-Sign-in frequency defines the time period before a user is asked to sign in again when attempting to access a resource.

-During an outage, Azure AD will extend access to existing sessions while enforcing Conditional Access policies. If a policy cannot be evaluated, access is determined by resilience settings.

-It might sound alarming to not ask for a user to sign back in, in reality any violation of IT policies will revoke the session. Some examples include (but are not limited to) a password change, an incompliant device, or account disable. You can also explicitly [revoke usersΓÇÖ sessions using PowerShell](/powershell/module/azuread/revoke-azureaduserallrefreshtoken). The Azure AD default configuration comes down to ΓÇ£donΓÇÖt ask users to provide their credentials if security posture of their sessions has not changedΓÇ¥.

-The sign-in frequency setting works with SAML applications as well, as long as they do not drop their own cookies and are redirected back to Azure AD for authentication on regular basis.

-The Azure AD default for browser session persistence allows users on personal devices to choose whether to persist the session by showing a ΓÇ£Stay signed in?ΓÇ¥ prompt after successful authentication. If browser persistence is configured in AD FS using the guidance in the article [AD FS Single Sign-On Settings](/windows-server/identity/ad-fs/operations/ad-fs-single-sign-on-settings#enable-psso-for-office-365-users-to-access-sharepoint-online

-), we will comply with that policy and persist the Azure AD session as well. You can also configure whether users in your tenant see the ΓÇ£Stay signed in?ΓÇ¥ prompt by changing the appropriate setting in the company branding pane in Azure portal using the guidance in the article [Customize your Azure AD sign-in page](../fundamentals/customize-branding.md).

-1. [Sign in](https://portal.azure.com) to the Azure portal.

-1. Search for **Azure AD Conditional Access**.

-1. Select **Policies**.

-1. Select **+ New policy**.

-1. Select **Create new policy**.

-1. Go to **Access Controls** > **Session** and click **Sign-in frequency**

-1. Enter the required value of days and hours in the first text box

-1. Select a value of **Hours** or **Days** from dropdown

-1. Save your policy

-On Azure AD registered Windows devices sign in to the device is considered a prompt. For example, if you have configured the sign-in frequency to 24 hours for Office apps, users on Azure AD registered Windows devices will satisfy the sign-in frequency policy by signing in to the device and will be not prompted again when opening Office apps.

-1. [Sign in](https://portal.azure.com) to the Azure portal.

-1. Search for **Azure AD Conditional Access**.

-1. Select **Policies**.

-1. Select **+ New policy**.

-1. Select **Create new policy**.

-1. Go to **Access Controls** > **Session** and click **Persistent browser session**

-1. Select a value from dropdown

-1. Save you policy

-## Validation

-## Policy deployment

-To make sure that your policy works as expected, the recommended best practice is to test it before rolling it out into production. Ideally, use a test tenant to verify whether your new policy works as intended. For more information, see the article [Plan a Conditional Access deployment](plan-conditional-access.md).

-* If you are ready to configure Conditional Access policies for your environment, see the article [Plan a Conditional Access deployment](plan-conditional-access.md).

- ```JavaScript

- const express = require('express');

- const morgan = require('morgan');

- const path = require('path');

- const argv = require('yargs')

- .usage('Usage: $0 -p [PORT]')

- .alias('p', 'port')

- .describe('port', '(Optional) Port Number - default is 3000')

- .strict()

- .argv;

- const DEFAULT_PORT = 3000;

- //initialize express.

- const app = express();

- // Initialize variables.

- let port = DEFAULT_PORT; // -p {PORT} || 3000;

- if (argv.p) {

- port = argv.p;

- }

- // Configure morgan module to log all requests.

- app.use(morgan('dev'));

- // Set the front-end folder to serve public assets.

- app.use("/lib", express.static(path.join(__dirname, "../../lib/msal-browser/lib")));

- // Setup app folders

- app.use(express.static('app'));

- // Set up a route for https://docsupdatetracker.net/index.html.

- app.get('*', function (req, res) {

- res.sendFile(path.join(__dirname + '/https://docsupdatetracker.net/index.html'));

- });

- // Start the server.

- app.listen(port);

- console.log(`Listening on port ${port}...`);

- ```

-You now have a small webserver to serve your SPA. After completing the rest of the tutorial, the file and folder structure of your project should look similar to the following:

-```

-msal-spa-tutorial/

-Γö£ΓöÇΓöÇ app

-│   ├── authConfig.js

-│   ├── authPopup.js

-│   ├── authRedirect.js

-│   ├── graphConfig.js

-│   ├── graph.js

-│   ├── https://docsupdatetracker.net/index.html

-│   └── ui.js

-ΓööΓöÇΓöÇ server.js

-```

- ```html

- <!DOCTYPE html>

- <html lang="en">

- <head>

- <meta charset="UTF-8">

- <meta name="viewport" content="width=device-width, initial-scale=1.0, shrink-to-fit=no">

- <title>Tutorial | MSAL.js JavaScript SPA</title>

- <!-- IE support: add promises polyfill before msal.js -->

- <script type="text/javascript" src="//cdn.jsdelivr.net/npm/bluebird@3.7.2/js/browser/bluebird.min.js"></script>

- <script type="text/javascript" src="https://alcdn.msauth.net/browser/2.0.0-beta.4/js/msal-browser.js" integrity="sha384-7sxY2tN3GMVE5jXH2RL9AdbO6s46vUh9lUid4yNCHJMUzDoj+0N4ve6rLOmR88yN" crossorigin="anonymous"></script>

- <!-- adding Bootstrap 4 for UI components -->

- <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.4.1/css/bootstrap.min.css" integrity="sha384-Vkoo8x4CGsO3+Hhxv8T/Q5PaXtkKtu6ug5TOeNV6gBiFeWPGFN9MuhOf23Q9Ifjh" crossorigin="anonymous">

- <link rel="SHORTCUT ICON" href="https://c.s-microsoft.com/favicon.ico?v2" type="image/x-icon">

- </head>

- <body>

- <nav class="navbar navbar-expand-lg navbar-dark bg-primary">

- <a class="navbar-brand" href="/">Microsoft identity platform</a>

- <div class="btn-group ml-auto dropleft">

- <button type="button" id="SignIn" class="btn btn-secondary" onclick="signIn()">

- Sign In

- </button>

- </div>

- </nav>

- <br>

- <h5 class="card-header text-center">JavaScript SPA calling Microsoft Graph API with MSAL.js</h5>

- <br>

- <div class="row" style="margin:auto" >

- <div id="card-div" class="col-md-3" style="display:none">

- <div class="card text-center">

- <div class="card-body">

- <h5 class="card-title" id="WelcomeMessage">Please sign-in to see your profile and read your mails</h5>

- <div id="profile-div"></div>

- <br>

- <br>

- <button class="btn btn-primary" id="seeProfile" onclick="seeProfile()">See Profile</button>

- <br>

- <br>

- <button class="btn btn-primary" id="readMail" onclick="readMail()">Read Mail</button>

- </div>

- </div>

- </div>

- <br>

- <br>

- <div class="col-md-4">

- <div class="list-group" id="list-tab" role="tablist">

- </div>

- </div>

- <div class="col-md-5">

- <div class="tab-content" id="nav-tabContent">

- </div>

- </div>

- </div>

- <br>

- <br>

- <!-- importing bootstrap.js and supporting js libraries -->

- <script src="https://code.jquery.com/jquery-3.4.1.slim.min.js" integrity="sha384-J6qa4849blE2+poT4WnyKhv5vZF5SrPo0iEjwBvKU7imGFAV0wwj1yYfoRSJoZ+n" crossorigin="anonymous"></script>

- <script src="https://cdn.jsdelivr.net/npm/popper.js@1.16.0/dist/umd/popper.min.js" integrity="sha384-Q6E9RHvbIyZFJoft+2mJbHaEWldlvI9IOYy5n3zV9zzTtmI3UksdQRVvoxMfooAo" crossorigin="anonymous"></script>

- <script src="https://stackpath.bootstrapcdn.com/bootstrap/4.4.1/js/bootstrap.min.js" integrity="sha384-wfSDF2E50Y2D1uUdj0O3uMBJnjuUD4Ih7YwaYd1iqfktj0Uod8GCExl3Og8ifwB6" crossorigin="anonymous"></script>

- <!-- importing app scripts (load order is important) -->

- <script type="text/javascript" src="./authConfig.js"></script>

- <script type="text/javascript" src="./graphConfig.js"></script>

- <script type="text/javascript" src="./ui.js"></script>

- <!-- <script type="text/javascript" src="./authRedirect.js"></script> -->

- <!-- uncomment the above line and comment the line below if you would like to use the redirect flow -->

- <script type="text/javascript" src="./authPopup.js"></script>

- <script type="text/javascript" src="./graph.js"></script>

- </body>

- </html>

- ```

- ```JavaScript

- // Select DOM elements to work with

- const welcomeDiv = document.getElementById("WelcomeMessage");

- const signInButton = document.getElementById("SignIn");

- const cardDiv = document.getElementById("card-div");

- const mailButton = document.getElementById("readMail");

- const profileButton = document.getElementById("seeProfile");

- const profileDiv = document.getElementById("profile-div");

- function showWelcomeMessage(account) {

- // Reconfiguring DOM elements

- cardDiv.style.display = 'initial';

- welcomeDiv.innerHTML = `Welcome ${account.username}`;

- signInButton.setAttribute("onclick", "signOut();");

- signInButton.setAttribute('class', "btn btn-success")

- signInButton.innerHTML = "Sign Out";

- }

- function updateUI(data, endpoint) {

- console.log('Graph API responded at: ' + new Date().toString());

- if (endpoint === graphConfig.graphMeEndpoint) {

- const title = document.createElement('p');

- title.innerHTML = "<strong>Title: </strong>" + data.jobTitle;

- const email = document.createElement('p');

- email.innerHTML = "<strong>Mail: </strong>" + data.mail;

- const phone = document.createElement('p');

- phone.innerHTML = "<strong>Phone: </strong>" + data.businessPhones[0];

- const address = document.createElement('p');

- address.innerHTML = "<strong>Location: </strong>" + data.officeLocation;

- profileDiv.appendChild(title);

- profileDiv.appendChild(email);

- profileDiv.appendChild(phone);

- profileDiv.appendChild(address);

- } else if (endpoint === graphConfig.graphMailEndpoint) {

- if (data.value.length < 1) {

- alert("Your mailbox is empty!")

- } else {

- const tabList = document.getElementById("list-tab");

- tabList.innerHTML = ''; // clear tabList at each readMail call

- const tabContent = document.getElementById("nav-tabContent");

- data.value.map((d, i) => {

- // Keeping it simple

- if (i < 10) {

- const listItem = document.createElement("a");

- listItem.setAttribute("class", "list-group-item list-group-item-action")

- listItem.setAttribute("id", "list" + i + "list")

- listItem.setAttribute("data-toggle", "list")

- listItem.setAttribute("href", "#list" + i)

- listItem.setAttribute("role", "tab")

- listItem.setAttribute("aria-controls", i)

- listItem.innerHTML = d.subject;

- tabList.appendChild(listItem)

- const contentItem = document.createElement("div");

- contentItem.setAttribute("class", "tab-pane fade")

- contentItem.setAttribute("id", "list" + i)

- contentItem.setAttribute("role", "tabpanel")

- contentItem.setAttribute("aria-labelledby", "list" + i + "list")

- contentItem.innerHTML = "<strong> from: " + d.from.emailAddress.address + "</strong><br><br>" + d.bodyPreview + "...";

- tabContent.appendChild(contentItem);

- }

- });

- }

- }

- }

- ```

-```javascript

-const msalConfig = {

- auth: {

- clientId: "Enter_the_Application_Id_Here",

- authority: "Enter_the_Cloud_Instance_Id_Here/Enter_the_Tenant_Info_Here",

- redirectUri: "Enter_the_Redirect_Uri_Here",

- },

- cache: {

- cacheLocation: "sessionStorage", // This configures where your cache will be stored

- storeAuthStateInCookie: false, // Set this to "true" if you are having issues on IE11 or Edge

- }

-};

-// Add scopes here for ID token to be used at Microsoft identity platform endpoints.

-const loginRequest = {

- scopes: ["openid", "profile", "User.Read"]

-};

-// Add scopes here for access token to be used at Microsoft Graph API endpoints.

-const tokenRequest = {

- scopes: ["User.Read", "Mail.Read"]

-};

-```

-Modify the values in the `msalConfig` section as described here:

- - For the main (or *global*) Azure cloud, enter `https://login.microsoftonline.com`.

- - For **national** clouds (for example, China), you can find appropriate values in [National clouds](authentication-national-cloud.md).

- - If your application supports *accounts in this organizational directory*, replace this value with the **Tenant ID** or **Tenant name**. For example, `contoso.microsoft.com`.

- - If your application supports *accounts in any organizational directory*, replace this value with `organizations`.

- - If your application supports *accounts in any organizational directory and personal Microsoft accounts*, replace this value with `common`.

- - To restrict support to *personal Microsoft accounts only*, replace this value with `consumers`.

-The `authority` value in your *authConfig.js* should be similar to the following if you're using the global Azure cloud:

-```javascript

-authority: "https://login.microsoftonline.com/common",

-```

-```javascript

-// Add the endpoints here for Microsoft Graph API services you'd like to use.

-const graphConfig = {

- graphMeEndpoint: "Enter_the_Graph_Endpoint_Here/v1.0/me",

- graphMailEndpoint: "Enter_the_Graph_Endpoint_Here/v1.0/me/messages"

-};

-```

-```JavaScript

-// Create the main myMSALObj instance

-// configuration parameters are located at authConfig.js

-const myMSALObj = new msal.PublicClientApplication(msalConfig);

-let username = "";

-function loadPage() {

- /**

- * See here for more info on account retrieval:

- * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-common/docs/Accounts.md

- */

- const currentAccounts = myMSALObj.getAllAccounts();

- if (currentAccounts === null) {

- return;

- } else if (currentAccounts.length > 1) {

- // Add choose account code here

- console.warn("Multiple accounts detected.");

- } else if (currentAccounts.length === 1) {

- username = currentAccounts[0].username;

- showWelcomeMessage(currentAccounts[0]);

- }

-}

-function handleResponse(resp) {

- if (resp !== null) {

- username = resp.account.username;

- showWelcomeMessage(resp.account);

- } else {

- loadPage();

- }

-}

-function signIn() {

- myMSALObj.loginPopup(loginRequest).then(handleResponse).catch(error => {

- console.error(error);

- });

-}

-function signOut() {

- const logoutRequest = {

- account: myMSALObj.getAccountByUsername(username)

- };

- myMSALObj.logout(logoutRequest);

-}

-function getTokenPopup(request) {

- /**

- * See here for more info on account retrieval:

- * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-common/docs/Accounts.md

- */

- request.account = myMSALObj.getAccountByUsername(username);

- return myMSALObj.acquireTokenSilent(request).catch(error => {

- console.warn("silent token acquisition fails. acquiring token using redirect");

- if (error instanceof msal.InteractionRequiredAuthError) {

- // fallback to interaction when silent call fails

- return myMSALObj.acquireTokenPopup(request).then(tokenResponse => {

- console.log(tokenResponse);

- return tokenResponse;

- }).catch(error => {

- console.error(error);

- });

- } else {

- console.warn(error);

- }

- });

-}

-function seeProfile() {

- getTokenPopup(loginRequest).then(response => {

- callMSGraph(graphConfig.graphMeEndpoint, response.accessToken, updateUI);

- profileButton.classList.add('d-none');

- mailButton.classList.remove('d-none');

- }).catch(error => {

- console.error(error);

- });

-}

-function readMail() {

- getTokenPopup(tokenRequest).then(response => {

- callMSGraph(graphConfig.graphMailEndpoint, response.accessToken, updateUI);

- }).catch(error => {

- console.error(error);

- });

-}

-loadPage();

-```

-```javascript

-// Create the main myMSALObj instance

-// configuration parameters are located at authConfig.js

-const myMSALObj = new msal.PublicClientApplication(msalConfig);

-let accessToken;

-let username = "";

-// Redirect: once login is successful and redirects with tokens, call Graph API

-myMSALObj.handleRedirectPromise().then(handleResponse).catch(err => {

- console.error(err);

-});

-function handleResponse(resp) {

- if (resp !== null) {

- username = resp.account.username;

- showWelcomeMessage(resp.account);

- } else {

- /**

- * See here for more info on account retrieval:

- * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-common/docs/Accounts.md

- */

- const currentAccounts = myMSALObj.getAllAccounts();

- if (currentAccounts === null) {

- return;

- } else if (currentAccounts.length > 1) {

- // Add choose account code here

- console.warn("Multiple accounts detected.");

- } else if (currentAccounts.length === 1) {

- username = currentAccounts[0].username;

- showWelcomeMessage(currentAccounts[0]);

- }

- }

-}

-function signIn() {

- myMSALObj.loginRedirect(loginRequest);

-}

-function signOut() {

- const logoutRequest = {

- account: myMSALObj.getAccountByUsername(username)

- };

- myMSALObj.logout(logoutRequest);

-}

-function getTokenRedirect(request) {

- /**

- * See here for more info on account retrieval:

- * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-common/docs/Accounts.md

- */

- request.account = myMSALObj.getAccountByUsername(username);

- return myMSALObj.acquireTokenSilent(request).catch(error => {

- console.warn("silent token acquisition fails. acquiring token using redirect");

- if (error instanceof msal.InteractionRequiredAuthError) {

- // fallback to interaction when silent call fails

- return myMSALObj.acquireTokenRedirect(request);

- } else {

- console.warn(error);

- }

- });

-}

-function seeProfile() {

- getTokenRedirect(loginRequest).then(response => {

- callMSGraph(graphConfig.graphMeEndpoint, response.accessToken, updateUI);

- profileButton.classList.add('d-none');

- mailButton.classList.remove('d-none');

- }).catch(error => {

- console.error(error);

- });

-}

-function readMail() {

- getTokenRedirect(tokenRequest).then(response => {

- callMSGraph(graphConfig.graphMailEndpoint, response.accessToken, updateUI);

- }).catch(error => {

- console.error(error);

- });

-}

-```

-```javascript

-// Helper function to call Microsoft Graph API endpoint

-// using authorization bearer token scheme

-function callMSGraph(endpoint, token, callback) {

- const headers = new Headers();

- const bearer = `Bearer ${token}`;

- headers.append("Authorization", bearer);

- const options = {

- method: "GET",

- headers: headers

- };

- console.log('request made to Graph API at: ' + new Date().toString());

- fetch(endpoint, options)

- .then(response => response.json())

- .then(response => callback(response, endpoint))

- .catch(error => console.log(error));

-}

-```

-> Do not disable methods for your organization if you are using Security Defaults. Disabling methods may lead to locking yourself out of your tenant. Leave all **Methods available to users** enabled in the [MFA service settings portal](../authentication/howto-mfa-getstarted.md#choose-authentication-methods-for-mfa).

-There are many different services in Microsoft 365, such as Azure AD and Intune. Some of these services have their own role-based access control systems;, specifically:

-When we say separate role-based access control system. it means there is a different data store where role definitions and role assignments are stored. Similarly, there is a different policy decision point where access checks happen. For more information , see [Roles for Microsoft 365 services in Azure AD](m365-workload-docs.md) and [Classic subscription administrator roles, Azure roles, and Azure AD roles](../../role-based-access-control/rbac-and-directory-admin-roles.md).

-Service-specific roles | Azure DevOps Administrator<br>Azure Information Protection Administrator<br>Billing Administrator<br>CRM Service Administrator<br>Customer LockBox Access Approver<br>Desktop Analytics Administrator<br>Exchange Service Administrator<br>Insights Administrator<br>Insights Business Leader<br>Intune Service Administrator<br>Kaizala Administrator<br>Lync Service Administrator<br>Message Center Privacy Reader<br>Message Center Reader<br>Modern Commerce User<br>Network Administrator<br>Office Apps Administrator<br>Power BI Service Administrator<br>Power Platform Administrator<br>Printer Administrator<br>Printer Technician<br>Search Administrator<br>Search Editor<br>SharePoint Service Administrator<br>Teams Communications Administrator<br>Teams Communications Support Engineer<br>Teams Communications Support Specialist<br>Teams Devices Administrator<br>Teams Administrator

-3. In a PowerShell window, Use [Connect-MgGraph](/graph/powershell/get-started) to sign into and use Microsoft Graph PowerShell cmdlets.

-# Tutorial: Azure Active Directory integration with LCVista

-In this tutorial, you learn how to integrate LCVista with Azure Active Directory (Azure AD).

-Integrating LCVista with Azure AD provides you with the following benefits:

-* You can control in Azure AD who has access to LCVista.

-* You can enable your users to be automatically signed-in to LCVista (Single Sign-On) with their Azure AD accounts.

-* You can manage your accounts in one central location - the Azure portal.

-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).

-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.

-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)

-* LCVista single sign-on enabled subscription

-* LCVista supports **SP** initiated SSO

-## Adding LCVista from the gallery

-**To add LCVista from the gallery, perform the following steps:**

-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.

- 

-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.

- 

-3. To add new application, click **New application** button on the top of dialog.

- 

-4. In the search box, type **LCVista**, select **LCVista** from result panel then click **Add** button to add the application.

- 

-## Configure and test Azure AD single sign-on

-In this section, you configure and test Azure AD single sign-on with LCVista based on a test user called **Britta Simon**.

-For single sign-on to work, a link relationship between an Azure AD user and the related user in LCVista needs to be established.

-To configure and test Azure AD single sign-on with LCVista, you need to complete the following building blocks:

-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.

-2. **[Configure LCVista Single Sign-On](#configure-lcvista-single-sign-on)** - to configure the Single Sign-On settings on application side.

-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.

-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.

-5. **[Create LCVista test user](#create-lcvista-test-user)** - to have a counterpart of Britta Simon in LCVista that is linked to the Azure AD representation of user.

-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.

-### Configure Azure AD single sign-on

-In this section, you enable Azure AD single sign-on in the Azure portal.

-To configure Azure AD single sign-on with LCVista, perform the following steps:

-1. In the [Azure portal](https://portal.azure.com/), on the **LCVista** application integration page, select **Single sign-on**.

- 

-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.

- 

-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.

- 

- 

- a. In the **Sign on URL** text box, type a URL using the following pattern:

- `https://<subdomain>.lcvista.com/rainier/login`

- b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:

- > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [LCVista Client support team](https://lcvista.com/contact) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

- a. Login URL

- b. Azure Ad Identifier

- c. Logout URL

-### Configure LCVista Single Sign-On

-1. Sign on to your LCVista application as an administrator.

- 

-### Create an Azure AD test user

-The objective of this section is to create a test user in the Azure portal called Britta Simon.

-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.

- 

-2. Select **New user** at the top of the screen.

- 

-3. In the User properties, perform the following steps.

- 

- a. In the **Name** field enter **BrittaSimon**.

-

- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**

- For example, BrittaSimon@contoso.com

- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.

- d. Click **Create**.

-### Assign the Azure AD test user

-In this section, you enable Britta Simon to use Azure single sign-on by granting access to LCVista.

-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **LCVista**.

- 

-2. In the applications list, select **LCVista**.

- 

-3. In the menu on the left, select **Users and groups**.

- 

-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.

- 

-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.

-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.

-7. In the **Add Assignment** dialog click the **Assign** button.

-### Test single sign-on

-In this section, you test your Azure AD single sign-on configuration using the Access Panel.

-When you click the LCVista tile in the Access Panel, you should be automatically signed in to the LCVista for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

-## Additional Resources

-# Tutorial: Azure Active Directory integration with Manabi Pocket

-In this tutorial, you learn how to integrate Manabi Pocket with Azure Active Directory (Azure AD).

-Integrating Manabi Pocket with Azure AD provides you with the following benefits:

-* You can control in Azure AD who has access to Manabi Pocket.

-* You can enable your users to be automatically signed-in to Manabi Pocket (Single Sign-On) with their Azure AD accounts.

-* You can manage your accounts in one central location - the Azure portal.

-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).

-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.

-* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/)

-* Manabi Pocket single sign-on enabled subscription

-* Manabi Pocket supports **SP** initiated SSO

-## Adding Manabi Pocket from the gallery

-**To add Manabi Pocket from the gallery, perform the following steps:**

-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.

- 

-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.

- 

-3. To add new application, click **New application** button on the top of dialog.

- 

-4. In the search box, type **Manabi Pocket**, select **Manabi Pocket** from result panel then click **Add** button to add the application.

- 

-## Configure and test Azure AD single sign-on

-In this section, you configure and test Azure AD single sign-on with Manabi Pocket based on a test user called **Britta Simon**.

-For single sign-on to work, a link relationship between an Azure AD user and the related user in Manabi Pocket needs to be established.

-To configure and test Azure AD single sign-on with Manabi Pocket, you need to complete the following building blocks:

-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.

-2. **[Configure Manabi Pocket Single Sign-On](#configure-manabi-pocket-single-sign-on)** - to configure the Single Sign-On settings on application side.

-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.

-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.

-5. **[Create Manabi Pocket test user](#create-manabi-pocket-test-user)** - to have a counterpart of Britta Simon in Manabi Pocket that is linked to the Azure AD representation of user.

-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.

-### Configure Azure AD single sign-on

-In this section, you enable Azure AD single sign-on in the Azure portal.

-To configure Azure AD single sign-on with Manabi Pocket, perform the following steps:

-1. In the [Azure portal](https://portal.azure.com/), on the **Manabi Pocket** application integration page, select **Single sign-on**.

- 

-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.

- 

-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.

- 

- 

- a. In the **Sign on URL** text box, type a URL:

- `https://ed-cl.com/`

- b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:

- a. Login URL

- b. Azure AD Identifier

- c. Logout URL

-### Configure Manabi Pocket Single Sign-On

-To configure single sign-on on **Manabi Pocket** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Manabi Pocket support team](mailto:info-ed-cl@ntt.com). They set this setting to have the SAML SSO connection set properly on both sides.

-The objective of this section is to create a test user in the Azure portal called Britta Simon.

-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.

- 

-2. Select **New user** at the top of the screen.

- 

-3. In the User properties, perform the following steps.

- 

- a. In the **Name** field enter **BrittaSimon**.

-

- b. In the **User name** field type brittasimon@yourcompanydomain.extension. For example, BrittaSimon@contoso.com

- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.

- d. Click **Create**.

-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Manabi Pocket.

-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Manabi Pocket**.

- 

-2. In the applications list, select **Manabi Pocket**.

- 

-3. In the menu on the left, select **Users and groups**.

- 

-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.

- 

-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.

-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.

-7. In the **Add Assignment** dialog click the **Assign** button.

-### Test single sign-on

-In this section, you test your Azure AD single sign-on configuration using the Access Panel.

-When you click the Manabi Pocket tile in the Access Panel, you should be automatically signed in to the Manabi Pocket for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

-## Additional Resources

-# Tutorial: Azure Active Directory integration with Nomadesk

-In this tutorial, you learn how to integrate Nomadesk with Azure Active Directory (Azure AD).

-Integrating Nomadesk with Azure AD provides you with the following benefits:

-* You can control in Azure AD who has access to Nomadesk.

-* You can enable your users to be automatically signed-in to Nomadesk (Single Sign-On) with their Azure AD accounts.

-* You can manage your accounts in one central location - the Azure portal.

-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).

-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.

-To configure Azure AD integration with Nomadesk, you need the following items:

-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)

-* Nomadesk single sign-on enabled subscription

-* Nomadesk supports **SP** initiated SSO

-* Nomadesk supports **Just In Time** user provisioning

-## Adding Nomadesk from the gallery

-**To add Nomadesk from the gallery, perform the following steps:**

-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.

- 

-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.

- 

-3. To add new application, click **New application** button on the top of dialog.

- 

-4. In the search box, type **Nomadesk**, select **Nomadesk** from result panel then click **Add** button to add the application.

- 

-## Configure and test Azure AD single sign-on

-In this section, you configure and test Azure AD single sign-on with Nomadesk based on a test user called **Britta Simon**.

-For single sign-on to work, a link relationship between an Azure AD user and the related user in Nomadesk needs to be established.

-To configure and test Azure AD single sign-on with Nomadesk, you need to complete the following building blocks:

-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.

-2. **[Configure Nomadesk Single Sign-On](#configure-nomadesk-single-sign-on)** - to configure the Single Sign-On settings on application side.

-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.

-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.

-5. **[Create Nomadesk test user](#create-nomadesk-test-user)** - to have a counterpart of Britta Simon in Nomadesk that is linked to the Azure AD representation of user.

-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.

-### Configure Azure AD single sign-on

-In this section, you enable Azure AD single sign-on in the Azure portal.

-To configure Azure AD single sign-on with Nomadesk, perform the following steps:

-1. In the [Azure portal](https://portal.azure.com/), on the **Nomadesk** application integration page, select **Single sign-on**.

- 

-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.

- 

-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.

- 

- 

- a. In the **Sign on URL** text box, type a URL using the following pattern:

- b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:

- `https://secure.nomadesk.com/saml/<instancename>`

- > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [Nomadesk Client support team](mailto:support@nomadesk.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

- a. Login URL

- b. Azure AD Identifier

- c. Logout URL

-### Configure Nomadesk Single Sign-On

-To configure single sign-on on **Nomadesk** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Nomadesk support team](mailto:support@nomadesk.com). They set this setting to have the SAML SSO connection set properly on both sides.

-The objective of this section is to create a test user in the Azure portal called Britta Simon.

-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.

- 

-2. Select **New user** at the top of the screen.

- 

-3. In the User properties, perform the following steps.

- 

- a. In the **Name** field enter **BrittaSimon**.

-

- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**

- For example, BrittaSimon@contoso.com

- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.

- d. Click **Create**.

-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Nomadesk.

-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Nomadesk**.

- 

-2. In the applications list, select **Nomadesk**.

- 

-3. In the menu on the left, select **Users and groups**.

- 

-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.

- 

-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.

-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.

-7. In the **Add Assignment** dialog click the **Assign** button.

-### Test single sign-on

-In this section, you test your Azure AD single sign-on configuration using the Access Panel.

-When you click the Nomadesk tile in the Access Panel, you should be automatically signed in to the Nomadesk for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

-## Additional Resources

-# Tutorial: Azure Active Directory integration with Peoplecart

-In this tutorial, you learn how to integrate Peoplecart with Azure Active Directory (Azure AD).

-Integrating Peoplecart with Azure AD provides you with the following benefits:

-* You can control in Azure AD who has access to Peoplecart.

-* You can enable your users to be automatically signed-in to Peoplecart (Single Sign-On) with their Azure AD accounts.

-* You can manage your accounts in one central location - the Azure portal.

-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).

-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.

-To configure Azure AD integration with Peoplecart, you need the following items:

-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)

-* Peoplecart single sign-on enabled subscription

-* Peoplecart supports **SP** initiated SSO

-## Adding Peoplecart from the gallery

-**To add Peoplecart from the gallery, perform the following steps:**

-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.

- 

-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.

- 

-3. To add new application, click **New application** button on the top of dialog.

- 

-4. In the search box, type **Peoplecart**, select **Peoplecart** from result panel then click **Add** button to add the application.

- 

-## Configure and test Azure AD single sign-on

-In this section, you configure and test Azure AD single sign-on with Peoplecart based on a test user called **Britta Simon**.

-For single sign-on to work, a link relationship between an Azure AD user and the related user in Peoplecart needs to be established.

-To configure and test Azure AD single sign-on with Peoplecart, you need to complete the following building blocks:

-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.

-2. **[Configure Peoplecart Single Sign-On](#configure-peoplecart-single-sign-on)** - to configure the Single Sign-On settings on application side.

-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.

-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.

-5. **[Create Peoplecart test user](#create-peoplecart-test-user)** - to have a counterpart of Britta Simon in Peoplecart that is linked to the Azure AD representation of user.

-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.

-### Configure Azure AD single sign-on

-In this section, you enable Azure AD single sign-on in the Azure portal.

-To configure Azure AD single sign-on with Peoplecart, perform the following steps:

-1. In the [Azure portal](https://portal.azure.com/), on the **Peoplecart** application integration page, select **Single sign-on**.

- 

-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.

- 

-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.

- 

- 

- a. In the **Sign on URL** text box, type a URL using the following pattern:

- b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:

- `https://<tenantname>.peoplecart.com`

- > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [Peoplecart Client support team](https://peoplecart.com/ContactUs.aspx) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

- a. Login URL

- b. Azure AD Identifier

- c. Logout URL

-### Configure Peoplecart Single Sign-On

-To configure single sign-on on **Peoplecart** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Peoplecart support team](https://peoplecart.com/ContactUs.aspx). They set this setting to have the SAML SSO connection set properly on both sides.

-The objective of this section is to create a test user in the Azure portal called Britta Simon.

-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.

- 

-2. Select **New user** at the top of the screen.

- 

-3. In the User properties, perform the following steps.

- 

- a. In the **Name** field enter **BrittaSimon**.

-

- b. In the **User name** field type **brittasimon@yourcompanydomain.extension**

- For example, BrittaSimon@contoso.com

- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.

- d. Click **Create**.

-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Peoplecart.

-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Peoplecart**.

- 

-2. In the applications list, select **Peoplecart**.

- 

-3. In the menu on the left, select **Users and groups**.

- 

-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.

- 

-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.

-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.

-7. In the **Add Assignment** dialog click the **Assign** button.

-### Test single sign-on

-In this section, you test your Azure AD single sign-on configuration using the Access Panel.

-When you click the Peoplecart tile in the Access Panel, you should be automatically signed in to the Peoplecart for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

-## Additional Resources

- b. In the **SAML ISSUER ID** textbox, paste the **Identifier URL** value which you have copied from the Azure portal.

- `http://<tenant-name>.talentlms.com`

-Once you configure TalentLMS you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

-1. You can leave the image name and the service port set to the defaults.

-description: Learn about the security hardening in AKS VM host OS

-# Security hardening for AKS agent node host OS

-As a secure service, Azure Kubernetes Service (AKS) complies with SOC, ISO, PCI DSS, and HIPAA standards. This article covers the security hardening applied to AKS virtual machine (VM) hosts. For more information about AKS security, see [Security concepts for applications and clusters in Azure Kubernetes Service (AKS)](./concepts-security.md).

-> [!Note]

-> This document is scoped to Linux agents in AKS only.

-AKS clusters are deployed on host VMs, which run a security-optimized OS used for containers running on AKS. This host OS is based on an **Ubuntu 18.04.5 LTS** image with more [security hardening](#security-hardening-features) and optimizations applied.

-The goal of the security hardened host OS is to reduce the surface area of attack and optimize for the deployment of containers in a secure manner.

-> [!Important]

-> The security hardened OS is **not** CIS benchmarked. While it overlaps with CIS benchmarks, the goal is not to be CIS-compliant. The goal for host OS hardening is to converge on a level of security consistent with Microsoft's own internal host security standards.

-## Security hardening features

-* AKS provides a security-optimized host OS by default, but no option to select an alternate operating system.

-* Azure applies daily patches (including security patches) to AKS virtual machine hosts.

- * Some of these patches require a reboot, while others will not.

- * You're responsible for scheduling AKS VM host reboots as needed.

- * For guidance on how to automate AKS patching, see [patching AKS nodes](./node-updates-kured.md).

-## What is configured

-| CIS | Audit description|

-|||

-| 1.1.1.1 |Ensure mounting of cramfs filesystems is disabled|

-| 1.1.1.2 |Ensure mounting of freevxfs filesystems is disabled|

-| 1.1.1.3 |Ensure mounting of jffs2 filesystems is disabled|

-| 1.1.1.4 |Ensure mounting of HFS filesystems is disabled|

-| 1.1.1.5 |Ensure mounting of HFS Plus filesystems is disabled|

-|1.4.3 |Ensure authentication required for single user mode |

-|1.7.1.2 |Ensure local login warning banner is configured properly |

-|1.7.1.3 |Ensure remote login warning banner is configured properly |

-|1.7.1.5 |Ensure permissions on /etc/issue are configured |

-|1.7.1.6 |Ensure permissions on /etc/issue.net are configured |

-|2.1.5 |Ensure that --streaming-connection-idle-timeout is not set to 0 |

-|3.1.2 |Ensure packet redirect sending is disabled |

-|3.2.1 |Ensure source routed packages are not accepted |

-|3.2.2 |Ensure ICMP redirects are not accepted |

-|3.2.3 |Ensure secure ICMP redirects are not accepted |

-|3.2.4 |Ensure suspicious packets are logged |

-|3.3.1 |Ensure IPv6 router advertisements are not accepted |

-|3.5.1 |Ensure DCCP is disabled |

-|3.5.2 |Ensure SCTP is disabled |

-|3.5.3 |Ensure RDS is disabled |

-|3.5.4 |Ensure TIPC is disabled |

-|4.2.1.2 |Ensure logging is configured |

-|5.1.2 |Ensure permissions on /etc/crontab are configured |

-|5.2.4 |Ensure SSH X11 forwarding is disabled |

-|5.2.5 |Ensure SSH MaxAuthTries is set to 4 or less |

-|5.2.8 |Ensure SSH root login is disabled |

-|5.2.10 |Ensure SSH PermitUserEnvironment is disabled |

-|5.2.11 |Ensure only approved MAX algorithms are used |

-|5.2.12 |Ensure SSH Idle Timeout Interval is configured |

-|5.2.13 |Ensure SSH LoginGraceTime is set to one minute or less |

-|5.2.15 |Ensure SSH warning banner is configured |

-|5.3.1 |Ensure password creation requirements are configured |

-|5.4.1.1 |Ensure password expiration is 90 days or less |

-|5.4.1.4 |Ensure inactive password lock is 30 days or less |

-|5.4.4 |Ensure default user umask is 027 or more restrictive |

-|5.6 |Ensure access to the su command is restricted|

-## Additional notes

-

-* To further reduce the attack surface area, some unnecessary kernel module drivers have been disabled in the OS.

-* The security hardened OS is built and maintained specifically for AKS and is **not** supported outside of the AKS platform.

-## Next steps

-For more information about AKS security, see the following articles:

-* [Azure Kubernetes Service (AKS)](./intro-kubernetes.md)

-* [AKS security considerations](./concepts-security.md)

-* [AKS best practices](./best-practices.md)

-| validate-jwt | Jwt token is missing in request | TokenNotFound | JWT not found in the request. Access denied. |

-* `Directory.Read.All` application permission for Microsoft Graph API and Azure Active Directory Graph API.

-* `User.Read` delegated permission for Microsoft Graph API.

- az rest --method PATCH --uri "https://graph.microsoft.com/v1.0/$($tenantId)/applications/$($appObjectID)" --body "{'requiredResourceAccess':[{'resourceAccess': [{'id': 'e1fe6dd8-ba31-4d61-89e7-88639da4683d','type': 'Scope'},{'id': '7ab1d382-f21e-4acd-a863-ba3e13f7da61','type': 'Role'}],'resourceAppId': '00000003-0000-0000-c000-000000000000'},{'resourceAccess': [{'id': '5778995a-e1bf-45b8-affa-663a9f3f4d04','type': 'Role'}], 'resourceAppId': '00000002-0000-0000-c000-000000000000'}]}"

- 1. Select **Certificate permissions**, then select **Get** and **List**.

-This article shows you how to create a managed identity for an Azure API Management instance and how to access other resources. A managed identity generated by Azure Active Directory (Azure AD) allows your API Management instance to easily and securely access other Azure AD-protected resources, such as Azure Key Vault. Azure manages this identity, so you don't have to provision or rotate any secrets. For more information about managed identities, see [What are managed identities for Azure resources?](../active-directory/managed-identities-azure-resources/overview.md).

-2. Select **Managed identities**.

- :::image type="content" source="./media/api-management-msi/enable-system-msi.png" alt-text="Selections for enabling a system-assigned managed identity" border="true":::

-2. Use the following code to create the instance. For more examples of how to use Azure PowerShell with an API Management instance, see [API Management PowerShell samples](powershell-samples.md).

-3. Update an existing instance to create the identity:

- ```azurepowershell-interactive

- # Get an API Management instance

- $apimService = Get-AzApiManagement -ResourceGroupName $resourceGroupName -Name $apiManagementName

- # Update an API Management instance

- Set-AzApiManagement -InputObject $apimService -SystemAssignedIdentity

- ```

-You can create an API Management instance with an identity by including the following property in the resource definition:

- "$schema": "https://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#",

- "apiVersion": "2020-01-01",

-The `tenantId` property identifies what Azure AD tenant the identity belongs to. The `principalId` property is a unique identifier for the instance's new identity. Within Azure AD, the service principal has the same name that you gave to your API Management instance.

-## Supported scenarios using System Assigned Identity

- "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",

- "description": "Proxy Custom hostname."

- "apiVersion": "2020-01-01",

- "secrets": ["get"]

-### Authenticate to the back end by using an API Management identity

-You can use the system-assigned identity to authenticate to the back end through the [authentication-managed-identity](api-management-authentication-policies.md#ManagedIdentity) policy.

-### <a name="apim-as-trusted-service"></a>Connect to Azure resources behind IP Firewall using System Assigned Managed Identity

-API Management is a trusted microsoft service to the following resources. This allows the service to connect to the following resources behind a firewall. After explicitly assigning the appropriate Azure role to the [system-assigned managed identity](../active-directory/managed-identities-azure-resources/overview.md) for that resource instance, the scope of access for the instance corresponds to the Azure role assigned to the managed identity.

-To set up a managed identity in the portal, you'll first create an API Management instance and then enable the feature.

-2. Select **Managed identities**.

- :::image type="content" source="./media/api-management-msi/enable-user-assigned-msi.png" alt-text="Selections for enabling a user-assigned managed identity" border="true":::

-2. Use the following code to create the instance. For more examples of how to use Azure PowerShell with an API Management instance, see [API Management PowerShell samples](powershell-samples.md).

-3. Update an existing service to assign an identity to the service:

- ```azurepowershell-interactive

- # Get an API Management instance

- $apimService = Get-AzApiManagement -ResourceGroupName $resourceGroupName -Name $apiManagementName

- # Create a user-assigned identity. This requires installation of the "Az.ManagedServiceIdentity" module.

- $userAssignedIdentity = New-AzUserAssignedIdentity -Name $userAssignedIdentityName -ResourceGroupName $resourceGroupName

- # Update an API Management instance

- $userIdentities = @($userAssignedIdentity.Id)

- Set-AzApiManagement -InputObject $apimService -UserAssignedIdentity $userIdentities

- ```

- "apiVersion": "2020-12-01",

-## Supported scenarios using User Assigned Managed Identity

-You can use any user-assigned identity to establish trust between an API Management instance and KeyVault. This trust can then be used to retrieve custom TLS/SSL certificates stored in Azure Key Vault. You can then assign these certificates to custom domains in the API Management instance.

-For the complete template, see [API Management with KeyVault based SSL using User Assigned Identity](https://github.com/Azure/azure-quickstart-templates/blob/master/quickstarts/microsoft.apimanagement/api-management-key-vault-create/azuredeploy.json).

-* Azure API Management

-* Azure Managed User Assigned Identity

-* Azure KeyVault for storing the SSL/TLS certificate

-### Authenticate to the back end by using a user-assigned identity

-You can use the user-assigned identity to authenticate to the back end through the [authentication-managed-identity](api-management-authentication-policies.md#ManagedIdentity) policy.

- 

- 

-This article presents the information for customers to create a _business continuity and disaster recovery plan_ for their Azure Cache for Redis, or Azure Cache for Redis Enterprise implementation.

-[Geo-replication](cache-how-to-geo-replication.md) is a mechanism for linking two or more Azure Cache for Redis instances, typically spanning two Azure regions. Geo-replication is designed mainly for disaster recovery. Two Premium tier cache instances are connected through geo-replication in away that provides reads and writes to your primary cache, and that data is replicated to the secondary cache.

-We expect that most Azure Cache for Redis customers won't be affected. However, your application might be affected if you explicitly specify a list of acceptable certificate authorities (CAs), which is known as *certificate pinning*.

-If you have more questions, contact us through [support](https://azure.microsoft.com/support/options/).

-Working with the trigger and bindings requires that you reference the appropriate NuGet package. Install the [NuGet package], version 3.x.

- "defaultValue": "westus2",

- "allowedValues": [

- "westus2",

- "eastus2",

- "eastus2euap"

- ],

- "defaultValue": "westus2",

- "allowedValues": [

- "westus2",

- "eastus2",

- "eastus2euap"

- ],

- "Custom-MyLogFileFormat "

- "/var/*.log"

- "defaultValue": "westus2",

- "allowedValues": [

- "westus2",

- "eastus2",

- "eastus2euap"

- ],

-description: "Learn how to scale your resource Web App, Cloud Service, Virtual Machine or Virtual Machine scale set in Azure."

-1. Click the Azure Monitor icon in the left pane.

- ![Open Azure Monitor][2]

- ![Discover Autoscale in Azure Monitor][3]

-1. Open the **Autoscale** blade in Azure Monitor and select a resource that you want to scale. (The following steps use an App Service plan associated with a web app. You can [create your first ASP.NET web app in Azure in 5 minutes.][4])

-1. Note that the current instance count is 1. Click **Enable autoscale**.

- ![Scale setting for new web app][5]

-1. Provide a name for the scale setting, and then click **Add a rule**. Notice the scale rule options that open as a context pane on the right side. By default, this sets the option to scale your instance count by 1 if the CPU percentage of the resource exceeds 70 percent. Leave it at its default values and click **Add**.

- ![Create scale setting for a web app][6]

- ![Scale based on CPU][8]

-> The same steps are applicable to get started with a virtual machine scale set or cloud service role.

-![Scale condition based on schedule][9]

-![Scale condition based on dates][10]

-![Run history][11]

-![Scale definition][12]

-### Disable Autoscale and manually scale your instances

-There might be times when you want to disable your current scale setting and manually scale your resource.

-Click the **Disable autoscale** button at the top.

-![Disable Autoscale][13]

-> [!NOTE]

-> This option disables your configuration. However, you can get back to it after you enable Autoscale again.

-You can now set the number of instances that you want to scale to manually.

-![Set manual scale][14]

-You can always return to Autoscale by clicking **Enable autoscale** and then **Save**.

-[2]: ./media/autoscale-get-started/azure-monitor-launch.png

-[3]: ./media/autoscale-get-started/discover-autoscale-azure-monitor.png

-[4]: ../../app-service/quickstart-dotnetcore.md

-[5]: ./media/autoscale-get-started/scale-setting-new-web-app.png

-[6]: ./media/autoscale-get-started/create-scale-setting-web-app.png

-[7]: ./media/autoscale-get-started/scale-in-recommendation.png

-[8]: ./media/autoscale-get-started/scale-based-on-cpu.png

-[9]: ./media/autoscale-get-started/scale-condition-schedule.png

-[10]: ./media/autoscale-get-started/scale-condition-dates.png

-[11]: ./media/autoscale-get-started/scale-history.png

-[12]: ./media/autoscale-get-started/scale-definition-json.png

-[13]: ./media/autoscale-get-started/disable-autoscale.png

-[14]: ./media/autoscale-get-started/set-manualscale.png

-* [Troubleshooting Virtual Machine Scale Sets Autoscale](../../virtual-machine-scale-sets/virtual-machine-scale-sets-troubleshoot.md)

-run the command `kubectl apply -f <configmap_yaml_file.yaml`.

-For an Azure Red Hat OpenShift v3.x cluster, run the command, `oc edit configmaps container-azm-ms-agentconfig -n openshift-azure-logging` to open the file in your default editor to modify and then save it.

-The configuration change can take a few minutes to finish before taking effect, and all omsagent pods in the cluster will restart. The restart is a rolling restart for all omsagent pods, not all restart at the same time. When the restarts are finished, a message is displayed that's similar to the following and includes the result: `configmap "container-azm-ms-agentconfig" updated`.

- az ad sp create-for-rbac --role Contributor --scopes /subscriptions/{subscription-id} --sdk-auth

-1. Select **Access Control (IAM)**.

-1. On the **Roles** tab, select **SignalR App Server**.

-1. Select **Access Control (IAM)**.

-1. On the **Roles** tab, select **SignalR App Server**.

-Certain hardware configurations such as Gen5 may use more than one type of processor (CPU), as described in [Compute resources (CPU and memory)](#compute-resources-cpu-and-memory). While a given database or elastic pool tends to stay on the hardware with the same CPU type for a long time (commonly for multiple months), there are certain events that can cause a database or pool to be moved to hardware that uses a different CPU type. For example, a database or pool can be moved if it's scaled up or down to a different service objective, or if the current infrastructure in a datacenter is approaching its capacity limits, or if the currently used hardware is being decommissioned due to its end of life.

-|Gen4 |- Intel&reg; E5-2673 v3 (Haswell) 2.4-GHz processors<br>- Provision up to 24 vCores (1 vCore = 1 physical core) |- 7 GB per vCore<br>- Provision up to 168 GB|

-|Gen5 |**Provisioned compute**<br>- Intel&reg; E5-2673 v4 (Broadwell) 2.3-GHz, Intel&reg; SP-8160 (Skylake)\*, and Intel&reg; 8272CL (Cascade Lake) 2.5 GHz\* processors<br>- Provision up to 80 vCores (1 vCore = 1 hyper-thread)<br><br>**Serverless compute**<br>- Intel&reg; E5-2673 v4 (Broadwell) 2.3-GHz and Intel&reg; SP-8160 (Skylake)* processors<br>- Auto-scale up to 40 vCores (1 vCore = 1 hyper-thread)|**Provisioned compute**<br>- 5.1 GB per vCore<br>- Provision up to 408 GB<br><br>**Serverless compute**<br>- Auto-scale up to 24 GB per vCore<br>- Auto-scale up to 120 GB max|

-|Fsv2-series |- Intel&reg; 8168 (Skylake) processors<br>- Featuring a sustained all core turbo clock speed of 3.4 GHz and a maximum single core turbo clock speed of 3.7 GHz.<br>- Provision up to 72 vCores (1 vCore = 1 hyper-thread)|- 1.9 GB per vCore<br>- Provision up to 136 GB|

-|M-series |- Intel&reg; E7-8890 v3 2.5 GHz and Intel&reg; 8280M 2.7 GHz (Cascade Lake) processors<br>- Provision up to 128 vCores (1 vCore = 1 hyper-thread)|- 29 GB per vCore<br>- Provision up to 3.7 TB|

-|DC-series | - Intel&reg; XEON E-2288G processors<br>- Featuring Intel Software Guard Extension (Intel SGX))<br>- Provision up to 8 vCores (1 vCore = 1 physical core) | 4.5 GB per vCore |

-\* In the [sys.dm_user_db_resource_governance](/sql/relational-databases/system-dynamic-management-views/sys-dm-user-db-resource-governor-azure-sql-database) dynamic management view, hardware generation for databases using Intel&reg; SP-8160 (Skylake) processors appears as Gen6, hardware generation for databases using Intel&reg; 8272CL (Cascade Lake) appears as Gen7 and hardware generation for databases using Intel Xeon&reg; Platinum 8307C (Ice Lake) appear as Gen8. For a given compute size and hardware configuration, resource limits are the same regardless of processor type (Broadwell, Skylake, or Cascade Lake).

-# Configure external identity source for vCenter

-Azure file shares backup is available in all regions, **except** for Germany Central (Sovereign), Germany Northeast (Sovereign), China East, China East 2, China North, China North 2, and US Gov Iowa.

- Note that Hourly backup frequency is in preview. To enroll your subscription for this feature, write to us at [askazurebackupteam@microsoft.com](mailto:askazurebackupteam@microsoft.com).

-Multiple Backups Per Day | Supported, using _Enhanced policy_ (in preview). To enroll your subscription for this feature, write to us at [askazurebackupteam@microsoft.com](mailto:askazurebackupteam@microsoft.com). <br><br> For hourly backup, the minimum RPO is 4 hours and the maximum is 24 hours. You can set the backup schedule to 4, 6, 8, 12, and 24 hours respectively. Learn about how to [back up an Azure VM using Enhanced policy](backup-azure-vms-enhanced-policy.md).

-| Prerequisites | None. |

-3. If setting up a virtual machine scale set, verify that the instances have been upgraded to the latest model.

-| **Max number of transactions per second (TPS) per Speech service resource** | | |

-| Real-time API. Prebuilt neural voices and custom neural voices. | 20 per 60 seconds | 200⁴ |

-| Adjustable | No⁴ | Yes⁴ |

-It's easy to make mistakes in the custom lexicon, so Microsoft provides a [validation tool for the custom lexicon](https://github.com/jiajzhan/Custom-Lexicon-Validation). It provides detailed error messages that help you find errors. Before you send SSML with the custom lexicon to the Speech service, check your custom lexicon with this tool.

-<math xmlns="http://www.w3.org/1998/Math/MathML"><msup><mi>a</mi><mn>2</mn></msup><mo>+</mo><msup><mi>b</mi><mn>2</mn></msup><mo>=</mo><msup><mi>c</mi><mn>2</mn></msup></math>

-The `xmlns` attribute in `<math xmlns="http://www.w3.org/1998/Math/MathML">` is optional.

-All elements from the [MathML 2.0](https://www.w3.org/TR/MathML2/) and [MathML 3.0](https://www.w3.org/TR/MathML3/) specifications are supported, except the MathML 3.0 [Elementary Math](https://www.w3.org/TR/MathML3/chapter3.html#presm.elementary) elements. The `semantics`, `annotation`, and `annotation-xml` elements don't output speech, so they are ignored.

-description: Automatically generate a secure, compliant tenant model (Custom Speech with Microsoft 365 data) that uses your Microsoft 365 data to deliver optimal speech recognition for organization-specific terms.

-# Tutorial: Create a tenant model (preview)

-Tenant Model (Custom Speech with Microsoft 365 data) is an opt-in service for Microsoft 365 enterprise customers that automatically generates a custom speech recognition model from your organization's Microsoft 365 data. The model is optimized for technical terms, jargon, and people's names, all in a secure and compliant way.

-> [!IMPORTANT]

-> If your organization enrolls by using the Tenant Model service, Speech Service may access your organizationΓÇÖs language model. The model is generated from Microsoft 365 public group emails and documents, which can be seen by anyone in your organization. Your organization's admin can turn on or turn off the use of the organization-wide language model from the admin portal.

-In this tutorial, you learn how to:

-> [!div class="checklist"]

-> * Enroll in the Tenant Model by using the Microsoft 365 admin center

-> * Get a Speech subscription key

-> * Create a tenant model

-> * Deploy a tenant model

-> * Use your tenant model with the Speech SDK

-## Enroll in the Tenant Model service

-Before you can deploy your tenant model, you need to be enrolled in the Tenant Model service. Enrollment is completed in the Microsoft 365 admin center and can be done only by your admin.

-1. Sign in to the [Microsoft 365 admin center](https://admin.microsoft.com).

-1. In the left pane, select **Settings**, then select **Settings** from the nested menu, then select **Azure Speech Services** from the main window.

- 

-1. Select the **Allow the organization-wide language model** check box, and then select **Save changes**.

- 

-To turn off the tenant model instance:

-1. Repeat the preceding steps 1 and 2.

-1. Clear the **Allow the organization-wide language model** check box, and then select **Save changes**.

-## Get a Speech subscription key

-To use your tenant model with the Speech SDK, you need a Speech resource and its associated subscription key.

-1. Sign in to the [Azure portal](https://aka.ms/azureportal).

-1. Select **Create a resource**.

-1. In the **Search** box, type **Speech**.

-1. In the results list, select **Speech**, and then select **Create**.

-1. Follow the onscreen instructions to create your resource. Make sure that:

- * **Location** is set to either **eastus** or **westus**.

- * **Pricing tier** is set to **S0**.

-1. Select **Create**.

- After a few minutes, your resource is created. The subscription key is available in the **Overview** section for your resource.

-## Create a language model

-After your admin has enabled Tenant Model for your organization, you can create a language model that's based on your Microsoft 365 data.

-1. Sign in to [Speech Studio](https://speech.microsoft.com/).

-1. At the top right, select **Settings** (gear icon), and then select **Tenant Model settings**.

- 

- Speech Studio displays a message that lets you know whether you're qualified to create a tenant model.

- > [!NOTE]

- > Enterprise customers in North America are eligible to create a tenant model (English). If you're a Customer Lockbox, Customer Key, or Office 365 Government customer, this feature isn't available. To determine whether you're a Customer Lockbox or Customer Key customer, see:

- > * [Customer Lockbox](/microsoft-365/compliance/customer-lockbox-requests)

- > * [Customer Key](/microsoft-365/compliance/customer-key-overview)

- > * [Office 365 Government](https://www.microsoft.com/microsoft-365/government)

-1. Select **Opt in**.

- When your tenant model is ready, you'll receive a confirmation email message with further instructions.

-## Deploy your tenant model

-When your tenant model instance is ready, deploy it by doing the following:

-1. In your confirmation email message, select the **View model** button. Or sign in to [Speech Studio](https://speech.microsoft.com/).

-1. At the top right, select **Settings** (gear icon), and then select **Tenant Model settings**.

- 

-1. Select **Deploy**.

- When your model has been deployed, the status changes to *Deployed*.

-## Use your tenant model with the Speech SDK

-Now that you've deployed your model, you can use it with the Speech SDK. In this section, you use sample code to call Speech Service by using Azure Active Directory (Azure AD) authentication.

-Let's look at the code you'll use to call the Speech SDK in C#. In this example, you perform speech recognition by using your tenant model. This guide presumes that your platform is already set up. If you need setup help, see [Quickstart: Recognize speech, C# (.NET Core)](./get-started-speech-to-text.md?pivots=programming-language-csharp&tabs=dotnetcore).

-Copy this code into your project:

-```csharp

-namespace PrincetonSROnly.FrontEnd.Samples

-{

- using System;

- using System.Collections.Generic;

- using System.IO;

- using System.Net.Http;

- using System.Text;

- using System.Text.RegularExpressions;

- using System.Threading.Tasks;

- using Microsoft.CognitiveServices.Speech;

- using Microsoft.CognitiveServices.Speech.Audio;

- using Microsoft.IdentityModel.Clients.ActiveDirectory;

- using Newtonsoft.Json.Linq;

- // ServiceApplicationId is a fixed value. No need to change it.

- public class TenantLMSample

- {

- private const string EndpointUriArgName = "EndpointUri";

- private const string SubscriptionKeyArgName = "SubscriptionKey";

- private const string UsernameArgName = "Username";

- private const string PasswordArgName = "Password";

- private const string ClientApplicationId = "f87bc118-1576-4097-93c9-dbf8f45ef0dd";

- private const string ServiceApplicationId = "18301695-f99d-4cae-9618-6901d4bdc7be";

- public static async Task ContinuousRecognitionWithTenantLMAsync(Uri endpointUri, string subscriptionKey, string audioDirPath, string username, string password)

- {

- var config = SpeechConfig.FromEndpoint(endpointUri, subscriptionKey);

- // Passing client specific information for obtaining LM

- if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password))

- {

- config.AuthorizationToken = await AcquireAuthTokenWithInteractiveLoginAsync().ConfigureAwait(false);

- }

- else

- {

- config.AuthorizationToken = await AcquireAuthTokenWithUsernamePasswordAsync(username, password).ConfigureAwait(false);

- }

- var stopRecognition = new TaskCompletionSource<int>();

- // Creates a speech recognizer using file as audio input.

- // Replace with your own audio file name.

- using (var audioInput = AudioConfig.FromWavFileInput(audioDirPath))

- {

- using (var recognizer = new SpeechRecognizer(config, audioInput))

- {

- // Subscribes to events

- recognizer.Recognizing += (s, e) =>

- {

- Console.WriteLine($"RECOGNIZING: Text={e.Result.Text}");

- };

- recognizer.Recognized += (s, e) =>

- {

- if (e.Result.Reason == ResultReason.RecognizedSpeech)

- {

- Console.WriteLine($"RECOGNIZED: Text={e.Result.Text}");

- }

- else if (e.Result.Reason == ResultReason.NoMatch)

- {

- Console.WriteLine($"NOMATCH: Speech could not be recognized.");

- }

- };

- recognizer.Canceled += (s, e) =>

- {

- Console.WriteLine($"CANCELED: Reason={e.Reason}");

- if (e.Reason == CancellationReason.Error)

- {

- Exception exp = new Exception(string.Format("Error Code: {0}\nError Details{1}\nIs your subscription information updated?", e.ErrorCode, e.ErrorDetails));

- throw exp;

- }

- stopRecognition.TrySetResult(0);

- };

- recognizer.SessionStarted += (s, e) =>

- {

- Console.WriteLine("\n Session started event.");

- };

- recognizer.SessionStopped += (s, e) =>

- {

- Console.WriteLine("\n Session stopped event.");

- Console.WriteLine("\nStop recognition.");

- stopRecognition.TrySetResult(0);

- };

- // Starts continuous recognition. Uses StopContinuousRecognitionAsync() to stop recognition.

- await recognizer.StartContinuousRecognitionAsync().ConfigureAwait(false);

- // Waits for completion.

- // Use Task.WaitAny to keep the task rooted.

- Task.WaitAny(new[] { stopRecognition.Task });

- // Stops recognition.

- await recognizer.StopContinuousRecognitionAsync().ConfigureAwait(false);

- }

- }

- }

- public static void Main(string[] args)

- {

- var arguments = new Dictionary<string, string>();

- string inputArgNamePattern = "--";

- Regex regex = new Regex(inputArgNamePattern);

- if (args.Length > 0)

- {

- foreach (var arg in args)

- {

- var userArgs = arg.Split("=");

- arguments[regex.Replace(userArgs[0], string.Empty)] = userArgs[1];

- }

- }

- var endpointString = arguments.GetValueOrDefault(EndpointUriArgName, $"wss://westus.online.princeton.customspeech.ai/msgraphcustomspeech/conversation/v1");

- var endpointUri = new Uri(endpointString);

- if (!arguments.ContainsKey(SubscriptionKeyArgName))

- {

- Exception exp = new Exception("Subscription Key missing! Please pass in a Cognitive services subscription Key using --SubscriptionKey=\"your_subscription_key\"" +

- "Find more information on creating a Cognitive services resource and accessing your Subscription key here: https://docs.microsoft.com/azure/cognitive-services/cognitive-services-apis-create-account?tabs=multiservice%2Cwindows");

- throw exp;

- }

- var subscriptionKey = arguments[SubscriptionKeyArgName];

- var username = arguments.GetValueOrDefault(UsernameArgName, null);

- var password = arguments.GetValueOrDefault(PasswordArgName, null);

- var audioDirPath = Path.Combine(Path.GetDirectoryName(System.Reflection.Assembly.GetExecutingAssembly().Location), "../../../AudioSamples/DictationBatman.wav");

- if (!File.Exists(audioDirPath))

- {

- Exception exp = new Exception(string.Format("Audio File does not exist at path: {0}", audioDirPath));

- throw exp;

- }

- ContinuousRecognitionWithTenantLMAsync(endpointUri, subscriptionKey, audioDirPath, username, password).GetAwaiter().GetResult();

- }

- private static async Task<string> AcquireAuthTokenWithUsernamePasswordAsync(string username, string password)

- {

- var tokenEndpoint = "https://login.microsoftonline.com/common/oauth2/token";

- var postBody = $"resource={ServiceApplicationId}&client_id={ClientApplicationId}&grant_type=password&username={username}&password={password}";

- var stringContent = new StringContent(postBody, Encoding.UTF8, "application/x-www-form-urlencoded");

- using (HttpClient httpClient = new HttpClient())

- {

- var response = await httpClient.PostAsync(tokenEndpoint, stringContent).ConfigureAwait(false);

- if (response.IsSuccessStatusCode)

- {

- var result = await response.Content.ReadAsStringAsync().ConfigureAwait(false);

- JObject jobject = JObject.Parse(result);

- return jobject["access_token"].Value<string>();

- }

- else

- {

- throw new Exception($"Requesting token from {tokenEndpoint} failed with status code {response.StatusCode}: {await response.Content.ReadAsStringAsync().ConfigureAwait(false)}");

- }

- }

- }

- private static async Task<string> AcquireAuthTokenWithInteractiveLoginAsync()

- {

- var authContext = new AuthenticationContext("https://login.windows.net/microsoft.onmicrosoft.com");

- var deviceCodeResult = await authContext.AcquireDeviceCodeAsync(ServiceApplicationId, ClientApplicationId).ConfigureAwait(false);

- Console.WriteLine(deviceCodeResult.Message);

- var authResult = await authContext.AcquireTokenByDeviceCodeAsync(deviceCodeResult).ConfigureAwait(false);

- return authResult.AccessToken;

- }

- }

-}

-```

-Next, you need to rebuild and run the project from the command line. Before you run the command, update a few parameters by doing the following:

-1. Replace `<Username>` and `<Password>` with the values for a valid tenant user.

-1. Replace `<Subscription-Key>` with the subscription key for your Speech resource. This value is available in the **Overview** section for your Speech resource in the [Azure portal](https://aka.ms/azureportal).

-1. Replace `<Endpoint-Uri>` with the following endpoint. Make sure that you replace `{your region}` with the region where your Speech resource was created. These regions are supported: `westus`, `westus2`, and `eastus`. Your region information is available in the **Overview** section of your Speech resource in the [Azure portal](https://aka.ms/azureportal).

- ```

- "wss://{your region}.online.princeton.customspeech.ai/msgraphcustomspeech/conversation/v1".

- ```

-1. Run the following command:

- ```bash

- dotnet TenantLMSample.dll --Username=<Username> --Password=<Password> --SubscriptionKey=<Subscription-Key> --EndpointUri=<Endpoint-Uri>

- ```

-In this tutorial, you've learned how to use Microsoft 365 data to create a custom speech recognition model, deploy it, and use it with the Speech SDK.

-## Next steps

-* [Speech Studio](https://speech.microsoft.com/)

-* [Speech SDK](speech-sdk.md)

-| Text Analytics for health | `2021-05-15` | `2021-05-15` | |

-Submit a **GET** request using the `{RESULT-URL}` you recieved from the previous step to view the results of the export job.

-This is te step where you make your trained model available form consumption via the [runtime API](https://aka.ms/clu-apis).

-* [Authoring REST API reference ](https://aka.ms/ct-authoring-swagger)

-> If you're using the REST API, see the [quickstart](../quickstart.md?pivots=rest-api#deploy-your-model) and REST API [reference documentation](https://westus2.dev.cognitive.microsoft.com/docs/services/language-authoring-clu-apis-2021-11-01-preview/operations/Deployments_TriggerDeploymentJob) for examples and more information.

-* [Authoring REST API reference ](https://aka.ms/ct-authoring-swagger)

-You can use the [REST APIs](https://aka.ms/ct-authoring-swagger) to build your custom models. Follow this [quickstart](quickstart.md?pivots=rest-api) to get started with creating a project and creating a model through APIs for examples of how to call the Authoring API.

-Custom text classification is a data processor for General Data Protection Regulation (GDPR) purposes. In compliance with GDPR policies, custom text classification users have full control to view, export, or delete any user content either through the [Language Studio](https://aka.ms/languageStudio) or programmatically by using [REST APIs](https://aka.ms/ct-authoring-swagger).

-To clone your project you need to use the export API to export the project assets and then import them into a new project. See [REST APIs](https://aka.ms/ct-authoring-swagger) reference for both operations.

-To deploy your model, go to your project in [Language Studio](https://aka.ms/custom-classification). You can also use the [REST API](https://westus2.dev.cognitive.microsoft.com/docs/services/language-authoring-apis-2021-11-01-preview/operations/Deployments_TriggerDeploymentJob).

-Submit a **GET** request using the `{RESULT-URL}` you recieved from the previous step to view the results of the export job.

-* [Authoring REST API reference ](https://aka.ms/ct-authoring-swagger)

-You can use the [REST APIs](https://aka.ms/ct-authoring-swagger) to build your custom models. Follow this [quickstart](quickstart.md?pivots=rest-api) to get started with creating a project and creating a model through APIs for examples of how to call the Authoring API.

-Custom NER is a data processor for General Data Protection Regulation (GDPR) purposes. In compliance with GDPR policies, Custom NER users have full control to view, export, or delete any user content either through the [Language Studio](https://aka.ms/languageStudio) or programmatically by using [REST APIs](https://aka.ms/ct-authoring-swagger).

-To clone your project you need to use the export API to export the project assets, and then import them into a new project. See the [REST API](https://aka.ms/ct-authoring-swagger) reference for both operations.

-description: In this quickstart, you will learn how to leverage UI Library Design Kit for Azure Communication Services to quickly design communication experiences using Figma.

-# Get started with UI Library Design Kit (Figma)

-Start by getting the [UI Library Design Kit](https://www.figma.com/community/file/1095841357293210472) from Figma.

-## Design faster

-A resource to help design user interfaces built on Azure Communication Services, the UI Library Design Kit includes components, composites, and UX guidance purpose-built to help bring your video calling and chat experiences to life faster.

-## UI Library components and composites

-The same components and composites offered in the UI Library are available in Figma so you can quickly begin designing and prototyping your calling and chat experiences.

-## Built on Fluent

-The UI Library Design Kit's components are based on MicrosoftΓÇÖs Fluent UI; so, theyΓÇÖre built with usability, accessibility, and localization in mind.

-## Next steps

->[Get the ACS UI Kit (Figma)](https://www.figma.com/community/file/1095841357293210472)

-1. On the **Roles** tab, select **DocumentDB Account Contributor**.

-#### Note

-Support for unique index on existing collections with data is available in preview. You can sign up for the feature ΓÇ£Azure Cosmos DB API for MongoDB New Unique Indexes in existing collectionΓÇ¥ through the [Preview Features blade in the portal](./../access-previews.md).

-On accounts that have continuous backup or synapse link enabled, unique indexes will need to be created while the collection is empty.

-* Assign a [public IP to your Azure VM](../../load-balancer/troubleshoot-outbound-connection.md#assignilpip).

-You may experience an issue or error in which a credit card is declined at Azure sign-up in the Microsoft Azure portal.

-## The credit card provider is not accepted for your country/region

->[!Note]

->American Express credit cards are not currently supported as a payment instrument in India. We have no time frame as to when it may be an accepted form of payment.

-## Your credit card information is outdated

-The following properties are supported for an SharePoint Online List linked service:

-1. Select **Access Control (IAM)**.

-1. On the **Roles** tab, select one of the roles listed in the role assignment table in the previous section.

-1. Select **Access Control (IAM)**.

-1. On the **Roles** tab, select one of the roles listed in the role assignment table in the previous section. For example, for a storage account, select Storage Blob Data Reader.

-description: Learn about Azure high availability and disaster recovery features as they pertain to Azure Digital Twins, which will help you build highly available Azure IoT solutions with disaster recovery capabilities.

-This article discusses the High Availability (HA) and Disaster Recovery (DR) features offered specifically by the Azure Digital Twins service. The article covers intra-region HA, cross region DR, monitoring service health, and best practices on HA/DR.

-A key area of consideration for resilient IoT solutions is business continuity and disaster recovery. Designing for HA and DR can help you define and achieve appropriate uptime goals for your solution.

-Azure Digital Twins supports these feature options:

-You can also see the [Best practices](#best-practices) section for general Azure guidance about designing for HA/DR.

-Azure Digital Twins provides *intra-region HA* by implementing redundancies within the service. This functionality is reflected in the [service SLA](https://azure.microsoft.com/support/legal/sla/digital-twins) for uptime. No additional work is required by the developers of an Azure Digital Twins solution to take advantage of these HA features. Although Azure Digital Twins offers a reasonably high uptime guarantee, transient failures can still be expected, as with any distributed computing platform. Appropriate retry policies should be built in to the components interacting with a cloud application to deal with transient failures.

-There could be some rare situations when a data center experiences extended outages because of power failures or other events in the region. Such events are rare, and during such failures, the intra region HA capability described above may not help. Azure Digital Twins addresses this scenario with Microsoft-initiated failover.

-*Microsoft-initiated failover* is exercised in rare situations to failover all the Azure Digital Twins instances from an affected region to the corresponding [geo-paired region](../availability-zones/cross-region-replication-azure.md). This process is a default option (with no way for users to opt out), and requires no intervention from the user. Microsoft reserves the right to make a determination of when this option will be exercised. This mechanism doesn't involve user consent before the user's instance is failed over.

->[!NOTE]

-> Some Azure services provide an additional option called *customer-initiated failover*, which enables customers to initiate a failover just for their instance, such as to run a DR drill. This mechanism is currently not supported by Azure Digital Twins.

-> Some Azure services provide an option for users to configure a different region for failover, as a way to meet data residency requirements. This capability is currently not supported by Azure Digital Twins.

-## Best practices

-For best practices on HA/DR, see the following Azure guidance on this topic:

-* The article [Design reliable Azure applications](/azure/architecture/framework/resiliency/app-design) describes a general framework to help you think about business continuity and disaster recovery.

-* The [Disaster recovery and high availability for Azure applications](/azure/architecture/framework/resiliency/backup-and-recovery) paper provides architecture guidance on strategies for Azure applications to achieve High Availability (HA) and Disaster Recovery (DR).

-Read more about getting started with Azure Digital Twins solutions:

-

-* [What is Azure Digital Twins?](overview.md)

-* [Get started with Azure Digital Twins Explorer](quickstart-azure-digital-twins-explorer.md)

-| **Phoenix** | [CyrusOne Chandler](https://cyrusone.com/locations/arizona/phoenix-arizona-chandler/) | US Gov Arizona | Supported | AT&T NetBond, CenturyLink Cloud Connect, Megaport |

- /usr/hdp/current/kafka-broker/bin/kafka-console-producer.sh --topic salesevents --broker-list $KAFKABROKERS --security-protocol SASL_PLAINTEXT

- /usr/hdp/current/kafka-broker/bin/kafka-console-consumer.sh --topic salesevents --from-beginning --bootstrap-server $KAFKABROKERS --security-protocol SASL_PLAINTEXT

-* [Connect to Azure HDInsight and run Apache Hive queries using Data Lake Tools for Visual Studio](apache-hadoop-visual-studio-tools-get-started.md).

-* If you need more help, you can submit a support request from the [Azure portal](https://portal.azure.com/?#blade/Microsoft_Azure_Support/HelpAndSupportBlade/). Select **Support** from the menu bar or open the **Help + support** hub. For more detailed information, review [How to create an Azure support request](../../azure-portal/supportability/how-to-create-azure-support-request.md). Access to Subscription Management and billing support is included with your Microsoft Azure subscription, and Technical Support is provided through one of the [Azure Support Plans](https://azure.microsoft.com/support/plans/).

-* Livy: `curl -u admin -G "http://10.0.0.11:8998/"`. In this example, `10.0.0.11` is the IP address of the headnode that hosts the Livy service.

-# "NativeAzureFileSystem...RequestBodyTooLarge" appear in Apache Spark streaming app log in HDInsight

-The error: `NativeAzureFileSystem ... RequestBodyTooLarge` appears in the driver log for an Apache Spark streaming app.

-Your Spark event log file is probably hitting the file length limit for WASB.

-There are three solutions available for this error:

-1. Select **Access Control (IAM)**.

-1. On the **Roles** tab, select the [Storage Blob Data Contributor](../../role-based-access-control/built-in-roles.md#storage-blob-data-contributor) role.

-1. Select **Access Control (IAM)**.

-1. On the **Roles** tab, select the [AcrPull](../../role-based-access-control/built-in-roles.md#acrpull) role.

-* Any static string. Dynamic values such as conditions, logic, operations, and functions are not allowed. For example, if you develop a SaaS application that is used by several customers, you can assign an identifier to each customer and make that identifier available in the application. When the application runs, IoT Hub will stamp the device telemetry messages with the customer's identifier, making it possible to process the messages differently for each customer.

-You can also add enrichments to messages that are being published to Event Grid by first creating an event grid subscription with the device telemetry message type. Based on this subscription, we will create a default route in Azure IoT Hub for the telemetry. This single route can handle all of your Event Grid subscriptions. You can then configure enrichments for the endpoint by using the **Enrich messages** tab of the IoT Hub **Message routing** section. For information about reacting to events by using Event Grid, see [Iot Hub and Event Grid](iot-hub-event-grid.md).

-| -- | --|

-| Portal | [Azure portal](https://portal.azure.com) See the [message enrichments tutorial](tutorial-message-enrichments.md) |

-* In some cases, if you're applying an enrichment with a value set to a tag or property in the device twin, the value will be stamped with the specified device twin path. For example, if an enrichment value is set to $twin.tags.field, the messages will be stamped with the string "$twin.tags.field", rather than the value of that field from the twin. This behavior happens in the following cases:

- * Your IoT hub is in the basic tier. Basic tier IoT hubs do not support device twins.

- * Your IoT hub is in the standard tier, but the device sending the message has no device twin.

- * Your IoT hub is in the standard tier, but the device twin path used for the value of the enrichment does not exist. For example, if the enrichment value is set to $twin.tags.location, and the device twin does not have a location property under tags, the message is stamped with the string "$twin.tags.location".

- * Your IoT hub is in the standard tier, but the device twin path used for the value of the enrichment resolves to an object, rather than a simple property. For example, if the enrichment value is set to $twin.tags.location, and the location property under tags is an object that contains child properties like `{"building": 43, "room": 503}`, the message is stamped with the string "$twin.tags.location".

-* Modules do not inherit twin tags from their corresponding devices. Enrichments for messages originating from device modules (for example from IoT Edge modules) must use the twin tags that are set on the module twin.

-Message enrichments are available for no additional charge. Currently, you are charged when you send a message to an IoT hub. You are only charged once for that message, even if the message goes to multiple endpoints.

-Use multiple IP addresses to plan for large-scale scenarios. Use outbound rules to mitigate [SNAT exhaustion](troubleshoot-outbound-connection.md#snatexhaust).

-description: Resolutions for common problems with outbound connectivity through the Azure Load Balancer.

-# <a name="obconnecttsg"></a> Troubleshooting outbound connections failures

-This article is intended to provide resolutions for common problems that can occur with outbound connections from an Azure Load Balancer. Most problems with outbound connectivity that customers experience are due to source network address translation (SNAT) port exhaustion and connection timeouts leading to dropped packets. This article provides steps for mitigating each of these issues.

-## Avoid SNAT

-The best way to avoid SNAT port exhaustion is to eliminate the need for SNAT in the first place, if possible. In some cases this might not be possible. For example, when connecting to public endpoints. However, in some cases this is possible and can be achieved by connecting privately to resources. If connecting to Azure services like Storage, SQL, Cosmos DB, or any other of the [Azure services listed here](../private-link/availability.md), leveraging Azure Private Link eliminates the need for SNAT. As a result, you will not risk a potential connectivity issue due to SNAT port exhaustion.

-Private Link Service is also supported by Snowflake, MongoDB, Confluent, Elastic and other such services.

-## <a name="snatexhaust"></a> Managing SNAT (PAT) port exhaustion

-[Ephemeral ports](load-balancer-outbound-connections.md) used for [PAT](load-balancer-outbound-connections.md) are an exhaustible resource, as described in [Standalone VM without a Public IP address](load-balancer-outbound-connections.md) and [Load-balanced VM without a Public IP address](load-balancer-outbound-connections.md). You can monitor your usage of ephemeral ports and compare with your current allocation to determine the risk of or to confirm SNAT exhaustion using [this](./load-balancer-standard-diagnostics.md#how-do-i-check-my-snat-port-usage-and-allocation) guide.

-If you know that you're initiating many outbound TCP or UDP connections to the same destination IP address and port, and you observe failing outbound connections or are advised by support that you're exhausting SNAT ports (preallocated [ephemeral ports](load-balancer-outbound-connections.md#preallocatedports) used by [PAT](load-balancer-outbound-connections.md)), you have several general mitigation options. Review these options and decide what is available and best for your scenario. It's possible that one or more can help manage this scenario.

-If you are having trouble understanding the outbound connection behavior, you can use IP stack statistics (netstat). Or it can be helpful to observe connection behaviors by using packet captures. You can perform these packet captures in the guest OS of your instance or use [Network Watcher for packet capture](../network-watcher/network-watcher-packet-capture-manage-portal.md).

-## <a name ="manualsnat"></a>Manually allocate SNAT ports to maximize SNAT ports per VM

-As defined in [preallocated ports](load-balancer-outbound-connections.md#preallocatedports), the load balancer will automatically allocate ports based on the number of VMs in the backend. By default, this is done conservatively to ensure scalability. If you know the maximum number of VMs you will have in the backend, you can manually allocate SNAT ports in each outbound rule. For example, if you know you will have a maximum of 10 VMs you can allocate 6,400 SNAT ports per VM rather than the default 1,024.

-## <a name="connectionreuse"></a>Modify the application to reuse connections

-You can reduce demand for ephemeral ports that are used for SNAT by reusing connections in your application. Connection reuse is especially relevant for protocols like HTTP/1.1, where connection reuse is the default. And other protocols that use HTTP as their transport (for example, REST) can benefit in turn.

-Reuse is always better than individual, atomic TCP connections for each request. Reuse results in more performant, very efficient TCP transactions.

-## <a name="connection pooling"></a>Modify the application to use connection pooling

-You can employ a connection pooling scheme in your application, where requests are internally distributed across a fixed set of connections (each reusing where possible). This scheme constrains the number of ephemeral ports in use and creates a more predictable environment. This scheme can also increase the throughput of requests by allowing multiple simultaneous operations when a single connection is blocking on the reply of an operation.

-Connection pooling might already exist within the framework that you're using to develop your application or the configuration settings for your application. You can combine connection pooling with connection reuse. Your multiple requests then consume a fixed, predictable number of ports to the same destination IP address and port. The requests also benefit from efficient use of TCP transactions reducing latency and resource utilization. UDP transactions can also benefit, because managing the number of UDP flows can in turn avoid exhaust conditions and manage the SNAT port utilization.

-## <a name="retry logic"></a>Modify the application to use less aggressive retry logic

-When [preallocated ephemeral ports](load-balancer-outbound-connections.md#preallocatedports) used for [PAT](load-balancer-outbound-connections.md) are exhausted or application failures occur, aggressive or brute force retries without decay and backoff logic cause exhaustion to occur or persist. You can reduce demand for ephemeral ports by using a less aggressive retry logic.

-Ephemeral ports have a 4-minute idle timeout (not adjustable). If the retries are too aggressive, the exhaustion has no opportunity to clear up on its own. Therefore, considering how--and how often--your application retries transactions is a critical part of the design.

-## <a name="assignilpip"></a>Assign a Public IP to each VM

-Assigning a Public IP address changes your scenario to [Public IP to a VM](load-balancer-outbound-connections.md). All ephemeral ports of the public IP that are used for each VM are available to the VM. (As opposed to scenarios where ephemeral ports of a public IP are shared with all the VMs associated with the respective backend pool.) There are trade-offs to consider, such as the additional cost of public IP addresses and the potential impact of filtering a large number of individual IP addresses.

->[!NOTE]

->This option is not available for web worker roles.

-## <a name="multifesnat"></a>Use multiple frontends

-When using public Standard Load Balancer, you assign [multiple frontend IP addresses for outbound connections](load-balancer-outbound-connections.md) and [multiply the number of SNAT ports available](load-balancer-outbound-connections.md#preallocatedports). Create a frontend IP configuration, rule, and backend pool to trigger the programming of SNAT to the public IP of the frontend. The rule does not need to function and a health probe does not need to succeed. If you do use multiple frontends for inbound as well (rather than just for outbound), you should use custom health probes well to ensure reliability.

->[!NOTE]

->In most cases, exhaustion of SNAT ports is a sign of bad design. Make sure you understand why you are exhausting ports before using more frontends to add SNAT ports. You may be masking a problem which can lead to failure later.

-## <a name="scaleout"></a>Scale out

-[Preallocated ports](load-balancer-outbound-connections.md#preallocatedports) are assigned based on the backend pool size and grouped into tiers to minimize disruption when some of the ports have to be reallocated to accommodate the next larger backend pool size tier. You may have an option to increase the SNAT port utilization for a given frontend by scaling your backend pool to the maximum size for a given tier. Keeping in mind the default port allocation is required for the application to scale out efficiently without risk SNAT exhaustion.

-For example, two virtual machines in the backend pool would have 1024 SNAT ports available per IP configuration, allowing a total of 2048 SNAT ports for the deployment. If the deployment were to be increased to 50 virtual machines, even though the number of preallocated ports remains constant per virtual machine, a total of 51,200 (50 x 1024) SNAT ports can be used by the deployment. If you wish to scale out your deployment, check the number of [preallocated ports](load-balancer-outbound-connections.md#preallocatedports) per tier to make sure you shape your scale-out to the maximum for the respective tier. In the preceding example, if you had chosen to scale out to 51 instead of 50 instances, you would progress to the next tier and end up with fewer SNAT ports per VM as well as in total.

-If you scale out to the next larger backend pool size tier, there is potential for some of your outbound connections to time out if allocated ports have to be reallocated. If you are only using some of your SNAT ports, scaling out across the next larger backend pool size is inconsequential. Half the existing ports will be reallocated each time you move to the next backend pool tier. If you don't want this to take place, you need to shape your deployment to the tier size. Or make sure your application can detect and retry as necessary. TCP keepalives can assist in detect when SNAT ports no longer function due to being reallocated.

-## <a name="idletimeout"></a>Use keepalives to reset the outbound idle timeout

-Outbound connections have a 4-minute idle timeout. This timeout is adjustable via [Outbound rules](outbound-rules.md). You can also use transport (for example, TCP keepalives) or application-layer keepalives to refresh an idle flow and reset this idle timeout if necessary.

-When using TCP keepalives, it is sufficient to enable them on one side of the connection. For example, it is sufficient to enable them on the server side only to reset the idle timer of the flow and it is not necessary for both sides to initiate TCP keepalives. Similar concepts exist for application layer, including database client-server configurations. Check the server side for what options exist for application-specific keepalives.

-## Next Steps

-We are always looking to improve the experience of our customers. If you are experiencing issues with outbound connectivity that are not listed or resolved by this article, submit feedback through GitHub via the bottom of this page and we will address your feedback as soon as possible.

-This article introduces a PowerShell script which creates a Standard Load Balancer with the same configuration as the Basic Load Balancer along with migrating traffic from Basic Load Balancer to Standard Load Balancer.

-An Azure PowerShell script is available that does the following:

- * **rgName: [String]: Required** ΓÇô This is the resource group for your existing Basic Load Balancer and new Standard Load Balancer. To find this string value, navigate to Azure portal, select your Basic Load Balancer source, and click the **Overview** for the load balancer. The Resource Group is located on that page.

- * **oldLBName: [String]: Required** ΓÇô This is the name of your existing Basic Balancer you want to upgrade.

- * **newlocation: [String]: Required** ΓÇô This is the location in which the Standard Load Balancer will be created. It is recommended to inherit the same location of the chosen Basic Load Balancer to the Standard Load Balancer for better association with other existing resources.

- * **newLBName: [String]: Required** ΓÇô This is the name for the Standard Load Balancer to be created.

-The curation process applies automated classification labels on the schema attributes based on the scan rule set configured. Sensitivity labels are applied if your Microsoft Purview account is connected to the Microsoft 365 Security and Compliance Center.

-The Microsoft Purview data map supports labeling structured and unstructured data stored across various data sources. Labeling data within the data map allows users to easily find data that matches predefined autolabeling rules that were configured in the Microsoft Purview compliance portal. The data map extends the use of sensitivity labels from Microsoft Purview Information Protection to assets stored in infrastructure cloud locations and structured data sources.

-## Microsoft Purview data map labeling best practices and considerations

- > Microsoft Purview Information Protection trainable classifiers aren't used by the Microsoft Purview data map.

-By using sensitivity labels with the Microsoft Purview data map, you can extend Microsoft Purview Information Protection beyond the border of your Microsoft data estate to your on-premises, hybrid cloud, multicloud, and software as a service (SaaS) scenarios.

- - Microsoft Information Protection (MIP) sensitivity labels can be automatically applied to your Azure assets in Microsoft Purview.

- - MIP sensitivity labels are created and managed in the Microsoft 365 Security and Compliance Center.

-After data sources are [registered](manage-data-sources.md) in your Microsoft Purview account, the next step is to scan the data sources. The scanning process establishes a connection to the data source and captures technical metadata like names, file size, columns, and so on. It also extracts schema for structured data sources, applies classifications on schemas, and [applies sensitivity labels if your Microsoft Purview account is connected to a Microsoft 365 Security and Compliance Center (SCC)](create-sensitivity-label.md). The scanning process can be triggered to run immediately or can be scheduled to run on a periodic basis to keep your Microsoft Purview account up to date.

-The self-service data access policy is only supported when the prerequisites mentioned in [data use governance](./how-to-enable-data-use-governance.md#prerequisites) are satisfied.

-Microsoft Purview Self-service data access workflow allows data consumer to request access to data when browsing or searching for data. Once the data access request is approved, a policy gets auto-generated to grant access to the requestor provided the data source is enabled for data use governance. Currently, self-service data access policy is supported for storage accounts, containers, folders, and files.

-A **workflow admin** will need to map a self-service data access workflow to a collection. Collection is logical grouping of data sources that are registered within Microsoft Purview. **Only data source(s) that are registered** for data use governance will have self-service policies auto-generated.

-* **Approver** is either security group or AAD users that can approve self-service access requests.

-A default self-service data access workflow template is provided with every Microsoft Purview account.The default template can be amended to add more approvers and/or set the approver's email address. For more details refer [Create and enable self-service data access workflow](./how-to-workflow-self-service-data-access-hybrid.md).

-Whenever a data consumer requests access to a dataset, the notification is sent to the workflow approver(s). The approver(s) can view the request and approve it either from Microsft Purview portal or from within the email notification. When the request is approved, a policy is auto-generated and applied against the respective data source. Self-service data access policy gets auto-generated only if the data source is registered for **data use governance**. The pre-requisites mentioned within the [data use governance](./how-to-enable-data-use-governance.md#prerequisites) have to be satisfied.

-# Labeling in the Microsoft Purview data map

-> Labeling in the Microsoft Purview data map is currently in PREVIEW. The [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-* **Label travels with the data:** The sensitivity labels created in Microsoft Purview Information Protection can also be extended to the Microsoft Purview data map, SharePoint, Teams, Power BI, and SQL. When you apply a label on an office document and then scan it into the Microsoft Purview data map, the label will be applied to the data asset. While the label is applied to the actual file in Microsoft Purview Information Protection, it's only added as metadata in the Microsoft Purview map. While there are differences in how a label is applied to an asset across various services/applications, labels travel with the data and is recognized by all the services you extend it to.

-* **Overview of your data estate:** Microsoft Purview provides insights into your data through pre-canned reports. When you scan data into the Microsoft Purview data map, we hydrate the reports with information on what assets you have, scan history, classifications found in your data, labels applied, glossary terms, etc.

-## How to apply labels to assets in the Microsoft Purview data map

-1. [Register and scan your asset](how-to-automatically-label-your-content.md#scan-your-data-to-apply-sensitivity-labels-automatically) in the Microsoft Purview data map.

-Sensitivity labels are supported in the Microsoft Purview data map for the following data sources:

-In addition to labeling for schematized data assets, the Microsoft Purview data map also supports labeling for SQL database columns using the SQL data classification in [SQL Server Management Studio (SSMS)](/sql/ssms/sql-server-management-studio-ssms). While Microsoft Purview uses the global [sensitivity labels](/microsoft-365/compliance/sensitivity-labels), SSMS only uses labels defined locally.

-Labeling in Microsoft Purview and labeling in SSMS are separate processes that don't currently interact with each other. Therefore, **labels applied in SSMS are not shown in Microsoft Purview, and vice versa**. We recommend Microsoft Purview for labeling SQL databases, as it uses global MIP labels that can be applied across multiple platforms.

-# How to automatically apply sensitivity labels to your data in the Microsoft Purview data map

-> Labeling in the Microsoft Purview data map is currently in PREVIEW. The [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-If you don't already have sensitivity labels, you'll need to create them and make them available for the Microsoft Purview data map. Existing sensitivity labels from Microsoft Purview Information Protection can also be modified to make them available to the data map.

-### Step 2: Consent to use sensitivity labels in the Microsoft Purview data map

-After you've extended labeling to assets in the Microsoft Purview data map, all published sensitivity labels are available for use in the data map.

- :::image type="content" source="media/how-to-automatically-label-your-content/create-sensitivity-label-full-small.png" alt-text="Create sensitivity labels in the Microsoft 365 compliance center" lightbox="media/how-to-automatically-label-your-content/create-sensitivity-label-full.png":::

- :::image type="content" source="media/how-to-automatically-label-your-content/create-label-scope-small.png" alt-text="Automatically label in the Microsoft 365 compliance center" lightbox="media/how-to-automatically-label-your-content/create-label-scope.png":::

-Once you create a label, you'll need to Scan your data in the Microsoft Purview data map to automatically apply the labels you've created, based on the autolabeling rules you've defined.

-For more information on how to set up scans on various assets in the Microsoft Purview data map, see:

-Find insights on your classified and labeled data in the Microsoft Purview data map use the **Classification** and **Sensitivity labeling** reports.

-In order to create and manage collections in Microsoft Purview, you will need to be a **Collection Admin** within Microsoft Purview. We can check these permissions in the [Microsoft Purview Studio](https://web.purview.azure.com/resource/). You can find Studio in the overview page of the Microsoft Purview account in [Azure portal](https://portal.azure.com).

- :::image type="content" source="./media/how-to-create-and-manage-collections/find-collections.png" alt-text="Screenshot of Microsoft Purview studio window, opened to the Data Map, with the Collections tab selected." border="true":::

- :::image type="content" source="./media/how-to-create-and-manage-collections/select-root-collection.png" alt-text="Screenshot of Microsoft Purview studio window, opened to the Data Map, with the root collection highlighted." border="true":::

- :::image type="content" source="./media/how-to-create-and-manage-collections/role-assignments.png" alt-text="Screenshot of Microsoft Purview studio window, opened to the Data Map, with the role assignments tab highlighted." border="true":::

- :::image type="content" source="./media/how-to-create-and-manage-collections/collection-admins.png" alt-text="Screenshot of Microsoft Purview studio window, opened to the Data Map, with the collection admin section highlighted." border="true":::

- :::image type="content" source="./media/how-to-create-and-manage-collections/find-collections.png" alt-text="Screenshot of Microsoft Purview studio window, opened to the Data Map, with the Collections tab selected and open." border="true":::

- :::image type="content" source="./media/how-to-create-and-manage-collections/select-add-a-collection.png" alt-text="Screenshot of Microsoft Purview studio window, showing the new collection window, with the 'Add a collection' button highlighted." border="true":::

- :::image type="content" source="./media/how-to-create-and-manage-collections/create-collection.png" alt-text="Screenshot of Microsoft Purview studio window, showing the new collection window, with a display name and collection admins selected, and the create button highlighted." border="true":::

- :::image type="content" source="./media/how-to-create-and-manage-collections/created-collection.png" alt-text="Screenshot of Microsoft Purview studio window, showing the newly created collection window." border="true":::

- :::image type="content" source="./media/how-to-create-and-manage-collections/edit-collection.png" alt-text="Screenshot of Microsoft Purview studio window, open to collection window, with the 'edit' button highlighted both in the selected collection window, and under the ellipsis button next to the name of the collection." border="true":::

- :::image type="content" source="./media/how-to-create-and-manage-collections/edit-description.png" alt-text="Screenshot of Microsoft Purview studio window with the edit collection window open, a description added to the collection, and the save button highlighted." border="true":::

- :::image type="content" source="./media/how-to-create-and-manage-collections/subcollection-menu.png" alt-text="Screenshot of Microsoft Purview studio collection window, with the button next to the collection name highlighted." border="true":::

- :::image type="content" source="./media/how-to-create-and-manage-collections/filter-collections.png" alt-text="Screenshot of Microsoft Purview studio collection window, with the filter above the collections highlighted." border="true":::

- :::image type="content" source="./media/how-to-create-and-manage-collections/refresh-collections.png" alt-text="Screenshot of Microsoft Purview studio collection window, with the button next to the Resource name selected, and the refresh button highlighted." border="true":::

- :::image type="content" source="./media/how-to-create-and-manage-collections/refresh-single-collection.png" alt-text="Screenshot of Microsoft Purview studio collection window, with the refresh button under the collection window highlighted." border="true":::

- :::image type="content" source="./media/how-to-create-and-manage-collections/delete-collections.png" alt-text="Screenshot of Microsoft Purview studio window to delete a collection" border="true":::

- :::image type="content" source="./media/how-to-create-and-manage-collections/delete-collection-confirmation.png" alt-text="Screenshot of Microsoft Purview studio window showing confirmation message to delete a collection" border="true":::

- :::image type="content" source="./media/how-to-create-and-manage-collections/select-role-assignments.png" alt-text="Screenshot of Microsoft Purview studio collection window, with the role assignments tab highlighted." border="true":::

- :::image type="content" source="./media/how-to-create-and-manage-collections/edit-role-assignments.png" alt-text="Screenshot of Microsoft Purview studio collection window, with the edit role assignments dropdown list selected." border="true":::

- :::image type="content" source="./media/how-to-create-and-manage-collections/search-user-permissions.png" alt-text="Screenshot of Microsoft Purview studio collection admin window with the search bar highlighted." border="true":::

- :::image type="content" source="./media/how-to-create-and-manage-collections/remove-role-assignment.png" alt-text="Screenshot of Microsoft Purview studio collection window, with the role assignments tab selected, and the x button beside one of the names highlighted." border="true":::

- :::image type="content" source="./media/how-to-create-and-manage-collections/restrict-access-inheritance.png" alt-text="Screenshot of Microsoft Purview studio collection window, with the role assignments tab selected, and the restrict inherited permissions slide button highlighted." border="true":::

- :::image type="content" source="./media/how-to-create-and-manage-collections/remove-restriction.png" alt-text="Screenshot of Microsoft Purview studio collection window, with the role assignments tab selected, and the unrestrict inherited permissions slide button highlighted." border="true":::

- :::image type="content" source="./media/how-to-create-and-manage-collections/register-by-collection.png" alt-text="Screenshot of the data map Microsoft Purview studio window with the register button highlighted both at the top of the page and under a collection."border="true":::

- :::image type="content" source="./media/how-to-create-and-manage-collections/see-registered-source.png" alt-text="Screenshot of the data map Microsoft Purview studio window with the newly added source card highlighted."border="true":::

- :::image type="content" source="./media/how-to-create-and-manage-collections/new-scan.png" alt-text="Screenshot of a source Microsoft Purview studio window with the new scan button highlighted."border="true":::

- :::image type="content" source="./media/how-to-create-and-manage-collections/source-under-collection.png" alt-text="Screenshot of the data map Microsoft Purview studio window with the newly added source card highlighted in the map."border="true":::

- :::image type="content" source="./media/how-to-create-and-manage-collections/collection-path.png" alt-text="Screenshot of Microsoft Purview studio asset window, with the collection path highlighted." border="true":::

- :::image type="content" source="./media/how-to-create-and-manage-collections/no-access.png" alt-text="Screenshot of Microsoft Purview studio asset window where the user has no permissions, and has no access to information or options." border="true":::

- :::image type="content" source="./media/how-to-create-and-manage-collections/hierarchy-permissions.png" alt-text="Screenshot of Microsoft Purview studio hierarchy window where the user has only read permissions, and has no access to options." border="true":::

- :::image type="content" source="./media/how-to-create-and-manage-collections/move-asset.png" alt-text="Screenshot of Microsoft Purview studio asset window with the collection path highlighted and the ellipsis button next to collection path selected." border="true":::

- :::image type="content" source="./media/how-to-create-and-manage-collections/move-select-collection.png" alt-text="Screenshot of Microsoft Purview studio pop-up window with the select a collection dropdown menu highlighted." border="true":::

-1. In Microsoft Purview, the search bar is located at the top of the Microsoft Purview studio UX.

- :::image type="content" source="./media/how-to-create-and-manage-collections/browse-by-collection.png" alt-text="Screenshot of the catalog Microsoft Purview studio window with the browse assets button highlighted." border="true":::

- :::image type="content" source="./media/how-to-create-and-manage-collections/by-collection-view.png" alt-text="Screenshot of the asset Microsoft Purview studio window with the by collection tab selected."border="true":::

- :::image type="content" source="./media/how-to-create-and-manage-collections/search-results-by-collection.png" alt-text="Screenshot of the catalog Microsoft Purview studio window with the by collection tab selected."border="true":::

- :::image type="content" source="./media/how-to-create-and-manage-collections/view-asset-details.png" alt-text="Screenshot of the catalog Microsoft Purview studio window with the by collection tab selected and asset check boxes highlighted."border="true":::

-[Policies](concept-data-owner-policies.md) allow you to enable access to data sources that have been registered for *Data use governance* in Microsoft Purview.

-### Register the subscription or resource group for data use governance

-After you've registered your resources, you'll need to enable data use governance. Data use governance affects the security of your data, as it delegates to certain users to manage access to data resources from within Microsoft Purview.

-To ensure you securely enable data use governance, and follow best practices, follow this guide to enable data use governance for your resource group or subscription:

-In the end, your resource will have the **Data use governance** toggle to **Enabled**, as shown in the picture:

-[Access policies](concept-data-owner-policies.md) allow you to enable access to data sources that have been registered for *Data use governance* in Microsoft Purview.

-### Register the data sources in Microsoft Purview for Data use governance

-After you've registered your resources, you'll need to enable *Data use governance*. Data use governance can affect the security of your data, as it delegates to certain Microsoft Purview roles to manage access to data sources that have been registered. Secure practices related to *Data use governance* are described in this guide:

-Once your data source has the **Data use governance** toggle **Enabled**, it will look like this picture:

-Access policies allow a data owner to delegate in Microsoft Purview access management to a data source. These policies can be authored directly in the Microsoft Purview studio, and after publishing, they get enforced by the data source. This tutorial describes how to create, update, and publish access policies in the Microsoft Purview studio.

-Before authoring data policies in Microsoft Purview Studio, you'll need to configure the data sources so that they can enforce those policies.

-1. [Enable the data use governance toggle on the data source](how-to-enable-data-use-governance.md#enable-data-use-governance). Additional permissions for this step are described in the linked document.

-1. Sign in to the [Microsoft Purview Studio](https://web.purview.azure.com/resource/).

-1. Sign in to the [Microsoft Purview Studio](https://web.purview.azure.com/resource/).

-1. Sign in to the [Microsoft Purview Studio](https://web.purview.azure.com/resource/).

-In a Microsoft Purview catalog, you can now [request access](how-to-request-access.md) to data assets. If policies are currently available for the data source type and the data source has [data use governance enabled](how-to-enable-data-use-governance.md), a self-service policy is generated when a data access request is approved.

-1. [Enable Data Use Governance](how-to-enable-data-use-governance.md) - this will allow Microsoft Purview to create policies for your sources.

-1. Open the Azure portal and launch the [Microsoft Purview Studio](https://web.purview.azure.com/resource/). The Microsoft Purview studio can be launched as shown below or by using the [url directly](https://web.purview.azure.com/resource/).

- :::image type="content" source="./media/how-to-delete-self-service-data-access-policy/Purview-Studio-launch-pic-1.png" alt-text="Screenshot showing a Microsoft Purview account open in the Azure portal, with the Microsoft Purview studio button highlighted.":::

- :::image type="content" source="./media/how-to-delete-self-service-data-access-policy/Purview-Studio-self-service-tab-pic-2.png" alt-text="Screenshot of the Microsoft Purview studio with the leftmost menu open, and the Data policy page option highlighted.":::

- :::image type="content" source="./media/how-to-delete-self-service-data-access-policy/Purview-Studio-self-service-tab-pic-3.png" alt-text="Screenshot of the Microsoft Purview studio open to the Data policy page with self-service access policies highlighted.":::

-1. Go to your Microsoft Purview account -> open **Microsoft Purview Studio** -> **Data map** -> **Monitoring**.

- :::image type="content" source="./media/how-to-request-access/search-or-browse.png" alt-text="Screenshot of the Microsoft Purview studio, with the search bar and browse buttons highlighted.":::

-The search bar can be quickly accessed from the top bar of the Microsoft Purview Studio UX. In the data catalog home page, the search bar is in the center of the screen.

-In a Microsoft Purview catalog, you can now [request access](how-to-request-access.md) to data assets. If policies are currently available for the data source type and the data source has [data use governance enabled](how-to-enable-data-use-governance.md), a self-service policy is generated when a data access request is approved.

-1. [Enable Data Use Governance](how-to-enable-data-use-governance.md) - this will allow Microsoft Purview to create policies for your sources.

-1. Open the Azure portal and launch the [Microsoft Purview Studio](https://web.purview.azure.com/resource/). The Microsoft Purview studio can be launched as shown below or by using the [url directly](https://web.purview.azure.com/resource/).

- :::image type="content" source="./media/how-to-view-self-service-data-access-policy/Purview-Studio-launch-pic-1.png" alt-text="Screenshot showing a Microsoft Purview account open in the Azure portal, with the Microsoft Purview studio button highlighted.":::

- :::image type="content" source="./media/how-to-view-self-service-data-access-policy/Purview-Studio-self-service-tab-pic-2.png" alt-text="Screenshot of the Microsoft Purview studio with the leftmost menu open, and the Data policy page option highlighted.":::

- :::image type="content" source="./media/how-to-view-self-service-data-access-policy/Purview-Studio-self-service-tab-pic-3.png" alt-text="Screenshot of the Microsoft Purview studio open to the Data policy page with self-service access policies highlighted.":::

-1. Provide a suitable **Name** for the data source, select the relevant **Azure subscription**, existing **Data Lake Store account name** and the **collection** and select **Apply**. Leave the **Data use governance** toggle on the **disabled** position until you have a chance to carefully go over this [document](./how-to-access-policies-storage.md).

-### Enable data use governance

-Data use governance is an option on your Microsoft Purview sources that will allow you to manage access for that source from within Microsoft Purview.

-To enable data use governance, follow [the data use governance guide](how-to-enable-data-use-governance.md#enable-data-use-governance).

-1. Provide a suitable **Name** for the data source, select the relevant **Azure subscription**, existing **Azure Blob Storage account name** and the **collection** and select **Apply**. Leave the **Data use governance** toggle on the **disabled** position until you have a chance to carefully go over this [document](./how-to-access-policies-storage.md).

-### Enable data use governance

-Data use governance is an option on your Microsoft Purview sources that will allow you to manage access for that source from within Microsoft Purview.

-To enable data use governance, follow [the data use governance guide](how-to-enable-data-use-governance.md#enable-data-use-governance).

-1. [Allow Azure connections through the firewall](#allow-azure-connections).

-1. [Install a Self-Hosted Integration Runtime and give it access through the firewall](#self-hosted-integration-runtime).

-1. Check your database server networking configuration to confirm that there is a private endpoint accessible to the SHIR machine. Add the IP of the machine if it doesn't already have access.

-The following options are supported:

-* **SQL Authentication**

-* **System-assigned managed identity** - As soon as the Microsoft Purview account is created, a system-assigned managed identity (SAMI) is created automatically in Azure AD tenant, and has the same name as your Microsoft Purview account. Depending on the type of resource, specific RBAC role assignments are required for the Microsoft Purview SAMI to be able to scan.

-* **User-assigned managed identity** (preview) - Similar to a SAMI, a user-assigned managed identity (UAMI) is a credential resource that can be used to allow Microsoft Purview to authenticate against Azure Active Directory. Depending on the type of resource, specific RBAC role assignments are required when using a UAMI credential to run scans.

-* **Service Principal**- In this method, you can create a new or use an existing service principal in your Azure Active Directory tenant.

->[!IMPORTANT]

-> If you are using a [self-hosted integration runtime](manage-integration-runtimes.md) to connect to your resource, system-assigned and user-assigned managed identities will not work. You need to use SQL Authentication or Service Principal Authentication.

-Select your method of authentication from the tabs below for steps to authenticate with your Azure SQL Database.

-* You'll need to be a Data Source Administrator and Data Reader to register a source and manage it in the Microsoft Purview Studio. See our [Microsoft Purview Permissions page](catalog-permissions.md) for details.

-This section describes how to register Cassandra in Microsoft Purview using the [Microsoft Purview Studio](https://web.purview.azure.com/).

-* You'll need to be a Data Source Administrator and Data Reader to register a source and manage it in the Microsoft Purview Studio. See [Microsoft Purview Permissions page](catalog-permissions.md) for details.

-This section describes how to register Db2 in Microsoft Purview using the [Microsoft Purview Studio](https://web.purview.azure.com/).

-1. Navigate to your Microsoft Purview account in the [Microsoft Purview Studio](https://web.purview.azure.com/resource/).

- * Its fully qualified JDBC connection string. For example:

- ```

- jdbc:db2://COMPUTER_NAME_OR_IP:PORT/DATABASE_NAME

- ```

-* You'll need to be a Data Source Administrator and Data Reader to register a source and manage it in the Microsoft Purview Studio. See our [Microsoft Purview Permissions page](catalog-permissions.md) for details.

-This section describes how to register erwin Mart servers in Microsoft Purview using the [Microsoft Purview Studio](https://web.purview.azure.com/).

-1. Navigate to your Microsoft Purview account in the [Microsoft Purview Studio](https://web.purview.azure.com/).

-* You'll need to be a Data Source Administrator and Data Reader to register a source and manage it in the Microsoft Purview Studio. See our [Microsoft Purview Permissions page](catalog-permissions.md) for details.

-This section describes how to register a Google BigQuery project in Microsoft Purview using the [Microsoft Purview Studio](https://web.purview.azure.com/).

-* You need Data Source Administrator and Data Reader permissions to register a source and manage it in Microsoft Purview Studio. For more information about permissions, see [Access control in Microsoft Purview](catalog-permissions.md).

-This section describes how to register a Hive Metastore database in Microsoft Purview by using [Microsoft Purview Studio](https://web.purview.azure.com/).

-* You'll need to be a Data Source Administrator and Data Reader to register a source and manage it in the Microsoft Purview Studio. See our [Microsoft Purview Permissions page](catalog-permissions.md) for details.

-This section describes how to register Looker in Microsoft Purview using the [Microsoft Purview Studio](https://web.purview.azure.com/).

-* You need to be a Data Source Administrator and Data Reader to register a source and manage it in the Microsoft Purview Studio. See our [Microsoft Purview Permissions page](catalog-permissions.md) for details.

-This section describes how to register MongoDB in Microsoft Purview using the [Microsoft Purview Studio](https://web.purview.azure.com/).

-1. Navigate to your Microsoft Purview account in the [Microsoft Purview Studio](https://web.purview.azure.com/resource/).

-* You'll need to be a Data Source Administrator and Data Reader to register a source and manage it in the Microsoft Purview Studio. See [Microsoft Purview Permissions page](catalog-permissions.md) for details.

-This section describes how to register MySQL in Microsoft Purview using the [Microsoft Purview Studio](https://web.purview.azure.com/).

-1. Navigate to your Microsoft Purview account in the [Microsoft Purview Studio](https://web.purview.azure.com/resource/).

- * Its fully qualified JDBC connection string. For example:

- ```

- jdbc:mysql://COMPUTER_NAME_OR_IP/DATABASE_NAME

- ```

-* You will need to be a Data Source Administrator and Data Reader to register a source and manage it in the Microsoft Purview Studio. See our [Microsoft Purview Permissions page](catalog-permissions.md) for details.

-This section describes how to register an on-premises SQL server instance in Microsoft Purview using the [Microsoft Purview Studio](https://web.purview.azure.com/).

-1. Select the **Data Map** tab on the left pane in the [Microsoft Purview Studio](https://web.purview.azure.com/resource/).

-* You'll need to be a Data Source Administrator and Data Reader to register a source and manage it in the Microsoft Purview Studio. See our [Microsoft Purview Permissions page](catalog-permissions.md) for details.

-This section describes how to register Oracle in Microsoft Purview using the [Microsoft Purview Studio](https://web.purview.azure.com/).

-1. Navigate to your Microsoft Purview account in the [Microsoft Purview Studio](https://web.purview.azure.com/resource/).

- * Its fully qualified JDBC connection string. For example:

- ```

- jdbc:oracle:thin:@(DESCRIPTION=(LOAD_BALANCE=on)(ADDRESS=(PROTOCOL=TCP)(HOST=oracleserver1)(PORT=1521))(ADDRESS=(PROTOCOL=TCP)(HOST=oracleserver2)(PORT=1521))(ADDRESS=(PROTOCOL=TCP)(HOST=oracleserver3)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=orcl)))

- ```

-* You'll need to be a Data Source Administrator and Data Reader to register a source and manage it in the Microsoft Purview Studio. See our [Microsoft Purview Permissions page](catalog-permissions.md) for details.

-This section describes how to register PostgreSQL in Microsoft Purview using the [Microsoft Purview Studio](https://web.purview.azure.com/).

-1. Navigate to your Microsoft Purview account in the [Microsoft Purview Studio](https://web.purview.azure.com/resource/).

- * Its fully qualified JDBC connection string. For example:

- ```

- jdbc:postgresql://COMPUTER_NAME_OR_IP:PORT/DATABASE_NAME

- ```

-1. In the Microsoft Purview Studio, navigate to the **Data map** in the left menu.

-8. In the Microsoft Purview Studio, navigate to the **Data map** in the left menu.

-12. In the Microsoft Purview Studio, navigate to the **Data map** in the left menu. Navigate to **Sources**.

-1. Enter the **Host** name to connect to a Teradata source. It can also be an IP address or a fully qualified connection string to the server.

-description: This how-to guide describes how to view and use Microsoft Purview Sensitivity label reporting on your data.

-> Microsoft Purview Sensitivity Label Insights are currently in PREVIEW. The [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-Before getting started with Microsoft Purview insights, make sure that you've completed the following steps:

-## Use Microsoft Purview Sensitivity labeling insights

-In Microsoft Purview, classifications are similar to subject tags, and are used to mark and identify data of a specific type that's found within your data estate during scanning.

-Microsoft Purview uses the same classifications, also known as [sensitive information types](/microsoft-365/compliance/sensitive-information-type-entity-definitions), as Microsoft 365. This enables you to extend your existing sensitivity labels across your Microsoft Purview assets.

- > If this report is empty, you may not have extended your sensitivity labels to Microsoft Purview. For more information, see [Automatically label your data in Microsoft Purview](create-sensitivity-label.md).

-## Sensitivity label integration with Microsoft 365 compliance

-Close integration with [Microsoft Information Protection](/microsoft-365/compliance/information-protection) offered in Microsoft 365 means that Microsoft Purview enables direct ways to extend visibility into your data estate, and classify and label your data.

-For your Microsoft 365 sensitivity labels to be extended to your assets in Microsoft Purview, you must actively turn on Information Protection for Microsoft Purview, in the Microsoft 365 compliance center.

-For more information, see [Automatically label your data in Microsoft Purview](create-sensitivity-label.md).

-|3 |Define whether you plan to deploy a Microsoft Purview with managed Event Hub | N/A |A managed Event Hub is created as part of Microsoft Purview account creation, see Microsoft Purview account creation. You can publish messages to the Event Hub kafka topic ATLAS_HOOK and Microsoft Purview will consume and process it. Microsoft Purview will notify entity changes to Event Hub kafka topic ATLAS_ENTITIES and user can consume and process it. |

-|5 |Update Azure Policy to allow deployment of the following resources in your Azure subscription: <ul><li>Microsoft Purview</li><li>Azure Storage</li><li>Azure Event Hub (optional)</li></ul> |*Subscription Owner* |Use this step if an existing Azure Policy prevents deploying such Azure resources. If a blocking policy exists and needs to remain in place, please follow our [Microsoft Purview exception tag guide](create-azure-purview-portal-faq.md) and follow the steps to create an exception for Microsoft Purview accounts. |

-|16 |Grant Azure RBAC **Reader** role to **Microsoft Purview MSI** at data sources' Subscriptions |*Subscription owner* or *User Access Administrator* |Use this step if you're planning to register [multiple](register-scan-azure-multiple-sources.md) or **any** of the following data sources: <ul><li>[Azure Blob Storage](register-scan-azure-blob-storage-source.md)</li><li>[Azure Data Lake Storage Gen1](register-scan-adls-gen1.md)</li><li>[Azure Data Lake Storage Gen2](register-scan-adls-gen2.md)</li><li>[Azure SQL Database](register-scan-azure-sql-database.md)</li><li>[Azure SQL Database Managed Instance](register-scan-azure-sql-database-managed-instance.md)</li><li>[Azure Synapse Analytics](register-scan-synapse-workspace.md)</li></ul> |

-|19 |Enable **Azure Active Directory Authentication** on **Azure SQL Servers**, **Azure SQL Database Managed Instance** and **Azure Synapse Analytics** |Azure SQL Server Contributor |Use this step if you have **Azure SQL DB** or **Azure SQL Database Managed Instance** or **Azure Synapse Analytics** as data source. **Skip** this step if you are using **Private Endpoint** to connect to data sources. |

-|20 |Grant **Microsoft Purview MSI** account with **db_datareader** role to Azure SQL databases and Azure SQL Database Managed Instance databases |Azure SQL Administrator |Use this step if you have **Azure SQL DB** or **Azure SQL Database Managed Instance** as data source. **Skip** this step if you are using **Private Endpoint** to connect to data sources. |

-|32 |Verify if you have at least one **Microsoft 365 required license** in your Azure Active Directory tenant to use sensitivity labels in Microsoft Purview. |Azure Active Directory *Global Reader* |Perform this step if you're planning in extending **Sensitivity Labels from Microsoft 365 to Microsoft Purview** <br> For more information, see [licensing requirements to use sensitivity labels on files and database columns in Microsoft Purview](sensitivity-labels-frequently-asked-questions.yml) |

-|33 |Consent "**Extend labeling to assets in Microsoft Purview**" |Compliance Administrator <br> Azure Information Protection Administrator |Use this step if you are interested in extending Sensitivity Labels from Microsoft 365 to Microsoft Purview. <br> Use this step if you are interested in extending **Sensitivity Labels** from Microsoft 365 to Microsoft Purview. |

-> * Register your Azure Storage resource for data use governance

-### Register the data sources in Microsoft Purview for data use governance

-Your Azure Storage account needs to be registered in Microsoft Purview to later define access policies, and during registration we'll enable data use governance. **Data use governance** is an available feature in Microsoft Purview that allows users to manage access to a resource from within Microsoft Purview. This allows you to centralize data discovery and access management, however it's a feature that directly impacts your data security.

-> Before enabling data use governance for any of your resources, read through our [**data use governance article**](how-to-enable-data-use-governance.md).

-> This article includes data use governance best practices to help you ensure that your information is secure.

-To register your resource and enable data use governance, follow these steps:

- 1. Set the *Data use governance* toggle to **Enabled**, as shown in the image below.

- :::image type="content" source="./media/tutorial-data-owner-policies-storage/register-data-source-for-policy-storage.png" alt-text="Screenshot that shows Data use governance toggle set to active on the registered resource page.":::

- >If the data use governance toggle is greyed out and unable to be selected:

- > 1. Confirm you have followed all prerequisites to enable Data use governance across your resources.

- > 1. It may be that this resource is already registered in another Microsoft Purview account. Hover over it to know the name of the Microsoft Purview account that has registered the data resource.first. Only one Microsoft Purview account can register a resource for data use governance at at time.

- 1. Select **Register** to register the resource group or subscription with Microsoft Purview with data use governance enabled.

-> For more information about data use governance, including best practices or known issues, see our [data use governance article](how-to-enable-data-use-governance.md).

-As a rule, if you're using multiple Azure services, putting all of them in the same region minimizes or voids bandwidth charges. There are no charges for outbound data when services are in the same region.

-1. On the **Roles** tab, select the appropriate **Reader** role.

-For example, you might want to augment a read-only role to include listing the indexes on the search service (Microsoft.Search/searchServices/indexes/read), or create a role that can fully manage indexes, including the ability to create indexes and read data.

-The PowerShell example shows the JSON syntax for creating a custom role.

-### [**Azure portal**](#tab/custom-role-portal)

-1. Review the [list of atomic permissions](../role-based-access-control/resource-provider-operations.md#microsoftsearch) to determine which ones you need.

-1. See [Create or update Azure custom roles using the Azure portal](../role-based-access-control/custom-roles-portal.md) for steps.

-1. Clone or create a role, or use JSON to specify the custom role (see the PowerShell tab for JSON syntax).

-> - [Red Button](https://www.red-button.net/): Work with a dedicated team of experts to simulate real-world DDoS attack scenarios in a controlled environment.

-> To learn more about the BreakingPoint Cloud simulation, see [testing with simulation partners](../../ddos-protection/test-through-simulations.md).

-3. Once the application and services have stopped, the *operator* can unprovision the application type using the [**UnprovisionApplicationAsync** method](/dotnet/api/system.fabric.fabricclient.applicationmanagementclient), the [**Unregister-ServiceFabricApplicationType** cmdlet](/powershell/module/servicefabric/unregister-servicefabricapplicationtype), or the [**Unprovision an Application** REST operation](/rest/api/servicefabric/unprovision-an-application). Unprovisioning the application type does not remove the application package from the ImageStore. You must remove the application package manually.

-In **Connection Endpoint**, select the endpoint for the cluster you created in the previous step. For example, "mytestcluster.southcentral.cloudapp.azure.com:19000". If you select **Advanced Connection Parameters**, the certificate information should be auto-filled.

-Once the application is deployed, open a browser and enter the cluster address followed by **:8080**. Or enter another port if one is configured. An example is `http://mytestcluster.southcentral.cloudapp.azure.com:8080`. You see the application running in the cluster in Azure. In the voting web page, try adding and deleting voting options and voting for one or more of these options.

-1. On the **Roles** tab, select one of the roles listed in the beginning of this section.

-Azure shared disks | Not supported

-1. On the **Roles** tab, select one of the roles listed in the beginning of this section.

-Immutable storage for Azure Blob storage supports two types of immutability policies:

-> Immutable storage for Azure Blob storage in accounts that have the hierarchical namespace feature enabled is currently in PREVIEW. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-There is no additional capacity charge for using immutable storage. Immutable data is priced in the same way as mutable data. For pricing details on Azure Blob storage, see the [Azure Storage pricing page](https://azure.microsoft.com/pricing/details/storage/blobs/).

-Are you a storage partner but your solution is not listed yet? Send us your info [here](https://forms.office.com/pages/responsepage.aspx?id=v4j5cvGGr0GRqy180BHbR3i8TQB_XnRAsV3-7XmQFpFUQjY4QlJYUzFHQ0ZBVDNYWERaUlNRVU5IMyQlQCN0PWcu).

-2. Fill out the Stream Analytics Input Configurations. Choose the database name, server name, username and password. If you want your reference data input to refresh periodically, choose ΓÇ£OnΓÇ¥ to specify the refresh rate in DD:HH:MM. If you have large data sets with a short refresh rate, you can use a [delta query](sql-reference-data.md#delta-query).

-workspaces/read|Synapse Administrator</br>Synapse Apache Spark Administrator</br>Synapse SQL Administrator</br>Synapse Contributor</br>Synapse Artifact Publisher</br>Synapse Artifact User</br>Synapse Compute Operator </br>Synapse Credential User</br>Synapse Linked Data Manager</br>Synapse User

-workspaces/bigDataPools/useCompute/action|Synapse Administrator</br>Synapse Apache Spark Administrator</br>Synapse Contributor</br>Synapse Compute Operator

-workspaces/integrationRuntimes/useCompute/action|Synapse Administrator</br>Synapse Contributor</br>Synapse Compute Operator

-workspaces/integrationRuntimes/viewLogs/action|Synapse Administrator</br>Synapse Contributor</br>Synapse Compute Operator

-Workspace |Synapse Administrator</br>Synapse Apache Spark Administrator</br>Synapse SQL Administrator</br>Synapse Contributor</br>Synapse Artifact Publisher</br>Synapse Artifact User</br>Synapse Compute Operator </br>Synapse Credential User</br>Synapse Linked Data Manager</br>Synapse User

-View the logs for notebook and job execution |Synapse Compute Operator|

-List and open a published notebook or job definition, including reviewing saved outputs|Synapse Artifact User, Synapse Artifact Publisher, Synapse Contributor on the workspace|artifacts/read

-Monitor Integration runtime status|Synapse Compute Operator|read, integrationRuntimes/viewLogs

-Review pipeline runs|Synapse Artifact Publisher/Synapse Contributor|read, pipelines/viewOutputs

-List and open a published pipeline |Synapse Artifact User | artifacts/read

-[10]: ./media/traffic-manager-nested-profiles/figure-10.png

-| STUN Access | VM Subnet | 3478 | UDP | 13.107.17.41/24, 13.107.64.0/18, 20.202.0.0/16, 52.112.0.0/14, 52.120.0.0/14 | Allow |

-| STUN Access | Client network | 3478 | UDP | 13.107.17.41/24, 13.107.64.0/18, 20.202.0.0/16, 52.112.0.0/14, 52.120.0.0/14 | Allow |

-In this section, we will discuss the common performance indicators in the context of Premium Storage. In the following section, Gathering Application Requirements, you will learn how to measure these performance indicators for your application. Later in Optimizing Application Performance, you will learn about the factors affecting these performance indicators and recommendations to optimize them.

-IOPS, or Input/output Operations Per Second, is the number of requests that your application is sending to the storage disks in one second. An input/output operation could be read or write, sequential, or random. Online Transaction Processing (OLTP) applications like an online retail website need to process many concurrent user requests immediately. The user requests are insert and update intensive database transactions, which the application must process quickly. Therefore, OLTP applications require very high IOPS. Such applications handle millions of small and random IO requests. If you have such an application, you must design the application infrastructure to optimize for IOPS. In the later section, *Optimizing Application Performance*, we discuss in detail all the factors that you must consider to get high IOPS.

-Therefore, it is important to determine the optimal throughput and IOPS values that your application requires. As you try to optimize one, the other also gets affected. In a later section, *Optimizing Application Performance*, we will discuss in more details about optimizing IOPS and Throughput.

-Latency is the time it takes an application to receive a single request, send it to the storage disks and send the response to the client. This is a critical measure of an application's performance in addition to IOPS and Throughput. The Latency of a premium storage disk is the time it takes to retrieve the information for a request and communicate it back to your application. Premium Storage provides consistent low latencies. Premium Disks are designed to provide single-digit millisecond latencies for most IO operations. If you enable ReadOnly host caching on premium storage disks, you can get much lower read latency. We will discuss Disk Caching in more detail in later section on *Optimizing Application Performance*.

-If you have an existing application and want to move to Premium Storage, first build the checklist above for the existing application. Then, build a prototype of your application on Premium Storage and design the application based on guidelines described in *Optimizing Application Performance* in a later section of this document. The next article describes the tools you can use to gather the performance measurements.

-Deploy a virtual machine from a snapshot. Create a managed disk from a snapshot and then attach the new managed disk as the OS disk.

-* Access to Azure-hosted RHUI is limited to the VMs within the [Azure datacenter IP ranges](https://www.microsoft.com/download/details.aspx?id=41653). If you're proxying all VM traffic via an on-premises network infrastructure, you might need to set up user-defined routes for the RHEL PAYG VMs to access the Azure RHUI. If that is the case, user-defined routes will need to be added for _all_ RHUI IP addresses.

-1. Access to Azure-hosted RHUI is limited to VMs within the [Azure datacenter IP ranges](https://www.microsoft.com/download/details.aspx?id=41653).

-The Virtual WAN team has been working on upgrading virtual routers from their current Cloud Services infrastructure to Virtual Machine Scale Sets (VMSS) based deployments. This will enable the virtual hub router to now be availability zone aware and have enhanced scaling out capabilities during high CPU usage. If you navigate to your Virtual WAN hub resource and see this message and button, then you can upgrade your router to the latest version by clicking on the button. The Cloud Services infrastructure will be deprecated soon. If you would like to take advantage of new Virtual WAN features, such as [BGP peering with the hub](create-bgp-peering-hub-portal.md), you'll have to update your virtual hub router using the Azure portal.

-description: In this tutorial, learn how to create, deploy, and manage an Azure VPN gateway using the portal.

-#Customer intent: I want to create a VPN gateway for my virtual network so that I can connect to my VNet and communicate with resources remotely.

-# Tutorial: Create and manage a VPN gateway using Azure portal

-Azure VPN gateways provide cross-premises connectivity between customer premises and Azure. This tutorial covers basic Azure VPN gateway deployment items such as creating and managing a VPN gateway. You can also create a gateway using [Azure CLI](create-routebased-vpn-gateway-cli.md) or [Azure PowerShell](create-routebased-vpn-gateway-powershell.md). If you want to learn more about the configuration settings used in this tutorial, see [About VPN Gateway configuration settings](vpn-gateway-about-vpn-gateway-settings.md).

-The values in this article apply VPN gateways (virtual network gateways that use the -GatewayType Vpn). This article does not cover all gateway types or zone-redundant gateways.

-Each virtual network can only have one virtual network gateway of each type. When you are creating a virtual network gateway, you must make sure that the gateway type is correct for your configuration.

-If you use the Azure portal to create a Resource Manager virtual network gateway, you can select the gateway SKU by using the dropdown. The options you are presented with correspond to the Gateway type and VPN type that you select.

-If you have a VPN gateway and you want to use a different gateway SKU, your options are to either resize your gateway SKU, or to change to another SKU. When you change to another gateway SKU, you delete the existing gateway entirely and build a new one. Creating a gateway can often take 45 minutes or more, depending on the selected gateway SKU. In comparison, when you resize a gateway SKU, there is not much downtime because you do not have to delete and rebuild the gateway. If you have the option to resize your gateway SKU, rather than change it, you will want to do that. However, there are rules regarding resizing:

-When you create the virtual network gateway for a VPN gateway configuration, you must specify a VPN type. The VPN type that you choose depends on the connection topology that you want to create. For example, a P2S connection requires a RouteBased VPN type. A VPN type can also depend on the hardware that you are using. S2S configurations require a VPN device. Some VPN devices only support a certain VPN type.

-The following PowerShell example specifies the `-VpnType` as *RouteBased*. When you are creating a gateway, you must make sure that the -VpnType is correct for your configuration.

-When you are planning your gateway subnet size, refer to the documentation for the configuration that you are planning to create. For example, the ExpressRoute/VPN Gateway coexist configuration requires a larger gateway subnet than most other configurations. Additionally, you may want to make sure your gateway subnet contains enough IP addresses to accommodate possible future additional configurations. While you can create a gateway subnet as small as /29, we recommend that you create a gateway subnet of /27 or larger (/27, /26 etc.) if you have the available address space to do so. This will accommodate most configurations.

-You give the local network gateway a name, the public IP address or the fully qualified domain name (FQDN) of the on-premises VPN device, and specify the address prefixes that are located on the on-premises location. Azure looks at the destination address prefixes for network traffic, consults the configuration that you have specified for your local network gateway, and routes packets accordingly. If you use Border Gateway Protocol (BGP) on your VPN device, you will provide the BGP peer IP address of your VPN device and the autonomous system number (ASN) of your on premises network. You also specify local network gateways for VNet-to-VNet configurations that use a VPN gateway connection.

-A VPN gateway is a specific type of virtual network gateway that is used to send encrypted traffic between an Azure virtual network and an on-premises location over the public Internet. You can also use a VPN gateway to send encrypted traffic between Azure virtual networks over the Microsoft network. Each virtual network can have only one VPN gateway. However, you can create multiple connections to the same VPN gateway. When you create multiple connections to the same VPN gateway, all VPN tunnels share the available gateway bandwidth.

-The following table can help you decide the best connectivity option for your solution. Note that ExpressRoute is not a part of VPN Gateway, but is included in the table.