-| Redirect URLs | https://your-B2C-tenant-name.b2clogin.com/your-B2C-tenant-name.onmicrosoft.com/oauth2/authresp<br>For Example: `https://fabrikam.b2clogin.com/fabrikam.onmicrosoft.com/oauth2/authresp`<br>If you use a custom domain, enter https://your-domain-name/your-tenant-name.onmicrosoft.com/oauth2/authresp.<br> Replace your-domain-name with your custom domain, and your-tenant-name with the name of your tenant. |

-2. Find the `BuildingBlocks` element. This is where additional identity claims that eID-Me supports can be added. Full lists of supported eID-Me identity claims with descriptions are mentioned at [http://www.oid-info.com/get/1.3.6.1.4.1.50715](http://www.oid-info.com/get/1.3.6.1.4.1.50715) with the OIDC identifiers used here [https://eid-me.bluink.ca/.well-known/openid-configuration](https://eid-me.bluink.ca/.well-known/openid-configuration).

-## Create and export a connector configuration in MIM Sync

-If you already have MIM Sync with your ECMA connector configured, skip to step 10.

- 1. Install MIM Sync on this host. If you don't have MIM Sync binaries, you can install an evaluation by downloading the zip file from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=48244), mounting the ISO image, and copying the folder **Synchronization Service** to the Windows Server host. Then run the setup program contained in that folder. Evaluation software is time limited and will expire. It isn't intended for production use.

- 1. Install your connector on the same server as MIM Sync. For illustration purposes, this test lab guide will illustrate using one of the Microsoft-supplied connectors for download from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=51495).

- 1. Sign in to the Windows server as the account that the Azure AD ECMA Connector Host will run as.

- 1. Specify the management agent XML file that was exported from MIM Sync earlier. Continue with the configuration and schema-mapping instructions from the section "Configure a connector."

-If your federated domain(s) have SupportsMFA set to false, you are likely enforcing MFA on AD FS using claims rules.

-## Prepare Azure AD and implement

-### Ensure SupportsMFA is set to True

-For federated domains, MFA may be enforced by Azure AD Conditional Access or by the on-premises federation provider. Each federated domain in Azure AD has a SupportsMFA flag. When the SupportsMFA flag is set to True, Azure AD redirects users to MFA on AD FS or another federation providers. For example, if a user is accessing an application for which a Conditional Access policy that requires MFA has been configured, the user will be redirected to AD FS. Adding Azure AD MFA as an authentication method in AD FS, enables Azure AD MFA to be invoked once your configurations are complete.

-If the SupportsMFA flag is set to False, you're likely not using Azure MFA; you're probably using claims rules on AD FS relying parties to invoke MFA.

-You can check the status of your SupportsMFA flag with the following [Windows PowerShell cmdlet](/powershell/module/msonline/get-msoldomainfederationsettings):

-Get-MsolDomainFederationSettings ΓÇôDomainName yourdomain.com

-If the SupportsMFA flag is set to false or is blank for your federated domain, set it to true using the following Windows PowerShell cmdlet:

-Set-MsolDomainFederationSettings -DomainName contoso.com -SupportsMFA $true

-This configuration allows the decision to use MFA Server or Azure MFA to be made on AD FS.

-If your federated domain(s) have SupportsMFA set to false, analyze your claims rules on the Azure AD relying party trust and create Conditional Access policies that support the same security goals.

-

->To secure your Azure AD resource, it is recommended to require MFA through a [Conditional Access policy](../conditional-access/howto-conditional-access-policy-all-users-mfa.md), set the domain setting SupportsMfa to $True and [emit the multipleauthn claim](#secure-azure-ad-resources-using-ad-fs) when a user performs two-step verification successfully.

-Trusted IPs allow administrators to by-pass two-step verification for specific IP addresses, or for federated users that have requests originating from within their own intranet. The following sections describe how to configure Azure AD Multi-Factor Authentication Trusted IPs with federated users and by-pass two-step verification when a request originates from within a federated users intranet. This is achieved by configuring AD FS to use a pass-through or filter an incoming claim template with the Inside Corporate Network claim type.

-> [!CAUTION]

-> **This preview feature has been deprecated.** Customers should use **Filter for devices** condition in Conditional Access to satisfy scenarios, previously achieved using device state (preview) condition.

-* **Refresh tokens** - The client uses a refresh token, or *RT*, to request new access and ID tokens from the authorization server. Your code should treat refresh tokens and their string content as opaque because they're intended for use only by authorization server.

-The OAuth 2.0 client credentials grant flow permits a web service (confidential client) to use its own credentials, instead of impersonating a user, to authenticate when calling another web service. For a higher level of assurance, the Microsoft identity platform also allows the calling service to authenticate using a [certificate](#second-case-access-token-request-with-a-certificate) or federated credential instead of a shared secret. Because the applications own credentials are being used, these credentials must be kept safe - _never_ publish that credential in your source code, embed it in web pages, or use it in a widely distributed native application.

-> - You must be a Cloud Device Administrator, Intune Administrator, or Global Administrator in Azure AD to delete a device.

-As an Azure or Microsoft 365 subscriber, you can purchase the Azure Active Directory Premium editions online. For detailed steps, see How to Purchase Azure Active Directory Premium - New Customers.

-Azure Active Directory (Azure AD) is a cloud-based identity and access management service. This service helps your employees access external resources, such as Microsoft 365, the Azure portal, and thousands of other SaaS applications. Azure AD also helps them access internal resources. These are resources like apps on your corporate network and intranet, along with any cloud apps developed by your own organization. For more information about creating a tenant for your organization, see [Quickstart: Create a new tenant in Azure Active Directory](active-directory-access-create-new-tenant.md).

-To learn the difference between Azure AD and Active Directory Domain Services, see [Compare Active Directory to Azure Active Directory](active-directory-compare-azure-ad-to-ad.md). You can also use the various [Microsoft Cloud for Enterprise Architects Series](/microsoft-365/solutions/cloud-architecture-models) posters to better understand the core identity services in Azure, Azure AD, and Microsoft 365.

-[Clap Your Hands](http://www.rmit.com.ar/), [Appreiz](https://microsoftteams.appreiz.com/), [Inextor Vault](https://inexto.com/inexto-suite/inextor), [Beekast](https://my.beekast.com/), [Templafy OpenID Connect](https://app.templafy.com/), [PeterConnects receptionist](https://msteams.peterconnects.com/), [AlohaCloud](https://appfusions.alohacloud.com/auth), Control Tower, [Cocoom](https://start.cocoom.com/), [COINS Construction Cloud](https://sso.coinsconstructioncloud.com/#login/), [Medxnote MT](https://task.teamsmain.medx.im/authorization), [Reflekt](https://reflekt.konsolute.com/login), [Rever](https://app.reverscore.net/access), [MyCompanyArchive](https://login.mycompanyarchive.com/), [GReminders](https://app.greminders.com/o365-oauth), [Titanfile](../saas-apps/titanfile-tutorial.md), [Wootric](../saas-apps/wootric-tutorial.md), [SolarWinds Orion](https://support.solarwinds.com/SuccessCenter/s/orion-platform?language=en_US), [OpenText Directory Services](../saas-apps/opentext-directory-services-tutorial.md), [Datasite](../saas-apps/datasite-tutorial.md), [BlogIn](../saas-apps/blogin-tutorial.md), [IntSights](../saas-apps/intsights-tutorial.md), [kpifire](../saas-apps/kpifire-tutorial.md), [Textline](../saas-apps/textline-tutorial.md), [Cloud Academy - SSO](../saas-apps/cloud-academy-sso-tutorial.md), [Community Spark](../saas-apps/community-spark-tutorial.md), [Chatwork](../saas-apps/chatwork-tutorial.md), [CloudSign](../saas-apps/cloudsign-tutorial.md), [C3M Cloud Control](../saas-apps/c3m-cloud-control-tutorial.md), [SmartHR](https://smarthr.jp/), [NumlyEngageΓäó](../saas-apps/numlyengage-tutorial.md), [Michigan Data Hub Single Sign-On](../saas-apps/michigan-data-hub-single-sign-on-tutorial.md), [Egress](../saas-apps/egress-tutorial.md), [SendSafely](../saas-apps/sendsafely-tutorial.md), [Eletive](https://app.eletive.com/), [Right-Hand Cybersecurity ADI](https://right-hand.ai/), [Fyde Enterprise Authentication](https://enterprise.fyde.com/), [Verme](../saas-apps/verme-tutorial.md), [Lenses.io](../saas-apps/lensesio-tutorial.md), [Momenta](../saas-apps/momenta-tutorial.md), [Uprise](https://app.uprise.co/sign-in), [Q](https://q.moduleq.com/login), [CloudCords](../saas-apps/cloudcords-tutorial.md), [TellMe Bot](https://tellme365liteweb.azurewebsites.net/), [Inspire](https://app.inspiresoftware.com/), [Maverics Identity Orchestrator SAML Connector](https://www.strata.io/identity-fabric/), [Smartschool (School Management System)](https://smartschoolz.com/login), [Zepto - Intelligent timekeeping](https://user.zepto-ai.com/signin), [Studi.ly](https://studi.ly/), [Trackplan](http://www.trackplanfm.com/), [Skedda](../saas-apps/skedda-tutorial.md), [WhosOnLocation](../saas-apps/whos-on-location-tutorial.md), [Coggle](../saas-apps/coggle-tutorial.md), [Kemp LoadMaster](https://kemptechnologies.com/cloud-load-balancer/), [BrowserStack Single Sign-on](../saas-apps/browserstack-single-sign-on-tutorial.md)

-[Azure AD SAML Toolkit](../saas-apps/saml-toolkit-tutorial.md), [Otsuka Shokai (大塚商会)](../saas-apps/otsuka-shokai-tutorial.md), [ANAQUA](../saas-apps/anaqua-tutorial.md), [Azure VPN Client](https://portal.azure.com/), [ExpenseIn](../saas-apps/expensein-tutorial.md), [Helper Helper](../saas-apps/helper-helper-tutorial.md), [Costpoint](../saas-apps/costpoint-tutorial.md), [GlobalOne](../saas-apps/globalone-tutorial.md), [Mercedes-Benz In-Car Office](https://me.secure.mercedes-benz.com/), [Skore](https://app.justskore.it/), [Oracle Cloud Infrastructure Console](../saas-apps/oracle-cloud-tutorial.md), [CyberArk SAML Authentication](../saas-apps/cyberark-saml-authentication-tutorial.md), [Scrible Edu](https://www.scrible.com/sign-in/#/create-account), [PandaDoc](../saas-apps/pandadoc-tutorial.md), [Perceptyx](https://apexdata.azurewebsites.net/docs.microsoft.com/azure/active-directory/saas-apps/perceptyx-tutorial), [Proptimise OS](https://www.proptimise.com/), [Vtiger CRM (SAML)](../saas-apps/vtiger-crm-saml-tutorial.md), Oracle Access Manager for Oracle Retail Merchandising, Oracle Access Manager for Oracle E-Business Suite, Oracle IDCS for E-Business Suite, Oracle IDCS for PeopleSoft, Oracle IDCS for JD Edwards

-[Embark](../saas-apps/embark-tutorial.md), [FENCE-Mobile RemoteManager SSO](../saas-apps/fence-mobile-remotemanager-sso-tutorial.md), [カオナビ](../saas-apps/kao-navi-tutorial.md), [Adobe Identity Management (OIDC)](../saas-apps/adobe-identity-management-tutorial.md), [AppRemo](../saas-apps/appremo-tutorial.md), [Live Center](https://livecenter.norkon.net/Login), [Offishall](https://app.offishall.io/), [MoveWORK Flow](https://www.movework-flow.fm/login), [Cirros SL](https://www.cirros.net/cirros-sl/), [ePMX Procurement Software](https://azure.epmxweb.com/admin/index.php?), [Vanta O365](https://app.vanta.com/connections), [Hubble](../saas-apps/hubble-tutorial.md), [Medigold Gateway](https://gateway.medigoldcore.com), [クラウドログ](../saas-apps/crowd-log-tutorial.md),[Amazing People Schools](../saas-apps/amazing-people-schools-tutorial.md), [Salus](https://salus.com/login), [XplicitTrust Network Access](https://console.xplicittrust.com/#/dashboard), [Spike Email - Mail & Team Chat](https://spikenow.com/web/), [AltheaSuite](https://planmanager.altheasuite.com/), [Balsamiq Wireframes](../saas-apps/balsamiq-wireframes-tutorial.md).

-To find your current federation settings, run the [Get-MsolDomainFederationSettings](/windows-server/identity/ad-fs/operations/ad-fs-prompt-login) cmdlet.

-Verify any settings that might have been customized for your federation design and deployment documentation. Specifically, look for customizations in **PreferredAuthenticationProtocol**, **SupportsMfa**, and **PromptLoginBehavior**.

-After migrating to cloud authentication, the user sign in experience for accessing Microsoft 365 and other resources that are authenticated through Azure AD changes. Users who are outside the network see only the Azure AD sign in page.

-#### Sign in experience

-You cannot customize Azure AD sign in experience. No matter how your users signed-in earlier, you need a fully qualified domain name such as User Principal Name (UPN) or email to sign into Azure AD.

-You can [customize the Azure AD sign in page](../fundamentals/customize-branding.md). Some visual changes from AD FS on sign in pages should be expected after the conversion.

-Each federated domain in Azure AD has a SupportsMFA flag.

-**If the SupportsMFA flag is set to True**, Azure AD redirects users to perform MFA on AD FS or other federation providers. For example, if a user is accessing an application for which a Conditional Access policy that requires MFA has been configured, the user will be redirected to AD FS. Adding Azure AD MFA as an authentication method in AD FS, enables Azure AD MFA to be invoked once your configurations are complete.

-**If the SupportsMFA flag is set to False**, youΓÇÖre likely not using Azure MFA; youΓÇÖre probably using claims rules on AD FS relying parties to trigger MFA.

-You can check the status of your **SupportsMFA** flag with the following Windows PowerShell cmdlet:

- Get-MsolDomainFederationSettings ΓÇôDomainName yourdomain.com

- ```

-This section includes pre-work before you switch your sign in method and convert the domains.

-Depending on the choice of sign in method, complete the [pre-work for PHS](how-to-connect-staged-rollout.md#pre-work-for-password-hash-sync) or [for PTA](how-to-connect-staged-rollout.md#pre-work-for-pass-through-authentication).

-Finally, you switch the sign in method to PHS or PTA, as planned and convert the domains from federation to cloud authentication.

-**Switch from federation to the new sign in method by using Azure AD Connect**

- - Two Kerberos service principal names (SPNs) are created to represent two URLs that are used during Azure AD sign in.

- > At this point, all your federated domains will change to managed authentication. Your selected User sign in method is the new method of authentication.

-**Switch from federation to the new sign in method by using Azure AD Connect and PowerShell**

-### Test the new sign in method

-When your tenant used federated identity, users were redirected from the Azure AD sign in page to your AD FS environment. Now that the tenant is configured to use the new sign in method instead of federated authentication, users arenΓÇÖt redirected to AD FS.

-Follow the steps in this link - [Validate sign in with PHS/ PTA and seamless SSO](how-to-connect-staged-rollout.md#validation) (where required)

-To download all assignments for a specific role, on the **Roles and administrators** page, select a role, and then select **Download role assignments**. A CSV file that lists assignments at all scopes for that role is downloaded.

-

-Example of listing the role assignments.

-``` PowerShell

-$role = Get-AzureADMSRoleDefinition -Id "5b3fe201-fa8b-4144-b6f1-875829ff7543"

-This section describes how to list role assignments with organization-wide scope. To list single-application scope role assignments using Graph API, you can use the operations in [Assign custom roles with Graph API](custom-assign-graph.md).

-Use the [List unifiedRoleAssignments](/graph/api/rbacapplication-list-roleassignments) API to get the role assignment for a specified role definition.

-See [BIG-IP APM variable assign examples](https://devcentral.f5.com/s/articles/apm-variable-assign-examples-1107) and [F5 BIG-IP session variables reference](https://techdocs.f5.com/bigip-15-0-0/big-ip-access-policy-manager-visual-policy-editor/session-variables.html) for more info.

-* For ServiceNow, an instance or tenant of ServiceNow supports Calgary, Kingston, London, Madrid, New York, Orlando and Paris versions or later.

-* To install the ServiceNow Classic (Mobile) application, go to the appropriate store, and search for the ServiceNow Classic application. Then download it.

-* You can configure the ServiceNow Classic (Mobile) application with Azure AD for enabling SSO. It supports both Android and iOS users. In this tutorial, you configure and test Azure AD SSO in a test environment.

-4. [Test SSO for ServiceNow Classic (Mobile)](#test-sso-for-servicenow-classic-mobile) to verify whether the configuration works.

-## Test SSO for ServiceNow Classic (Mobile)

-1. Open your **ServiceNow Classic (Mobile)** application, and perform the following steps:

- a. Select the plus sign in the lower-right corner.

- 

- b. Enter your ServiceNow instance name, and select **Continue**.

- 

- 

- * Select **USE EXTERNAL LOGIN**. You're redirected to the Azure AD page for sign-in.

- 

-| IA-02(12)| **Accept and verify personal identity verification (PIV) credentials. This control isn't applicable if the customer doesn't deploy PIV credentials.**<p>Configure federated authentication by using Active Directory Federation Services (AD FS) to accept PIV (certificate authentication) as both primary and multifactor authentication methods and issue the multifactor authentication (MultipleAuthN) claim when PIV is used. Configure the federated domain in Azure AD with SupportsMFA to direct multifactor authentication requests originating at Azure AD to AD FS. Alternatively, you can use PIV for sign-in on Windows devices and later use integrated Windows authentication along with seamless single sign-on. Windows Server and client verify certificates by default when used for authentication. <p>Resources<br><li>[What is federation with Azure AD?](../hybrid/whatis-fed.md)<br> <li>[Configure AD FS support for user certificate authentication](/windows-server/identity/ad-fs/operations/configure-user-certificate-authentication)<br> <li>[Configure authentication policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies)<br> <li>[Secure resources with Azure AD multifactor authentication and AD FS](../authentication/howto-mfa-adfs.md)<br><li>[Set-MsolDomainFederationSettings](/powershell/module/msonline/set-msoldomainfederationsettings)<br> <li>[Azure AD Connect: Seamless single sign-on](../hybrid/how-to-connect-sso.md) |

-> [Configure Python app](configure-language-python.md)

-4. Allow inbound virtual network traffic (*VirtualNetwork* tag) on the [network security group](../virtual-network/network-security-groups-overview.md).

-Configuration as code is a practice of managing configuration files under your source control system, for example, a git repository. It gives you benefits like traceability and approval process for any configuration changes. If you adopt configuration as code, App Configuration has tools to assist you in deploying your configuration data. This way, your applications can access the latest data from your App Configuration store(s).

-Azure App Configuration supports data import and export operations. Use these operations to work with configuration data in bulk and exchange data between your App Configuration store and code project. For example, you can set up one App Configuration store for testing and another for production. You can copy application settings between them so that you don't have to enter data twice.

-This article provides a guide for importing and exporting data with App Configuration. If youΓÇÖd like to set up an ongoing sync with your GitHub repo, take a look at our [GitHub Action](./concept-github-action.md).

-Import brings configuration data into an App Configuration store from an existing source. Use the import function to migrate data into an App Configuration store or aggregate data from multiple sources. App Configuration supports importing from a JSON, YAML, or properties file.

-Import data by using either the [Azure portal](https://portal.azure.com) or the [Azure CLI](./scripts/cli-import.md). From the Azure portal, follow these steps:

-1. Browse to your App Configuration store, and select **Import/Export** from the **Operations** menu.

-1. On the **Import** tab, select **Source service** > **Configuration File**.

-1. Select **For language** and select your desired input type.

- 

-1. Select a **Separator**, and optionally enter a **Prefix** to use for imported key names.

-1. Optionally, select a **Label**.

-1. Select **Apply** to finish the import.

- 

-Export writes configuration data stored in App Configuration to another destination. Use the export function, for example, to save data in an App Configuration store to a file that's embedded with your application code during deployment.

-Export data by using either the [Azure portal](https://portal.azure.com) or the [Azure CLI](./scripts/cli-export.md). From the Azure portal, follow these steps:

-1. Browse to your App Configuration store, and select **Import/Export**.

-1. On the **Export** tab, select **Target service** > **Configuration File**.

-1. Optionally enter a **Prefix** and select a **Label** and a point-in-time for keys to be exported.

-1. Select a **File type** > **Separator**.

-1. Select **Apply** to finish the export.

- 

-> [Create an ASP.NET Core web app](./quickstart-aspnet-core-app.md)

- ```cmd

- If you use macOS or Linux, run the following command:

-2. Run the following command to build the console app:

-3. After the build successfully completes, run the following command to run the app locally:

-As described in the [Azure TLS 1.2 migration announcement](https://azure.microsoft.com/updates/azuretls12/), Live Metrics now only supports TLS 1.2 by default. If you are using an older version of TLS , Live Metrics will not display any data. For applications based on .NET Framework 4.5.1 refer to [How to enable Transport Layer Security (TLS) 1.2 on clients - Configuration Manager](/mem/configmgr/core/plan-design/security/enable-tls-1-2-client#bkmk_net) to support newer TLS version.

-hdbsql -U AZACSNAP "select GRANTEE,GRANTEE_TYPE,PRIVILEGE,IS_VALID,IS_GRANTABLE from sys.granted_privileges "' | grep -i -e GRANTEE -e azacsnap

-Once a Managed Application is granted an identity, it can be granted access to existing Azure resources. This process can be done through the Access control (IAM) interface in the Azure portal. The name of the Managed Application or **user-assigned identity** can be searched to add a role assignment.

-

-``` HTTP

-``` HTTP

-This sample shows how to assign a `SignalR App Server` role to a service principal (application) over a SignalR resource.

-1. On the [Azure portal](https://portal.azure.com/), navigate to your SignalR resource.

-1. Click **Access Control (IAM)** to display access control settings for the Azure SignalR.

-1. Click the **Role assignments** tab to view the role assignments at this scope.

- The following screenshot shows an example of the Access control (IAM) page for a SignalR resource.

- 

-1. Click **Add > Add role assignment**.

-1. On the **Roles** tab, select `SignalR App Server`.

-1. Click **Next**.

-

- 

-1. On the **Members** tab, under **Assign access to** section, select **User, group, or service principal**.

-1. Click **Select Members**

-3. Search for and select the application that you would like to assign the role to.

-1. Click **Select** to confirm the selection.

-4. Click **Next**.

-

- 

-5. Click **Review + assign** to confirm the change.

-## Configure you app

-This sample shows how to assign a `SignalR App Server` role to a system-assigned identity over a SignalR resource.

-1. Open [Azure portal](https://portal.azure.com/), navigate to your SignalR resource.

-1. Click **Access Control (IAM)** to display access control settings for the Azure SignalR.

- The following shows an example of the Access control (IAM) page for a resource group.

-1. Click the **Role assignments** tab to view the role assignments at this scope.

- The following screenshot shows an example of the Access control (IAM) page for a SignalR resource.

- 

-1. Click **Add > Add role assignment**.

-1. On the **Roles** tab, select `SignalR App Server`.

-1. Click **Next**.

- 

-1. On the **Members** tab, under **Assign access to** section, select **Managed identity**.

-1. Click **Select Members**.

-1. In the **Select managed identities** pane, select **System-assigned managed identity > Virtual machine**

-1. Search for and select the virtual machine that you would like to assign the role to.

-1. Click **Select** to confirm the selection.

-2. Click **Next**.

- 

-3. Click **Review + assign** to confirm the change.

-|`widgets` | Strings separated by comma | Allows you to control the insights that you want to render.<br/>Example: `https://www.videoindexer.ai/embed/insights/<accountId>/<videoId>/?widgets=people,keywords` renders only people and keywords UI insights.<br/>Available options: people, animatedCharacters, keywords, labels, sentiments, emotions, topics, keyframes, transcript, ocr, speakers, scenes, and namedEntities.|

-|`search`|A free text for search |Allows you to control the initial search term. Example - `https://www.videoindexer.ai/embed/insights/<accountId>/<videoId>/?search=vi` renders the insights filtered by the word "vi".|

-|`captions` | A language code | Fetches the caption in the specified language during the widget loading to be available on the **Captions** menu.<br/> Example: `captions=en-US`. |

-**How do you onboard a customer?**

-Fill in the [Customer Enrollment form](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR0SUP-7nYapHr1Tk0MFNflVUNEJQNzFONVhVOUlVTVk3V1hNTjJPVDM5WS4u) and we'll be in touch.

-description: This article contains news about QnA Maker feature changes.

-# QnA Maker managed is now renamed to custom question answering

-[QnA Maker managed (preview)](https://techcommunity.microsoft.com/t5/azure-ai/introducing-qna-maker-managed-now-in-public-preview/ba-p/1845575) was launched in November 2020 as a free public preview offering. It introduced several new features including enhanced relevance using a deep learning ranker, precise answers, and end-to-end region support.

-As part of our effort to consolidate the language offerings from Cognitive Services, QnA Maker managed is now a feature within Text Analytics, and it has been renamed to custom question answering.

-## Creating a new custom question answering service

-[Create a Text Analytics resource](https://portal.azure.com/?quickstart=true#create/Microsoft.CognitiveServicesTextAnalytics) to use question answering and other features such as entity recognition, sentiment analysis, etc.

-Now when you create a new Text Analytics resource, you can select features that you want included. Select **custom question answering (preview)** and continue to create your resource.

-> [!div class="mx-imgBorder"]

-> [  ]( ./media/select-feature.png#lightbox)

-You can no longer create a QnA Maker managed resource from the QnA Maker create flow, instead you will be redirected to the Text Analytics service. There is no change to the QnA Maker stable release.

-> [!div class="mx-imgBorder"]

-> [  ]( ./media/create-resource.png#lightbox)

-## Details

- - South Central US

- - North Europe

- - Australia East.

-## Next steps

-* [Get started with QnA Maker client library](./quickstarts/quickstart-sdk.md)

-* [Get started with QnA Maker portal](./quickstarts/create-publish-knowledge-base.md)

-You can use the Speech SDK or Speech Command Line Interface (CLI). The Batch transcription API does not support phrase lists.

-You can use Speech Studio to test how phrase list would help improve recognition for your audio. To implement a phrase list with your application in production, you'll use the Speech SDK or Speech CLI.

-> You may be prompted to select your Azure subscription and Speech resource, and then acknowledge billing for your region. If you are new to Azure or Speech, see [Try the Speech service for free](overview.md#try-the-speech-service-for-free).

-This [SDK Migration Guide](https://github.com/Azure/azure-sdk-for-net/blob/Azure.AI.Language.QuestionAnswering_1.1.0-beta.1/sdk/cognitivelanguage/Azure.AI.Language.QuestionAnswering/MigrationGuide.md) is intended to assist in the migration to the new Question Answering client library, Azure.AI.Language.QuestionAnswering, from the old one, Microsoft.Azure.CognitiveServices.Knowledge.QnAMaker. It will focus on side-by-side comparisons for similar operations between the two packages.

-| | Add metadata to chat messages | ✔️ | ✔️ | ✔️ | ✔️ | ❌ | ✔️ |

-| | Add display name to typing indicator notification | ✔️ | ✔️ | ✔️ | ✔️ | ❌ | ✔️ |

-> Note that while Communication Services is available in multiple geographies, in order to get a phone number the resource must have a data location set to 'US'.

-> Also note it is not possible to create a resource group at the same time as a resource for Azure Communication Services. When creating a resource, a resource group that has been created already must be used.

-If you want to clean up and remove a Communication Services subscription, you can delete the resource or resource group. Deleting the resource group also deletes any other resources associated with it.

-Azure Container Apps runs replicas of your application based on the [scaling rules and replica count limits](scale-app.md) you configure. You're charged for the amount of resources allocated to each replica while it's running.

-There are two meters for resource consumption:

-The rate you pay for resource consumption depends on the state of your container app and replicas. By default, replicas are charged at an *active* rate. However, in certain conditions, a replica can enter an *idle* state. While in an *idle* state, resources are billed at a reduced rate.

-When your container app is scaled down to zero replicas, no resource consumption charges are incurred.

-Idle usage charges are applied when your replicas are running under a specific set of circumstances. The criteria for idle charges include:

-When your container app<sup>1</sup> is scaled above the [minimum replica count](scale-app.md), all running replicas are charged for resource consumption at the active rate.

-<sup>1</sup> For container apps in multiple revision mode, charges are based on the current replica count in a revision relative to its configured minimum replica count.

-1. Create a pull request to merge the changes to the collaboration branch

-| **[Neutrona Networks](https://www.neutrona.com/index.php/azure-expressroute/)** |Supported |Supported |Dallas, Los Angeles, Miami, Sao Paulo, Washington DC |

-|DNATRc1 |DNAT rule collection | 600 | 7 |Parent policy|

-## 3-way handshake behavior

-As a stateful service, Azure Firewall completes a TCP 3-way handshake for allowed traffic, from a source to the destination. For example, VNet-A to VNet-B.

-Creating an allow rule from VNet-A to VNet-B does not mean that new initiated connections from VNet-B to VNet-A are allowed.

-As a result, there is no need to create an explicit deny rule from VNet-B to VNet-A. If you create this deny rule, you'll interrupt the 3-way handshake from the initial allow rule from VNet-A to VNet-B.

-|[Diagnostic logs in App Services should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb607c5de-e7d9-4eee-9e5c-83f1bcee4fa0) |Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditLoggingMonitoring_Audit.json) |

-|[Diagnostic logs in App Services should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb607c5de-e7d9-4eee-9e5c-83f1bcee4fa0) |Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditLoggingMonitoring_Audit.json) |

-|[Diagnostic logs in App Services should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb607c5de-e7d9-4eee-9e5c-83f1bcee4fa0) |Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditLoggingMonitoring_Audit.json) |

-|[Diagnostic logs in App Services should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb607c5de-e7d9-4eee-9e5c-83f1bcee4fa0) |Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditLoggingMonitoring_Audit.json) |

-|Returned `BadRequestException` with valid message when input JSON body is invalid |For invalid JSON body requests, the FHIR server was returning a 500 error. Now we will return a `BadRequestException` with a valid message instead of 500. [#2239](https://github.com/microsoft/fhir-server/pull/2239) |

-|`_sort` can cause `ChainedSearch` to return incorrect results |Previously, the sort options from the chained search's `SearchOption` object was not cleared, causing the sorting options to be passed through to the chained sub-search, which are not valid. This could result in no results when there should be results. This bug is now fixed [#2347](https://github.com/microsoft/fhir-server/pull/2347). It addressed GitHub bug [#2344](https://github.com/microsoft/fhir-server/issues/2344). |

-|Log 500's to `RequestMetric` |Previously, 500s or any unknown/unhandled errors were not getting logged in `RequestMetric`. They're now getting logged [#2240](https://github.com/microsoft/fhir-server/pull/2240). For more information, see [Enable diagnostic settings in Azure API for FHIR](../../healthcare-apis/azure-api-for-fhir/enable-diagnostic-logging.md) |

-|New audit event sub-types |Related information |

-|Added new audit event [OperationName sub-types](./././azure-api-for-fhir/enable-diagnostic-logging.md#audit-log-details)| [#2170](https://github.com/microsoft/fhir-server/pull/2170) |

- :::image type="content" source="media/how-to-connect-iot-edge-transparent-gateway/iot-edge-runtime.png" alt-text="Screenshot showing the $edgeAgent and $edgeHub modules running on the IoT Edge gateway.":::

- :::image type="content" source="media/how-to-connect-iot-edge-transparent-gateway/downstream-device-telemetry.png" alt-text="Screenshot showing telemetry from the downstream device.":::

-| user1@contoso.com | Org Administrator | Contoso Inc/Lamna Health |

-| user1@contoso.com | Org Viewer | Contoso Inc/Adatum Solar |

-To create a custom theme, navigate to the **Appearance** page in the **Customization** section under **Settings**:

-> You can always revert back to the default options on the **Customize your application** page.

-If an administrator creates a custom theme, then operators and other users of your application can no longer choose a theme in **Settings**.

-To modify the help links, navigate to the **Help links** page in the **Customization** section under **Settings**:

-> You can always revert back to the default help links on the **Customize help** page.

-To change text labels in the application, navigate to the **Text** page in the **Customization** section under **Settings**.

-You can reupload the customization file with further changes by selecting the relevant language from the list on the **Text** page in the **Customization** section.

-* Plot the telemetry location history om a map.

-* [Create and connect a client application to your Azure IoT Central application](tutorial-connect-device.md)

-Connectivity issues for IoT devices can be difficult to troubleshoot because there are many possible points of failures such as attestation failures, registration failures etc. This article provides guidance on how to detect and troubleshoot device connectivity issues via [Azure Monitor](../azure-monitor/overview.md).

-The following procedure describes how to view and set up alert on IoT Hub Device Provisioning Service metric.

-4. Select the desired metric.

- <br />Currently there are three metrics for DPS:

- | Metric Name | Description |

- |-||

- | Attestation attempts | Number of devices that attempted to authenticate with Device Provisioning Service|

- | Registration attempts | Number of devices that attempted to register to IoT Hub after successful authentication|

- | Device assigned | Number of devices that successfully assigned to IoT Hub|

-To learn more, see [alerts in Azure Monitor](../azure-monitor/alerts/alerts-overview.md).

-## Using Log Analytic to view and resolve errors

-5. Configure the desired logs to be collected.

- | Log Name | Description |

- |-||

- | DeviceOperations | Logs related to device connection events |

- | ServiceOperations | Event logs related to using service SDK (e.g. Creating or updating enrollment groups)|

->[!Note]

->If IP filtering is enabled, you'll no longer be able use the Azure portal to perform service operations (i.e. managing enrollments). To perform service operations using the portal, you'll have to temporarily deactivate IP filtering, complete your work, and then re-enable the IP filtering feature. If you want to use your own clients and avoid the deactivation of the IP filter, you can choose to add your machine's IP address to the `ipFilterRules` and manage the enrollments in the DPS through CLI.

-## Access the DPS after disabling the public network access

-After public network access is disabled, the DPS instance is accessible only through [its VNet private endpoint using Azure private link](virtual-network-support.md). This restriction includes accessing through the Azure portal.

-* Install [.NET Core 3.1 SDK](https://dotnet.microsoft.com/download) or later on your Windows-based machine. You can use the following command to check your version.

-* Install [.NET Core 3.1 SDK](https://dotnet.microsoft.com/download) or later on your Windows-based machine. You can use the following command to check your version.

-* Install [.NET Core 3.1 SDK](https://dotnet.microsoft.com/download) or later on your Windows-based machine. You can use the following command to check your version.

- Last updated 10/06/2021

-* The lowest latency allocation policy is used to assign a device to the IoT hub with the lowest latency. This allocation policy is not reliable in a virtual network environment.

-| "UpdateNameCompatibility" | Cannot import additional update name with the specified compatibility. | Same as for UpdateProviderCompatibility.ContentLimitNamespaceCompatibility. |

-| "UpdateVersionCompatibility" | Cannot import additional update version with the specified compatibility. | Same as for UpdateProviderCompatibility.ContentLimitNamespaceCompatibility. |

-**Operations monitoring**: Turn the different monitoring categories on or off, such as logging for events related to device-to-cloud messages or cloud-to-device messages.

-

- * *Receive operations monitoring events*. This endpoint allows you to receive operations monitoring events if your IoT hub has been configured to emit them. For more information, see [IoT Hub operations monitoring](iot-hub-operations-monitoring.md).

-| Operations monitoring messages |All unread messages are lost |

-description: How to update Azure IoT Hub to use Azure Monitor instead of operations monitoring to monitor the status of operations on your IoT hub in real time.

-# Migrate your IoT Hub from operations monitoring to Azure Monitor resource logs

-Customers using [operations monitoring](iot-hub-operations-monitoring.md) to track the status of operations in IoT Hub can migrate that workflow to [Azure Monitor resource logs](../azure-monitor/essentials/platform-logs-overview.md), a feature of Azure Monitor. Resource logs supply resource-level diagnostic information for many Azure services.

->[!IMPORTANT]

->**IoT Hub operations monitoring is retired and was removed from IoT Hub on March 10, 2019.** Accordingly, this article is no longer being updated. IoT Hub operations monitoring was replaced by Azure Monitor. To learn about monitoring the operations and health of IoT Hub with Azure Monitor, see [Monitor IoT Hub](monitor-iot-hub.md).

-This article provides steps to move your workloads from operations monitoring to Azure Monitor resource logs.

-## Update IoT Hub

-To update your IoT Hub in the Azure portal, first create a diagnostic setting, then turn off operations monitoring.

-### Create a diagnostic setting

-1. Sign in to the [Azure portal](https://portal.azure.com) and navigate to your IoT hub.

-1. On the left pane, under **Monitoring**, select **Diagnostics settings**. Then select **Add diagnostic setting**.

- :::image type="content" source="media/iot-hub-migrate-to-diagnostics-settings/open-diagnostic-settings.png" alt-text="Screenshot that highlights Diagnostic settings in the Monitoring section.":::

-1. On the **Diagnostic setting** pane, give the diagnostic setting a name.

-1. Under **Category details**, select the categories for the operations you want to monitor. For more information about the categories of operations available with IoT Hub, see [Resource logs](monitor-iot-hub-reference.md#resource-logs).

-1. Under **Destination details**, choose where you want to send the logs. You can select any combination of these destinations:

- * Archive to a storage account

- * Stream to an event hub

- * Send to Azure Monitor Logs via a Log Analytics workspace

- The following screenshot shows a diagnostic setting that routes operations in the Connections and Device telemetry categories to a Log Analytics workspace:

- :::image type="content" source="media/iot-hub-migrate-to-diagnostics-settings/add-diagnostic-setting.png" alt-text="Screenshot showing a completed diagnostic setting.":::

-1. Select **Save** to save the settings.

-New settings take effect in about 10 minutes. After that, logs appear in the configured destination. For more information about configuring diagnostics, see [Collect and consume log data from your Azure resources](../azure-monitor/essentials/platform-logs-overview.md).

-For more detailed information about how to create diagnostic settings, including with PowerShell and the Azure CLI, see [Diagnostic settings](../azure-monitor/essentials/diagnostic-settings.md) in the Azure Monitor documentation.

-### Turn off operations monitoring

-> [!NOTE]

-> As of March 11, 2019, the operations monitoring feature is removed from IoT Hub's Azure portal interface. The steps below no longer apply. To migrate, make sure that the correct categories are routed to a destination with an Azure Monitor diagnostic setting above.

-Once you test the new diagnostics settings in your workflow, you can turn off the operations monitoring feature.

-1. In your IoT Hub menu, select **Operations monitoring**.

-2. Under each monitoring category, select **None**.

-3. Save the operations monitoring changes.

-## Update applications that use operations monitoring

-The schemas for operations monitoring and resource logs vary slightly. It's important that you update the applications that use operations monitoring today to map to the schema used by resource logs.

-Also, IoT Hub resource logs offers five new categories for tracking. After you update applications for the existing schema, add the new categories as well:

-* Cloud-to-device twin operations

-* Device-to-cloud twin operations

-* Twin queries

-* Jobs operations

-* Direct Methods

-For the specific schema structures, see [Resource logs](monitor-iot-hub-reference.md#resource-logs).

-## Monitoring device connect and disconnect events with low latency

-To monitor device connect and disconnect events in production, we recommend subscribing to the [**device disconnected** event](iot-hub-event-grid.md#event-types) on Event Grid to get alerts and monitor the device connection state. Use this [tutorial](iot-hub-how-to-order-connection-state-events.md) to learn how to integrate Device Connected and Device Disconnected events from IoT Hub in your IoT solution.

-## Next steps

-[Monitor IoT Hub](monitor-iot-hub.md)

-

-For MQTT connect and disconnect packets, IoT Hub issues an event on the **Operations Monitoring** channel. This event has additional information that can help you to troubleshoot connectivity issues.

-description: How to use Azure IoT Hub operations monitoring to monitor the status of operations on your IoT hub in real time.

-# IoT Hub operations monitoring (retired)

-IoT Hub operations monitoring enables you to monitor the status of operations on your IoT hub in real time. IoT Hub tracks events across several categories of operations. You can opt into sending events from one or more categories to an endpoint of your IoT hub for processing. You can monitor the data for errors or set up more complex processing based on data patterns.

->[!IMPORTANT]

->**IoT Hub operations monitoring is retired and was removed from IoT Hub on March 10, 2019.** Accordingly, this article is no longer being updated. IoT Hub operations monitoring was replaced by Azure Monitor. To learn about monitoring the operations and health of IoT Hub with Azure Monitor, see [Monitor IoT Hub](monitor-iot-hub.md).

-IoT Hub monitors six categories of events:

-* Device identity operations

-* Device telemetry

-* Cloud-to-device messages

-* Connections

-* File uploads

-* Message routing

-> [!IMPORTANT]

-> IoT Hub operations monitoring does not guarantee reliable or ordered delivery of events. Depending on IoT Hub underlying infrastructure, some events might be lost or delivered out of order. Use operations monitoring to generate alerts based on error signals such as failed connection attempts, or high-frequency disconnections for specific devices. You should not rely on operations monitoring events to create a consistent store for device state, e.g. a store tracking connected or disconnected state of a device.

-## How to enable operations monitoring

-1. Create an IoT hub. You can find instructions on how to create an IoT hub in the [Get Started](../iot-develop/quickstart-send-telemetry-iot-hub.md?pivots=programming-language-csharp) guide.

-2. Open the blade of your IoT hub. From there, click **Operations monitoring**.

- 

-3. Select the monitoring categories you wish to monitor, and then click **Save**. The events are available for reading from the Event Hub-compatible endpoint listed in **Monitoring settings**. The IoT Hub endpoint is called `messages/operationsmonitoringevents`.

- 

-> [!NOTE]

-> Selecting **Verbose** monitoring for the **Connections** category causes IoT Hub to generate additional diagnostics messages. For all other categories, the **Verbose** setting changes the quantity of information IoT Hub includes in each error message.

-## Event categories and how to use them

-Each operations monitoring category tracks a different type of interaction with IoT Hub, and each monitoring category has a schema that defines how events in that category are structured.

-### Device identity operations

-The device identity operations category tracks errors that occur when you attempt to create, update, or delete an entry in your IoT hub's identity registry. Tracking this category is useful for provisioning scenarios.

-```json

-{

- "time": "UTC timestamp",

- "operationName": "create",

- "category": "DeviceIdentityOperations",

- "level": "Error",

- "statusCode": 4XX,

- "statusDescription": "MessageDescription",

- "deviceId": "device-ID",

- "durationMs": 1234,

- "userAgent": "userAgent",

- "sharedAccessPolicy": "accessPolicy"

-}

-```

-### Device telemetry

-The device telemetry category tracks errors that occur at the IoT hub and are related to the telemetry pipeline. This category includes errors that occur when sending telemetry events (such as throttling) and receiving telemetry events (such as unauthorized reader). This category cannot catch errors caused by code running on the device itself.

-```json

-{

- "messageSizeInBytes": 1234,

- "batching": 0,

- "protocol": "Amqp",

- "authType": "{\"scope\":\"device\",\"type\":\"sas\",\"issuer\":\"iothub\"}",

- "time": "UTC timestamp",

- "operationName": "ingress",

- "category": "DeviceTelemetry",

- "level": "Error",

- "statusCode": 4XX,

- "statusType": 4XX001,

- "statusDescription": "MessageDescription",

- "deviceId": "device-ID",

- "EventProcessedUtcTime": "UTC timestamp",

- "PartitionId": 1,

- "EventEnqueuedUtcTime": "UTC timestamp"

-}

-```

-### Cloud-to-device commands

-The cloud-to-device commands category tracks errors that occur at the IoT hub and are related to the cloud-to-device message pipeline. This category includes errors that occur when sending cloud-to-device messages (such as unauthorized sender), receiving cloud-to-device messages (such as delivery count exceeded), and receiving cloud-to-device message feedback (such as feedback expired). This category does not catch errors from a device that improperly handles a cloud-to-device message if the cloud-to-device message was delivered successfully.

-```json

-{

- "messageSizeInBytes": 1234,

- "authType": "{\"scope\":\"hub\",\"type\":\"sas\",\"issuer\":\"iothub\"}",

- "deliveryAcknowledgement": 0,

- "protocol": "Amqp",

- "time": " UTC timestamp",

- "operationName": "ingress",

- "category": "C2DCommands",

- "level": "Error",

- "statusCode": 4XX,

- "statusType": 4XX001,

- "statusDescription": "MessageDescription",

- "deviceId": "device-ID",

- "EventProcessedUtcTime": "UTC timestamp",

- "PartitionId": 1,

- "EventEnqueuedUtcTime": "UTC timestamp"

-}

-```

-### Connections

-The connections category tracks errors that occur when devices connect or disconnect from an IoT hub. Tracking this category is useful for identifying unauthorized connection attempts and for tracking when a connection is lost for devices in areas of poor connectivity.

-```json

-{

- "durationMs": 1234,

- "authType": "{\"scope\":\"hub\",\"type\":\"sas\",\"issuer\":\"iothub\"}",

- "protocol": "Amqp",

- "time": " UTC timestamp",

- "operationName": "deviceConnect",

- "category": "Connections",

- "level": "Error",

- "statusCode": 4XX,

- "statusType": 4XX001,

- "statusDescription": "MessageDescription",

- "deviceId": "device-ID"

-}

-```

-### File uploads

-The file upload category tracks errors that occur at the IoT hub and are related to file upload functionality. This category includes:

-* Errors that occur with the SAS URI, such as when it expires before a device notifies the hub of a completed upload.

-* Failed uploads reported by the device.

-* Errors that occur when a file is not found in storage during IoT Hub notification message creation.

-This category cannot catch errors that directly occur while the device is uploading a file to storage.

-```json

-{

- "authType": "{\"scope\":\"hub\",\"type\":\"sas\",\"issuer\":\"iothub\"}",

- "protocol": "HTTP",

- "time": " UTC timestamp",

- "operationName": "ingress",

- "category": "fileUpload",

- "level": "Error",

- "statusCode": 4XX,

- "statusType": 4XX001,

- "statusDescription": "MessageDescription",

- "deviceId": "device-ID",

- "blobUri": "http//bloburi.com",

- "durationMs": 1234

-}

-```

-### Message routing

-The message routing category tracks errors that occur during message route evaluation and endpoint health as perceived by IoT Hub. This category includes events such as when a rule evaluates to "undefined", when IoT Hub marks an endpoint as dead, and any other errors received from an endpoint. This category does not include specific errors about the messages themselves (such as device throttling errors), which are reported under the "device telemetry" category.

-```json

-{

- "messageSizeInBytes": 1234,

- "time": "UTC timestamp",

- "operationName": "ingress",

- "category": "routes",

- "level": "Error",

- "deviceId": "device-ID",

- "messageId": "ID of message",

- "routeName": "myroute",

- "endpointName": "myendpoint",

- "details": "ExternalEndpointDisabled"

-}

-```

-## Connect to the monitoring endpoint

-The monitoring endpoint on your IoT hub is an Event Hub-compatible endpoint. You can use any mechanism that works with Event Hubs to read monitoring messages from this endpoint. The following sample creates a basic reader that is not suitable for a high throughput deployment. For more information about how to process messages from Event Hubs, see the [Get Started with Event Hubs](../event-hubs/event-hubs-dotnet-standard-getstarted-send.md) tutorial.

-To connect to the monitoring endpoint, you need a connection string and the endpoint name. The following steps show you how to find the necessary values in the portal:

-1. In the portal, navigate to your IoT Hub resource blade.

-2. Choose **Operations monitoring**, and make a note of the **Event Hub-compatible name** and **Event Hub-compatible endpoint** values:

- 

-3. Choose **Shared access policies**, then choose **service**. Make a note of the **Primary key** value:

- 

-The following C# code sample is taken from a Visual Studio **Windows Classic Desktop** C# console app. The project has the **WindowsAzure.ServiceBus** NuGet package installed.

-* Replace the connection string placeholder with a connection string that uses the **Event Hub-compatible endpoint** and service **Primary key** values you noted previously as shown in the following example:

- ```csharp

- "Endpoint={your Event Hub-compatible endpoint};SharedAccessKeyName=service;SharedAccessKey={your service primary key value}"

- ```

-* Replace the monitoring endpoint name placeholder with the **Event Hub-compatible name** value you noted previously.

-```csharp

-class Program

-{

- static string connectionString = "{your monitoring endpoint connection string}";

- static string monitoringEndpointName = "{your monitoring endpoint name}";

- static EventHubClient eventHubClient;

- static void Main(string[] args)

- {

- Console.WriteLine("Monitoring. Press Enter key to exit.\n");

- eventHubClient = EventHubClient.CreateFromConnectionString(connectionString, monitoringEndpointName);

- var d2cPartitions = eventHubClient.GetRuntimeInformation().PartitionIds;

- CancellationTokenSource cts = new CancellationTokenSource();

- var tasks = new List<Task>();

- foreach (string partition in d2cPartitions)

- {

- tasks.Add(ReceiveMessagesFromDeviceAsync(partition, cts.Token));

- }

- Console.ReadLine();

- Console.WriteLine("Exiting...");

- cts.Cancel();

- Task.WaitAll(tasks.ToArray());

- }

- private static async Task ReceiveMessagesFromDeviceAsync(string partition, CancellationToken ct)

- {

- var eventHubReceiver = eventHubClient.GetDefaultConsumerGroup().CreateReceiver(partition, DateTime.UtcNow);

- while (true)

- {

- if (ct.IsCancellationRequested)

- {

- await eventHubReceiver.CloseAsync();

- break;

- }

- EventData eventData = await eventHubReceiver.ReceiveAsync(new TimeSpan(0,0,10));

- if (eventData != null)

- {

- string data = Encoding.UTF8.GetString(eventData.GetBytes());

- Console.WriteLine("Message received. Partition: {0} Data: '{1}'", partition, data);

- }

- }

- }

-}

-```

-## Next steps

-To further explore using Azure Monitor to monitor IoT Hub, see:

-* [Monitor IoT Hub](monitor-iot-hub.md)

-* [Migrate from IoT Hub operations monitoring to Azure Monitor](iot-hub-migrate-to-diagnostics-settings.md)

-Lastly, consider using the [Purge Queue API](/azure/iot-hub/iot-c-sdk-ref/iothub-registrymanager-h/iothubregistrymanager-deletedevice) to periodically clean up pending messages before the limit is reached.

-Azure Standard Load Balancer helps you load-balance **all** protocol flows on **all** ports simultaneously when you're using an internal Load Balancer via HA Ports.

-High availability (HA) ports is a type of load balancing rule that provides an easy way to load-balance **all** flows that arrive on **all** ports of an internal Standard Load Balancer. The load-balancing decision is made per flow. This action is based on the following five-tuple connection: source IP address, source port, destination IP address, destination port, and protocol

-The HA ports load-balancing rules is configured when you set the front-end and back-end ports to **0** and the protocol to **All**. The internal load balancer resource then balances all TCP and UDP flows, regardless of port number

-### <a name="nva"></a>Network virtual appliances

-You can use NVAs to help secure your Azure workload from multiple types of security threats. When you use NVAs in these scenarios, they must be reliable and highly available, and they must scale out for demand.

-You can achieve these goals simply by adding NVA instances to the back-end pool of your internal load balancer and configuring an HA ports load-balancer rule.

-<a name="diagram"></a>

-

-### Load-balancing large numbers of ports

-You can also use HA ports for applications that require load balancing of large numbers of ports. You can simplify these scenarios by using an internal [Standard Load Balancer](./load-balancer-overview.md) with HA ports. A single load-balancing rule replaces multiple individual load-balancing rules, one for each port.

-### A single, non-floating IP (non-Direct Server Return) HA-ports configuration on an internal Standard Load Balancer

-This configuration is a basic HA ports configuration. You can configure an HA ports load-balancing rule on a single front-end IP address by doing the following:

-1. While configuring Standard Load Balancer, select the **HA ports** check box in the Load Balancer rule configuration.

-This configuration does not allow any other load-balancing rule configuration on the current load balancer resource. It also allows no other internal load balancer resource configuration for the given set of back-end instances.

-### A single, floating IP (Direct Server Return) HA-ports configuration on an internal Standard Load Balancer

-By using this configuration, you can add more floating IP load-balancing rules and/or a public load balancer. However, you cannot use a non-floating IP, HA-ports load-balancing configuration on top of this configuration.

-### Multiple HA-ports configurations on an internal Standard Load Balancer

-If your scenario requires that you configure more than one HA port front end for the same back-end pool, you can do the following:

-### An internal load balancer with HA ports and a public load balancer on the same back-end instance

-You can configure *one* public Standard Load Balancer resource for the backend resources, along with a single internal Standard Load Balancer with HA ports.

-* [Unable to download resources](#unable-to-download-resources)

-#### Unable to download resources

-During this process, you can run into a few different issues depending on which stage the operation failed at:

-* [Unable to download user container image](#unable-to-download-user-container-image)

-* [Unable to download user model or code artifacts](#unable-to-download-user-model-or-code-artifacts)

-To get more details about these errors, run:

-```azurecli

-az ml online-deployment get-logs -n <endpoint-name> --deployment <deployment-name> --l 100

-```

-It is possible that the user container could not be found.

-It is possible that the user model or code artifacts can't be found.

-### Markets

-### Pricing

-Some things to consider when selecting a pricing option:

-> [!IMPORTANT]

-> Occasionally, Microsoft expands the list of supported core sizes available. When this occurs, we will notify you and request that you take action on your offer within a specified timeframe. If you do not review your offer within the timeframe specified, weΓÇÖll publish the new core sizes at the price that we have calculated for you. For details about updating core sizes, see [Update core size for an Azure virtual machine offer](azure-vm-plan-manage.md).

-### Free Trial

-### Plan visibility

-### Hide plan

-VM offers require at least one plan. A plan defines the solution scope and limits, and the associated pricing. You can create multiple plans for your offer to give your customers different technical and licensing options, as well as trial opportunities. For VM offers with more than one plan, you can change the order that your plans are shown to customers. The first plan listed will become the default plan that customers will see. For info about how to reorder plans, see [Reorder plans](azure-vm-plan-reorder-plans.md). For general guidance about plans, including pricing models, free trials, and private plans, see [Plans and pricing for commercial marketplace offers](plans-pricing.md).

-# Configure built-in container registry for Azure Red Hat OpenShift 4

-Azure Red Hat OpenShift provides an integrated container image registry called [OpenShift Container Registry (OCR)](https://docs.openshift.com/container-platform/4.5/registry/architecture-component-imageregistry.html) that adds the ability to automatically provision new image repositories on demand. This provides users with a built-in location for their application builds to push the resulting images.

-> * Set up Azure AD

-> * Set up OpenID Connect

-> * Access the built-in container image registry

-This article assumed you have an existing ARO cluster. If you need an ARO cluster, see the ARO tutorial, [Create an Azure Red Hat OpenShift 4 cluster](./tutorial-create-cluster.md). Make sure to create the cluster with the `--pull-secret` argument to `az aro create`. This is necessary to configure Azure Active Directory authentication and the built-in container registry.

-Once you have your cluster, connect to the cluster by following the steps in [Connect to an Azure Red Hat OpenShift 4 cluster](./tutorial-connect-cluster.md).

- * Be sure to follow the steps in "Install the OpenShift CLI" because we'll use the `oc` command later in this article.

- * Make note of the cluster console URL, which looks like `https://console-openshift-console.apps.<random>.<region>.aroapp.io/`. The values for `<random>` and `<region>` will be used later in this article.

- * Note the `kubeadmin` credentials. They will also be used later in this article.

-### Configure Azure Active Directory authentication

-Azure Active Directory (Azure AD) implements OpenID Connect (OIDC). OIDC lets you use Azure AD to sign in to the ARO cluster. Follow the steps in [Configure Azure Active Directory authentication](configure-azure-ad-cli.md) to set up your cluster.

-## Access the built-in container image registry

-Now that you've set up the authentication methods to the ARO cluster, let's enable access to the built-in registry.

-#### Define the Azure AD user to be an administrator

-1. Sign in to the OpenShift web console from your browser using the credentials of an Azure AD user. We'll leverage the OpenShift OpenID authentication against Azure Active Directory to use OpenID to define the administrator.

- 1. Use an InPrivate, Incognito or other equivalent browser window feature to sign in to the console. The window will look different after having enabled OIDC.

-

- :::image type="content" source="media/built-in-container-registry/oidc-enabled-login-window.png" alt-text="OpenID Connect enabled sign in window.":::

- 1. Select **AAD**

- > [!NOTE]

- > Take note of the username and password you use to sign in here. This username and password will function as an administrator for other actions in this and other articles.

-2. Sign in with the OpenShift CLI by using the following steps. For discussion, this process is known as `oc login`.

- 1. At the right-top of the web console, expand the context menu of the signed-in user, then select **Copy Login Command**.

- 2. Sign in to a new tab window with the same user if necessary.

- 3. Select **Display Token**.

- 4. Copy the value listed below **Login with this token** to the clipboard and run it in a shell, as shown here.

- ```bash

- oc login --token=XOdASlzeT7BHT0JZW6Fd4dl5EwHpeBlN27TAdWHseob --server=https://api.aqlm62xm.rnfghf.aroapp.io:6443

- Logged into "https://api.aqlm62xm.rnfghf.aroapp.io:6443" as "kube:admin" using the token provided.

- You have access to 57 projects, the list has been suppressed. You can list all projects with 'oc projects'

- Using project "default".

- ```

-3. Run `oc whoami` in the console and note the output as **\<aad-user>**. We'll use this value later in the article.

-4. Sign out of the OpenShift web console. Select the button in the top right of the browser window labeled as the **\<aad-user>** and choose **Log Out**.

-#### Grant the Azure AD user the necessary roles for registry interaction

-1. Sign in to the OpenShift web console from your browser using the `kubeadmin` credentials.

-1. Sign in to the OpenShift CLI with the token for `kubeadmin` by following the steps for `oc login` above, but do them after signing in to the web console with `kubeadmin`.

-1. Execute the following commands to enable the access to the built-in registry for the **aad-user**.

- # Switch to project "openshift-image-registry"

- oc project openshift-image-registry

-

- # Output should look similar to the following.

- # Now using project "openshift-image-registry" on server "https://api.x8xl3f4y.eastus.aroapp.io:6443".

- ```bash

- # Expose the registry using "DefaultRoute"

- oc patch configs.imageregistry.operator.openshift.io/cluster --patch '{"spec":{"defaultRoute":true}}' --type=merge

- # Output should look similar to the following.

- # config.imageregistry.operator.openshift.io/cluster patched

- ```

- # Add roles to "aad-user" for pulling and pushing images

- # Note: replace "<aad-user>" with the one you wrote down before

- oc policy add-role-to-user registry-viewer <aad-user>

- # Output should look similar to the following.

- # clusterrole.rbac.authorization.k8s.io/registry-viewer added: "kaaIjx75vFWovvKF7c02M0ya5qzwcSJ074RZBfXUc34"

- ```

- ```bash

- oc policy add-role-to-user registry-editor <aad-user>

- # Output should look similar to the following.

- # clusterrole.rbac.authorization.k8s.io/registry-editor added: "kaaIjx75vFWovvKF7c02M0ya5qzwcSJ074RZBfXUc34"

-#### Obtain the container registry URL

-Use the `oc get route` command as shown next to get the container registry URL.

-```bash

-# Note: the value of "Container Registry URL" in the output is the fully qualified registry name.

-HOST=$(oc get route default-route --template='{{ .spec.host }}')

-echo "Container Registry URL: $HOST"

-```

- > [!NOTE]

- > Note the console output of **Container Registry URL**. It will be used as the fully qualified registry name for this guide and subsequent ones.

-* **API Visibility** - Set the API visibility when running the [az are create command](tutorial-create-cluster.md#create-the-cluster).

-For more information on outbound traffic and what Azure Red Hat OpenShift supports for egress, see the [support policies](support-policies-v4.md) documentation.

-> [Tutorial: Create a Web Application Firewall policy on Azure Front Door using the Azure portal](../web-application-firewall/afds/waf-front-door-create-portal.md)

-description: 'How to cancel a scheduled contact'

-description: This article describes how to delete auto-generated self-service policies

-In an Azure Purview catalog, you can now request access to datasets and self-service policies get auto-generated if the data source is enabled for **data use governance**.

-This guide describes how to delete self-service data access policies that have been auto-generated when data access request is approved.

-Self-service policies must exist for them to be deleted. Refer to the articles below to create

-self-service policies

-### Step 1: Open the Azure portal and launch the Azure purview studio

-The Azure Purview studio can be launched as shown below or by using using the url directly.

-### Step 2: Open the policy management tab

-Click the policy management tab to launch the self-service access policies.

-### Step 3: Open the self-service access policies tab

-### Step 4: Select the policies to be deleted

-The policies can be sorted by the different fields. once sorted, select the policies that need to be deleted.

-### Step 5: Delete the policy

-Click the delete button to delete policies that need to be removed.

-click **OK** on the confirmation dialog box to delete the policy. Refresh the screen to check whether the policies have been deleted.

-description: This article describes how to view auto-generated self-service policies

-In an Azure Purview catalog, you can now request access to datasets and self-service policies get auto-generated if the data source is enabled for **data use governance**.

-This guide describes how to view self-service data access policies that have been auto-generated when data access request is approved.

-Self-service policies must exist for them to be viewed. Refer to the articles below to create

-self-service policies

-Only users with **Policy Admin** privilege can delete self-service data access policies.

-## Steps to view self-service data access policies

-### Step 1: Open the Azure portal and launch the Azure purview studio

-The Azure Purview studio can be launched as shown below or by using using the url directly.

-### Step 2: Open the policy management tab

-Click the policy management tab to launch the self-service access policies.

-### Step 3: Open the self-service access policies tab

-### Step 4: View the self-service policies

-The policies can be sorted by the different fields.The policy can be filtered based on data source type and sorted by any of the columns on display

-You can use a system-assigned managed identity or a user-assigned managed identity (preview). Managed identities are Azure AD logins and require Azure role assignments to access data in Cosmos DB.

-You can use a system-assigned managed identity or a user-assigned managed identity (preview). Managed identities are Azure AD logins and require Azure role assignments to access data in Azure Storage.

-SAS guards access to Service Bus based on authorization rules. Those are configured either on a namespace, or a messaging entity (queue, or topic). An authorization rule has a name, is associated with specific rights, and carries a pair of cryptographic keys. You use the rule's name and key via the Service Bus SDK or in your own code to generate a SAS token. A client can then pass the token to Service Bus to prove authorization for the requested operation.

-A namespace or entity policy can hold up to 12 Shared Access Authorization rules, providing room for three sets of rules, each covering the basic rights and the combination of Send and Listen. This limit underlines that the SAS policy store is not intended to be a user or service account store. If your application needs to grant access to Service Bus based on user or service identities, it should implement a security token service that issues SAS tokens after an authentication and access check.

-An authorization rule is assigned a *Primary Key* and a *Secondary Key*. These are cryptographically strong keys. Don't lose them or leak them - they'll always be available in the [Azure portal][Azure portal]. You can use either of the generated keys, and you can regenerate them at any time. If you regenerate or change a key in the policy, all previously issued tokens based on that key become instantly invalid. However, ongoing connections created based on such tokens will continue to work until the token expires.

-When you create a Service Bus namespace, a policy rule named **RootManageSharedAccessKey** is automatically created for the namespace. This policy has Manage permissions for the entire namespace. It's recommended that you treat this rule like an administrative **root** account and don't use it in your application. You can create additional policy rules in the **Configure** tab for the namespace in the portal, via PowerShell or Azure CLI.

-It is recommended that you periodically regenerate the keys used in the Shared Access Authorization Policy. The primary and secondary key slots exist so that you can rotate keys gradually. If your application generally uses the primary key, you can copy the primary key into the secondary key slot, and only then regenerate the primary key. The new primary key value can then be configured into the client applications, which have continued access using the old primary key in the secondary slot. Once all clients are updated, you can regenerate the secondary key to finally retire the old primary key.

-Now that you know how to create Shared Access Signatures for any entities in Service Bus, you are ready to perform an HTTP POST:

-If you give a sender or client a SAS token, they don't have the key directly, and they cannot reverse the hash to obtain it. As such, you have control over what they can access, and for how long. An important thing to remember is that if you change the primary key in the policy, any Shared Access Signatures created from it are invalidated.

-Before starting to send data to Service Bus, the publisher must send the SAS token inside an AMQP message to a well-defined AMQP node named **$cbs** (you can see it as a "special" queue used by the service to acquire and validate all the SAS tokens). The publisher must specify the **ReplyTo** field inside the AMQP message; this is the node in which the service replies to the publisher with the result of the token validation (a simple request/reply pattern between publisher and service). This reply node is created "on the fly," speaking about "dynamic creation of remote node" as described by the AMQP 1.0 specification. After checking that the SAS token is valid, the publisher can go forward and start to send data to the service.

-The following steps show how to send the SAS token with AMQP protocol using the [AMQP.NET Lite](https://github.com/Azure/amqpnetlite) library. This is useful if you can't use the official Service Bus SDK (for example on WinRT, .NET Compact Framework, .NET Micro Framework and Mono) developing in C\#. Of course, this library is useful to help understand how claims-based security works at the AMQP level, as you saw how it works at the HTTP level (with an HTTP POST request and the SAS token sent inside the "Authorization" header). If you don't need such deep knowledge about AMQP, you can use the official Service Bus SDK in any of the supported languages like .NET, Java, JavaScript, Python and Go, which will do it for you.

-After sending the SAS token on the sender link, the publisher must read the reply on the receiver link. The reply is a simple AMQP message with an application property named **"status-code"** that can contain the same values as an HTTP status code.

-| DOWN | The app instance isn't registered to Eureka or is registered but not able to receive traffic. |

-For applications with multiple instances, Dynatrace has several ways to group them. `DT_CLUSTER_ID` is one of the ways. For more information, see [Customize the structure of process groups](https://www.dynatrace.com/support/help/how-to-use-dynatrace/process-groups/configuration/adapt-the-composition-of-default-process-groups/).

-* [Spring framework](https://cloud.spring.io/spring-cloud-azure/)

-This app will have access to get secrets from Azure Key Vault. Use the starter app: [Azure Key Vault Secrets Spring boot starter](https://github.com/Azure/azure-sdk-for-java/tree/master/sdk/spring/azure-spring-boot-starter-keyvault-secrets). Azure Key Vault is added as an instance of Spring **PropertySource**. Secrets stored in Azure Key Vault can be conveniently accessed and used like any externalized configuration property, such as properties in files.

-To configure a SAS expiration policy for a storage account, use the Azure portal, PowerShell, or Azure CLI.

-1. Locate the setting for **Allow recommended upper limit for shared access signature (SAS) expiry interval**, and set it to **Enabled**.

-For more information, see the [SLA for Storage Accounts](/support/legal/sla/storage/v1_5/).

-> [!IMPORTANT]

-> Authorization with Azure AD for tables is currently in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-2. Select **Access Control (IAM)** on the left-hand side.

-3. Under the "Add a role assignment" section click **Add**.

-4. In the role assignment pane:

- 1. Set the **Role** to "Storage Blob Data Contributor"

- 2. Ensure the **Assign access to** dropdown is set to "Azure AD user, group, or service principal".

- 3. Type the name of your Stream Analytics job in the search field.

- 4. Select your Stream Analytics job and click **Save**.

- 

-2. Select **Access Control (IAM)** on the left-hand side.

-3. Under the "Add a role assignment" section click **Add**.

-4. In the role assignment pane:

- 1. Set the **Role** to "Storage Blob Data Contributor"

- 2. Ensure the **Assign access to** dropdown is set to "Azure AD user, group, or service principal".

- 3. Type the name of your Stream Analytics job in the search field.

- 4. Select your Stream Analytics job and click **Save**.

- 

-You can copy or back up your deployed Azure Stream Analytics jobs using Visual Studio Code or Visual Studio. Copying a job to another region does not copy the last output time. Therefore, you cannot use [**When last stopped**](./start-job.md#start-options) option when starting the copied job.

-1. Go to **Access Control (IAM)** in your Event Hub.

-1. Select **+ Add** and **Add role assignment**.

-1. On the **Add role assignment** page, enter the following options:

- |Parameter|Value|

- ||--|

- |Role|Azure Event Hubs Data Owner|

- |Assign access to|User, group, or service principal|

- |Select|Enter the name of your Stream Analytics job|

- :::image type="content" source="media/event-hubs-managed-identity/add-role-assignment.png" alt-text="Add role assignment":::

-1. Select **Save** and wait a minute or so for changes to propagate.

-The `-AsJob` parameter creates the VM as a background task, so the PowerShell prompts return to you. You can view details of background jobs with the `Get-Job` cmdlet.

-You can use service tags to define network access controls on [network security groups](./network-security-groups-overview.md#security-rules), [Azure Firewall](../firewall/service-tags.md), and [user-defined routes](./virtual-networks-udr-overview.md#service-tags-for-user-defined-routes). Use service tags in place of specific IP addresses when you create security rules and routes. By specifying the service tag name, such as **ApiManagement**, in the appropriate *source* or *destination* field of a security rule, you can allow or deny the traffic for the corresponding service. By specifying the service tag name in the address prefix of a route, you can route traffic intended for any of the prefixes encapsulated by the service tag to a desired next hop type.

-You can now specify a [Service Tag](service-tags-overview.md) as the address prefix for a user-defined route instead of an explicit IP range. A Service Tag represents a group of IP address prefixes from a given Azure service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change, minimizing the complexity of frequent updates to user-defined routes and reducing the number of routes you need to create. You can currently create 25 or less routes with Service Tags in each route table. </br>

-> If a Point-to-site VPN configuration used for a global profile is configured to authenticate users using the RADIUS protocol, make sure "Use Remote/On-premises RADIUS server" is turned on for all Point-to-site VPN Gateways using that configuration. Additionally, ensure your RADIUS server is configured to accept authentication requests from theRADIUS proxy IP addresses of **all** Point-to-site VPN Gateways using this VPN configuration.

-> A virtual network can only be connected to one virtual hub at a time.

->