IP address pools](complete-private-mobile-network-prerequisites.md#allocate-user-equipment-ue-ip-address-pools). The following example shows the network address format. </br></br>`198.51.100.0/24` </br></br>Note that the UE subnets aren't related to the access subnet. |**Static UE IP pool prefixes**|

+- Importing a JSON file containing values for one or more SIM resources. This option is best when provisioning a large number of SIMs. The file format required for this JSON file is given in [JSON file format for provisioning SIMs](#json-file-format-for-provisioning-sims).

+### JSON file format for provisioning SIMs

+## Decide whether you want to use the default service and SIM policy

+You'll be given the option of creating a default service and SIM policy as part of deploying your private mobile network. They allow all traffic in both directions for all the SIMs you provision. They're designed to allow you to quickly deploy a private mobile network and bring SIMs into service automatically, without the need to design your own policy control configuration.

+Decide whether the default service and SIM policy are suitable for the initial use of your private mobile network. You can find information on each of the specific settings for these resources in [Default service and SIM policy](default-service-sim-policy.md) if you need it.

+If they aren't suitable, you can choose to deploy the private mobile network without any services or SIM policies. In this case, any SIMs you provision won't be brought into service when you create your private mobile network. You'll need to create your own services and SIM policies later.

+For detailed information on services and SIM policies, see [Policy control](policy-control.md).

+- Default gateway.

+## Allocate user equipment (UE) IP address pools

+Azure Private 5G Core supports the following IP address allocation methods for UEs.

+- Dynamic. Dynamic IP address allocation automatically assigns a new IP address to a UE each time it connects to the private mobile network.

+- Static. Static IP address allocation ensures that a UE receives the same IP address every time it connects to the private mobile network. This is useful when you want Internet of Things (IoT) applications to be able to consistently connect to the same device. For example, you may configure a video analysis application with the IP addresses of the cameras providing video streams. If these cameras have static IP addresses, you will not need to reconfigure the video analysis application with new IP addresses each time the cameras restart. You'll allocate static IP addresses to a UE as part of [provisioning its SIM](provision-sims-azure-portal.md).

+You can choose to support one or both of these methods for each site in your private mobile network.

+For each site you're deploying, do the following:

+- Decide which IP address allocation methods you want to support.

+- For each method you want to support, identify an IP address pool from which IP addresses can be allocated to UEs. You'll need to provide each IP address pool in CIDR notation.

+ If you decide to support both methods for a particular site, ensure that the IP address pools are of the same size and do not overlap.

+Do the following for each site you want to add to your private mobile network. Detailed instructions for how to carry out each step are included in the **Detailed instructions** column where applicable.

+- Decide whether you want to assign this SIM policy to any SIMs as part of configuring it. If you do, you must have provisioned these SIMs following the instructions in [Provision SIMs - Azure portal](provision-sims-azure-portal.md).

+- [Learn more about policy control](policy-control.md)

+- Complete the steps in [Allocate subnets and IP addresses](complete-private-mobile-network-prerequisites.md#allocate-subnets-and-ip-addresses), [Allocate user equipment (UE) IP address pools](complete-private-mobile-network-prerequisites.md#allocate-user-equipment-ue-ip-address-pools), and [Order and set up your Azure Stack Edge Pro device(s)](complete-private-mobile-network-prerequisites.md#order-and-set-up-your-azure-stack-edge-pro-devices) for your new site.

+ :::image type="content" source="media/how-to-guide-deploy-a-private-mobile-network-azure-portal/site-related-resources.png" alt-text="Screenshot of the Azure portal showing a resource group containing a site and its related resources." lightbox="media/how-to-guide-deploy-a-private-mobile-network-azure-portal/site-related-resources.png":::

+ Title: Default service and SIM policy

+description: Information on the default service and SIM policy that can be created as part of deploying a private mobile network.

+# Default service and SIM policy

+You're given the option of creating a default service and SIM policy when you first create a private mobile network using the instructions in [Deploy a private mobile network through Azure Private 5G Core Preview - Azure portal](how-to-guide-deploy-a-private-mobile-network-azure-portal.md).

+- The default service allows all traffic in both directions.

+- The default SIM policy is automatically assigned to all SIMs you provision as part of creating the private mobile network, and applies the default service to these SIMs.

+They're designed to allow you to quickly deploy a private mobile network and bring SIMs into service automatically, without the need to design your own policy control configuration.

+The following sections provide the settings for the default service and SIM policy. You can use these to decide whether they're suitable for the initial deployment of your private mobile network. If you need more information on any of these settings, see [Collect the required information for a service](collect-required-information-for-service.md) and [Collect the required information for a SIM policy](collect-required-information-for-sim-policy.md).

+## Default service

+The following tables provide the settings for the default service and its associated data flow policy rule and data flow policy template.

+### Service settings

+|Setting |Value |

+|||

+|The service name. |*Allow-all-traffic* |

+|A precedence value that the packet core instance must use to decide between services when identifying the QoS values to offer.|*253* |

+|The Maximum Bit Rate (MBR) for uploads across all service data flows that will be included in data flow policy rules configured on this service.|*2 Gbps* |

+|The Maximum Bit Rate (MBR) for downloads across all service data flows that will be included in data flow policy rules configured on this service. |*2 Gbps* |

+|The default QoS Flow Allocation and Retention Policy (ARP) priority level.| *9* |

+|The default 5G QoS Indicator (5QI) value for this service. The 5QI identifies a set of 5G QoS characteristics that control QoS forwarding treatment for QoS Flows, such as limits for Packet Error Rate. | *9* |

+|The default QoS Flow preemption capability for QoS Flows for this service. The preemption capability of a QoS Flow controls whether it can preempt another QoS Flow with a lower priority level. |*May not preempt* |

+|The default QoS Flow preemption vulnerability for QoS Flows for this service. The preemption vulnerability of a QoS Flow controls whether it can be preempted another QoS Flow with a higher priority level. |*Preemptable* |

+### Data flow policy rule settings

+|Setting |Value |

+|||

+|The name of the rule. | *All-traffic* |

+|A precedence value that the packet core instance must use to decide between data flow policy rules. | *253* |

+|A traffic control setting determining whether flows that match the data flow template on this data flow policy rule are permitted. | *Enabled* |

+### Data flow template settings

+|Setting |Value |

+|||

+|The name of the template. | *Any-traffic* |

+|A list of allowed protocol(s) for this flow. | *All* |

+|The direction of this flow. | *Bidirectional* |

+|The remote IP address(es) to which SIMs will connect for this flow. | *any* |

+## Default SIM policy

+The following tables provide the settings for the default SIM policy and its associated network scope.

+### SIM policy settings

+|Setting |Value |

+|||

+|The SIM policy name. | *Default-policy* |

+|The UE Aggregated Maximum Bit Rate (UE-AMBR) for uplink traffic (traveling away from SIMs) across all Non-GBR QoS Flows for a SIM to which this SIM policy is assigned. | *2 Gbps* |

+|The UE Aggregated Maximum Bit Rate (UE-AMBR) for downlink traffic (traveling towards SIMs) across all Non-GBR QoS Flows for a SIM to which this SIM policy is assigned. | *2 Gbps* |

+|The interval between UE registrations for SIMs to which this SIM policy is assigned, given in seconds. | *3240* |

+### Network scope settings

+|Setting |Value |

+|||

+|The names of the services permitted on this data network. | *Allow-all-traffic* |

+|The maximum bitrate for uplink traffic (traveling away from SIMs) across all Non-GBR QoS Flows of a given PDU session on this data network. | *2 Gbps* |

+|The maximum bitrate for downlink traffic (traveling towards SIMs) across all Non-GBR QoS Flows of a given PDU session on this data network. | *2 Gbps* |

+|The default 5G QoS Indicator (5QI) value for this data network. The 5QI identifies a set of 5G QoS characteristics that control QoS forwarding treatment for QoS Flows, such as limits for Packet Error Rate. | *9* |

+|The default QoS Flow Allocation and Retention Policy (ARP) priority level for this data network. Flows with a higher ARP priority level preempt those with a lower ARP priority level. | *1* |

+|The default QoS Flow preemption capability for QoS Flows on this data network. The preemption capability of a QoS Flow controls whether it can preempt another QoS Flow with a lower priority level. | *May not preempt* |

+|The default QoS Flow preemption vulnerability for QoS Flows on this data network. The preemption vulnerability of a QoS Flow controls whether it can be preempted another QoS Flow with a higher priority level. | *Preemptable* |

+## Next steps

+Once you've decided whether the default service and SIM policy are suitable, you can start deploying your private mobile network.

+- [Collect the required information to deploy a private mobile network](collect-required-information-for-private-mobile-network.md)

+- [Deploy a private mobile network through Azure Private 5G Core Preview - Azure portal](how-to-guide-deploy-a-private-mobile-network-azure-portal.md)

+ Title: Export, upload and share traces

+description: In this how-to guide, learn how to export, upload and share your detailed traces for diagnostics.

+# Export, upload and share traces

+Azure Private 5G Core Preview offers a distributed tracing web GUI, which you can use to collect detailed traces for signaling flows involving packet core instances. You can export these traces and upload them to a storage account to allow your support representative to access them and provide troubleshooting assistance.

+## Prerequisites

+- Ensure you can sign in to the Azure portal using an account with access to the active subscription you identified in [Complete the prerequisite tasks for deploying a private mobile network](complete-private-mobile-network-prerequisites.md). This account must have the built-in Contributor role at the subscription scope.

+- Ensure you can sign in to the distributed tracing web GUI as described in [Distributed tracing](distributed-tracing.md).

+## Create a storage account and blob container in Azure

+ When uploading and sharing a trace for the first time, you'll need to create a storage account and a container resource to store your traces. You can skip this step if this has already been done.

+1. [Create a storage account](../storage/common/storage-account-create.md) with the following additional configuration:

+ 1. In the **Advanced** tab, select **Enable storage account key access**. This will allow your support representative to download traces stored in this account using the URLs you share with them.

+ 1. In the **Data protection** tab, under **Access control**, select **Enable version-level immutability support**. This will allow you to specify a time-based retention policy for the account in the next step.

+1. If you would like the traces in your storage account to be automatically deleted after a period of time, [configure a default time-based retention policy](../storage/blobs/immutable-policy-configure-version-scope.md#configure-a-default-time-based-retention-policy) for your storage account.

+1. [Create a container](../storage/blobs/storage-quickstart-blobs-portal.md#create-a-container) for your traces.

+## Export trace from the distributed tracing web GUI

+In this step, you'll export the trace from the distributed tracing web GUI and save it locally.

+1. Sign in to the distributed tracing web GUI at https://*\<LocalMonitoringIP\>*/sas, where *\<LocalMonitoringIP\>* is the IP address you set up for accessing local monitoring tools.

+1. In the **Search** tab, specify the SUPI and time for the event you're interested in and select **Search**.

+

+ :::image type="content" source="media\distributed-tracing-share-traces\distributed-tracing-search.png" alt-text="Screenshot of the Search display in the distributed tracing web G U I, showing the S U P I search field and date and time range options.":::

+1. Find the relevant trace in the **Diagnostics Search Results** tab and select it.

+ :::image type="content" source="media\distributed-tracing\distributed-tracing-search-results.png" alt-text="Screenshot of search results on a specific S U P I in the distributed tracing web G U I. It shows matching Successful P D U Session Establishment records.":::

+1. Select **Export** and save the file locally.

+ :::image type="content" source="media\distributed-tracing-share-traces\distributed-tracing-summary-view-export.png" alt-text="Screenshot of the Summary view of a specific trace in the distributed tracing web G U I, providing information on a Successful P D U Session Establishment record. The Export button in the top ribbon is highlighted." lightbox="media\distributed-tracing-share-traces\distributed-tracing-summary-view-export.png":::

+## Upload trace to your blob container

+You can now upload the trace to the container you created in [Create a storage account and blob container in Azure](#create-a-storage-account-and-blob-container-in-azure).

+1. Sign in to the Azure portal at [https://aka.ms/AP5GCPortal](https://aka.ms/AP5GCPortal).

+1. Navigate to your Storage account resource.

+1. In the **Resource** menu, select **Containers**.

+ :::image type="content" source="media\distributed-tracing-share-traces\containers-resource-menu.png" alt-text="Screenshot of the Azure portal showing the Containers option in the resource menu of a Storage account resource." lightbox="media\distributed-tracing-share-traces\containers-resource-menu.png":::

+1. Select the container you created for your traces.

+1. Select **Upload**. In the **Upload blob** window, search for the trace file you exported in the previous step and upload it.

+ :::image type="content" source="media\distributed-tracing-share-traces\upload-blob-tab.png" alt-text="Screenshot of the Azure portal showing the Overview display of a Container resource. The Upload button is highlighted." lightbox="media\distributed-tracing-share-traces\upload-blob-tab.png":::

+## Create URL for sharing the trace

+You'll now generate a shared access signature (SAS) URL for your trace. Once you create the URL, you can share it with your support representative for assistance with troubleshooting.

+1. Navigate to your Container resource.

+

+ :::image type="content" source="media\distributed-tracing-share-traces\container-overview-tab.png" alt-text="Screenshot of the Azure portal showing the Overview display of a Container resource.":::

+1. Select the trace you'd like to share.

+1. Select the **Generate SAS** tab.

+ :::image type="content" source="media\distributed-tracing-share-traces\generate-shared-access-signature-tab.png" alt-text="Screenshot of the Azure portal showing the container overview and the trace blob information window. The Generate S A S tab is highlighted." lightbox="media\distributed-tracing-share-traces\generate-shared-access-signature-tab.png":::

+1. Fill out the fields with the following configuration:

+ 1. Under **Signing method**, select **Account key**. This means anyone with access to the URL you generate will be able to paste it into a browser and download the trace.

+ 1. Under **Permissions**, select **Read**.

+ 1. Under **Start and expiry date/time**, set an expiration window of 48 hours for your token and URL.

+ 1. If you know the IP address from which your support representative will download the trace, set it under **Allowed IP addresses**. Otherwise, you can leave this blank.

+1. Select **Generate SAS token and URL**.

+ :::image type="content" source="media\distributed-tracing-share-traces\generate-shared-access-signature-token-url.png" alt-text="Screenshot of the Azure portal showing the Generate S A S tab in the trace blob information window. The Generate S A S token and U R L button is highlighted." lightbox="media\distributed-tracing-share-traces\generate-shared-access-signature-token-url.png":::

+1. Copy the contents of the **Blob SAS URL** field and share the URL with your support representative.

+## Delete trace

+You should free up space in your blob storage by deleting the traces you'll no longer need. To delete a trace:

+1. Navigate to your Container resource.

+1. Choose the trace you want to delete.

+1. Select **Delete**.

+## Next steps

+- [Learn more about the distributed tracing web GUI](distributed-tracing.md)

+## Access the distributed tracing web GUI

+To sign in to the distributed tracing web GUI:

+1. In your browser, enter https://*\<LocalMonitoringIP\>*/sas, where *\<LocalMonitoringIP\>* is the IP address for accessing the local monitoring tools that you set up in [Management network](complete-private-mobile-network-prerequisites.md#management-network).

+ :::image type="content" source="media\distributed-tracing\distributed-tracing-sign-in.png" alt-text="Screenshot of the distributed tracing web G U I sign in page, with fields for the username and password.":::

+1. Sign in using your credentials.

+ If you're accessing the distributed tracing web GUI for the first time after installing the packet core instance, you should fill in the fields with the default username and password. Afterwards, follow the prompts to set up a new password that you will use from the next time you sign in.

+ - **Name**: *admin*

+ - **Password**: *packetCoreAdmin*

+Once you're signed in to the distributed tracing web GUI, you can use the top-level menu to sign out or change your credentials. Select **Logout** to end your current session, and **Change Password** to update your password.

+## Search for specific information

+Once youΓÇÖve entered your chosen search parameters, select **Search**. The following image shows an example of the results returned for a search on a particular SUPI.

+You can select an entry in the search results to view detailed information for that call flow or error.

+## View diagnostics details

+When you select a specific result, the display shows the following tabs containing different categories of information.

+- **Black lines** indicate packet core Network Functions that have logged sending or receiving messages for this flow.

+- **Gray lines** indicate other components that don't log messages.

+## View help information

+- [Learn how to export, upload and share your traces for diagnostics](distributed-tracing-share-traces.md)

+- [Learn more about how you can monitor your deployment using the packet core dashboards](packet-core-dashboards.md)

+ Title: Enable Log Analytics for a packet core instance

+description: In this how-to guide, you'll learn how to enable Log Analytics to allow you to monitor and analyze activity for a packet core instance.

+# Enable Log Analytics for a packet core instance

+Log Analytics is a tool in the Azure portal used to edit and run log queries with data in Azure Monitor Logs. You can write queries to retrieve records or visualize data in charts, allowing you to monitor and analyze activity in your private mobile network. In this how-to guide, you'll learn how to enable Log Analytics for a packet core instance.

+> [!IMPORTANT]

+> Log Analytics is part of Azure Monitor and is chargeable. [Estimate costs](monitor-private-5g-core-with-log-analytics.md#estimate-costs) provides information on estimating the cost of using Log Analytics to monitor your private mobile network. You shouldn't enable Log Analytics if you don't want to incur any costs. If you don't enable Log Analytics, you can still monitor your packet core instances from the local network using the [packet core dashboards](packet-core-dashboards.md).

+## Prerequisites

+- Identify the Kubernetes - Azure Arc resource representing the Azure Arc-enabled Kubernetes cluster on which your packet core instance is running.

+- Ensure you have [Contributor](../role-based-access-control/built-in-roles.md#contributor) role assignment on the Azure subscription containing the Kubernetes - Azure Arc resource.

+- Ensure your local machine has kubectl access to the Azure Arc-enabled Kubernetes cluster.

+## Create an Azure Monitor extension

+Follow the steps in [Azure Monitor Container Insights for Azure Arc-enabled Kubernetes clusters](../azure-monitor/containers/container-insights-enable-arc-enabled-clusters.md) to create an Azure Monitor extension for the Azure Arc-enabled Kubernetes cluster. Ensure that you use the instructions for the Azure CLI, and that you choose **Option 4 - On Azure Stack Edge** when you carry out [Create extension instance using Azure CLI](../azure-monitor/containers/container-insights-enable-arc-enabled-clusters.md#create-extension-instance-using-azure-cli).

+## Configure and deploy the ConfigMap

+In this step, you'll configure and deploy a ConfigMap which will allow Container Insights to collect Prometheus metrics from the Azure Arc-enabled Kubernetes cluster.

+1. Copy the following yaml file into a text editor and save it as *99-azure-monitoring-configmap.yml*.

+ ```yml

+ kind: ConfigMap

+ apiVersion: v1

+ data:

+ schema-version:

+ # string.used by agent to parse config. supported versions are {v1}. Configs with other schema versions will be

+ # rejected by the agent.

+ v1

+ config-version:

+ # string.used by customer to keep track of this config file's version in their source control/repository (max

+ # allowed 10 chars, other chars will be truncated)

+ ver1

+ log-data-collection-settings: |-

+ # Log data collection settings

+ # Any errors related to config map settings can be found in the KubeMonAgentEvents table in the Log Analytics

+ # workspace that the cluster is sending data to.

+

+ [log_collection_settings]

+ [log_collection_settings.stdout]

+ # In the absense of this configmap, default value for enabled is true

+ enabled = false

+ # exclude_namespaces setting holds good only if enabled is set to true.

+ # kube-system log collection is disabled by default in the absence of 'log_collection_settings.stdout'

+ # setting. If you want to enable kube-system, remove it from the following setting.

+ # If you want to continue to disable kube-system log collection keep this namespace in the following setting

+ # and add any other namespace you want to disable log collection to the array.

+ # In the absense of this configmap, default value for exclude_namespaces = ["kube-system"].

+ exclude_namespaces = ["kube-system"]

+

+ [log_collection_settings.stderr]

+ # Default value for enabled is true

+ enabled = false

+ # exclude_namespaces setting holds good only if enabled is set to true.

+ # kube-system log collection is disabled by default in the absence of 'log_collection_settings.stderr'

+ # setting. If you want to enable kube-system, remove it from the following setting.

+ # If you want to continue to disable kube-system log collection keep this namespace in the following setting

+ # and add any other namespace you want to disable log collection to the array.

+ # In the absense of this cofigmap, default value for exclude_namespaces = ["kube-system"].

+ exclude_namespaces = ["kube-system"]

+

+ [log_collection_settings.env_var]

+ # In the absense of this configmap, default value for enabled is true

+ enabled = false

+

+ [log_collection_settings.enrich_container_logs]

+ # In the absense of this configmap, default value for enrich_container_logs is false.

+ # When this is enabled (enabled = true), every container log entry (both stdout & stderr)

+ # will be enriched with container Name & container Image.

+ enabled = false

+

+ [log_collection_settings.collect_all_kube_events]

+ # In the absense of this configmap, default value for collect_all_kube_events is false.

+ # When the setting is set to false, only the kube events with !normal event type will be collected.

+ # When this is enabled (enabled = true), all kube events including normal events will be collected.

+ enabled = false

+

+ prometheus-data-collection-settings: |-

+ # Custom Prometheus metrics data collection settings

+ [prometheus_data_collection_settings.cluster]

+ # Cluster level scrape endpoint(s). These metrics will be scraped from agent's Replicaset (singleton)

+ # Any errors related to prometheus scraping can be found in the KubeMonAgentEvents table in the Log Analytics

+ # workspace that the cluster is sending data to.

+

+ # Interval specifying how often to scrape for metrics. This is duration of time and can be specified for

+ # supporting settings by combining an integer value and time unit as a string value. Valid time units are ns,

+ # us (or ┬╡s), ms, s, m, h.

+ interval = "1m"

+

+ ## Uncomment the following settings with valid string arrays for prometheus scraping

+ fieldpass = ["subscribers_count", "amf_registered_subscribers", "amf_registered_subscribers_connected", "amf_connected_gnb", "subgraph_counts", "cppe_bytes_total", "amfcc_mm_initial_registration_failure", "amfcc_n1_auth_failure", "amfcc_n1_auth_reject", "amfn2_n2_pdu_session_resource_setup_request", "amfn2_n2_pdu_session_resource_setup_response", "amfn2_n2_pdu_session_resource_modify_request", "amfn2_n2_pdu_session_resource_modify_response", "amfn2_n2_pdu_session_resource_release_command", "amfn2_n2_pdu_session_resource_release_response", "amfcc_n1_service_reject", "amfn2_n2_pathswitch_request_failure", "amfn2_n2_handover_failure"]

+

+ #fielddrop = ["metric_to_drop"]

+

+ # An array of urls to scrape metrics from.

+ # urls = ["http://myurl:9101/metrics"]

+

+ # An array of Kubernetes services to scrape metrics from.

+ # kubernetes_services = ["http://my-service-dns.my-namespace:9102/metrics"]

+

+ # When monitor_kubernetes_pods = true, replicaset will scrape Kubernetes pods for the following prometheus

+ # annotations:

+ # - prometheus.io/scrape: Enable scraping for this pod

+ # - prometheus.io/scheme: If the metrics endpoint is secured then you will need to

+ # set this to `https` & most likely set the tls config.

+ # - prometheus.io/path: If the metrics path is not /metrics, define it with this annotation.

+ # - prometheus.io/port: If port is not 9102 use this annotation

+ monitor_kubernetes_pods = true

+

+ ## Restricts Kubernetes monitoring to namespaces for pods that have annotations set and are scraped using the

+ ## monitor_kubernetes_pods setting.

+ ## This will take effect when monitor_kubernetes_pods is set to true

+ ## ex: monitor_kubernetes_pods_namespaces = ["default1", "default2", "default3"]

+ # monitor_kubernetes_pods_namespaces = ["default1"]

+

+ [prometheus_data_collection_settings.node]

+ # Node level scrape endpoint(s). These metrics will be scraped from agent's DaemonSet running in every node in

+ # the cluster

+ # Any errors related to prometheus scraping can be found in the KubeMonAgentEvents table in the Log Analytics

+ # workspace that the cluster is sending data to.

+

+ # Interval specifying how often to scrape for metrics. This is duration of time and can be specified for

+ # supporting settings by combining an integer value and time unit as a string value. Valid time units are ns,

+ # us (or ┬╡s), ms, s, m, h.

+ interval = "1m"

+

+ ## Uncomment the following settings with valid string arrays for prometheus scraping

+

+ # An array of urls to scrape metrics from. $NODE_IP (all upper case) will substitute of running Node's IP

+ # address

+ # urls = ["http://$NODE_IP:9103/metrics"]

+

+ #fieldpass = ["metric_to_pass1", "metric_to_pass12"]

+

+ #fielddrop = ["metric_to_drop"]

+

+ metric_collection_settings: |-

+ # Metrics collection settings for metrics sent to Log Analytics and MDM

+ [metric_collection_settings.collect_kube_system_pv_metrics]

+ # In the absense of this configmap, default value for collect_kube_system_pv_metrics is false

+ # When the setting is set to false, only the persistent volume metrics outside the kube-system namespace will be

+ # collected

+ enabled = false

+ # When this is enabled (enabled = true), persistent volume metrics including those in the kube-system namespace

+ # will be collected

+

+ alertable-metrics-configuration-settings: |-

+ # Alertable metrics configuration settings for container resource utilization

+ [alertable_metrics_configuration_settings.container_resource_utilization_thresholds]

+ # The threshold(Type Float) will be rounded off to 2 decimal points

+ # Threshold for container cpu, metric will be sent only when cpu utilization exceeds or becomes equal to the

+ # following percentage

+ container_cpu_threshold_percentage = 95.0

+ # Threshold for container memoryRss, metric will be sent only when memory rss exceeds or becomes equal to the

+ # following percentage

+ container_memory_rss_threshold_percentage = 95.0

+ # Threshold for container memoryWorkingSet, metric will be sent only when memory working set exceeds or becomes

+ # equal to the following percentage

+ container_memory_working_set_threshold_percentage = 95.0

+

+ # Alertable metrics configuration settings for persistent volume utilization

+ [alertable_metrics_configuration_settings.pv_utilization_thresholds]

+ # Threshold for persistent volume usage bytes, metric will be sent only when persistent volume utilization

+ # exceeds or becomes equal to the following percentage

+ pv_usage_threshold_percentage = 60.0

+ integrations: |-

+ [integrations.azure_network_policy_manager]

+ collect_basic_metrics = false

+ collect_advanced_metrics = false

+ metadata:

+ name: container-azm-ms-agentconfig

+ namespace: kube-system

+ ```

+1. In a command line with kubectl access to the Azure Arc-enabled Kubernetes cluster, navigate to the folder containing the *99-azure-monitoring-configmap.yml* file and run the following command.

+

+ `kubectl apply -f 99-azure-monitoring-configmap.yml`

+ The configuration change can take a few minutes to finish before taking effect, and all omsagent pods in the cluster will restart. The restart is a rolling restart for all omsagent pods, not all restart at the same time. When the restarts are finished, a message is displayed that's similar to the following and includes the result: `configmap "container-azm-ms-agentconfig" created`.

+## Run a query

+In this step, you'll run a query in the Log Analytics workspace to confirm that you can retrieve logs for the packet core instance.

+1. Sign in to the Azure portal at [https://aka.ms/AP5GCPortal](https://aka.ms/AP5GCPortal).

+1. Search for and select the Log Analytics workspace you used when creating the Azure Monitor extension in [Create an Azure Monitor extension](#create-an-azure-monitor-extension).

+1. Select **Logs** from the resource menu.

+ :::image type="content" source="media/log-analytics-workspace.png" alt-text="Screenshot of the Azure portal showing a Log Analytics workspace resource. The Logs option is highlighted.":::

+1. If it appears, select **X** to dismiss the **Queries** window.

+1. Select **Select scope**.

+ :::image type="content" source="media/enable-log-analytics-for-private-5g-core/select-scope.png" alt-text="Screenshot of the Log Analytics interface. The Select scope option is highlighted.":::

+1. Under **Select a scope**, deselect the Log Analytics workspace.

+1. Search for and select the **Kubernetes - Azure Arc** resource representing the Azure Arc-enabled Kubernetes cluster.

+1. Select **Apply**.

+ :::image type="content" source="media/enable-log-analytics-for-private-5g-core/select-kubernetes-cluster-scope.png" alt-text="Screenshot of the Azure portal showing the Select a scope screen. The search bar, Kubernetes - Azure Arc resource and Apply option are highlighted.":::

+1. Copy and paste the following query into the query window, and then select **Run**.

+ ```kusto

+ InsightsMetrics

+ | where Namespace == "prometheus"

+ | where Name == "amf_connected_gnb"

+ | extend Time=TimeGenerated

+ | extend GnBs=Val

+ | project GnBs, Time

+ ```

+ :::image type="content" source="media/enable-log-analytics-for-private-5g-core/run-query.png" alt-text="Screenshot of the Log Analytics interface. The Run option is highlighted." lightbox="media/enable-log-analytics-for-private-5g-core/run-query.png":::

+1. Verify that the results window displays the results of the query, showing how many gNodeBs have been connected to the packet core instance in the last 24 hours.

+ :::image type="content" source="media/enable-log-analytics-for-private-5g-core/query-results.png" alt-text="Screenshot of the results window displaying results from a query.":::

+## Next steps

+- [Learn more about monitoring Azure Private 5G Core using Log Analytics](monitor-private-5g-core-with-log-analytics.md)

+- [Learn more about Log Analytics in Azure Monitor](../azure-monitor/logs/log-analytics-overview.md)

+ Title: Deploy a private mobile network - Azure portal

+- Collect all of the information listed in [Collect the required information to deploy a private mobile network - Azure portal](collect-required-information-for-private-mobile-network.md). You may also need to take the following steps based on the decisions you made when collecting this information.

+

+ - If you decided you wanted to provision SIMs using a JSON file, ensure you've prepared this file and made it available on the machine you'll use to access the Azure portal. For more information on the file format, see [JSON file format for provisioning SIMs](collect-required-information-for-private-mobile-network.md#json-file-format-for-provisioning-sims).

+ - If you decided you want to use the default service and SIM policy, identify the name of the data network to which your private mobile network will connect.

+## Deploy your private mobile network

+In this step, you'll create the Mobile Network resource representing your private mobile network as a whole. You can also provision one or more SIMs, and / or create the default service and SIM policy.

+ :::image type="content" source="media/mobile-networks-search.png" alt-text="Screenshot of the Azure portal showing a search for the Mobile Networks service.":::

+

+ :::image type="content" source="media/how-to-guide-deploy-a-private-mobile-network-azure-portal/create-private-mobile-network-sims-tab.png" alt-text="Screenshot of the Azure portal showing the SIMs configuration tab.":::

+1. If you want to use the default service and SIM policy, set **Do you wish to create a basic, default SIM policy and assign it these SIMs?** to **Yes**, and then enter the name of the data network into the **Data network name** field that appears.

+1. Select **Review + create**.

+ Select **Go to resource group**, and then check that your new resource group contains the correct **Mobile Network** resource. It may also contain the following, depending on the choices you made during the procedure.

+ - One or more **SIM** resources (if you provisioned any).

+ - **Service**, **SIM Policy**, **Data Network**, and **Slice** resources (if you decided to use the default service and SIM policy).

+ :::image type="content" source="media/pmn-deployment-resource-group.png" alt-text="Screenshot of the Azure portal showing a resource group containing Mobile Network, SIM, Service, SIM policy, Data Network, and Slice resources.":::

+You can either begin designing policy control to determine how your private mobile network will handle traffic, or you can start adding sites to your private mobile network.

+ Title: Monitor Azure Private 5G Core Preview with Log Analytics

+description: Information on using Log Analytics to monitor and analyze activity in your private mobile network.

+# Monitor Azure Private 5G Core Preview with Log Analytics

+Log Analytics is a tool in the Azure portal used to edit and run log queries with data in Azure Monitor Logs. You can write queries to retrieve records or visualize data in charts, allowing you to monitor and analyze activity in your private mobile network.

+## Enable Log Analytics

+You'll need to carry out the steps in [Enabling Log Analytics for Azure Private 5G Core](enable-log-analytics-for-private-5g-core.md) before you can use Log Analytics with Azure Private 5G Core.

+> [!IMPORTANT]

+> Log Analytics is part of Azure Monitor and is chargeable. [Estimate costs](#estimate-costs) provides information on estimating the cost of using Log Analytics to monitor your private mobile network. You shouldn't enable Log Analytics if you don't want to incur any costs. If you don't enable Log Analytics, you can still monitor your packet core instances from the local network using the [packet core dashboards](packet-core-dashboards.md).

+## Access Log Analytics for a packet core instance

+Once you've enabled Log Analytics, you can begin working with it in the Azure portal. Navigate to the Log Analytics workspace you assigned to the Kubernetes cluster on which a packet core instance is running. Select **Logs** from the left hand menu.

+You'll then be shown the Log Analytics tool where you can enter your queries.

+For detailed information on using the Log Analytics tool, see [Overview of Log Analytics in Azure Monitor](../azure-monitor/logs/log-analytics-overview.md).

+## Construct queries

+You can find a tutorial for writing queries using the Log Analytics tool at [Get started with log queries in Azure Monitor](../azure-monitor/logs/get-started-queries.md). Each packet core instance streams the following logs to the Log Analytics tool. You can use these logs to construct queries that will allow you to monitor your private mobile network. You'll need to run all queries at the scope of the **Kubernetes - Azure Arc** resource that represents the Kubernetes cluster on which your packet core instance is running.

+| Log name | Description |

+|--|--|

+| subscribers_count | Number of successfully provisioned SIMs. |

+| amf_registered_subscribers | Number of currently registered SIMs. |

+| amf_connected_gnb | Number of gNodeBs that are currently connected to the Access and Mobility Management Function (AMF). |

+| subgraph_counts | Number of active PDU sessions being handled by the User Plane Function (UPF). |

+| cppe_bytes_total | Total number of bytes received or transmitted by the UPF at each interface since the UPF last restarted. The value is given as a 64-bit unsigned integer. |

+| amfcc_mm_initial_registration_failure | Total number of failed initial registration attempts handled by the AMF. |

+| amfcc_n1_auth_failure | Counter of Authentication Failure Non-Access Stratum (NAS) messages. The Authentication Failure NAS message is sent by the user equipment (UE) to the AMF to indicate that authentication of the network has failed. |

+| amfcc_n1_auth_reject | Counter of Authentication Reject NAS messages. The Authentication Reject NAS message is sent by the AMF to the UE to indicate that the authentication procedure has failed and that the UE shall abort all activities. |

+| amfn2_n2_pdu_session_resource_setupΓÇï_request | Total number of PDU SESSION RESOURCE SETUP REQUEST Next Generation Application Protocol (NGAP) messages received by the AMF. |

+| amfn2_n2_pdu_session_resource_setupΓÇï_response | Total number of PDU SESSION RESOURCE SETUP RESPONSE NGAP messages received by the AMF. |

+| amfn2_n2_pdu_session_resource_modifyΓÇï_request | Total number of PDU SESSION RESOURCE MODIFY REQUEST NGAP messages received by the AMF. |

+| amfn2_n2_pdu_session_resource_modifyΓÇï_response | Total number of PDU SESSION RESOURCE MODIFY RESPONSE NGAP messages received by the AMF. |

+| amfn2_n2_pdu_session_resource_releaseΓÇï_command | Total number of PDU SESSION RESOURCE RELEASE COMMAND NGAP messages received by the AMF. |

+| amfn2_n2_pdu_session_resource_releaseΓÇï_response | Total number of PDU SESSION RESOURCE RELEASE RESPONSE NGAP messages received by the AMF. |

+| amfcc_n1_service_reject | Total number of Service reject NAS messages received by the AMF. |

+| amfn2_n2_pathswitch_request_failure | Total number of PATH SWITCH REQUEST FAILURE NGAP messages received by the AMF. |

+| amfn2_n2_handover_failure | Total number of HANDOVER FAILURE NGAP messages received by the AMF. |

+

+## Example queries

+The following are some example queries you can run to retrieve logs relating to Key Performance Indicators (KPIs) for your private mobile network. You should run all of these queries at the scope of the **Kubernetes - Azure Arc** resource that represents the Kubernetes cluster on which your packet core instance is running.

+### PDU sessions

+```Kusto

+InsightsMetrics

+ | where Namespace == "prometheus"

+ | where Name == "subgraph_counts"

+ | summarize PduSessions=max(Val) by Time=TimeGenerated

+```

+### Registered UEs

+```Kusto

+let Time = InsightsMetrics

+ | where Namespace == "prometheus"

+ | summarize by Time=TimeGenerated;

+let RegisteredDevices = InsightsMetrics

+ | where Namespace == "prometheus"ΓÇ»

+ | where Name == "amf_registered_subscribers"

+ | summarize by RegisteredDevices=Val, Time=TimeGenerated;

+Time

+ | join kind=leftouter (RegisteredDevices) on Time

+ | project Time, RegisteredDevices

+```

+### Connected gNodeBs

+```kusto

+InsightsMetrics

+ | where Namespace == "prometheus"

+ | where Name == "amf_connected_gnb"

+ | extend Time=TimeGenerated

+ | extend GnBs=Val

+ | project GnBs, Time

+```

+## Log Analytics dashboards

+Log Analytics dashboards can visualize all of your saved log queries, giving you the ability to find, correlate, and share data about your private mobile network.

+You can find information on how to create a Log Analytics dashboard in [Create and share dashboards of Log Analytics data](../azure-monitor/visualize/tutorial-logs-dashboards.md).

+## Estimate costs

+Log Analytics will ingest an average of 8GB of data a day for each log streamed to it by a single packet core instance. [Monitor usage and estimated costs in Azure Monitor](../azure-monitor/usage-estimated-costs.md) provides information on how to estimate the cost of using Log Analytics to monitor Azure Private 5G Core.

+## Next steps

+- [Enable Log Analytics for Azure Private 5G Core](enable-log-analytics-for-private-5g-core.md)

+- [Learn more about Log Analytics in Azure Monitor](../azure-monitor/logs/log-analytics-overview.md)

+## Access the packet core dashboards

+To sign in to the packet core dashboards:

+1. In your browser, enter https://*\<LocalMonitoringIP\>*/grafana, where *\<LocalMonitoringIP\>* is the IP address for accessing the local monitoring tools that you set up in [Management network](complete-private-mobile-network-prerequisites.md#management-network).

+ :::image type="content" source="media\packet-core-dashboards\grafana-sign-in.png" alt-text="Screenshot of the Grafana sign in page, with fields for the username and password.":::

+1. Sign in using your credentials.

+ If you're accessing the packet core dashboards for the first time after installing the packet core instance, you should fill in the fields with the default username and password. Afterwards, follow the prompts to set up a new password that you will use from the next time you sign in.

+ - **Email or username**: *admin*

+ - **Password**: *admin*

+Once you're signed in to the packet core dashboards, you can hover over your user icon in the left pane to access the options to sign out or change your password.

+## Switch between dashboards

+## Adjust the time range

+Azure Private 5G Core is integrated with Log Analytics in Azure Monitor, as described in [Monitor Azure Private 5G Core with Log Analytics](monitor-private-5g-core-with-log-analytics.md). You can write queries to retrieve records or visualize data in charts. This lets you monitor and analyze activity in your private mobile network directly from the Azure portal.

+*SIM resources* represent physical SIMs or eSIMs used by user equipment (UEs) served by the private mobile network. In this how-to guide, we'll provision new SIMs for an existing private mobile network. You can also choose to assign static IP addresses and a SIM policy to the SIMs you provision.

+- For each SIM you want to provision, decide whether you want to assign a SIM policy to it. If you do, you must have already created the relevant SIM policies using the instructions in [Configure a SIM policy - Azure portal](configure-sim-policy-azure-portal.md). SIMs can't access your private mobile network unless they have an assigned SIM policy.

+- If you've configured static IP address allocation for your packet core instance(s), decide whether you want to assign a static IP address to any of the SIMs you're provisioning. If you have multiple sites in your private mobile network, you can assign a different static IP address for each site to the same SIM.

+ Each IP address must come from the pool you assigned for static IP address allocation when creating the relevant site, as described in [Collect data network values](collect-required-information-for-a-site.md#collect-data-network-values). For more information, see [Allocate User Equipment (UE) IP address pools](complete-private-mobile-network-prerequisites.md#allocate-user-equipment-ue-ip-address-pools).

+ If you're assigning a static IP address to a SIM, you'll also need the following information.

+ - The SIM policy to assign to the SIM. You won't be able to set a static IP address for a SIM without also assigning a SIM policy.

+ - The name of the data network the SIM will use.

+ - The site at which the SIM will use this static IP address.

+## Create the JSON file

+1. In **Add SIMs** on the right, select **Browse** and then select the JSON file you created in [Create the JSON file](#create-the-json-file).

+## Assign static IP addresses

+In this step, you'll assign static IP addresses to your SIMs. You can skip this step if you don't want to assign any static IP addresses.

+1. Search for and select the **Mobile Network** resource representing the private mobile network containing your SIMs.

+ :::image type="content" source="media/mobile-network-search.png" alt-text="Screenshot of the Azure portal. It shows the results of a search for a Mobile Network resource.":::

+1. In the resource menu, select **SIMs**.

+1. You'll see a list of provisioned SIMs in the private mobile network. Select each SIM to which you want to assign a static IP address, and then select **Assign Static IPs**.

+ :::image type="content" source="media/provision-sims-azure-portal/assign-static-ips.png" alt-text="Screenshot of the Azure portal showing a list of provisioned SIMs. Selected SIMs and the Assign Static I Ps button are highlighted.":::

+1. In **Assign static IP configurations** on the right, run the following steps for each SIM in turn. If your private mobile network has multiple sites and you want to assign a different static IP address for each site to the same SIM, you'll need to repeat these steps on the same SIM for each IP address.

+ 1. Set **SIM name** your chosen SIM.

+ 1. Set **SIM policy** to the SIM policy you want to assign to this SIM.

+ 1. Set **Slice** to **slice-1**.

+ 1. Set **Data network name** to the name of the data network this SIM will use.

+ 1. Set **Site** to the site at which the SIM will use this static IP address.

+ 1. Set **Static IP** to your chosen IP address.

+ 1. Select **Save static IP configuration**. The SIM will then appear in the list under **Number of pending changes**.

+ :::image type="content" source="media/provision-sims-azure-portal/assign-static-ip-configurations.png" alt-text="Screenshot of the Azure portal showing the Assign static I P configurations screen.":::

+1. Once you have assigned static IP addresses to all of your chosen SIMs, select **Assign static IP configurations**.

+1. The Azure portal will now begin deploying the configuration change. When the deployment is complete, select **Go to resource** (if you have assigned a static IP address to a single SIM) or **Go to resource group** (if you have assigned static IP addresses to multiple SIMs).

+ - If you assigned a static IP address to a single SIM, you'll be taken to that SIM resource. Check the **SIM policy** field in the **Management** section and the list under the **Static IP Configuration** section to confirm that the correct SIM policy and static IP address have been assigned successfully.

+ - If you assigned a SIM policy to multiple SIMs, you'll be taken to the resource group containing your private mobile network. Select the **Mobile Network** resource, and then select **SIMs** in the resource menu. Check the **SIM policy** column in the SIMs list to confirm the correct SIM policy has been assigned to your chosen SIMs. You can then select an individual SIM and check the **Static IP Configuration** section to confirm that the correct static IP address has been assigned to that SIM.

+## Assign SIM policies

+In this step, you'll assign SIM policies to your SIMs. SIMs need an assigned SIM policy before they can use your private mobile network. You can skip this step and come back to it later if you don't want the SIMs to be able to access the private mobile network straight away. You can also skip this step for any SIMs to which you've assigned a static IP address, as these SIMs will already have an assigned SIM policy.

+1. Search for and select the **Mobile Network** resource representing the private mobile network containing your SIMs.

+ 1. Tick the checkbox next to the name of each SIM to which you want to assign the SIM policy.

+- [Learn more about policy control](policy-control.md)

+## Collection

+An organization-defined grouping of assets, terms, annotations, and sources. Collections allow for easier fine-grained access control and discoverability of assets within a data catalog.

+## Root collection

+A system-generated collection that has the same friendly name as the Azure Purview account. All assets belong to the root collection by default.

+To get started with Azure Purview, see [Quickstart: Create an Azure Purview account](create-catalog-portal.md).

+When scanning Azure SQL Database, Azure Purview supports:

+- Extracting technical metadata including:

+ - Server

+ - Database

+ - Schemas

+ - Tables including the columns

+ - Views including the columns

+ - Store procedures (with lineage extraction enabled)

+ - Store procedure runs (with lineage extraction enabled)

+When setting up scan, you can further scope the scan after providing the database name by selecting tables and views as needed.

+8. From Azure Active Directory dashboard, select newly created application and then select **App permissions**. Assign the application the following delegated permissions and grant admin consent for the tenant:

+[Azure role-based access control (Azure RBAC)](overview.md) is an authorization system that helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to. In most cases, Azure RBAC will provide the access management you need by using role definitions and role assignments. However, in some cases you might want to provide more fined-grained access management or simplify the management of hundreds of role assignments.

+This article describes how to set up an Azure Cognitive Search indexer connection to an Azure Cosmos DB database using a managed identity instead of providing credentials in the connection string.

+You can use a system-assigned managed identity or a user-assigned managed identity (preview). Managed identities are Azure AD logins and require Azure role assignments to access data in Cosmos DB.

+This article describes how to set up an Azure Cognitive Search indexer connection to Azure SQL Database using a managed identity instead of providing credentials in the connection string.

+You can use a system-assigned managed identity or a user-assigned managed identity (preview). Managed identities are Azure AD logins and require Azure role assignments to access data in Azure SQL.

+This article describes how to set up an Azure Cognitive Search indexer connection to an Azure Storage account using a managed identity instead of providing credentials in the connection string.

+You can use a system-assigned managed identity or a user-assigned managed identity (preview). Managed identities are Azure AD logins and require Azure role assignments to access data in Azure Storage.

+## Prerequisites

+The storage account and the search service must be in different regions. If your setup doesn't permit this, try the [trusted service exception](search-indexer-howto-access-trusted-service-exception.md) or [resource instance rule](../storage/common/storage-network-security.md#grant-access-from-azure-resource-instances-preview).

+| Maximum simple fields per index&nbsp;² |1000 |100 |3000 |3000 |3000 |1000 |1000 |1000 |

+¹ Basic services created before December 2017 have lower limits (5 instead of 15) on indexes. Basic tier is the only SKU with a lower limit of 100 fields per index. You might find some variation in maximum limits for Basic if your service is provisioned on a more powerful cluster. The limits here represent the common denominator. Indexes built to the above specifications will be portable across service tiers in any region.

+Outbound requests from a search service to other applications are typically made by indexers for text-based indexing and some aspects of AI enrichment. Outbound requests include both read and write operations.

+Outbound requests are made by the search service on its own behalf, and on the behalf of an indexer or skillset:

+Internal requests are secured and managed by Microsoft. Internal traffic consists of:

+1. Make sure that you've considered your environmental requirements and understand the gaps between the different agents. For more information, see [When should I migrate](../azure-monitor/agents/azure-monitor-agent-migration.md#when-should-i-migrate-to-the-azure-monitor-agent) in the Azure Monitor documentation.

+- An **Owner** role in the resource group that contains your Microsoft Sentinel workspace. This role is required to create the connection between Microsoft Sentinel and your source control repository. If you are unable to use the Owner role in your environment, you can instead use the combination of **User Access Administrator** and **Sentinel Contributor** roles to create the connection.

+The related training videos mentioned below detail the application, packaging, deployment, abstractions, and terminology used by Service Fabric:

+* [<b>Service Fabric concepts:</b>](/shows/building-microservices-applications-on-azure-service-fabric/what-is-a-service-fabric-cluster)

+* [<b>Design time concepts:</b>](/shows/building-microservices-applications-on-azure-service-fabric/design-time-concepts)

+* [<b>Runtime concepts</b>](/shows/building-microservices-applications-on-azure-service-fabric/run-time-concepts)

+## Upload a new blob with index tags

+This task can be performed by a [Storage Blob Data Owner](../../role-based-access-control/built-in-roles.md#storage-blob-data-owner) or a security principal that has been given permission to the `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write` [Azure resource provider operation](../../role-based-access-control/resource-provider-operations.md#microsoftstorage) via a custom Azure role.

+### [Portal](#tab/azure-portal)

+1. In the [Azure portal](https://portal.azure.com/), select your storage account.

+2. Navigate to the **Containers** option under **Data storage**, and select your container.

+3. Select the **Upload** button and browse your local file system to find a file to upload as a block blob.

+4. Expand the **Advanced** dropdown and go to the **Blob Index Tags** section.

+5. Input the key/value blob index tags that you want applied to your data.

+6. Select the **Upload** button to upload the blob.

+ :::image type="content" source="media/storage-blob-index-concepts/blob-index-upload-data-with-tags.png" alt-text="Screenshot of the Azure portal showing how to upload a blob with index tags.":::

+### [PowerShell](#tab/azure-powershell)

+1. Sign in to your Azure subscription with the `Connect-AzAccount` command and follow the on-screen directions.

+ ```powershell

+ Connect-AzAccount

+ ```

+2. If your identity is associated with more than one subscription, then set your active subscription. Then, get the storage account context.

+ ```powershell

+ $context = Get-AzSubscription -SubscriptionId <subscription-id>

+ Set-AzContext $context

+ $storageAccount = Get-AzStorageAccount -ResourceGroupName "<resource-group-name>" -AccountName "<storage-account-name>"

+ $ctx = $storageAccount.Context

+ ```

+3. Upload a blob by using the `Set-AzStorageBlobContent` command. Set tags by using the `-Tag` parameter.

+ ```powershell

+ $containerName = "myContainer"

+ $file = "C:\demo-file.txt"

+ Set-AzStorageBlobContent -File $file -Container $containerName -Context $ctx -Tag @{"tag1" = "value1"; "tag2" = "value2" }

+ ```

+### [Azure CLI](#tab/azure-cli)

+1. Open the [Azure Cloud Shell](../../cloud-shell/overview.md), or if you've [installed](/cli/azure/install-azure-cli) the Azure CLI locally, open a command console application such as Windows PowerShell.

+2. Install the `storage-preview` extension.

+ ```azurecli

+ az extension add -n storage-preview

+ ```

+2. If you're using Azure CLI locally, run the login command.

+ ```azurecli

+ az login

+ ```

+3. If your identity is associated with more than one subscription, then set your active subscription to subscription of the storage account.

+ ```azurecli

+ az account set --subscription <subscription-id>

+ ```

+ Replace the `<subscription-id>` placeholder value with the ID of your subscription.

+3. Upload a blob by using the `az storage blob upload` command. Set tags by using the `--tags` parameter.

+ ```azurecli

+ az storage blob upload --account-name mystorageaccount --container-name myContainer --name demo-file.txt --file C:\demo-file.txt --tags tag1=value1 tag2=value2 --auth-mode login

+ ```

+### [Portal](#tab/azure-portal)

+ :::image type="content" source="media/storage-blob-index-concepts/blob-index-get-set-tags.png" alt-text="Screenshot of the Azure portal showing how to get, set, update, and delete index tags on blobs.":::

+### [PowerShell](#tab/azure-powershell)

+1. Sign in to your Azure subscription with the `Connect-AzAccount` command and follow the on-screen directions.

+ ```powershell

+ Connect-AzAccount

+ ```

+2. If your identity is associated with more than one subscription, then set your active subscription. Then, get the storage account context.

+ ```powershell

+ $context = Get-AzSubscription -SubscriptionId <subscription-id>

+ Set-AzContext $context

+ $storageAccount = Get-AzStorageAccount -ResourceGroupName "<resource-group-name>" -AccountName "<storage-account-name>"

+ $ctx = $storageAccount.Context

+ ```

+3. To get the tags of a blob, use the `Get-AzStorageBlobTag` command and set the `-Blob` parameter to the name of the blob.

+ ```powershell

+ $containerName = "myContainer"

+ $blobName = "myBlob"

+ Get-AzStorageBlobTag -Context $ctx -Container $containerName -Blob $blobName

+ ```

+4. To set the tags of a blob, use the `Set-AzStorageBlobTag` command. Set the `-Blob` parameter to the name of the blob, and set the `-Tag` parameter to a collection of name and value pairs.

+ ```powershell

+ $containerName = "myContainer"

+ $blobName = "myBlob"

+ $tags = @{"tag1" = "value1"; "tag2" = "value2" }

+ Set-AzStorageBlobTag -Context $ctx -Container $containerName -Blob $blobName -Tag $tags

+ ```

+### [Azure CLI](#tab/azure-cli)

+1. Open the [Azure Cloud Shell](../../cloud-shell/overview.md), or if you've [installed](/cli/azure/install-azure-cli) the Azure CLI locally, open a command console application such as Windows PowerShell.

+2. Install the `storage-preview` extension.

+ ```azurecli

+ az extension add -n storage-preview

+ ```

+2. If you're using Azure CLI locally, run the login command.

+ ```azurecli

+ az login

+ ```

+3. If your identity is associated with more than one subscription, then set your active subscription to subscription of the storage account.

+ ```azurecli

+ az account set --subscription <subscription-id>

+ ```

+ Replace the `<subscription-id>` placeholder value with the ID of your subscription.

+3. To get the tags of a blob, use the `az storage blob tag list` command and set the `--name` parameter to the name of the blob.

+ ```azurecli

+ az storage blob tag list --account-name mystorageaccount --container-name myContainer --name demo-file.txt --auth-mode login

+ ```

+4. To set the tags of a blob, use the `az storage blob tag set` command. Set the `--name` parameter to the name of the blob, and set the `--tags` parameter to a collection of name and value pairs.

+ ```azurecli

+ az storage blob tag set --account-name mystorageaccount --container-name myContainer --name demo-file.txt --tags tag1=value1 tag2=value2 --auth-mode login

+ ```

+### [Portal](#tab/azure-portal)

+ :::image type="content" source="media/storage-blob-index-concepts/blob-index-tag-filter-within-container.png" alt-text="Screenshot of the Azure portal showing how to Filter and find tagged blobs using index tags":::

+### [PowerShell](#tab/azure-powershell)

+1. Sign in to your Azure subscription with the `Connect-AzAccount` command and follow the on-screen directions.

+ ```powershell

+ Connect-AzAccount

+ ```

+2. If your identity is associated with more than one subscription, then set your active subscription. Then, get the storage account context.

+ ```powershell

+ $context = Get-AzSubscription -SubscriptionId <subscription-id>

+ Set-AzContext $context

+ $storageAccount = Get-AzStorageAccount -ResourceGroupName "<resource-group-name>" -AccountName "<storage-account-name>"

+ $ctx = $storageAccount.Context

+ ```

+3. To find all blobs that match a specific blob tag, use the `Get-AzStorageBlobByTag` command.

+ ```powershell

+ $filterExpression = """tag1""='value1'"

+ Get-AzStorageBlobByTag -TagFilterSqlExpression $filterExpression -Context $ctx

+ ```

+4. To find blobs only in a specific container, include the container name in the `-TagFilterSqlExpression`.

+ ```powershell

+ $filterExpression = "@container='myContainer' AND ""tag1""='value1'"

+ Get-AzStorageBlobByTag -TagFilterSqlExpression $filterExpression -Context $ctx

+ ```

+### [Azure CLI](#tab/azure-cli)

+1. Open the [Azure Cloud Shell](../../cloud-shell/overview.md), or if you've [installed](/cli/azure/install-azure-cli) the Azure CLI locally, open a command console application such as Windows PowerShell.

+2. Install the `storage-preview` extension.

+ ```azurecli

+ az extension add -n storage-preview

+ ```

+2. If you're using Azure CLI locally, run the login command.

+ ```azurecli

+ az login

+ ```

+3. If your identity is associated with more than one subscription, then set your active subscription to subscription of the storage account.

+ ```azurecli

+ az account set --subscription <subscription-id>

+ ```

+ Replace the `<subscription-id>` placeholder value with the ID of your subscription.

+3. To find all blobs that match a specific blob tag, use the `az storage blob filter` command.

+ ```azurecli

+ az storage blob filter --account-name mystorageaccount --tag-filter ""tag1"='value1' and "tag2"='value2'" --auth-mode login

+ ```

+4. To find blobs only in a specific container, include the container name in the `--tag-filter` parameter.

+ ```azurecli

+ az storage blob filter --account-name mystorageaccount --tag-filter ""@container"='myContainer' and "tag1"='value1' and "tag2"='value2'" --auth-mode login

+ ```

+ > [!NOTE]

+ > We strongly recommend using [**Stream Analytics tools for Visual Studio Code**](./quick-create-visual-studio-code.md) for best local development experience. There are known feature gaps in Stream Analytics tools for Visual Studio 2019 (version 2.6.3000.0) and it won't be improved going forward.

+ Title: Custom .NET deserializers for Azure Stream Analytics cloud jobs

+description: This doc demonstrates how to create a custom .NET deserializer for an Azure Stream Analytics cloud job using Visual Studio.

+# Custom .NET deserializers for Azure Stream Analytics in Visual Studio

+> [!NOTE]

+> We strongly recommend using [**Stream Analytics tools for Visual Studio Code**](./quick-create-visual-studio-code.md) for best local development experience. There are known feature gaps in Stream Analytics tools for Visual Studio 2019 (version 2.6.3000.0) and it won't be improved going forward.

+You can use the [Azure portal](stream-analytics-quick-create-portal.md#configure-job-input), [Azure PowerShell](/powershell/module/az.streamanalytics/New-azStreamAnalyticsInput), [.NET API](/dotnet/api/microsoft.azure.management.streamanalytics.inputsoperationsextensions), [REST API](/rest/api/streamanalytics/2020-03-01/inputs), [Visual Studio](stream-analytics-tools-for-visual-studio-install.md), and [Visual Studio Code](./quick-create-visual-studio-code.md) to create, edit, and test Stream Analytics job inputs.

+> [!NOTE]

+> We strongly recommend using [**Stream Analytics tools for Visual Studio Code**](./quick-create-visual-studio-code.md) for best local development experience. There are known feature gaps in Stream Analytics tools for Visual Studio 2019 (version 2.6.3000.0) and it won't be improved going forward.

+> [!NOTE]

+> We strongly recommend using [**Stream Analytics tools for Visual Studio Code**](./quick-create-visual-studio-code.md) for best local development experience. There are known feature gaps in Stream Analytics tools for Visual Studio 2019 (version 2.6.3000.0) and it won't be improved going forward.

+To create, edit, and test Stream Analytics job outputs, you can use the [Azure portal](stream-analytics-quick-create-portal.md#configure-job-output), [Azure PowerShell](stream-analytics-quick-create-powershell.md#configure-output-to-the-job), [.NET API](/dotnet/api/microsoft.azure.management.streamanalytics.ioutputsoperations), [REST API](/rest/api/streamanalytics/), [Visual Studio](stream-analytics-quick-create-vs.md), and [Visual Studio Code](./quick-create-visual-studio-code.md).

+> [!NOTE]

+> We strongly recommend using [**Stream Analytics tools for Visual Studio Code**](./quick-create-visual-studio-code.md) for best local development experience. There are known feature gaps in Stream Analytics tools for Visual Studio 2019 (version 2.6.3000.0) and it won't be improved going forward.

+> [!NOTE]

+> We strongly recommend using [**Stream Analytics tools for Visual Studio Code**](./quick-create-visual-studio-code.md) for best local development experience. There are known feature gaps in Stream Analytics tools for Visual Studio 2019 (version 2.6.3000.0) and it won't be improved going forward.

+ Title: Tutorial - Create custom .NET deserializers for Azure Stream Analytics cloud jobs using Visual Studio Code

+# Tutorial: Custom .NET deserializers for Azure Stream Analytics in Visual Studio Code

+This tutorial demonstrates how to create, test, and debug a custom .NET deserializer for an Azure Stream Analytics cloud job using Visual Studio Code. To learn how to create .NET deserializers in Visual Studio, see [Create .NET deserializers for Azure Stream Analytics jobs in Visual Studio](custom-deserializer.md).

+In this tutorial, you learn how to:

+> [!div class="checklist"]

+> * Create a custom deserializer for protocol buffer.

+> * Create an Azure Stream Analytics job in Visual Studio.

+> * Configure your Stream Analytics job to use the custom deserializer.

+> * Run your Stream Analytics job locally to test and debug the custom deserializer.

+## Prerequisites

+## Create a custom deserializer

+## Add an Azure Stream Analytics project

+Open Visual Studio Code and select **Ctrl+Shift+P** to open the command palette. Then enter ASA and select **ASA: Create New Project**. Name it **ProtobufCloudDeserializer**.

+## Configure a Stream Analytics job

+## Execute the Stream Analytics job

+## Debug your deserializer

+workspaces/read|Synapse Administrator</br>Synapse Apache Spark Administrator</br>Synapse SQL Administrator</br>Synapse Contributor</br>Synapse Artifact Publisher</br>Synapse Artifact User</br>Synapse Compute Operator </br>Synapse Credential User</br>Synapse Linked Data Manager</br>Synapse User

+workspaces/bigDataPools/viewLogs/action|Synapse Administrator</br>Synapse Apache Spark Administrator</br>Synapse Contributor</br>Synapse Compute Operator

+workspaces/integrationRuntimes/viewLogs/action|Synapse Administrator</br>Synapse Contributor</br>Synapse Compute Operator

+workspaces/artifacts/read|Synapse Administrator</br>Synapse Apache Spark Administrator</br>Synapse SQL Administrator</br>Synapse Contributor</br>Synapse Artifact Publisher</br>Synapse Artifact User

+workspaces/notebooks/viewOutputs/action|Synapse Administrator</br>Synapse Apache Spark Administrator</br>Synapse Contributor</br>Synapse Artifact Publisher</br>Synapse Artifact User

+workspaces/pipelines/viewOutputs/action|Synapse Administrator</br>Synapse Contributor</br>Synapse Artifact Publisher</br>Synapse Artifact User

+Workspace |Synapse Administrator</br>Synapse Apache Spark Administrator</br>Synapse SQL Administrator</br>Synapse Contributor</br>Synapse Artifact Publisher</br>Synapse Artifact User</br>Synapse Compute Operator </br>Synapse Credential User</br>Synapse Linked Data Manager</br>Synapse User

+View the logs for notebook and job execution |Synapse Compute Operator|

+List and open a published notebook or job definition, including reviewing saved outputs|Synapse Artifact User, Synapse Artifact Publisher, Synapse Contributor on the workspace|artifacts/read

+Monitor Integration runtime status|Synapse Compute Operator|read, integrationRuntimes/viewLogs

+Review pipeline runs|Synapse Artifact Publisher/Synapse Contributor|read, pipelines/viewOutputs

+List and open a published pipeline |Synapse Artifact User | artifacts/read

+Once the login exists, you can create users in the individual databases within the serverless SQL pool endpoint and grant required permissions to these users. To create a user, you can use the following syntax:

+This content applies to the flexible orchestration mode. For uniform orchestration mode, go to [Associate a virtual machine scale set with uniform orchestration to a Capacity Reservation group](capacity-reservation-associate-virtual-machine-scale-set.md)

+|[Dv3-series](dv3-dsv3-series.md) | :heavy_check_mark: | :x: |

+|[Dv4-series](dv4-dsv4-series.md) | :heavy_check_mark: | :heavy_check_mark: |

+|[Dav4-series](dav4-dasv4-series.md) | :heavy_check_mark: | :x: |

+|[Ddv4-series](ddv4-ddsv4-series.md) | :heavy_check_mark: | :heavy_check_mark: |

+|[Ddsv4-series](ddv4-ddsv4-series.md) | :heavy_check_mark: | :heavy_check_mark: |

+|[Ev3-series](ev3-esv3-series.md) | :heavy_check_mark: | :x: |

+|[Ev4-series](ev4-esv4-series.md) | :heavy_check_mark:| :x: |

+> [!IMPORTANT]

+> NV and NV_Promo series Azure virtual machines (VMs) will be retired on August 31st, 2023. For more information, see the [NV and NV_Promo retirement information](nv-series-retirement.md). For how to migrate your workloads to other VM sizes, see the [NV and NV_Promo series migration guide](nv-series-migration-guide.md).

+>

+> This retirement announcement doesn't apply to NVv3 and NVv4 series VMs.

+**Applies to:** :heavy_check_mark: Windows VMs :heavy_check_mark: Flexible scale sets :heavy_check_mark: Uniform scale sets

+Learn more about how [Azure compute units (ACU)](acu.md) can help you compare compute performance across Azure SKUs.

+$imageResourceGroup='myWinImgBuilderRG'

+$location='WestUS2'

+$runOutputName='aibWindows'

+$imageName='aibWinImage'

+- March 30, 2022: Adding information that Red Hat Gluster Storage is being phased out [GlusterFS on Azure VMs on RHEL](./high-availability-guide-rhel-glusterfs.md)

+ * [Red Hat Gluster Storage Life Cycle](https://access.redhat.com/support/policy/updates/rhs)

+To achieve high availability, SAP NetWeaver requires shared storage. GlusterFS is configured in a separate cluster and can be used by multiple SAP systems. Be aware that Red Hat is phasing out Red Hat Gluster Storage. The configuration will be supported for SAP on Azure until it reaches end of life stage as defined in [Red Hat Gluster Storage Life Cycle](https://access.redhat.com/support/policy/updates/rhs).

+You first need to create the virtual machines for this cluster.

+ Title: Create a custom IP address prefix - Azure CLI

+description: Learn about how to create a custom IP address prefix using the Azure CLI

+# Create a custom IP address prefix using the Azure CLI

+A custom IP address prefix enables you to bring your own IP ranges to Microsoft and associate it to your Azure subscription. The range would continue to be owned by you, though Microsoft would be permitted to advertise it to the Internet. A custom IP address prefix functions as a regional resource that represents a contiguous block of customer owned IP addresses.

+The steps in this article detail the process to:

+* Prepare a range to provision

+* Provision the range for IP allocation

+* Enable the range to be advertised by Microsoft

+- This tutorial requires version 2.28 or later of the Azure CLI (you can run az version to determine which you have). If using Azure Cloud Shell, the latest version is already installed.

+- Sign in to Azure CLI and ensure you've selected the subscription with which you want to use this feature using `az account`.

+- A customer owned IP range to provision in Azure

+ - A sample customer range (1.2.3.0/24) is used for this example. This range won't be validated by Azure. Replace the example range with yours

+> [!NOTE]

+> For problems encountered during the provisioning process, please see [Troubleshooting for custom IP prefix](manage-custom-ip-address-prefix.md#troubleshooting-and-faqs).

+## Pre-provisioning steps

+To utilize the Azure BYOIP feature, you must perform the following steps prior to the provisioning of your IP address range.

+### Requirements and prefix readiness

+* The address range must be owned by you and registered under your name with the [American Registry for Internet Numbers (ARIN)](https://www.arin.net/), the [Réseaux IP Européens Network Coordination Centre (RIPE NCC)](https://www.ripe.net/), or the [Asia Pacific Network Information Centre Regional Internet Registries (APNIC)](https://www.apnic.net/). If the range is registered under the Latin America and Caribbean Network Information Centre (LACNIC) or the African Network Information Centre (AFRINIC), contact the [Microsoft Azure BYOIP team](mailto:byoipazure@microsoft.com).

+* The address range must be no smaller than a /24 so it will be accepted by Internet Service Providers.

+* A Route Origin Authorization (ROA) document that authorizes Microsoft to advertise the address range must be filled out by the customer on the appropriate Routing Internet Registry website. ARIN, RIPE, and APNIC.

+

+ For this ROA:

+

+ * The Origin AS must be listed as 8075

+

+ * The validity end date (expiration date) needs to account for the time you intend to have the prefix advertised by Microsoft. Some RIRs don't present validity end date as an option and or choose the date for you.

+

+ * The prefix length should exactly match the prefixes that can be advertised by Microsoft. For example, if you plan to bring 1.2.3.0/24 and 2.3.4.0/23 to Microsoft, they should both be named.

+

+ * After the ROA is complete and submitted, allow at least 24 hours for it to become available to Microsoft.

+### Certificate readiness

+To authorize Microsoft to associate a prefix with a customer subscription, a public certificate must be compared against a signed message.

+The following steps show the steps required to prepare sample customer range (1.2.3.0/24) for provisioning.

+> [!NOTE]

+> Execute the following commands in PowerShell with OpenSSL installed.

+

+1. A [self-signed X509 certificate](https://en.wikipedia.org/wiki/Self-signed_certificate) must be created to add to the Whois/RDAP record for the prefix. For information about RDAP, see the [ARIN](https://www.arin.net/resources/registry/whois/rdap/), [RIPE](https://www.ripe.net/manage-ips-and-asns/db/registration-data-access-protocol-rdap), and [APNIC](https://www.apnic.net/about-apnic/whois_search/about/rdap/) sites.

+ An example utilizing the OpenSSL toolkit is shown below. The following commands generate an RSA key pair and create an X509 certificate using the key pair that expires in six months:

+

+ ```powershell

+ ./openssl genrsa -out byoipprivate.key 2048

+ Set-Content -Path byoippublickey.cer (./openssl req -new -x509 -key byoipprivate.key -days 180) -NoNewline

+ ```

+

+2. After the certificate is created, update the public comments section of the Whois/RDAP record for the prefix. To display for copying, including the BEGIN/END header/footer with dashes, use the command `cat byoippublickey.cer` You should be able to perform this procedure via your Routing Internet Registry.

+ Instructions for each registry are below:

+

+ * [ARIN](https://www.arin.net/resources/registry/manage/netmod/) - edit the "Comments" of the prefix record

+

+ * [RIPE](https://www.ripe.net/manage-ips-and-asns/db/support/updating-the-ripe-database) - edit the "Remarks" of the inetnum record

+

+ * [APNIC](https://www.apnic.net/manage-ip/using-whois/updating-whois/) - in order to edit the prefix record, contact helpdesk@apnic.net

+

+ * For ranges from either LACNIC or AFRINIC registries, create a support ticket with Microsoft.

+

+ After the public comments are filled out, the Whois/RDAP record should look like the example below. Ensure there aren't spaces or carriage returns. Include all dashes:

+ :::image type="content" source="./media/create-custom-ip-address-prefix-portal/certificate-example.png" alt-text="Screenshot of example certificate comment":::

+

+3. To create the message that will be passed to Microsoft, create a string that contains relevant information about your prefix and subscription. Sign this message with the key pair generated in the steps above. Use the format shown below, substituting your subscription ID, prefix to be provisioned, and expiration date matching the Validity Date on the ROA. Ensure the format is in that order.

+ Use the following command to create a signed message that will be passed to Microsoft for verification.

+

+ > [!NOTE]

+ > If the Validity End date was not included in the original ROA, pick a date that corresponds to the time you intend to have the prefix advertised by Azure.

+

+ ```powershell

+ $byoipauth="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx|1.2.3.0/24|yyyymmdd"

+ Set-Content -Path byoipauth.txt -Value $byoipauth -NoNewline

+ ./openssl dgst -sha256 -sign byoipprivate.key -keyform PEM -out byoipauthsigned.txt byoipauth.txt

+ $byoipauthsigned=(./openssl enc -base64 -in byoipauthsigned.txt) -join ''

+ ```

+4. To view the contents of the signed message, enter the variable created from the signed message created previously and select **Enter** at the PowerShell prompt:

+ ```powershell

+ $byoipauthsigned

+ dIlwFQmbo9ar2GaiWRlSEtDSZoH00I9BAPb2ZzdAV2A/XwzrUdz/85rNkXybXw457//gHNNB977CQvqtFxqqtDaiZd9bngZKYfjd203pLYRZ4GFJnQFsMPFSeePa8jIFwGJk6JV4reFqq0bglJ3955dVz0v09aDVqjj5UJx2l3gmyJEeU7PXv4wF2Fnk64T13NESMeQk0V+IaEOt1zXgA+0dTdTLr+ab56pR0RZIvDD+UKJ7rVE7nMlergLQdpCx1FoCTm/quY3aiSxndEw7aQDW15+rSpy+yxV1iCFIrUa/4WHQqP4LtNs3FATvLKbT4dBcBLpDhiMR+j9MgiJymA==

+ ```

+## Provisioning steps

+The following steps display the procedure for provisioning a sample customer range (1.2.3.0/24) to the US West 2 region.

+> [!NOTE]

+> Clean up or delete steps aren't shown on this page given the nature of the resource. For information on removing a provisioned custom IP prefix, see [Manage custom IP prefix](manage-custom-ip-address-prefix.md).

+### Create a resource group and specify the prefix and authorization messages

+Create a resource group in the desired location for provisioning the BYOIP range.

+```azurecli-interactive

+ az group create \

+ --name myResourceGroup \

+ --location westus2

+```

+### Provision a custom IP address prefix

+The following command creates a custom IP prefix in the specified region and resource group. Specify the exact prefix in CIDR notation as a string to ensure there's no syntax error. For the `--authorization-message` parameter, use the variable **$byoipauth** that contains your subscription ID, prefix to be provisioned, and expiration date matching the Validity Date on the ROA. Ensure the format is in that order. Use the variable **$byoipauthsigned** for the `--signed-message` parameter created in the certificate readiness section.

+```azurecli-interactive

+ byoipauth="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx|1.2.3.0/24|yyyymmdd"

+

+ az network public-ip prefix create \

+ --name myCustomIpPrefix \

+ --resource-group myResourceGroup \

+ --location westus2 \

+ --cidr ΓÇÿ1.2.3.0/24ΓÇÖ \

+ --authorization-message $byoipauth \

+ --signed-message $byoipauthsigned

+```

+The range will be pushed to the Azure IP Deployment Pipeline. The deployment process is asynchronous. To determine the status, execute the following command:

+ ```azurecli-interactive

+ az network custom-ip prefix show \

+ --name myCustomIpPrefix \

+ --resource-group myResourceGroup

+```

+Sample output is shown below, with some fields removed for clarity:

+```

+{

+ "cidr": "1.2.3.0/24",

+ "commissionedState": "Provisioning",

+ "id": "/subscriptions/xxxx/resourceGroups/myResourceGroup/providers/Microsoft.Network/customIPPrefixes/myCustomIpPrefix",

+ "location": "westus2",

+ "name": myCustomIpPrefix,

+ "resourceGroup": "myResourceGroup",

+}

+```

+The **CommissionedState** field should show the range as **Provisioning** initially, followed in the future by **Provisioned**.

+> [!NOTE]

+> The estimated time to complete the provisioning process is 30 minutes.

+> [!IMPORTANT]

+> After the custom IP prefix is in a **Provisioned** state, a child public IP prefix can be created. These public IP prefixes and any public IP addresses can be attached to networking resources. For example, virtual machine network interfaces or load balancer front ends. The IPs won't be advertised and therefore won't be reachable. For more information on a migration of an active prefix, see [Manage a custom IP prefix](manage-custom-ip-address-prefix.md).

+### Commission the custom IP address prefix

+When the custom IP prefix is in **Provisioned** state, the following command updates the prefix to begin the process of advertising the range from Azure.

+```azurecli-interactive

+az network custom-ip prefix update \

+ --name myCustomIpPrefix \

+ --resource-group myResourceGroup \

+ --state commission

+```

+As before, the operation is asynchronous. Use [az network custom-ip prefix show](/cli/azure/network/custom-ip/prefix#az_network_custom_ip_prefix_show) to retrieve the status. The **CommissionedState** field will initially show the prefix as **Commissioning**, followed in the future by **Commissioned**. The advertisement rollout isn't binary and the range will be partially advertised while still in **Commissioning**.

+> [!NOTE]

+> The estimated time to fully complete the commissioning process is 3-4 hours.

+> [!IMPORTANT]

+> As the custom IP prefix transitions to a **Commissioned** state, the range is being advertised with Microsoft from the local Azure region and globally to the Internet by Microsoft's wide area network under Autonomous System Number (ASN) 8075. Advertising this same range to the Internet from a location other than Microsoft at the same time could potentially create BGP routing instability or traffic loss. For example, a customer on-premises building. Plan any migration of an active range during a maintenance period to avoid impact.

+## Next steps

+- To learn about scenarios and benefits of using a custom IP prefix, see [Custom IP address prefix (BYOIP)](custom-ip-address-prefix.md)

+- For more information on managing a custom IP prefix, see [Manage a custom IP address prefix (BYOIP)](manage-custom-ip-address-prefix.md)

+- To create a custom IP address prefix using the Azure CLI, see [Create custom IP address prefix using the Azure CLI](create-custom-ip-address-prefix-cli.md)

+- To create a custom IP address prefix using the Azure portal, see [Create a custom IP address prefix using the Azure portal](create-custom-ip-address-prefix-portal.md)

+ Title: Create a custom IP address prefix - Azure portal

+description: Learn about how to onboard a custom IP address prefix using the Azure portal

+# Create a custom IP address prefix using the Azure portal

+A custom IP address prefix enables you to bring your own IP ranges to Microsoft and associate it to your Azure subscription. The range would continue to be owned by you, though Microsoft would be permitted to advertise it to the Internet. A custom IP address prefix functions as a regional resource that represents a contiguous block of customer owned IP addresses.

+The steps in this article detail the process to:

+* Prepare a range to provision

+* Provision the range for IP allocation

+* Enable the range to be advertised by Microsoft

+## Prerequisites

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F)

+- A customer owned IP range to provision in Azure

+ - A sample customer range (1.2.3.0/24) is used for this example. This range won't be validated by Azure. Replace the example range with yours

+> [!NOTE]

+> For problems encountered during the provisioning process, please see [Troubleshooting for custom IP prefix](manage-custom-ip-address-prefix.md#troubleshooting-and-faqs).

+## Pre-provisioning steps

+To utilize the Azure BYOIP feature, you must perform the following steps prior to the provisioning of your IP address range.

+### Requirements and prefix readiness

+* The address range must be owned by you and registered under your name with the [American Registry for Internet Numbers (ARIN)](https://www.arin.net/), the [Réseaux IP Européens Network Coordination Centre (RIPE NCC)](https://www.ripe.net/), or the [Asia Pacific Network Information Centre Regional Internet Registries (APNIC)](https://www.apnic.net/). If the range is registered under the Latin America and Caribbean Network Information Centre (LACNIC) or the African Network Information Centre (AFRINIC), contact the [Microsoft Azure BYOIP team](mailto:byoipazure@microsoft.com).

+* The address range must be no smaller than a /24 so it will be accepted by Internet Service Providers.

+* A Route Origin Authorization (ROA) document that authorizes Microsoft to advertise the address range must be filled out by the customer on the appropriate Routing Internet Registry website. ARIN, RIPE, and APNIC.

+

+ For this ROA:

+

+ * The Origin AS must be listed as 8075

+

+ * The validity end date (expiration date) needs to account for the time you intend to have the prefix advertised by Microsoft. Some RIRs don't present validity end date as an option and or choose the date for you.

+

+ * The prefix length should exactly match the prefixes that can be advertised by Microsoft. For example, if you plan to bring 1.2.3.0/24 and 2.3.4.0/23 to Microsoft, they should both be named.

+

+ * After the ROA is complete and submitted, allow at least 24 hours for it to become available to Microsoft.

+### Certificate readiness

+To authorize Microsoft to associate a prefix with a customer subscription, a public certificate must be compared against a signed message.

+The following steps show the steps required to prepare sample customer range (1.2.3.0/24) for provisioning.

+> [!NOTE]

+> Execute the following commands in PowerShell with OpenSSL installed.

+

+1. A [self-signed X509 certificate](https://en.wikipedia.org/wiki/Self-signed_certificate) must be created to add to the Whois/RDAP record for the prefix. For information about RDAP, see the [ARIN](https://www.arin.net/resources/registry/whois/rdap/), [RIPE](https://www.ripe.net/manage-ips-and-asns/db/registration-data-access-protocol-rdap), and [APNIC](https://www.apnic.net/about-apnic/whois_search/about/rdap/) sites.

+ An example utilizing the OpenSSL toolkit is shown below. The following commands generate an RSA key pair and create an X509 certificate using the key pair that expires in six months:

+

+ ```powershell

+ ./openssl genrsa -out byoipprivate.key 2048

+ Set-Content -Path byoippublickey.cer (./openssl req -new -x509 -key byoipprivate.key -days 180) -NoNewline

+ ```

+

+2. After the certificate is created, update the public comments section of the Whois/RDAP record for the prefix. To display for copying, including the BEGIN/END header/footer with dashes, use the command `cat byoippublickey.cer` You should be able to perform this procedure via your Routing Internet Registry.

+ Instructions for each registry are below:

+

+ * [ARIN](https://www.arin.net/resources/registry/manage/netmod/) - edit the "Comments" of the prefix record

+

+ * [RIPE](https://www.ripe.net/manage-ips-and-asns/db/support/updating-the-ripe-database) - edit the "Remarks" of the inetnum record

+

+ * [APNIC](https://www.apnic.net/manage-ip/using-whois/updating-whois/) - in order to edit the prefix record, contact helpdesk@apnic.net

+

+ * For ranges from either LACNIC or AFRINIC registries, create a support ticket with Microsoft.

+

+ After the public comments are filled out, the Whois/RDAP record should look like the example below. Ensure there aren't spaces or carriage returns. Include all dashes:

+ :::image type="content" source="./media/create-custom-ip-address-prefix-portal/certificate-example.png" alt-text="Screenshot of example certificate comment":::

+

+3. To create the message that will be passed to Microsoft, create a string that contains relevant information about your prefix and subscription. Sign this message with the key pair generated in the steps above. Use the format shown below, substituting your subscription ID, prefix to be provisioned, and expiration date matching the Validity Date on the ROA. Ensure the format is in that order.

+ Use the following command to create a signed message that will be passed to Microsoft for verification.

+

+ > [!NOTE]

+ > If the Validity End date was not included in the original ROA, pick a date that corresponds to the time you intend to have the prefix advertised by Azure.

+

+ ```powershell

+ $byoipauth="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx|1.2.3.0/24|yyyymmdd"

+ Set-Content -Path byoipauth.txt -Value $byoipauth -NoNewline

+ ./openssl dgst -sha256 -sign byoipprivate.key -keyform PEM -out byoipauthsigned.txt byoipauth.txt

+ $byoipauthsigned=(./openssl enc -base64 -in byoipauthsigned.txt) -join ''

+ ```

+4. To view the contents of the signed message, enter the variable created from the signed message created previously and select **Enter** at the PowerShell prompt:

+ ```powershell

+ $byoipauthsigned

+ dIlwFQmbo9ar2GaiWRlSEtDSZoH00I9BAPb2ZzdAV2A/XwzrUdz/85rNkXybXw457//gHNNB977CQvqtFxqqtDaiZd9bngZKYfjd203pLYRZ4GFJnQFsMPFSeePa8jIFwGJk6JV4reFqq0bglJ3955dVz0v09aDVqjj5UJx2l3gmyJEeU7PXv4wF2Fnk64T13NESMeQk0V+IaEOt1zXgA+0dTdTLr+ab56pR0RZIvDD+UKJ7rVE7nMlergLQdpCx1FoCTm/quY3aiSxndEw7aQDW15+rSpy+yxV1iCFIrUa/4WHQqP4LtNs3FATvLKbT4dBcBLpDhiMR+j9MgiJymA==

+ ```

+## Provisioning steps

+The following steps display the procedure for provisioning a sample customer range (1.2.3.0/24) to the US West 2 region.

+> [!NOTE]

+> Clean up or delete steps aren't shown on this page given the nature of the resource. For information on removing a provisioned custom IP prefix, see [Manage custom IP prefix](manage-custom-ip-address-prefix.md).

+## Sign in to Azure

+Sign in to the [Azure portal](https://portal.azure.com).

+## Create and provision a custom IP address prefix

+1. In the search box at the top of the portal, enter **Custom IP**.

+2. In the search results, select **Custom IP Prefixes**.

+3. Select **+ Create**.

+4. In **Create a custom IP prefix**, enter or select the following information in the **Basics** tab:

+ | Setting | Value |

+ | - | -- |

+ | **Project details** | |

+ | Subscription | Select your subscription |

+ | Resource group | Select **Create new**. </br> Enter **myResourceGroup**. </br> Select **OK**. |

+ | **Instance details** | |

+ | Name | Enter **myCustomIPPrefix**. |

+ | Region | Select **West US 2**. |

+ | Availability Zones | Select **Zone-redundant**. |

+ | IPv4 Prefix (CIDR) | Enter **1.2.3.0/24**. |

+ | ROA expiration date | Enter your ROA expiration date in the **yyyymmdd** format. |

+ | Signed message | Paste in the output of **$byoipauthsigned** from the earlier section. |

+ :::image type="content" source="./media/create-custom-ip-address-prefix-portal/create-custom-ip-prefix.png" alt-text="Screenshot of create custom IP prefix page in Azure portal.":::

+5. Select the **Review + create** tab or the blue **Review + create** button at the bottom of the page.

+6. Select **Create**.

+The range will be pushed to the Azure IP Deployment Pipeline. The deployment process is asynchronous. You can check the status by reviewing the **Commissioned state** field for the custom IP prefix.

+> [!NOTE]

+> The estimated time to complete the provisioning process is 30 minutes.

+> [!IMPORTANT]

+> After the custom IP prefix is in a "Provisioned" state, a child public IP prefix can be created. These public IP prefixes and any public IP addresses can be attached to networking resources. For example, virtual machine network interfaces or load balancer front ends. The IPs won't be advertised and therefore won't be reachable. For more information on a migration of an active prefix, see [Manage a custom IP prefix](manage-custom-ip-address-prefix.md).

+## Create a public IP prefix from custom IP prefix

+When you create a prefix, you must create static IP addresses from the prefix. In this section, you'll create a static IP address from the prefix you created earlier.

+1. In the search box at the top of the portal, enter **Custom IP**.

+2. In the search results, select **Custom IP Prefixes**.

+3. In **Custom IP Prefixes**, select **myCustomIPPrefix**.

+4. In **Overview** of **myCustomIPPrefix**, select **+ Add a public IP prefix**.

+5. Enter or select the following information in the **Basics** tab of **Create a public IP prefix**.

+ | Setting | Value |

+ | - | -- |

+ | **Project details** | |

+ | Subscription | Select your subscription. |

+ | Resource group | Select **myResourceGroup**. |

+ | **Instance details** | |

+ | Name | Enter **myPublicIPPrefix**. |

+ | Region | Select **West US 2**. The region of the public IP prefix must match the region of the custom IP prefix. |

+ | IP version | Select **IPv4**. |

+ | Prefix ownership | Select **Custom prefix**. |

+ | Custom IP prefix | Select **myCustomIPPrefix**. |

+ | Prefix size | Select a prefix size. The size can be as large as the custom IP prefix. |

+6. Select **Review + create**, and then **Create** on the following page.

+10. Repeat steps 1-5 to return to the **Overview** page for **myCustomIPPrefix**. You'll see **myPublicIPPrefix** listed under the **Associated public IP prefixes** section. You can now allocate standard SKU public IP addresses from this prefix. For more information, see [Create a static public IP address from a prefix](manage-public-ip-address-prefix.md#create-a-static-public-ip-address-from-a-prefix).

+## Commission the custom IP address prefix

+When the custom IP prefix is in **Provisioned** state, update the prefix to begin the process of advertising the range from Azure.

+1. In the search box at the top of the portal, enter **Custom IP**.

+2. In the search results, select **Custom IP Prefixes**.

+3. In **Custom IP Prefixes**, select **myCustomIPPrefix**.

+4. In **Overview** of **myCustomIPPrefix**, select **Commission**.

+The operation is asynchronous. You can check the status by reviewing the **Commissioned state** field for the custom IP prefix. The status which will initially show the prefix as **Commissioning**, followed in the future by **Commissioned**. The advertisement rollout isn't binary and the range will be partially advertised while still in the **Commissioning** status.

+> [!NOTE]

+> The estimated time to fully complete the commissioning process is 3-4 hours.

+> [!IMPORTANT]

+> As the custom IP prefix transitions to a **Commissioned** state, the range is being advertised with Microsoft from the local Azure region and globally to the Internet by Microsoft's wide area network under Autonomous System Number (ASN) 8075. Advertising this same range to the Internet from a location other than Microsoft at the same time could potentially create BGP routing instability or traffic loss. For example, a customer on-premises building. Plan any migration of an active range during a maintenance period to avoid impact.

+## Next steps

+- To learn about scenarios and benefits of using a custom IP prefix, see [Custom IP address prefix (BYOIP)](custom-ip-address-prefix.md)

+- For more information on managing a custom IP prefix, see [Manage a custom IP address prefix (BYOIP)](manage-custom-ip-address-prefix.md)

+- To create a custom IP address prefix using the Azure CLI, see [Create custom IP address prefix using the Azure CLI](create-custom-ip-address-prefix-cli.md)

+- To create a custom IP address prefix using PowerShell, see [Create a custom IP address prefix using Azure PowerShell](create-custom-ip-address-prefix-powershell.md)

+ Title: Create a custom IP address prefix - Azure PowerShell

+description: Learn about how to create a custom IP address prefix using Azure PowerShell

+# Create a custom IP address prefix using Azure PowerShell

+A custom IP address prefix enables you to bring your own IP ranges to Microsoft and associate it to your Azure subscription. The range would continue to be owned by you, though Microsoft would be permitted to advertise it to the Internet. A custom IP address prefix functions as a regional resource that represents a contiguous block of customer owned IP addresses.

+The steps in this article detail the process to:

+* Prepare a range to provision

+* Provision the range for IP allocation

+* Enable the range to be advertised by Microsoft

+## Prerequisites

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- Azure PowerShell installed locally or Azure Cloud Shell.

+- Sign in to Azure PowerShell and ensure you've selected the subscription with which you want to use this feature. For more information, see [Sign in with Azure PowerShell](/powershell/azure/authenticate-azureps).

+- Ensure your Az. Network module is 4.3.0 or later. To verify the installed module, use the command Get-InstalledModule -Name "Az.Network". If the module requires an update, use the command Update-Module -Name "Az. Network" if necessary.

+- A customer owned IP range to provision in Azure

+ - A sample customer range (1.2.3.0/24) is used for this example. This range won't be validated by Azure. Replace the example range with yours

+If you choose to install and use PowerShell locally, this article requires the Azure PowerShell module version 5.4.1 or later. Run `Get-Module -ListAvailable Az` to find the installed version. If you need to upgrade, see [Install Azure PowerShell module](/powershell/azure/install-Az-ps). If you're running PowerShell locally, you also need to run `Connect-AzAccount` to create a connection with Azure.

+> [!NOTE]

+> For problems encountered during the provisioning process, please see [Troubleshooting for custom IP prefix](manage-custom-ip-address-prefix.md#troubleshooting-and-faqs).

+## Pre-provisioning steps

+To utilize the Azure BYOIP feature, you must perform the following steps prior to the provisioning of your IP address range.

+### Requirements and prefix readiness

+* The address range must be owned by you and registered under your name with the [American Registry for Internet Numbers (ARIN)](https://www.arin.net/), the [Réseaux IP Européens Network Coordination Centre (RIPE NCC)](https://www.ripe.net/), or the [Asia Pacific Network Information Centre Regional Internet Registries (APNIC)](https://www.apnic.net/). If the range is registered under the Latin America and Caribbean Network Information Centre (LACNIC) or the African Network Information Centre (AFRINIC), contact the [Microsoft Azure BYOIP team](mailto:byoipazure@microsoft.com).

+* The address range must be no smaller than a /24 so it will be accepted by Internet Service Providers.

+* A Route Origin Authorization (ROA) document that authorizes Microsoft to advertise the address range must be filled out by the customer on the appropriate Routing Internet Registry website. ARIN, RIPE, and APNIC.

+

+ For this ROA:

+

+ * The Origin AS must be listed as 8075

+

+ * The validity end date (expiration date) needs to account for the time you intend to have the prefix advertised by Microsoft. Some RIRs don't present validity end date as an option and or choose the date for you.

+

+ * The prefix length should exactly match the prefixes that can be advertised by Microsoft. For example, if you plan to bring 1.2.3.0/24 and 2.3.4.0/23 to Microsoft, they should both be named.

+

+ * After the ROA is complete and submitted, allow at least 24 hours for it to become available to Microsoft.

+### Certificate readiness

+To authorize Microsoft to associate a prefix with a customer subscription, a public certificate must be compared against a signed message.

+The following steps show the steps required to prepare sample customer range (1.2.3.0/24) for provisioning.

+> [!NOTE]

+> Execute the following commands in PowerShell with OpenSSL installed.

+

+1. A [self-signed X509 certificate](https://en.wikipedia.org/wiki/Self-signed_certificate) must be created to add to the Whois/RDAP record for the prefix. For information about RDAP, see the [ARIN](https://www.arin.net/resources/registry/whois/rdap/), [RIPE](https://www.ripe.net/manage-ips-and-asns/db/registration-data-access-protocol-rdap), and [APNIC](https://www.apnic.net/about-apnic/whois_search/about/rdap/) sites.

+ An example utilizing the OpenSSL toolkit is shown below. The following commands generate an RSA key pair and create an X509 certificate using the key pair that expires in six months:

+

+ ```powershell

+ ./openssl genrsa -out byoipprivate.key 2048

+ Set-Content -Path byoippublickey.cer (./openssl req -new -x509 -key byoipprivate.key -days 180) -NoNewline

+ ```

+

+2. After the certificate is created, update the public comments section of the Whois/RDAP record for the prefix. To display for copying, including the BEGIN/END header/footer with dashes, use the command `cat byoippublickey.cer` You should be able to perform this procedure via your Routing Internet Registry.

+ Instructions for each registry are below:

+

+ * [ARIN](https://www.arin.net/resources/registry/manage/netmod/) - edit the "Comments" of the prefix record

+

+ * [RIPE](https://www.ripe.net/manage-ips-and-asns/db/support/updating-the-ripe-database) - edit the "Remarks" of the inetnum record

+

+ * [APNIC](https://www.apnic.net/manage-ip/using-whois/updating-whois/) - in order to edit the prefix record, contact helpdesk@apnic.net

+

+ * For ranges from either LACNIC or AFRINIC registries, create a support ticket with Microsoft.

+

+ After the public comments are filled out, the Whois/RDAP record should look like the example below. Ensure there aren't spaces or carriage returns. Include all dashes:

+ :::image type="content" source="./media/create-custom-ip-address-prefix-portal/certificate-example.png" alt-text="Screenshot of example certificate comment":::

+

+3. To create the message that will be passed to Microsoft, create a string that contains relevant information about your prefix and subscription. Sign this message with the key pair generated in the steps above. Use the format shown below, substituting your subscription ID, prefix to be provisioned, and expiration date matching the Validity Date on the ROA. Ensure the format is in that order.

+ Use the following command to create a signed message that will be passed to Microsoft for verification.

+

+ > [!NOTE]

+ > If the Validity End date was not included in the original ROA, pick a date that corresponds to the time you intend to have the prefix advertised by Azure.

+

+ ```powershell

+ $byoipauth="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx|1.2.3.0/24|yyyymmdd"

+ Set-Content -Path byoipauth.txt -Value $byoipauth -NoNewline

+ ./openssl dgst -sha256 -sign byoipprivate.key -keyform PEM -out byoipauthsigned.txt byoipauth.txt

+ $byoipauthsigned=(./openssl enc -base64 -in byoipauthsigned.txt) -join ''

+ ```

+4. To view the contents of the signed message, enter the variable created from the signed message created previously and select **Enter** at the PowerShell prompt:

+ ```powershell

+ $byoipauthsigned

+ dIlwFQmbo9ar2GaiWRlSEtDSZoH00I9BAPb2ZzdAV2A/XwzrUdz/85rNkXybXw457//gHNNB977CQvqtFxqqtDaiZd9bngZKYfjd203pLYRZ4GFJnQFsMPFSeePa8jIFwGJk6JV4reFqq0bglJ3955dVz0v09aDVqjj5UJx2l3gmyJEeU7PXv4wF2Fnk64T13NESMeQk0V+IaEOt1zXgA+0dTdTLr+ab56pR0RZIvDD+UKJ7rVE7nMlergLQdpCx1FoCTm/quY3aiSxndEw7aQDW15+rSpy+yxV1iCFIrUa/4WHQqP4LtNs3FATvLKbT4dBcBLpDhiMR+j9MgiJymA==

+ ```

+## Provisioning steps

+The following steps display the procedure for provisioning a sample customer range (1.2.3.0/24) to the US West 2 region.

+> [!NOTE]

+> Clean up or delete steps aren't shown on this page given the nature of the resource. For information on removing a provisioned custom IP prefix, see [Manage custom IP prefix](manage-custom-ip-address-prefix.md).

+### Create a resource group and specify the prefix and authorization messages

+Create a resource group in the desired location for provisioning the BYOIP range.

+ ```azurepowershell-interactive

+$rg =@{

+ Name = 'myResourceGroup'

+ Location = 'WestUS2'

+}

+New-AzResourceGroup @rg

+```

+### Provision a custom IP address prefix

+The following command creates a custom IP prefix in the specified region and resource group. Specify the exact prefix in CIDR notation as a string to ensure there's no syntax error. For the `-AuthorizationMessage` parameter, substitute your subscription ID, prefix to be provisioned, and expiration date matching the Validity Date on the ROA. Ensure the format is in that order. Use the variable **$byoipauthsigned** for the `-SignedMessage` parameter created in the certificate readiness section.

+ ```azurepowershell-interactive

+$prefix =@{

+ Name = 'myCustomIPPrefix'

+ ResourceGroupName = 'myResourceGroup'

+ Location = 'WestUS2'

+ CIDR = '1.2.3.0/24'

+ AuthorizationMessage = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx|1.2.3.0/24|yyyymmdd'

+ SignedMessage = $byoipauthsigned

+}

+$myCustomIpPrefix = New-AzCustomIPPrefix @prefix -Zone 1,2,3

+```

+The range will be pushed to the Azure IP Deployment Pipeline. The deployment process is asynchronous. To determine the status, execute the following command:

+ ```azurepowershell-interactive

+Get-AzCustomIpPrefix -ResourceId $myCustomIpPrefix.Id

+```

+Sample output is shown below, with some fields removed for clarity:

+```

+Name : myCustomIpPrefix

+ResourceGroupName : myResourceGroup

+Location : westus2

+Id : /subscriptions/xxxx/resourceGroups/myResourceGroup/providers/Microsoft.Network/customIPPrefixes/MyCustomIPPrefix

+Cidr : 1.2.3.0/24

+Zones : {1, 2, 3}

+CommissionedState : Provisioning

+```

+The **CommissionedState** field should show the range as **Provisioning** initially, followed in the future by **Provisioned**.

+> [!NOTE]

+> The estimated time to complete the provisioning process is 30 minutes.

+> [!IMPORTANT]

+> After the custom IP prefix is in a **Provisioned** state, a child public IP prefix can be created. These public IP prefixes and any public IP addresses can be attached to networking resources. For example, virtual machine network interfaces or load balancer front ends. The IPs won't be advertised and therefore won't be reachable. For more information on a migration of an active prefix, see [Manage a custom IP prefix](manage-custom-ip-address-prefix.md).

+### Commission the custom IP address prefix

+When the custom IP prefix is in the **Provisioned** state, the following command updates the prefix to begin the process of advertising the range from Azure.

+```azurepowershell-interactive

+Update-AzCustomIpPrefix -ResourceId $myCustomIPPrefix.Id -Commission

+```

+As before, the operation is asynchronous. Use [Get-AzCustomIpPrefix](/powershell/module/az.network/get-azcustomipprefix) to retrieve the status. The **CommissionedState** field will initially show the prefix as **Commissioning**, followed in the future by **Commissioned**. The advertisement rollout isn't binary and the range will be partially advertised while still in **Commissioning**.

+> [!NOTE]

+> The estimated time to fully complete the commissioning process is 3-4 hours.

+> [!IMPORTANT]

+> As the custom IP prefix transitions to a **Commissioned** state, the range is being advertised with Microsoft from the local Azure region and globally to the Internet by Microsoft's wide area network under Autonomous System Number (ASN) 8075. Advertising this same range to the Internet from a location other than Microsoft at the same time could potentially create BGP routing instability or traffic loss. For example, a customer on-premises building. Plan any migration of an active range during a maintenance period to avoid impact.

+## Next steps

+- To learn about scenarios and benefits of using a custom IP prefix, see [Custom IP address prefix (BYOIP)](custom-ip-address-prefix.md)

+- For more information on managing a custom IP prefix, see [Manage a custom IP address prefix (BYOIP)](manage-custom-ip-address-prefix.md)

+- To create a custom IP address prefix using the Azure CLI, see [Create custom IP address prefix using the Azure CLI](create-custom-ip-address-prefix-cli.md)

+- To create a custom IP address prefix using the Azure portal, see [Create a custom IP address prefix using the Azure portal](create-custom-ip-address-prefix-portal.md)

+ Title: Custom IP address prefix (BYOIP)

+description: Learn about what an Azure custom IP address prefix is and how it enables customers to utilize their own ranges in Azure.

+# Custom IP address prefix (BYOIP)

+A custom IP address prefix is a contiguous range of IP addresses owned by an external customer and provisioned into a subscription. Microsoft is permitted to advertise the range. Addresses from a custom IP address prefix can be used in the same way as Azure owned public IP address prefixes. Addresses from a custom IP address prefix can be associated to Azure resources, interact with internal/private IPs and virtual networks, and reach external destinations outbound from the Azure Wide Area Network.

+## Benefits

+* Customers can retain their IP ranges (BYOIP) to maintain established reputation and continue to pass through externally controlled allowlists

+* Public IP address prefixes and standard SKU public IPs can be derived from custom IP address prefixes. These IPs can be used in the same way as Azure owned public IPs

+## Bring an IP prefix to Azure

+It's a three phase process to bring an IP prefix to Azure:

+* Validation

+* Provision

+* Commission

+### Validation

+A public IP address range that's brought to Azure must be owned by you and registered with a Routing Internet Registry such as [ARIN](https://www.arin.net/) or [RIPE](https://www.ripe.net/). When you bring an IP range to Azure, it remains under your ownership. You must authorize Microsoft to advertise the range. Your ownership of the range and its association with your Azure subscription are also verified. Some of these steps will be done outside of Azure.

+### Provision

+After the previous steps are completed, the public IP range can complete the **Provisioning** phase. The range will be created as a custom IP prefix resource in your subscription. Public IP prefixes and public IPs can be derived from your range and associated to Azure resources. The IPs won't be advertised at this point and not reachable.

+### Commission

+When ready, you can issue the command to have your range advertised from Azure and enter the **Commissioning** phase. The range will be advertised first from the Azure region where the custom IP prefix is located, and then by Microsoft's Wide Area Network (WAN) to the Internet. The specific region where the range was provisioned will be posted publicly on [Microsoft's IP Range GeoLocation page](https://www.microsoft.com/download/details.aspx?id=53601).

+## Limitations

+* A custom IP prefix must be associated with a single Azure region

+* The minimum size of an IP range is /24

+* IPv6 is currently not supported for custom IP prefixes

+* In regions with [availability zones](../../availability-zones/az-overview.md), a custom IP prefix must be specified as either zone-redundant or assigned to a specific zone. It can't be created with no zone specified in these regions. All IPs from the prefix must have the same zonal properties

+* The advertisements of IPs from a custom IP prefix over Azure ExpressRoute aren't currently supported

+* Once provisioned, custom IP prefix ranges can't be moved to another subscription. Custom IP address prefix ranges can't be moved within resource groups in a single subscription. It's possible to derive a public IP prefix from a custom IP prefix in another subscription with the proper permissions

+* Any IP addresses utilized from a custom IP prefix currently count against the standard public IP quota for a subscription and region. Contact Azure support to have quotas increased when required

+## Pricing

+* There's no charge to provision or use custom IP prefixes. There's no charge for all public IP prefixes and public IP addresses that are derived from custom IP prefixes

+* All traffic destined to a custom IP prefix range is charged the [internet egress rate](https://azure.microsoft.com/pricing/details/bandwidth/). Customers traffic to a custom IP prefix address from within Azure are charged internet egress for the source region of their traffic. Egress traffic from a custom IP address prefix range is charged the equivalent rate as an Azure public IP from the same region

+## Next steps

+- To create a custom IP address prefix using the Azure portal, see [Create custom IP address prefix using the Azure portal](create-custom-ip-address-prefix-portal.md)

+- To create a custom IP address prefix using PowerShell, see [Create a custom IP address prefix using Azure PowerShell](create-custom-ip-address-prefix-powershell.md)

+- For more information about the management of a custom IP address prefix, see [Manage a custom IP address prefix](create-custom-ip-address-prefix-powershell.md)

+ Title: Manage a custom IP address prefix

+description: Learn about custom IP address prefixes and how to manage and delete them.

+# Manage a custom IP address prefix

+A custom IP address prefix is a contiguous range of IP addresses owned by an external customer and provisioned into a subscription. The range is owned by the customer and Microsoft is permitted to advertise the range. For more information, see [Custom IP address prefix overview](custom-ip-address-prefix.md).

+This article explains how to:

+* Create public IP prefixes from provisioned custom IP prefixes

+* Migrate active IP prefixes from outside Microsoft

+* View information about a custom IP prefix

+* Decommission a custom IP prefix

+* Deprovision/delete a custom IP prefix

+For information on provisioning an IP address, see [Create a custom IP address prefix - Azure portal](create-custom-ip-address-prefix-portal.md), [Create a custom IP address prefix - Azure PowerShell](create-custom-ip-address-prefix-powershell.md), or [Create a custom IP address prefix - Azure CLI](create-custom-ip-address-prefix-cli.md).

+## Create a public IP prefix from a custom IP prefix

+When a custom IP prefix is in **Provisioned**, **Commissioning**, or **Commissioned** state, a linked public IP prefix can be created. Either as a subset of the custom IP prefix range or the entire range.

+> [!NOTE]

+> A public IP prefix can be derived from a custom IP prefix in another subscription with the appropriate permissions.

+Use the following CLI and PowerShell commands to create public IP prefixes with the `--custom-ip-prefix-name` (CLI) and `-CustomIpPrefix` (PowerShell) parameters that point to an existing custom IP prefix.

+|Tool|Command|

+|||

+|CLI|[az network public-ip prefix create](/cli/azure/network/public-ip/prefix#az_network_public_ip_prefix_create)|

+|PowerShell|[New-AzPublicIpPrefix](/powershell/module/az.network/new-azpublicipprefix)|

+Once created, the IPs in the child public IP prefix can be associated with resources like any other standard SKU static public IPs. To learn more about using IPs from a public IP prefix, including selection of a specific IP from the range, see [Create a static public IP address from a prefix](manage-public-ip-address-prefix.md#create-a-static-public-ip-address-from-a-prefix).

+## Migration of active prefixes from outside Microsoft

+If the provisioned range is being advertised to the Internet by another network, it's important to plan the migration to Azure to avoid unplanned downtime. Regardless of the method used, make the transition during a maintenance window.

+**Method 1: Create public IP prefixes and public IP addresses from the prefixes when the custom IP prefix is in a "Provisioned" state**.

+

+* The public IPs can be associated to networking resources but won't be advertised and won't be reachable. When the command to update the custom IP prefix to the **Commissioned** state is executed, the IPs will advertise from Microsoft's network. Any advertisement of this same range from a location other than Microsoft could potentially create BGP routing instability or traffic loss. For example, a customer on-premises building. The advertisement should be disabled once the Azure infrastructure has been verified as operational.

+**Method 2: Create public IP prefixes and public IP addresses from the prefixes using Microsoft ranges. Deploy an infrastructure in your subscription and verify it's operational**.

+* Create a second set of mirrored public IP prefixes and public IP addresses from the prefixes when the custom IP prefix is in a **Provisioned** state. Add the provisioned IPs to the existing infrastructure. For example, add another network interface to a virtual machine or another frontend for a load balancer. Perform a change to the desired IPs before issuing the command to move the custom IP prefix to the **Commissioned** state.

+* Alternatively, the ranges can be commissioned first and then changed. This process won't work for all resource types with public IPs. In those cases, a new resource with the provisioned public IP must be created.

+## View a custom IP prefix

+To view a custom IP prefix, the following commands can be used in Azure CLI and Azure PowerShell. All public IP prefixes created under the custom IP prefix will be displayed.

+**Commands**

+|Tool|Command|

+|||

+|CLI|[az network custom-ip prefix list](/cli/azure/network/public-ip/prefix#az_network_custom_ip_prefix_list) to list custom IP prefixes<br>[az network custom-ip prefix show](/cli/azure/network/public-ip/prefix#az_network_custom_ip_prefix_show) to show settings and any derived public IP prefixes<br>

+|PowerShell|[Get-AzCustomIpPrefix](/powershell/module/az.network/get-azcustomipprefix) to retrieve a custom IP prefix object and view its settings and any derived public IP prefixes|

+## Decommission a custom IP prefix

+A custom IP prefix must be decommissioned to turn off advertisements.

+> [!NOTE]

+> All public IP prefixes created from an provisioned custom IP prefix must be deleted before a custom IP prefix can be decommissioned.

+>

+> The estimated time to fully complete the decommissioning process is 3-4 hours.

+The following commands can be used in Azure CLI and Azure PowerShell to begin the process to stop advertising the range from Azure. The operation is asynchronous, use view commands to retrieve the status. The **CommissionedState** field will initially show the prefix as **Decommissioning**, followed by **Provisioned** as it transitions to the earlier state. Advertisement removal is a gradual process, and the range will be partially advertised while still in **Decommissioning**.

+**Commands**

+|Tool|Command|

+|||

+|Azure portal|Use the **Decommission** option in the Overview section of a Custom IP Prefix |

+|CLI|[az network custom-ip prefix update](/cli/azure/network/public-ip/prefix#az-network-custom-ip-prefix-update) with the flag to `-Decommission` |

+|PowerShell|[Update-AzCustomIpPrefix](/powershell/module/az.network/update-azcustomipprefix) with the `--state` flag set to decommission |

+Alternatively, a custom IP prefix can be decommissioned via the Azure portal using the **Decommission** button in the **Overview** section of the custom IP prefix.

+## Deprovision/Delete a custom IP prefix

+To fully remove a custom IP prefix, it must be deprovisioned and then deleted.

+> [!NOTE]

+> If there is a requirement to migrate an provisioned range from one region to the other, the original custom IP prefix must be fully removed from the fist region before a new custom IP prefix with the same address range can be created in another region.

+>

+> The estimated time to complete the deprovisioning process can range from 30 minutes to 13 hours.

+The following commands can be used in Azure CLI and Azure PowerShell to deprovision and remove the range from Microsoft. The deprovisioning operation is asynchronous. You can use the view commands to retrieve the status. The **CommissionedState** field will initially show the prefix as **Deprovisioning**, followed by **Deprovisioned** as it transitions to the earlier state. When the range is in the **Deprovisioned** state, it can be deleted by using the commands to remove.

+**Commands**

+|Tool|Command|

+|||

+|Azure portal|Use the **Deprovision** option in the Overview section of a Custom IP Prefix |

+|CLI|[az network custom-ip prefix update](/cli/azure/network/public-ip/prefix#az-network-custom-ip-prefix-update) with the flag to `-Deprovision` <br>[az network custom-ip prefix delete](/cli/azure/network/public-ip/prefix#az-network-custom-ip-prefix-delete) to remove|

+|PowerShell|[Update-AzCustomIpPrefix](/powershell/module/az.network/update-azcustomipprefix) with the `--state` flag set to deprovision<br>[Remove-AzCustomIpPrefix](/powershell/module/az.network/update-azcustomipprefix) to remove|

+Alternatively, a custom IP prefix can be decommissioned via the Azure portal using the **Deprovision** button in the **Overview** section of the custom IP prefix, and then deleted using the **Delete** button in the same section.

+## Permissions

+For permissions to manage public IP address prefixes, your account must be assigned to the [network contributor](../../role-based-access-control/built-in-roles.md?toc=%2fazure%2fvirtual-network%2ftoc.json#network-contributor) role or to a [custom](../../role-based-access-control/custom-roles.md?toc=%2fazure%2fvirtual-network%2ftoc.json) role.

+| Action | Name |

+| | - |

+| Microsoft.Network/customIPPrefixes/read | Read a custom IP address prefix |

+| Microsoft.Network/customIPPrefixes/write | Create or update a custom IP address prefix |

+| Microsoft.Network/customIPPrefixes/delete | Delete a custom IP address prefix |

+| Microsoft.Network/customIPPrefixes/join/action | Create a public IP prefix from a custom IP address prefix |

+## Troubleshooting and FAQs

+This section provides answers for common questions about custom IP prefix resources and the provisioning and removal processes.

+### A "ValidationFailed" error is returned after a new custom IP prefix creation

+A quick failure of provisioning is likely due to a prefix validation error. A prefix validation error indicates we're unable to verify your ownership of the range. A validation error can also indicate that we can't verify Microsoft permission to advertise the range, and or the association of the range with the given subscription. To view the specific error, you can use the **JSON view** of a custom IP prefix resource in the **Overview** section to see the **failedReason** field. The JSON view displays the Route Origin Authorization, the signed message on the prefix records, and other details of the submission. You should delete the custom IP prefix resource and create a new one with the correct information.

+### After updating a custom IP prefix to advertise, it transitions to a "CommissioningFailed" status

+If a custom IP prefix is unable to be fully advertised, it moves to a **CommissioningFailed** status. In these instances, it's recommended to execute the command to update the range to commissioned status again.

+### IΓÇÖm unable to decommission a custom IP prefix

+Before you decommission a custom IP prefix, ensure it has no public IP prefixes or public IP addresses.

+### How can I migrate a range from one region to another

+To migrate a custom IP prefix, it must first be deprovisioned from one region. A new custom IP prefix with the same CIDR can then be created in another region.

+## Next steps

+- To learn about scenarios and benefits of using a custom IP prefix, see [Custom IP address prefix (BYOIP)](custom-ip-address-prefix.md)

+- To create a custom IP address prefix using the Azure portal, see [Create custom IP address prefix using the Azure portal](create-custom-ip-address-prefix-portal.md)

+- To create a custom IP address prefix using PowerShell, see [Create a custom IP address prefix using Azure PowerShell](create-custom-ip-address-prefix-powershell.md)