+"identifierUris":"https://tenant-name.onmicrosoft.com/app-name",

+- **ID token** - A JWT that contains claims that you can use to identify users in your application. This token is securely sent in HTTP requests for communication between two components of the same application or service. You can use the claims in an ID token as you see fit. They're commonly used to display account information or to make access control decisions in an application. The ID tokens issued by Azure AD B2C are signed, but they're not encrypted. When your application or API receives an ID token, it must validate the signature to prove that the token is authentic. Your application or API must also validate a few claims in the token to prove that it's valid. Depending on the scenario requirements, the claims validated by an application can vary, but your application must perform some common claim validations in every scenario.

+editor:

+> [!IMPORTANT]

+> To modify user permissions when you use an app service principal by using the CLI, you must provide the service principal more permissions in the Azure Active Directory Graph API because portions of the CLI perform GET requests against the Graph API. Otherwise, you might end up receiving an "Insufficient privileges to complete the operation" message. To do this step, go into the **App registration** in Azure AD, select your app, select **API permissions**, and scroll down and select **Azure Active Directory Graph**. From there, select **Application permissions**, and then add the appropriate permissions.

+## Create a user-assigned managed identity

+1. Install the [latest version of PowerShellGet](/powershell/gallery/powershellget/install-powershellget).

+- Use the Visual Studio [Azure Resource Group project](../../azure-resource-manager/templates/create-visual-studio-deployment-project.md) to create and deploy a template.

+## Create a user-assigned managed identity

+## Create a user-assigned managed identity

+- [Configure managed identities for Azure resources on an Azure VM using REST API calls](qs-configure-rest-vm.md#user-assigned-managed-identity)

+editor:

+This tutorial explains how to create a user-assigned identity, assign it to a Windows Virtual Machine (VM), and then use that identity to access the Azure Resource Manager API. Managed Service Identities are automatically managed by Azure. They enable authentication to services that support Azure AD authentication, without needing to embed credentials into your code.

+> * Grant the user-assigned identity access to a Resource Group in Azure Resource Manager

+> * Get an access token using the user-assigned identity and use it to call Azure Resource Manager

+1. Install the [latest version of PowerShellGet](/powershell/gallery/powershellget/install-powershellget).

+## Grant access

+This section shows how to grant your user-assigned identity access to a Resource Group in Azure Resource Manager. Managed identities for Azure resources provide identities that your code can use to request access tokens to authenticate to resource APIs that support Azure AD authentication. In this tutorial, your code will access the Azure Resource Manager API.

+### Get an access token

+5. Using PowerShell's `Invoke-WebRequest`, make a request to the local managed identities for Azure resources endpoint to get an access token for Azure Resource Manager. The `client_id` value is the value returned when you created the user-assigned managed identity.

+description: Set up a trust relationship between a user-assigned managed identity in Azure AD and an external identity provider. This allows a software workload outside of Azure to access Azure AD protected resources without using secrets or certificates.

+After you configure your user-assigned managed identity to trust an external IdP, configure your external software workload to exchange a token from the external IdP for an access token from Microsoft identity platform. The external workload uses the access token to access Azure AD protected resources without needing to manage secrets (in supported scenarios). To learn more about the token exchange workflow, read about [workload identity federation](workload-identity-federation.md).

+- `AZURE_SUBSCRIPTION_ID` the **Subscription ID**.

+ branches:

+ tags:

+- **Service account name** is the name of the Kubernetes service account, which provides an identity for processes that run in a Pod.

+az login

+# set variables

+subscription="{subscription-id}"

+rg="fic-test-rg"

+# user assigned identity name

+uaId="fic-test-ua"

+# federated identity credential name

+ficId="fic-test-fic-name"

+# create prerequisites if required.

+# otherwise make sure that existing resources names are set in variables above

+az identity create --name $uaId --resource-group $rg --location $location --subscription $subscription

+# Create/update a federated identity credential

+az login

+# Set variables

+rg="fic-test-rg"

+# User assigned identity name

+uaId="fic-test-ua"

+# Read all federated identity credentials assigned to the user-assigned managed identity

+az login

+# Set variables

+rg="fic-test-rg"

+# User assigned identity name

+uaId="fic-test-ua"

+# Federated identity credential name

+ficId="fic-test-fic-name"

+# Show the federated identity credential

+az login

+# Set variables

+# in Linux shell remove $ from set variable statement

+$rg="fic-test-rg"

+# User assigned identity name

+$uaId="fic-test-ua"

+# Federated identity credential name

+$ficId="fic-test-fic-name"

+- [Create a user-assigned manged identity](../managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md?pivots=identity-mi-methods-powershell#list-user-assigned-managed-identities-2)

+1. Install the [latest version of PowerShellGet](/powershell/gallery/powershellget/install-powershellget).

+There's a limit of 3-120 characters for a federated identity credential name length. It must be alphanumeric, dash, underscore. First symbol is alphanumeric only.

+You must add exactly one audience to a federated identity credential. The audience is verified during token exchange. Use "api://AzureADTokenExchange" as the default value.

+{

+ΓÇ» ΓÇ» "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",

+ΓÇ» ΓÇ» "contentVersion": "1.0.0.0",

+ΓÇ» ΓÇ» "variables": {},

+ΓÇ» ΓÇ» "parameters": {

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» "location": {

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "type": "string",

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "defaultValue": "westcentralus",

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "metadata": {

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "description": "Location for identities resources. FIC should be enabled in this region."

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» }

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» },

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» "userAssignedIdentityName": {

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "type": "string",

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "defaultValue": "FIC_UA",

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "metadata": {

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "description": "Name of the User Assigned identity (parent identity)"

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» }

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» },

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» "federatedIdentityCredential": {

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "type": "string",

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "defaultValue": "testCredential",

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "metadata": {

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "description": "Name of the Federated Identity Credential"

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» }

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» },

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» "federatedIdentityCredentialIssuer": {

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "type": "string",

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "defaultValue": "https://aks.azure.com/issuerGUID",

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "metadata": {

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "description": "Federated Identity Credential token issuer"

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» }

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» },

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» "federatedIdentityCredentialSubject": {

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "type": "string",

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "defaultValue": "system:serviceaccount:ns:svcaccount",

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "metadata": {

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "description": "Federated Identity Credential token subject"

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» }

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» },

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» "federatedIdentityCredentialAudience": {

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "type": "string",

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "defaultValue": " api://AzureADTokenExchange",

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "metadata": {

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "description": "Federated Identity Credential audience. Single value is only supported."

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» }

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» }

+ΓÇ» ΓÇ» },

+ΓÇ» ΓÇ» "resources": [

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» {

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "type": "Microsoft.ManagedIdentity/userAssignedIdentities",

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "apiVersion": "2018-11-30",

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "name": "[parameters('userAssignedIdentityName')]",

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "location": "[parameters('location')]",

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "tags": {

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "firstTag": "ficTest"

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» },

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "resources": [

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» {

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "type": "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials",

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "apiVersion": "2022-01-31-PREVIEW",

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "name": "[concat(parameters('userAssignedIdentityName'), '/', parameters('federatedIdentityCredential'))]",

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "dependsOn": [

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('userAssignedIdentityName'))]"

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ],

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "properties": {

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "issuer": "[parameters('federatedIdentityCredentialIssuer')]",

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "subject": "[parameters('federatedIdentityCredentialSubject')]",

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "audiences": [

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "[parameters('federatedIdentityCredentialAudience')]"

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ]

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» }

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» }

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ]

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» }

+ΓÇ» ΓÇ» ]

+}

+description: Set up a trust relationship between an app in Azure AD and an external identity provider. This allows a software workload outside of Azure to access Azure AD protected resources without using secrets or certificates.

+You can then configure an external software workload to exchange a token from the external IdP for an access token from Microsoft identity platform. The external workload can access Azure AD protected resources without needing to manage secrets (in supported scenarios). To learn more about the token exchange workflow, read about [workload identity federation](workload-identity-federation.md).

+[Create an app registration](/azure/active-directory/develop/quickstart-register-app) in Azure AD. Grant your app access to the Azure resources targeted by your external software workload.

+1. Specify the **Organization** and **Repository** for your GitHub Actions workflow.

+- `AZURE_CLIENT_ID` the **Application (client) ID**

+ branches:

+ tags:

+- **Service account name** is the name of the Kubernetes service account, which provides an identity for processes that run in a Pod.

+Run the [az ad app federated-credential create](/cli/azure/ad/app/federated-credential) command to create a new federated identity credential on your app.

+The *issuer* identifies the path to the GitHub OIDC provider: `https://token.actions.githubusercontent.com/`. This issuer will become trusted by your Azure application.

+*issuer* is your service account issuer URL (the [OIDC issuer URL](../../aks/use-oidc-issuer.md) for the managed cluster or the [OIDC Issuer URL](https://azure.github.io/azure-workload-identity/docs/installation/self-managed-clusters/oidc-issuer.html) for a self-managed cluster).

+1. Install the [latest version of PowerShellGet](/powershell/gallery/powershellget/install-powershellget).

+- *Issuer* identifies GitHub as the external token issuer.

+- *Issuer* is your service account issuer URL (the [OIDC issuer URL](../../aks/use-oidc-issuer.md) for the managed cluster or the [OIDC Issuer URL](https://azure.github.io/azure-workload-identity/docs/installation/self-managed-clusters/oidc-issuer.html) for a self-managed cluster).

+[Create an app registration](/azure/active-directory/develop/quickstart-register-app) in Azure AD. Grant your app access to the Azure resources targeted by your external software workload.

+### GitHub Actions

+az rest --method POST --uri 'https://graph.microsoft.com/applications/f6475511-fd81-4965-a00e-41e7792b7b9c/federatedIdentityCredentials' --body '{"name":"Testing","issuer":"https://token.actions.githubusercontent.com","subject":"repo:octo-org/octo-repo:environment:Production","description":"Testing","audiences":["api://AzureADTokenExchange"]}'

+- *issuer* is your service account issuer URL (the [OIDC issuer URL](../../aks/use-oidc-issuer.md) for the managed cluster or the [OIDC Issuer URL](https://azure.github.io/azure-workload-identity/docs/installation/self-managed-clusters/oidc-issuer.html) for a self-managed cluster).

+az rest --method POST --uri 'https://graph.microsoft.com/applications/f6475511-fd81-4965-a00e-41e7792b7b9c/federatedIdentityCredentials' --body '{"name":"Kubernetes-federated-credential","issuer":"https://aksoicwesteurope.blob.core.windows.net/9d80a3e1-2a87-46ea-ab16-e629589c541c/","subject":"system:serviceaccount:erp8asle:pod-identity-sa","description":"Kubernetes service account federated credential","audiences":["api://AzureADTokenExchange"]}'

+az rest -m GET -u 'https://graph.microsoft.com/applications/f6475511-fd81-4965-a00e-41e7792b7b9c/federatedIdentityCredentials'

+az rest -m GET -u 'https://graph.microsoft.com/applications/f6475511-fd81-4965-a00e-41e7792b7b9c//federatedIdentityCredentials/1aa3e6a7-464c-4cd2-88d3-90db98132755'

+ }

+az rest -m DELETE -u 'https://graph.microsoft.com/applications/f6475511-fd81-4965-a00e-41e7792b7b9c/federatedIdentityCredentials/1aa3e6a7-464c-4cd2-88d3-90db98132755'

+- To learn how to use workload identity federation for Kubernetes, see [Azure AD Workload Identity for Kubernetes](https://azure.github.io/azure-workload-identity/docs/quick-start.html) open source project.

+This command also installs the required Az modules.

+If you do have some Azure Az modules installed and can't uninstall them (or don't want to uninstall them), you can manually download the script using the **Manual Download** tab in the script download link. The script is downloaded as a raw nupkg file. To install the script from this nupkg file, see [Manual Package Download](/powershell/gallery/how-to/working-with-packages/manual-download).

+ $appgw = Get-AzApplicationGateway -Name <v1 gateway name> -ResourceGroupName <resource group Name>

+ ```azurepowershell

+ -Password $password

+### Is this article and the Azure PowerShell script applicable for Application Gateway WAF product as well?

+1. Click **Select** to select a chosen runbook.

+> [!IMPORTANT]

+To suggest changes to an existing runbook, file a pull request against it.

+Microsoft encourages you to add runbooks to the PowerShell Gallery that you think would be useful to other customers. The PowerShell Gallery accepts PowerShell modules and PowerShell scripts. You can add a runbook by [uploading it to the PowerShell Gallery](/powershell/gallery/how-to/publishing-packages/publishing-a-package).

+process_name="omsagent"

+ps aux | grep %s | grep -v grep" % (process_name)"

+| Windows Server 2022 | X | X | |

+ }

+```

+```powershell

+```

+> [!NOTE]

+> For information about earlier versions, see [Installing PowerShellGet](/powershell/gallery/powershellget/install-powershellget).

+ PowerShellGet requires NuGet provider version '2.8.5.201' or newer to interact with NuGet-based repositories.

+ ```

+ You are installing the modules from an untrusted repository.

+ If you trust this repository, change its InstallationPolicy value

+ by running the Set-PSRepository cmdlet. Are you sure you want to

+ - Reference: [Installing PowerShellGet](/powershell/gallery/powershellget/install-powershellget).

+> [!IMPORTANT]

+> [!NOTE]

+> [!IMPORTANT]

+PS C:\> Enable-ApplicationInsightsMonitoring -InstrumentationKeyMap

+Use this switch to ignore this check and continue installing prerequisites.

+##### -WhatIf

+#### Parameters

+#### Parameters

+> [!IMPORTANT]

+Collects [ETW Events](/windows/desktop/etw/event-tracing-portal) from the codeless attach runtime.

+**Optional.** Use this switch to set the output directory of the ETL file.

+By default, this file will be created in the PowerShell Modules directory.

+If you're using the *exec* form, add the parameter `-javaagent:"path/to/applicationinsights-agent-3.4.12.jar"` to the parameter list somewhere before the `"-jar"` parameter, for example:

+ENTRYPOINT ["java", "-javaagent:path/to/applicationinsights-agent-3.4.12.jar", "-jar", "<myapp.jar>"]

+If you're using the *shell* form, add the JVM arg `-javaagent:"path/to/applicationinsights-agent-3.4.12.jar"` somewhere before `-jar`, for example:

+ENTRYPOINT java -javaagent:"path/to/applicationinsights-agent-3.4.12.jar" -jar <myapp.jar>

+COPY agent/applicationinsights-agent-3.4.12.jar applicationinsights-agent-3.4.12.jar

+ENTRYPOINT["java", "-javaagent:applicationinsights-agent-3.4.12.jar", "-jar", "app.jar"]

+JAVA_OPTS="$JAVA_OPTS -javaagent:path/to/applicationinsights-agent-3.4.12.jar"

+CATALINA_OPTS="$CATALINA_OPTS -javaagent:path/to/applicationinsights-agent-3.4.12.jar"

+If the file `<tomcat>/bin/setenv.sh` already exists, modify that file and add `-javaagent:path/to/applicationinsights-agent-3.4.12.jar` to `CATALINA_OPTS`.

+set CATALINA_OPTS=%CATALINA_OPTS% -javaagent:path/to/applicationinsights-agent-3.4.12.jar

+set "CATALINA_OPTS=%CATALINA_OPTS% -javaagent:path/to/applicationinsights-agent-3.4.12.jar"

+If the file `<tomcat>/bin/setenv.bat` already exists, modify that file and add `-javaagent:path/to/applicationinsights-agent-3.4.12.jar` to `CATALINA_OPTS`.

+Locate the file `<tomcat>/bin/tomcat8w.exe`. Run that executable and add `-javaagent:path/to/applicationinsights-agent-3.4.12.jar` to the `Java Options` under the `Java` tab.

+Add `-javaagent:path/to/applicationinsights-agent-3.4.12.jar` to the existing `JAVA_OPTS` environment variable in the file `JBOSS_HOME/bin/standalone.conf` (Linux) or `JBOSS_HOME/bin/standalone.conf.bat` (Windows):

+ JAVA_OPTS="-javaagent:path/to/applicationinsights-agent-3.4.12.jar -Xms1303m -Xmx1303m ..."

+Add `-javaagent:path/to/applicationinsights-agent-3.4.12.jar` to the existing `jvm-options` in `JBOSS_HOME/domain/configuration/host.xml`:

+ <option value="-javaagent:path/to/applicationinsights-agent-3.4.12.jar"/>

+-javaagent:path/to/applicationinsights-agent-3.4.12.jar

+Add `-javaagent:path/to/applicationinsights-agent-3.4.12.jar` to the existing `jvm-options` in `glassfish/domains/domain1/config/domain.xml`:

+ -javaagent:path/to/applicationinsights-agent-3.4.12.jar>

+ -javaagent:path/to/applicationinsights-agent-3.4.12.jar

+-javaagent:path/to/applicationinsights-agent-3.4.12.jar

+Add the JVM arg `-javaagent:"path/to/applicationinsights-agent-3.4.12.jar"` somewhere before `-jar`, for example:

+java -javaagent:"path/to/applicationinsights-agent-3.4.12.jar" -jar <myapp.jar>

+If you're using the *exec* form, add the parameter `-javaagent:"path/to/applicationinsights-agent-3.4.12.jar"` to the parameter list somewhere before the `"-jar"` parameter, for example:

+ENTRYPOINT ["java", "-javaagent:path/to/applicationinsights-agent-3.4.12.jar", "-jar", "<myapp.jar>"]

+If you're using the *shell* form, add the JVM arg `-javaagent:"path/to/applicationinsights-agent-3.4.12.jar"` somewhere before `-jar`, for example:

+ENTRYPOINT java -javaagent:"path/to/applicationinsights-agent-3.4.12.jar" -jar <myapp.jar>

+ <version>3.4.12</version>

+By default, Application Insights Java 3.x expects the configuration file to be named `applicationinsights.json`, and to be located in the same directory as `applicationinsights-agent-3.4.12.jar`.

+If you specify a relative path, it will be resolved relative to the directory where `applicationinsights-agent-3.4.12.jar` is located.

+If you specify a relative path, it's resolved relative to the directory where `applicationinsights-agent-3.4.12.jar` is located.

+ <version>3.4.12</version>

+`applicationinsights-agent-3.4.12.jar` is located.

+-javaagent:path/to/applicationinsights-agent-3.4.12.jar

+Download the [applicationinsights-agent-3.4.12.jar](https://github.com/microsoft/ApplicationInsights-Java/releases/download/3.4.12/applicationinsights-agent-3.4.12.jar) file.

+Point the JVM to the jar file by adding `-javaagent:"path/to/applicationinsights-agent-3.4.12.jar"` to your application's JVM args.

+- Create a configuration file named `applicationinsights.json`, and place it in the same directory as `applicationinsights-agent-3.4.12.jar` with the following content:

+ <version>3.4.12</version>

+This article is part of the guide [Monitor virtual machines and their workloads in Azure Monitor](monitor-virtual-machine.md). [Alerts in Azure Monitor](../alerts/alerts-overview.md) proactively notify you of interesting data and patterns in your monitoring data. There are no preconfigured alert rules for virtual machines, but you can create your own based on data you collect from Azure Monitor Agent. This article presents alerting concepts specific to virtual machines and common alert rules used by other Azure Monitor customers.

+This scenario describes how to implement complete monitoring of your Azure and hybrid virtual machine environment:

+- To get started monitoring your first Azure virtual machine, see [Monitor Azure virtual machines](../../virtual-machines/monitor-vm.md).

+- To quickly enable a recommended set of alerts, see [Enable recommended alert rules for an Azure virtual machine](tutorial-monitor-vm-alert-recommended.md).

+> Most alert rules have a cost that's dependent on the type of rule, how many dimensions it includes, and how frequently it's run. Before you create any alert rules, see the **Alert rules** section in [Azure Monitor pricing](https://azure.microsoft.com/pricing/details/monitor/).

+Alert rules inspect data that's already been collected in Azure Monitor. You need to ensure that data is being collected for a particular scenario before you can create an alert rule. See [Monitor virtual machines with Azure Monitor: Collect data](monitor-virtual-machine-data-collection.md) for guidance on configuring data collection for various scenarios, including all the alert rules in this article.

+Azure Monitor provides a set of [recommended alert rules](tutorial-monitor-vm-alert-availability.md) that you can quickly enable for any Azure virtual machine. These rules are a great starting point for basic monitoring. But alone, they won't provide sufficient alerting for most enterprise implementations for the following reasons:

+- Recommended alerts only include host metrics and not guest metrics or logs. These metrics are useful to monitor the health of the machine itself. But they give you minimal visibility into the workloads and applications running on the machine.

+- Recommended alerts are associated with individual machines that create an excessive number of alert rules. Instead of relying on this method for each machine, see [Scaling alert rules](#scaling-alert-rules) for strategies on using a minimal number of alert rules for multiple machines.

+The most common types of alert rules in Azure Monitor are [metric alerts](../alerts/alerts-metric.md) and [log query alerts](../alerts/alerts-log-query.md). The type of alert rule that you create for a particular scenario depends on where the data that you're alerting on is located.

+You might have cases where data for a particular alerting scenario is available in both Metrics and Logs. If so, you need to determine which rule type to use. You might also have flexibility in how you collect certain data and let your decision of alert rule type drive your decision for data collection method.

+Common uses for metric alerts:

+Data sources for metric alerts:

+- Host metrics for Azure virtual machines, which are collected automatically

+- Metrics collected by Azure Monitor Agent from the guest operating system

+Common uses for log alerts:

+- Alert when a particular event or pattern of events from Windows event log or Syslog are found. These alert rules typically measure table rows returned from the query.

+- Alert based on a calculation of numeric data across multiple machines. These alert rules typically measure the calculation of a numeric column in the query results.

+Data sources for log alerts:

+- All data collected in a Log Analytics workspace

+Because you might have many virtual machines that require the same monitoring, you don't want to have to create individual alert rules for each one. You also want to ensure there are different strategies to limit the number of alert rules you need to manage, depending on the type of rule. Each of these strategies depends on understanding the target resource of the alert rule.

+Virtual machines support multiple resource metric alert rules as described in [Monitor multiple resources](../alerts/alerts-types.md#metric-alerts). This capability allows you to create a single metric alert rule that applies to all virtual machines in a resource group or subscription within the same region.

+Start with the [recommended alerts](#recommended-alert-rules) and create a corresponding rule for each by using your subscription or a resource group as the target resource. You need to create duplicate rules for each region if you have machines in multiple regions.

+As you identify requirements for more metric alert rules, follow this same strategy by using a subscription or resource group as the target resource to:

+- Minimize the number of alert rules you need to manage.

+- Ensure that they're automatically applied to any new machines.

+If you set the target resource of a log alert rule to a specific machine, queries are limited to data associated with that machine, which gives you individual alerts for it. This arrangement requires a separate alert rule for each machine.

+If you set the target resource of a log alert rule to a Log Analytics workspace, you have access to all data in that workspace. For this reason, you can alert on data from all machines in the workgroup with a single rule. This arrangement gives you the option of creating a single alert for all machines. You can then use dimensions to create a separate alert for each machine.

+For example, you might want to alert when an error event is created in the Windows event log by any machine. You first need to create a data collection rule as described in [Collect events and performance counters from virtual machines with Azure Monitor Agent](../agents/data-collection-rule-azure-monitor-agent.md) to send these events to the `Event` table in the Log Analytics workspace. Then you create an alert rule that queries this table by using the workspace as the target resource and the condition shown in the following image.

+The query returns a record for any error messages on any machine. Use the **Split by dimensions** option and specify **_ResourceId** to instruct the rule to create an alert for each machine if multiple machines are returned in the results.

+Depending on the information you want to include in the alert, you might need to split by using different dimensions. In this case, make sure the necessary dimensions are projected in the query by using the [project](/azure/data-explorer/kusto/query/projectoperator) or [extend](/azure/data-explorer/kusto/query/extendoperator) operator. Set the **Resource ID column** field to **Don't split** and include all the meaningful dimensions in the list. Make sure **Include all future values** is selected so that any value returned from the query is included.

+Another benefit of using log alert rules is the ability to include complex logic in the query for determining the threshold value. You can hardcode the threshold, apply it to all resources, or calculate it dynamically based on some field or calculated value. The threshold is applied to resources only according to specific conditions. For example, you might create an alert based on available memory but only for machines with a particular amount of total memory.

+The following section lists common alert rules for virtual machines in Azure Monitor. Details for metric alerts and log alerts are provided for each. For guidance on which type of alert to use, see [Alert types](#alert-types). If you're unfamiliar with the process for creating alert rules in Azure Monitor, see the [instructions to create a new alert rule](../alerts/alerts-create-new-alert-rule.md).

+> The details for log alerts provided here are using data collected by using [VM Insights](vminsights-overview.md), which provides a set of common performance counters for the client operating system. This name is independent of the operating system type.

+One of the most common monitoring requirements for a virtual machine is to create an alert if it stops running. The best method is to create a metric alert rule in Azure Monitor by using the VM availability metric. It's currently in public preview. For a walk-through on this metric, see [Create availability alert rule for Azure virtual machine](tutorial-monitor-vm-alert-availability.md).

+As described in [Scaling alert rules](#scaling-alert-rules), create an availability alert rule by using a subscription or resource group as the target resource. The rule applies to multiple virtual machines, including new machines that you create after the alert rule.

+The agent heartbeat is slightly different than the machine unavailable alert because it relies on Azure Monitor Agent to send a heartbeat. The agent heartbeat can alert you if the machine is running but the agent is unresponsive.

+A metric called **Heartbeat** is included in each Log Analytics workspace. Each virtual machine connected to that workspace sends a heartbeat metric value each minute. Because the computer is a dimension on the metric, you can fire an alert when any computer fails to send a heartbeat. Set the **Aggregation type** to **Count** and the **Threshold** value to match the **Evaluation granularity**.

+Use a rule with the following query:

+This section describes CPU alerts.

+**CPU utilization**

+This section describes memory alerts.

+**Available memory in MB**

+**Available memory in percentage**

+This section describes disk alerts.

+**Logical disk used - all disks on each computer**

+[Analyze monitoring data collected for virtual machines](monitor-virtual-machine-analyze.md)

+ Title: Enable monitoring with VM insights for an Azure virtual machine

+# Tutorial: Enable monitoring with VM insights for an Azure virtual machine

+VM insights is a feature of Azure Monitor that quickly gets you started monitoring your virtual machines. You can view trends of performance data, running processes on individual machines, and dependencies between machines. VM insights installs [Azure Monitor Agent](../agents/azure-monitor-agent-overview.md). It's required to collect the guest operating system and prepares you to configure more monitoring from your VMs according to your requirements.

+> * Enable VM insights for a virtual machine, which installs Azure Monitor Agent and begins data collection.

+> * Inspect graphs analyzing performance data collected from the virtual machine.

+> * Inspect a map showing processes running on the virtual machine and dependencies with other systems.

+To complete this tutorial, you need an Azure virtual machine to monitor.

+> If you selected the option to **Enable virtual machine insights** when you created your virtual machine, VM insights is already enabled. If the machine was previously enabled for VM insights by using the Log Analytics agent, see [Enable VM insights in the Azure portal](vminsights-enable-portal.md) for upgrading to Azure Monitor Agent.

+Select **Insights** from your virtual machine's menu in the Azure portal. If VM insights isn't enabled, you see a short description of it and an option to enable it. Select **Enable** to open the **Monitoring configuration** pane. Leave the default option of **Azure Monitor agent**.

+To reduce cost for data collection, VM insights creates a default [data collection rule](../essentials/data-collection-rule-overview.md) that doesn't include collection of processes and dependencies. To enable this collection, select **Create New** to create a new data collection rule.

+Provide a **Data collection rule name** and then select **Enable processes and dependencies (Map)**. You can't disable collection of guest performance because it's required for VM insights.

+Keep the default Log Analytics workspace for the subscription unless you have another workspace that you want to use. Select **Create** to create the new data collection rule. Select **Configure** to start VM insights configuration.

+A message says that monitoring is being enabled. It might take several minutes for the agent to be installed and for data collection to begin.

+When the deployment is finished, you see views on the **Performance** tab in VM insights with performance data for the machine. This data shows you the values of key guest metrics over time.

+Select the **Map** tab to view processes and dependencies for the virtual machine. The current machine is at the center of the view. View the processes running on it by expanding **Processes**.

+The **Map** view provides different tabs with information collected about the virtual machine. Select the tabs to see what's available.

+VM insights collects performance data from the VM guest operating system, but it doesn't collect log data such as Windows event log or Syslog. Now that you have the machine monitored with Azure Monitor Agent, you can create another data collection rule to perform this collection.

+ Title: Configure a Log Analytics workspace for VM insights

+description: This article describes how to create and configure a Log Analytics workspace used by VM insights.

+# Configure a Log Analytics workspace for VM insights

+VM insights collects its data from one or more Log Analytics workspaces in Azure Monitor. Prior to onboarding agents, you must create and configure a workspace. This article describes the requirements of the workspace and how to configure it for VM insights.

+> Configuration of the Log Analytics workspace is only required for using VM insights with virtual machines by using the Log Analytics agent. Virtual machines using Azure Monitor Agent don't use the VMInsights solution that's installed in this configuration. To support Azure Monitor Agent, a standard Log Analytics workspace must be created as described in [Create a Log Analytics workspace](#create-a-log-analytics-workspace).

+A single subscription can use any number of workspaces depending on your requirements. The only requirement of the workspace is that it must be located in a supported location and be configured with the VMInsights solution.

+After the workspace is configured, you can use any of the available options to install the required agents on virtual machines and virtual machine scale sets and specify a workspace for them to send their data. VM insights collects data from any configured workspace in its subscription.

+> When you enable VM insights on a single virtual machine or virtual machine scale set by using the Azure portal, you can select an existing workspace or create a new one. The VMInsights solution is installed in this workspace if it isn't already. You can then use this workspace for other agents.

+## Create a Log Analytics workspace

+>The information described in this section also applies to the [Service Map solution](service-map.md).

+To access Log Analytics workspaces in the Azure portal, use the **Log Analytics workspaces** menu.

+[](media/vminsights-configure-workspace/log-analytics-workspaces.png#lightbox)

+You can create a new Log Analytics workspace by using any of the following methods:

+For guidance on how to determine the number of workspaces you should use in your environment and how to design their access strategy, see [Design a Log Analytics workspace configuration](../logs/workspace-design.md).

+To enable and access the features in VM insights, you must have the [Log Analytics Contributor role](../logs/manage-access.md#azure-rbac) in the workspace. To view performance, health, and map data, you must have the [Monitoring Reader role](../roles-permissions-security.md#built-in-monitoring-roles) for the Azure VM. For more information about how to control access to a Log Analytics workspace, see [Manage workspaces](../logs/manage-access.md).

+## Add the VMInsights solution to a workspace

+Before a Log Analytics workspace can be used with VM insights, it must have the VMInsights solution installed. The methods for configuring the workspace are described in the following sections.

+> When you add the VMInsights solution to the workspace, all existing virtual machines connected to the workspace start to send data to InsightsMetrics. Data for the other data types won't be collected until you add the Dependency agent to those existing virtual machines connected to the workspace.

+There are three options for configuring an existing workspace by using the Azure portal:

+- To configure a single workspace, on the **Azure Monitor** menu, select **Virtual Machines**. Select **Other onboarding options** and then select **Configure a workspace**. Select a subscription and a workspace and then select **Configure**.

+ [](../vm/media/vminsights-enable-policy/configure-workspace.png#lightbox)

+- To configure multiple workspaces, on the **Monitor** menu, select **Virtual Machines**. Then select the **Workspace configuration** tab. Set the filter values to display a list of existing workspaces. Select the checkbox next to each workspace to enable it and then select **Configure selected**.

+ [](../vm/media/vminsights-enable-policy/workspace-configuration.png#lightbox)

+- When you enable VM insights on a single virtual machine or virtual machine scale set by using the Azure portal, you can select an existing workspace or create a new one. The VMInsights solution is installed in this workspace if it isn't already. You can then use this workspace for other agents.

+ [](../vm/media/vminsights-enable-portal/enable-vminsights-vm-portal.png#lightbox)

+The Azure Resource Manager templates for VM insights are provided in an archive file (.zip) that you can [download from our GitHub repo](https://aka.ms/VmInsightsARMTemplates). A template called **ConfigureWorkspace** configures a Log Analytics workspace for VM insights. You deploy this template by using any of the standard methods, including the following sample PowerShell and CLI commands.

+## Remove the VMInsights solution from a workspace

+If you've migrated your virtual machines to Azure Monitor Agent and no longer want to support virtual machines with the Log Analytics agent in your workspace, remove the VMInsights solution from the workspace. Removing the solution ensures that you don't collect data from any Log Analytics agents that inadvertently remain.

+To remove the VMInsights solution, use the same process as [removing any other solution from a workspace](/previous-versions/azure/azure-monitor/insights/solutions#remove-a-monitoring-solution).

+1. Locate the VMInsights solution for your workspace and select it to view its detail.

+1. Select **Delete**.

+ :::image type="content" source="media/vminsights-configure-workspace/remove-solution.png" lightbox="media/vminsights-configure-workspace/remove-solution.png" alt-text="Screenshot that shows deleting a solution dialog.":::

+- See [Targeting monitoring solutions in Azure Monitor (preview)](/previous-versions/azure/azure-monitor/insights/solution-targeting) to limit the amount of data sent from a solution to the workspace.

+- After you verify that no Log Analytics agents are still connected to your Log Analytics workspace, you can [remove the VM Insights solution from the workspace](vminsights-configure-workspace.md#remove-the-vminsights-solution-from-a-workspace). It's no longer needed.

+description: This article shows how to use the VM insights Map feature. It discovers application components on Windows and Linux systems and maps the communication between services.

+In VM insights, you can view discovered application components on Windows and Linux virtual machines (VMs) that run in Azure or your environment. You can observe the VMs in two ways. You can view a map directly from a VM. You can also view a map from Azure Monitor to see the components across groups of VMs. This article helps you to understand these two viewing methods and how to use the Map feature.

+To enable the Map feature in VM insights, the virtual machine requires one of the following agents:

+- Azure Monitor Agent with processes and dependencies enabled.

+- The Log Analytics agent enabled for VM insights.

+For more information, see [Enable VM insights on unmonitored machine](vminsights-enable-overview.md).

+> Collecting duplicate data from a single machine with both Azure Monitor Agent and the Log Analytics agent can result in the Map feature of VM insights being inaccurate because it doesn't check for duplicate data.

+>

+> For more information, see [Migrate from the Log Analytics agent](vminsights-enable-overview.md#migrate-from-log-analytics-agent-to-azure-monitor-agent).

+Before diving into the Map experience, you should understand how it presents and visualizes information.

+Whether you select the Map feature directly from a VM or from Azure Monitor, the Map feature presents a consistent experience. The only difference is that from Azure Monitor, one map shows all the members of a multiple-tier application or cluster.

+The Map feature visualizes the VM dependencies by discovering running processes that have:

+- Ports across any TCP-connected architecture over a specified time range.

+Expand a VM to show process details and only those processes that communicate with the VM. The client group shows the count of front-end clients that connect into the VM. The server-port groups show the count of back-end servers the VM connects to. Expand a server-port group to see the detailed list of servers that connect over that port.

+When you select the VM, the **Properties** pane shows the VM's properties. Properties include system information reported by the operating system, properties of the Azure VM, and a doughnut chart that summarizes the discovered connections.

+

+On the right side of the pane, select **Log Events** to show a list of data that the VM has sent to Azure Monitor. This data is available for querying. Select any record type to open the **Logs** page, where you see the results for that record type. You also see a preconfigured query that's filtered against the VM.

+

+Close the **Logs** page and return to the **Properties** pane. There, select **Alerts** to view VM health-criteria alerts. The Map feature integrates with Azure alerts to show alerts for the selected server in the selected time range. The server displays an icon for current alerts, and the **Machine Alerts** pane lists the alerts.

+

+For more information about Azure alerts and how to create alert rules, see [Unified alerts in Azure Monitor](../alerts/alerts-overview.md).

+In the upper-right corner, the **Legend** option describes the symbols and roles on the map. For a closer look at your map and to move it around, use the zoom controls in the lower-right corner. You can set the zoom level and fit the map to the size of the page.

+The **Connections** pane displays standard metrics for the selected connection from the VM over the TCP port. The metrics include response time, requests per minute, traffic throughput, and links.

+

+

+

+To see the monitored clients and IP addresses of the systems in a client group, select the group. The contents of the group appear in the following image.

+

+Server-port groups represent ports on servers that have inbound connections from the mapped machine. The group contains the server port and a count of the number of servers that have connections to that port. Select the group to see the individual servers and connections.

+

+## View a map from a VM

+1. In the Azure portal, select **Virtual Machines**.

+1. From the list, select a VM. In the **Monitoring** section, select **Insights**.

+1. Select the **Map** tab.

+The map visualizes the VM's dependencies by discovering running process groups and processes that have active network connections over a specified time range.

+By default, the map shows the last 30 minutes. If you want to see how dependencies looked in the past, you can query for historical time ranges of up to one hour. To run the query, use the **TimeRange** selector in the upper-left corner. You might run a query, for example, during an incident or to see the status before a change.

+

+## View a map from a virtual machine scale set

+To access VM insights directly from a virtual machine scale set:

+1. From the list, select a VM. Then in the **Monitoring** section, select **Insights**.

+1. Select the **Map** tab.

+The map visualizes all instances in the scale set as a group node along with the group's dependencies. The expanded node lists the instances in the scale set. You can scroll through these instances 10 at a time.

+To load a map for a specific instance, first select that instance on the map. Then select the **ellipsis** button **(...**) and select **Load Server Map**. In the map that appears, you see process groups and processes that have active network connections over a specified time range.

+

+1. In the Azure portal, select **Monitor**.

+1. In the **Insights** section, select **Virtual Machines**.

+1. Select the **Map** tab.

+ 

+Choose a workspace by using the **Workspace** selector at the top of the page. If you have more than one Log Analytics workspace, choose the workspace that's enabled with the solution and that has VMs reporting to it.

+The **Group** selector returns subscriptions, resource groups, [computer groups](../logs/computer-groups.md), and virtual machine scale sets of computers that are related to the selected workspace. Your selection applies only to the Map feature and doesn't carry over to Performance or Health.

+By default, the map shows the last 30 minutes. If you want to see how dependencies looked in the past, you can query for historical time ranges of up to one hour. To run the query, use the **TimeRange** selector. You might run a query, for example, during an incident or to see the status before a change.

+description: Troubleshooting information for VM insights installation.

+This article provides troubleshooting information to help you with problems you might have experienced when you tried to enable or use VM insights.

+## Can't enable VM insights on a machine

+When you onboard an Azure virtual machine from the Azure portal, the following steps occur:

+- The Log Analytics agent is installed on Azure virtual machines by using a VM extension if the agent is already installed.

+- The Dependency agent is installed on Azure virtual machines by using an extension if it's required.

+During the onboarding process, each of these steps is verified and a notification status appears in the portal. Configuration of the workspace and the agent installation typically takes 5 to 10 minutes. It takes another 5 to 10 minutes for data to become available to view in the portal.

+If you receive a message that the virtual machine needs to be onboarded after you've performed the onboarding process, allow for up to 30 minutes for the process to finish. If the issue persists, see the following sections for possible causes.

+ If the virtual machine has been turned off for a while, is off currently, or was only recently turned on, you won't have data to display until data arrives.

+If the operating system isn't in the list of [supported operating systems](vminsights-enable-overview.md#supported-operating-systems), the extension fails to install and you see a message that we're waiting for data to arrive.

+> Post April 11, 2022, if you aren't seeing your virtual machine in the VM insights solution, you might be running an older version of the Dependency agent. For more information, see the blog post [Potential breaking changes for VM insights Linux customers](https://techcommunity.microsoft.com/t5/azure-monitor-status/potential-breaking-changes-for-vm-insights-linux-customers/ba-p/3271989). Not applicable for Windows machines and before April 11, 2022.

+If you still see a message that the virtual machine needs to be onboarded, it might mean that one or both of the extensions failed to install correctly. Check the **Extensions** page for your virtual machine in the Azure portal to verify that the following extensions are listed.

+If you don't see both the extensions for your operating system in the list of installed extensions, they must be installed. If the extensions are listed but their status doesn't appear as *Provisioning succeeded*, remove the extensions and reinstall them.

+For Windows machines, you can use the TestCloudConnectivity tool to identify connectivity issue. This tool is installed by default with the agent in the folder *%SystemDrive%\Program Files\Microsoft Monitoring Agent\Agent*. Run the tool from an elevated command prompt. It returns results and highlights where the test fails.

+

+- [Troubleshoot issues with the Log Analytics agent for Windows](../agents/agent-windows-troubleshoot.md)

+- [Troubleshoot issues with the Log Analytics agent for Linux](../agents/agent-linux-troubleshoot.md)

+If the agents appear to be installed correctly but you don't see any data in the **Performance** view, see the following sections for possible causes.

+If you don't see any data or if the computer hasn't sent a heartbeat recently, you might have problems with your agent. See the preceding section for agent troubleshooting information.

+## Virtual machine doesn't appear in the Map view

+See the following sections for issues with the **Map** view.

+ Use the information in the preceding sections to determine if the Dependency agent is installed and working properly.

+The [Log Analytics free tier](https://azure.microsoft.com/pricing/details/monitor/) is a legacy pricing plan that allows for up to five unique Service Map machines. Any subsequent machines won't appear in Service Map, even if the prior five are no longer sending data.

+Use the log query in the [Performance view has no data](#performance-view-has-no-data) section to determine if data is being collected for the virtual machine. If no data is being collected, use the TestCloudConnectivity tool to determine if you have connectivity issues.

+## Virtual machine appears in the Map view but has missing data

+If the virtual machine is in the **Map** view, the Dependency agent is installed and running, but the kernel driver didn't load, check the log file at the following locations:

+For more information on onboarding VM insights agents, see [Enable VM insights overview](vminsights-enable-overview.md).

+Azure resources are organized by Azure services and by resource groups. The following procedures show how to open a storage account called **mystorage0207**. The virtual machine resides in a resource group called **mystorage0207rg**.

+ Title: Manage resources - Python

+description: Use Python and Azure Resource Manager to manage your resources. Shows how to deploy and delete resources.

+# Manage Azure resources by using Python

+Learn how to use Azure Python with [Azure Resource Manager](overview.md) to manage your Azure resources. For managing resource groups, see [Manage Azure resource groups by using Python](manage-resource-groups-python.md).

+## Deploy resources to an existing resource group

+You can deploy Azure resources directly by using Python, or deploy an Azure Resource Manager template (ARM template) to create Azure resources.

+### Deploy resources by using Python classes

+The following example creates a storage account by using [StorageManagementClient.storage_accounts.begin_create](/python/api/azure-mgmt-storage/azure.mgmt.storage.v2022_09_01.operations.storageaccountsoperations#azure-mgmt-storage-v2022-09-01-operations-storageaccountsoperations-begin-create). The name for the storage account must be unique across Azure.

+```python

+import os

+import random

+from azure.identity import AzureCliCredential

+from azure.mgmt.storage import StorageManagementClient

+credential = AzureCliCredential()

+subscription_id = os.environ["AZURE_SUBSCRIPTION_ID"]

+random_postfix = ''.join(random.choices('abcdefghijklmnopqrstuvwxyz1234567890', k=13))

+storage_account_name = "demostore" + random_postfix

+storage_client = StorageManagementClient(credential, subscription_id)

+storage_account_result = storage_client.storage_accounts.begin_create(

+ "exampleGroup",

+ storage_account_name,

+ {

+ "location": "westus",

+ "sku": {

+ "name": "Standard_LRS"

+ }

+ }

+)

+```

+### Deploy a template

+To deploy an ARM template, use [ResourceManagementClient.deployments.begin_create_or_update](/python/api/azure-mgmt-resource/azure.mgmt.resource.resources.v2022_09_01.operations.deploymentsoperations#azure-mgmt-resource-resources-v2022-09-01-operations-deploymentsoperations-begin-create-or-update). The following example deploys a [remote template](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.storage/storage-account-create). That template creates a storage account.

+```python

+import os

+from azure.identity import AzureCliCredential

+from azure.mgmt.resource import ResourceManagementClient

+from azure.mgmt.resource.resources.models import DeploymentMode

+credential = AzureCliCredential()

+subscription_id = os.environ["AZURE_SUBSCRIPTION_ID"]

+resource_client = ResourceManagementClient(credential, subscription_id)

+resource_group_name = input("Enter the resource group name: ")

+location = input("Enter the location (i.e. centralus): ")

+template_uri = "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.storage/storage-account-create/azuredeploy.json"

+rg_deployment_result = resource_client.deployments.begin_create_or_update(

+ resource_group_name,

+ "exampleDeployment",

+ {

+ "properties": {

+ "templateLink": {

+ "uri": template_uri

+ },

+ "parameters": {

+ "location": {

+ "value": location

+ },

+ },

+ "mode": DeploymentMode.incremental

+ }

+ }

+)

+```

+### Deploy a resource group and resources

+You can create a resource group and deploy resources to the group. For more information, see [Create resource group and deploy resources](../templates/deploy-to-subscription.md#resource-groups).

+### Deploy resources to multiple subscriptions or resource groups

+Typically, you deploy all the resources in your template to a single resource group. However, there are scenarios where you want to deploy a set of resources together but place them in different resource groups or subscriptions. For more information, see [Deploy Azure resources to multiple subscriptions or resource groups](../templates/deploy-to-resource-group.md).

+## Delete resources

+The following example shows how to delete a storage account.

+```python

+import os

+from azure.identity import AzureCliCredential

+from azure.mgmt.storage import StorageManagementClient

+credential = AzureCliCredential()

+subscription_id = os.environ["AZURE_SUBSCRIPTION_ID"]

+storage_client = StorageManagementClient(credential, subscription_id)

+resource_group_name = "demoGroup"

+storage_account_name = "demostore"

+storage_account = storage_client.storage_accounts.delete(

+ resource_group_name,

+ storage_account_name

+)

+```

+For more information about how Azure Resource Manager orders the deletion of resources, see [Azure Resource Manager resource group deletion](delete-resource-group.md).

+## Move resources

+The following example shows how to move a storage account from one resource group to another resource group.

+```python

+import os

+from azure.identity import AzureCliCredential

+from azure.mgmt.resource import ResourceManagementClient

+credential = AzureCliCredential()

+subscription_id = os.environ["AZURE_SUBSCRIPTION_ID"]

+resource_client = ResourceManagementClient(credential, subscription_id)

+src_resource_group_name = "sourceGroup"

+dest_resource_group_name = "destinationGroup"

+storage_account_name = "demostore"

+dest_resource_group = resource_client.resource_groups.get(dest_resource_group_name)

+storage_account = resource_client.resources.get(

+ src_resource_group_name, "Microsoft.Storage", "", "storageAccounts", storage_account_name, "2022-09-01"

+)

+move_result = resource_client.resources.begin_move_resources(

+ src_resource_group_name,

+ {

+ "resources": [storage_account.id],

+ "targetResourceGroup": dest_resource_group.id,

+ }

+)

+```

+For more information, see [Move resources to new resource group or subscription](move-resource-group-and-subscription.md).

+## Lock resources

+Locking prevents other users in your organization from accidentally deleting or modifying critical resources, such as Azure subscription, resource group, or resource.

+The following example locks a web site so it can't be deleted.

+```python

+import os

+from azure.identity import AzureCliCredential

+from azure.mgmt.resource import ManagementLockClient

+credential = AzureCliCredential()

+subscription_id = os.environ["AZURE_SUBSCRIPTION_ID"]

+lock_client = ManagementLockClient(credential, subscription_id)

+lock_result = lock_client.management_locks.create_or_update_at_resource_level(

+ "exampleGroup",

+ "Microsoft.Web",

+ "",

+ "sites",

+ "examplesite",

+ "lockSite",

+ {

+ "level": "CanNotDelete"

+ }

+)

+```

+The following script gets all locks for a storage account:

+```python

+import os

+from azure.identity import AzureCliCredential

+from azure.mgmt.resource import ResourceManagementClient

+from azure.mgmt.resource.locks import ManagementLockClient

+credential = AzureCliCredential()

+subscription_id = os.environ["AZURE_SUBSCRIPTION_ID"]

+resource_client = ResourceManagementClient(credential, subscription_id)

+lock_client = ManagementLockClient(credential, subscription_id)

+resource_group_name = "demoGroup"

+storage_account_name = "demostore"

+resource = resource_client.resources.get_by_id(

+ f"/subscriptions/{subscription_id}/resourceGroups/{resource_group_name}/providers/Microsoft.Storage/storageAccounts/{storage_account_name}",

+ "2021-04-01"

+)

+locks = lock_client.management_locks.list_at_resource_level(

+ resource_group_name,

+ "Microsoft.Storage",

+ "",

+ "storageAccounts",

+ storage_account_name

+)

+for lock in locks:

+ print(f"Lock Name: {lock.name}, Lock Level: {lock.level}")

+```

+The following script deletes a lock of a web site:

+```python

+import os

+from azure.identity import AzureCliCredential

+from azure.mgmt.resource import ManagementLockClient

+credential = AzureCliCredential()

+subscription_id = os.environ["AZURE_SUBSCRIPTION_ID"]

+lock_client = ManagementLockClient(credential, subscription_id)

+lock_client.management_locks.delete_at_resource_level(

+ "exampleGroup",

+ "Microsoft.Web",

+ "",

+ "sites",

+ "examplesite",

+ "lockSite"

+)

+```

+For more information, see [Lock resources with Azure Resource Manager](lock-resources.md).

+## Tag resources

+Tagging helps organizing your resource group and resources logically. For information, see [Using tags to organize your Azure resources](tag-resources-python.md).

+## Next steps

+- To learn Azure Resource Manager, see [Azure Resource Manager overview](overview.md).

+- To learn the Resource Manager template syntax, see [Understand the structure and syntax of Azure Resource Manager templates](../templates/syntax.md).

+- To learn how to develop templates, see the [step-by-step tutorials](../index.yml).

+- To view the Azure Resource Manager template schemas, see [template reference](/azure/templates/).

+* Once you have your Azure subscription, <a href="https://ms.portal.azure.com/#create/Microsoft.BingSearch" title="Create a Bing Search resource" target="_blank">create a Bing Search resource </a> in the Azure portal to get your key and endpoint. After it deploys, click **Go to resource**.

+> [Bing Web Search API v7 reference](/rest/api/cognitiveservices/bing-web-api-v7-reference)

+Get started with the Image Analysis 4.0 REST API or client libraries to set up a basic image analysis application. The Image Analysis service provides you with AI algorithms for processing images and returning information on their visual features. Follow these steps to install a package to your application and try out the sample code.

+ Title: Prompt engineering techniques with Azure OpenAI

+description: Learn about the options for how to use prompt engineering with GPT-3, ChatGPT, and GPT-4 models

+keywords: ChatGPT, GPT-4, prompt engineering, meta prompts, chain of thought

+zone_pivot_groups: openai-prompt

+# Prompt engineering techniques

+This guide will walk you through some advanced techniques in prompt design and prompt engineering. If you're new to prompt engineering, we recommend starting with our [introduction to prompt engineering guide](prompt-engineering.md).

+While the principles of prompt engineering can be generalized across many different model types, certain models expect a specialized prompt structure. For Azure OpenAI GPT models, there are currently two distinct APIs where prompt engineering comes into play:

+- Chat Completion API.

+- Completion API.

+Each API requires input data to be formatted differently, which in turn impacts overall prompt design. The **Chat Completion API** supports the ChatGPT (preview) and GPT-4 (preview) models. These models are designed to take input formatted in a [specific chat-like transcript](../how-to/chatgpt.md) stored inside an array of dictionaries.

+The **Completion API** supports the older GPT-3 models and has much more flexible input requirements in that it takes a string of text with no specific format rules. Technically the ChatGPT (preview) models can be used with either APIs, but we strongly recommend using the Chat Completion API for these models. To learn more, please consult our [in-depth guide on using these APIs](../how-to/chatgpt.md).

+The techniques in this guide will teach you strategies for increasing the accuracy and grounding of responses you generate with a Large Language Model (LLM). It is, however, important to remember that even when using prompt engineering effectively you still need to validate the responses the models generate. Just because a carefully crafted prompt worked well for a particular scenario doesn't necessarily mean it will generalize more broadly to certain use cases. Understanding the [limitations of LLMs](/legal/cognitive-services/openai/transparency-note?context=%2Fazure%2Fcognitive-services%2Fopenai%2Fcontext%2Fcontext#limitations), is just as important as understanding how to leverage their strengths.

+1. Navigate to your ACS Resource in the Azure portal.

+4. Select "Add role assignments" from the menu.

+8. Search for your Azure Communication Services resource name in the text box and click it when it shows up, then click "Select".

+1. Navigate to your ACS resource in the Azure portal.

+2. Select Identity tab.

+3. Click on "Azure role assignments".

+4. Click the "Add role assignment (Preview)" button, which opens the "Add role assignment (Preview)" tab.

+6. Select the "Subscription".

+7. Select the "Resource Group" containing the Cognitive Service.

+8. Select the "Role" "Cognitive Services User".

+10. Click Save.

+description: Learn how to validate a domain for direct routing.

+# Validate a domain for direct routing

+This article describes the process of validating domain name ownership by using the Azure portal.

+A fully qualified domain name (FQDN) consists of two parts: host name and domain name. For example, if your session border controller (SBC) name is `sbc1.contoso.com`, then `sbc1` is the host name and `contoso.com` is the domain name. If an SBC has an FQDN of `acs.sbc1.testing.contoso.com`, then `acs` is the host name and `sbc1.testing.contoso.com` is the domain name.

+To use direct routing in Azure Communication Services, you need to validate that you own the domain part of your SBC FQDN. After that, you can configure the SBC FQDN and port number and then create voice routing rules.

+When you're verifying the domain name portion of the SBC FQDN, keep in mind that the `*.onmicrosoft.com` and `*.azure.com` domain names aren't supported. For example, if you have two domain names, `contoso.com` and `contoso.onmicrosoft.com`, use `sbc.contoso.com` as the SBC name.

+If you're using a subdomain, make sure that this subdomain is also added and verified. For example, if you want to use `sbc.acs.contoso.com`, you need to register `acs.contoso.com`.

+## Add a new domain name

+1. Open the Azure portal and go to your [Communication Services resource](../../quickstarts/create-communication-resource.md).

+1. On the left pane, under **Voice Calling - PSTN**, select **Direct routing**.

+1. On the **Domains** tab, select **Connect domain**.

+1. Enter the domain part of the SBC FQDN.

+1. Select **Confirm**, and then select **Add**.

+## Verify domain ownership

+1. On the **Domains** tab, select **Verify** next to the new domain that you created.

+1. The Azure portal generates a value for a TXT record. Add that record to your domain's registrar or DNS hosting provider with the provided value.

+ [](./media/direct-routing-verify-domain-2.png#lightbox)

+ It might take up to 30 minutes for a new DNS record to propagate on the internet.

+1. Select **Next**. If you set up everything correctly, **Domain status** should change to **Verified** next to the added domain.

+ [](./media/direct-routing-domain-verified.png#lightbox)

+## Remove a domain from Azure Communication Services

+If you want to remove a domain from your Azure Communication Services direct routing configuration, select the checkbox for a corresponding domain name, and then select **Remove**.

+## Next steps

+- [Redirect inbound telephony calls with Call Automation](../../quickstarts/call-automation/redirect-inbound-telephony-calls.md)

+ Title: How to add and remove sender addresses in Azure Communication Services using the ACS Management Client Libraries

+description: Learn about adding and removing sender addresses in Azure Communication Services using the ACS Management Client Libraries

+zone_pivot_groups: acs-js-csharp-java-python

+# Quickstart: How to add and remove sender addresses in Azure Communication Services using the ACS Management Client Libraries

+In this quick start, you will learn how to add and remove sender addresses in Azure Communication Services using the ACS Management Client Libraries.

+Configure outbound voice routing rules for Azure Communication Services direct routing.

+If you want to clean up and remove a Communication Services subscription, you can delete the resource or resource group. Deleting the resource group also deletes any other resources associated with it. [Learn more about cleaning up resources](../create-communication-resource.md#clean-up-resources).

+- Call to a telephone number by [following a quickstart](./pstn-call.md).

+>[!TIP]

+> If there is a need for the downstream consumers to restore the order of updates with the ΓÇ£capture intermediate updatesΓÇ¥ option checked, the system timestamp `_ts` field can be used as the ordering field.

+This article helps you programmatically create Azure Enterprise Agreement (EA) subscriptions for an EA billing account using the most recent API versions. If you are still using the older preview version, see [Programmatically create Azure subscriptions legacy APIs](programmatically-create-subscription-preview.md).

+To use a service principal (SPN) to create an EA subscription, an Owner of the Enrollment Account must [grant that service principal the ability to create subscriptions](/rest/api/billing/2019-10-01-preview/enrollmentaccountroleassignments/put).

+ > - Ensure that you use the correct API version to give the enrollment account owner permissions. For this article and for the APIs documented in it, use the [2019-10-01-preview](/rest/api/billing/2019-10-01-preview/enrollmentaccountroleassignments/put) API.

+The values for a billing scope and `id` are the same thing. The `id` for your enrollment account is the billing scope under which the subscription request is initiated. It's important to know the ID because it's a required parameter that you use later in the article to create a subscription.

+The values for a billing scope and `id` are the same thing. The `id` for your enrollment account is the billing scope under which the subscription request is initiated. It's important to know the ID because it's a required parameter that you use later in the article to create a subscription.

+The following example creates a subscription named *Dev Team Subscription* in the enrollment account selected in the previous step.

+PUT https://management.azure.com/providers/Microsoft.Subscription/aliases/sampleAlias?api-version=2021-10-01

+```json

+ "billingScope": "/providers/Microsoft.Billing/BillingAccounts/1234567/enrollmentAccounts/7654321",

+ "DisplayName": "Dev Team Subscription", //Subscription Display Name

+ "Workload": "Production"

+To install the latest version of the module that contains the `New-AzSubscriptionAlias` cmdlet, run `Install-Module Az.Subscription`. To install a recent version of PowerShellGet, see [Get PowerShellGet Module](/powershell/gallery/powershellget/install-powershellget).

+Run the following [New-AzSubscriptionAlias](/powershell/module/az.subscription/get-azsubscriptionalias) command, using the billing scope `"/providers/Microsoft.Billing/BillingAccounts/1234567/enrollmentAccounts/7654321"`.

+Run the following [az account alias create](/cli/azure/account/alias#az-account-alias-create) command and provide `billing-scope` and `id` from one of your `enrollmentAccounts`.

+ "scope": "/",

+This article helps you programmatically create Azure subscriptions for a Microsoft Customer Agreement using the most recent API versions. If you are still using the older preview version, see [Programmatically create Azure subscriptions with legacy APIs](programmatically-create-subscription-preview.md).

+You will get back a list of all billing accounts that you have access to

+You will get back a list of all billing accounts that you have access to

+Use the `id` property to identify the invoice section for which you want to create subscriptions. Copy the entire string. For example, `/providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/AW4F-xxxx-xxx-xxx/invoiceSections/SH3V-xxxx-xxx-xxx`.

+AddressLine2 :

+The following example creates a subscription named *Dev Team subscription* for the *Development* invoice section. The subscription is billed to the *Contoso Billing Profile* billing profile and appears on the *Development* section of its invoice. You use the copied billing scope from the previous step: `/providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/AW4F-xxxx-xxx-xxx/invoiceSections/SH3V-xxxx-xxx-xxx`.

+ "billingScope": "/providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/AW4F-xxxx-xxx-xxx/invoiceSections/SH3V-xxxx-xxx-xxx",

+ "DisplayName": "Dev Team subscription",

+ "Workload": "Production"

+To install the latest version of the module that contains the `New-AzSubscriptionAlias` cmdlet, run `Install-Module Az.Subscription`. To install a recent version of PowerShellGet, see [Get PowerShellGet Module](/powershell/gallery/powershellget/install-powershellget).

+Run the following [New-AzSubscriptionAlias](/powershell/module/az.subscription/new-azsubscriptionalias) command and the billing scope `"/providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/AW4F-xxxx-xxx-xxx/invoiceSections/SH3V-xxxx-xxx-xxx"`.

+ "scope": "/",

+This article helps you programmatically create Azure subscriptions for a Microsoft Partner Agreement using the most recent API versions. If you are still using the older preview version, see [Programmatically create Azure subscriptions with legacy APIs](programmatically-create-subscription-preview.md).

+The following example creates a subscription named *Dev Team subscription* for *Fabrikam toys* and associate *Wingtip* reseller to the subscription. You use the copied billing scope from previous step: `/providers/Microsoft.Billing/billingAccounts/99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/customers/2281f543-xxxx-xxxx-xxxx-xxxxxxxxxxxx`.

+ "billingScope": "/providers/Microsoft.Billing/billingAccounts/99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/customers/2281f543-xxxx-xxxx-xxxx-xxxxxxxxxxxx",

+ "DisplayName": "Dev Team subscription",

+ "Workload": "Production"

+An in-progress status is returned as an `Accepted` state under `provisioningState`.

+To install the latest version of the module that contains the `New-AzSubscriptionAlias` cmdlet, run `Install-Module Az.Subscription`. To install a recent version of PowerShellGet, see [Get PowerShellGet Module](/powershell/gallery/powershellget/install-powershellget).

+Run the following New-AzSubscriptionAlias command, using the billing scope `"/providers/Microsoft.Billing/billingAccounts/99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/customers/2281f543-xxxx-xxxx-xxxx-xxxxxxxxxxxx"`.

+Run the following [az account alias create](/cli/azure/account/alias#az-account-alias-create) command.

+ "scope": "/",

+To install the latest version of the module that contains the `New-AzSubscription` cmdlet, run `Install-Module Az.Subscription`. To install a recent version of PowerShellGet, see [Get PowerShellGet Module](/powershell/gallery/powershellget/install-powershellget).

+The following example creates a subscription named *Dev Team subscription* for *Fabrikam toys* and associate *Wingtip* reseller to the subscription.

+| **The access level of a potentially sensitive storage blob container was changed to allow unauthenticated public access**<br>(Storage.Blob_OpenACL) | The alert indicates that someone has changed the access level of a blob container in the storage account, which may contain sensitive data, to the 'Container' level, to allow unauthenticated (anonymous) public access. The change was made through the Azure portal.<br>Based on statistical analysis, the blob container is flagged as possibly containing sensitive data. This analysis suggests that blob containers or storage accounts with similar names are typically not exposed to public access.<br>Applies to: Azure Blob (Standard general-purpose v2, Azure Data Lake Storage Gen2, or premium block blobs) storage accounts. | Collection | Medium |

+## Alerts for Defender for APIs

+**Alert (alert type)** | **Description** | **MITRE tactics** | **Severity**

+ | | |

+**(Preview) Suspicious population-level spike in API traffic to an API endpoint**<br/> (API_PopulationSpikeInAPITraffic) | A suspicious spike in API traffic was detected at one of the API endpoints. The detection system used historical traffic patterns to establish a baseline for routine API traffic volume between all IPs and the endpoint, with the baseline being specific to API traffic for each status code (such as 200 Success). The detection system flagged an unusual deviation from this baseline leading to the detection of suspicious activity. | Impact | Medium

+**(Preview) Suspicious spike in API traffic from a single IP address to an API endpoint**<br/> (API_SpikeInAPITraffic) | A suspicious spike in API traffic was detected from a client IP to the API endpoint. The detection system used historical traffic patterns to establish a baseline for routine API traffic volume to the endpoint coming from a specific IP to the endpoint. The detection system flagged an unusual deviation from this baseline leading to the detection of suspicious activity. | Impact | Medium

+**(Preview) Unusually large response payload transmitted between a single IP address and an API endpoint**<br/> (API_SpikeInPayload) | A suspicious spike in API response payload size was observed for traffic between a single IP and one of the API endpoints. Based on historical traffic patterns from the last 30 days, Defender for APIs learns a baseline that represents the typical API response payload size between a specific IP and API endpoint. The learned baseline is specific to API traffic for each status code (e.g., 200 Success). The alert was triggered because an API response payload size deviated significantly from the historical baseline. | Initial access | Medium

+**(Preview) Unusually large request body transmitted between a single IP address and an API endpoint**<br/> (API_SpikeInPayload) | A suspicious spike in API request body size was observed for traffic between a single IP and one of the API endpoints. Based on historical traffic patterns from the last 30 days, Defender for APIs learns a baseline that represents the typical API request body size between a specific IP and API endpoint. The learned baseline is specific to API traffic for each status code (e.g., 200 Success). The alert was triggered because an API request size deviated significantly from the historical baseline. | Initial access | Medium

+**(Preview) Suspicious spike in latency for traffic between a single IP address and an API endpoint**<br/> (API_SpikeInLatency) | A suspicious spike in latency was observed for traffic between a single IP and one of the API endpoints. Based on historical traffic patterns from the last 30 days, Defender for APIs learns a baseline that represents the routine API traffic latency between a specific IP and API endpoint. The learned baseline is specific to API traffic for each status code (e.g., 200 Success). The alert was triggered because an API call latency deviated significantly from the historical baseline. | Initial access | Medium

+**(Preview) API requests spray from a single IP address to an unusually large number of distinct API endpoints**<br/>(API_SprayInRequests) | A single IP was observed making API calls to an unusually large number of distinct endpoints. Based on historical traffic patterns from the last 30 days, Defenders for APIs learns a baseline that represents the typical number of distinct endpoints called by a single IP across 20-minute windows. The alert was triggered because a single IP's behavior deviated significantly from the historical baseline. | Discovery | Medium

+**(Preview) Parameter enumeration on an API endpoint**<br/> (API_ParameterEnumeration) | A single IP was observed enumerating parameters when accessing one of the API endpoints. Based on historical traffic patterns from the last 30 days, Defender for APIs learns a baseline that represents the typical number of distinct parameter values used by a single IP when accessing this endpoint across 20-minute windows. The alert was triggered because a single client IP recently accessed an endpoint using an unusually large number of distinct parameter values. | Initial access | Medium

+**(Preview) Distributed parameter enumeration on an API endpoint**<br/> (API_DistributedParameterEnumeration) | The aggregate user population (all IPs) was observed enumerating parameters when accessing one of the API endpoints. Based on historical traffic patterns from the last 30 days, Defender for APIs learns a baseline that represents the typical number of distinct parameter values used by the user population (all IPs) when accessing an endpoint across 20-minute windows. The alert was triggered because the user population recently accessed an endpoint using an unusually large number of distinct parameter values. | Initial access | Medium

+**(Preview) Parameter value(s) with anomalous data types in an API call**<br/> (API_UnseenParamType) | A single IP was observed accessing one of your API endpoints and using parameter values of a low probability data type (e.g., string, integer, etc.). Based on historical traffic patterns from the last 30 days, Defender for APIs learns the expected data types for each API parameter. The alert was triggered because an IP recently accessed an endpoint using a previously low probability data type as a parameter input. | Impact | Medium

+**(Preview) Previously unseen parameter used in an API call**<br/> (API_UnseenParam) | A single IP was observed accessing one of the API endpoints using a previously unseen or out-of-bounds parameter in the request. Based on historical traffic patterns from the last 30 days, Defender for APIs learns a set of expected parameters associated with calls to an endpoint. The alert was triggered because an IP recently accessed an endpoint using a previously unseen parameter. | Impact | Medium

+**(Preview) Access from a Tor exit node to an API endpoint**<br/> (API_AccessFromTorExitNode) | An IP address from the Tor network accessed one of your API endpoints. Tor is a network that allows people to access the Internet while keeping their real IP hidden. Though there are legitimate uses, it is frequently used by attackers to hide their identity when they target people's systems online. | Pre-attack | Medium

+**(Preview) API Endpoint access from suspicious IP**<br/> (API_AccessFromSuspiciousIP) | An IP address accessing one of your API endpoints was identified by Microsoft Threat Intelligence as having a high probability of being a threat. While observing malicious Internet traffic, this IP came up as involved in attacking other online targets. | Pre-attack | High

+**(Preview) Suspicious User Agent detected**<br/> (API_AccessFromSuspiciousUserAgent) |

+The user agent of a request accessing one of your API endpoints contained anomalous values indicative of an attempt at remote code execution. This does not mean that any of your API endpoints have been breached, but it does suggest that an attempted attack is underway. | Execution | Medium

+- [Continuously export Defender for Cloud data](continuous-export.md)

+For commercial and national cloud coverage, review [features supported in different Azure cloud environments](support-matrix-cloud-environment.md).

+ Title: Enable Defender for APIs in Defender for Cloud

+description: Learn about deploying the Defender for APIs plan in Defender for Cloud

+# Onboard Defender for APIs

+This article describes how to deploy the [Microsoft Defender for APIs](defender-for-apis-introduction.md) plan in the Microsoft Defender for Cloud portal. Defender for APIs is currently in preview.

+## Before you start

+- Review [Defender for APIs support, permissions, and requirements](defender-for-apis-introduction.md) before you begin deployment.

+- Make sure that Defender for Cloud is enabled in your Azure subscription. You enable Defender for APIs at the subscription level.

+- Ensure that APIs you want to secure are published in [Azure API management](/azure/api-management/api-management-key-concepts). Follow [these instructions](/azure/api-management/get-started-create-service-instance) to set up Azure API Management.

+> [!NOTE]

+> This article describes how to enable and onboard the Defender for APIs plan in the Defender for Cloud portal. Alternately, you can [enable Defender for APIs within an API Management instance](../api-management/protect-with-defender-for-apis.md) in the Azure portal.

+## Enable the plan

+1. Sign into the [portal](https://portal.azure.com/), and in Defender for Cloud, select **Environment settings**.

+1. Select the subscription that contains the managed APIs that you want to protect.

+1. In the **APIs** plan, select **On**. Then select **Save**.

+ :::image type="content" source="media/defender-for-apis-deploy/enable-plan.png" alt-text="Screenshot that shows how to turn on the Defender for APIs plan in the portal." lightbox="media/defender-for-apis-deploy/enable-plan.png":::

+> [!NOTE]

+> After enabling Defender for APIs, onboarded APIs take up to 50 minutes to appear in the **Recommendations** tab. Security insights are available in the **Workload protections** > **API security** dashboard within 40 minutes of onboarding.

+## Onboard APIs

+1. In the Defender for Cloud portal, select **Recommendations**.

+1. Search for *Defender for APIs*.

+1. Under **Enable enhanced security features**, select the security recommendation **Azure API Management APIs should be onboarded to Defender for APIs**.

+ :::image type="content" source="media/defender-for-apis-deploy/api-recommendations.png" alt-text="Screenshot that shows how to turn on the Defender for APIs plan from the recommendation." lightbox="media/defender-for-apis-deploy/api-recommendations.png":::

+1. In the recommendation page, you can review the recommendation severity, update interval, description, and remediation steps.

+1. Review the resources in scope for the recommendations:

+ - **Unhealthy resources**: Resources that aren't onboarded to Defender for APIs.

+ - **Healthy resources**: API resources that are onboarded to Defender for APIs.

+ - **Not applicable resources**: API resources that aren't applicable for protection.

+1. In **Unhealthy resources**, select the APIs that you want to protect with Defender for APIs.

+1. Select **Fix**.

+ :::image type="content" source="media/defender-for-apis-deploy/api-recommendation-details.png" alt-text="Screenshot that shows the recommendation details for turning on the plan." lightbox="media/defender-for-apis-deploy/api-recommendation-details.png":::

+1. In **Fixing resources**, review the selected APIs, and select **Fix resources**.

+ :::image type="content" source="media/defender-for-apis-deploy/fix-resources.png" alt-text="Screenshot that shows how to fix unhealthy resources." lightbox="media/defender-for-apis-deploy/fix-resources.png":::

+1. Verify that remediation was successful.

+ :::image type="content" source="media/defender-for-apis-deploy/fix-resources-confirm.png" alt-text="Screenshot that confirms that remediation was successful." lightbox="media/defender-for-apis-deploy/fix-resources-confirm.png":::

+## Track onboarded API resources

+After onboarding the API resources, you can track their status in the Defender for Cloud portal > **Workload protections** > **API security**.

+## Next steps

+[Review](defender-for-apis-posture.md) API threats and security posture.

+ Title: Overview of the Microsoft Defender for APIs plan in Microsoft Defender for Cloud

+description: Learn about the benefits of the Microsoft Defender for APIs plan in Microsoft Defender for Cloud

+# About Microsoft Defender for APIs

+Microsoft Defender for APIs is a plan provided by [Microsoft Defender for Cloud](defender-for-cloud-introduction.md) that offers full lifecycle protection, detection, and response coverage for APIs.

+Defender for APIs helps you to gain visibility into business-critical APIs. You can investigate and improve your API security posture, prioritize vulnerability fixes, and quickly detect active real-time threats.

+> [!IMPORTANT]

+> Defender for APIs is currently in PREVIEW.

+> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+Defender for APIs currently provides security for APIs published in Azure API Management. Defender for APIs can be onboarded in the Defender for Cloud portal, or within the API Management instance in the Azure portal.

+## What can I do with Defender for APIs?

+- **Inventory**: In a single dashboard, get an aggregated view of all managed APIs.

+- **Security findings**: Analyze API security findings, including information about external, unused, or unauthenticated APIs.

+- **Security posture**: Review and implement security recommendations to improve API security posture, and harden at-risk surfaces.

+- **API data classification**: Classify APIs that receive or respond with sensitive data, to support risk prioritization.

+- **Real time threat detection**: Ingest API traffic and monitor it with runtime anomaly detection, using machine-learning and rule-based analytics, to detect API security threats, including the [OWASP Top 10](https://owasp.org/www-project-top-ten/) critical threats.

+- **Defender CSPM integration**: Integrate with Cloud Security Graph in [Defender Cloud Security Posture Management (CSPM)](concept-cloud-security-posture-management.md) for API visibility and risk assessment across your organization.

+- **Azure API Management integration**: With the Defender for APIs plan enabled, you can receive API security recommendations and alerts in the Azure API Management portal.

+- **SIEM integration**: Integrate with security information and event management (SIEM) systems, making it easier for security teams to investigate with existing threat response workflows. [Learn more](tutorial-security-incident.md).

+## Reviewing API security findings

+Review the inventory and security findings for onboarded APIs in the Defender for Cloud API Security dashboard. The dashboard shows the number of onboarded devices, broken down by API collections, endpoints, and Azure API Management services.

+You can drill down into API collection to review security findings for onboarded API endpoints.

+API endpoint information includes:

+- **Endpoint name**: The name of API endpoint/operation as defined in Azure API Management.

+- **Endpoint**: The URL path of the API endpoints, and the HTTPS method.

+Last called data (UTC): The date when API traffic was last observed going to/from API endpoints (in UTC time zone).

+- **30 days unused**: Shows whether API endpoints have received any API call traffic in the last 30 days. APIs that haven't received any traffic in the last 30 days are marked as Inactive.

+- **Authentication**: Shows when a monitored API endpoint has no authentication. Defender for APIs assesses the authentication state using the subscription keys, JSON web token (JWT), and client certificate configured in Azure API Management. If none of these authentication mechanisms are present or executed, the API is marked as "unauthenticated".

+- **External traffic observed date**: The date when external API traffic was observed going to/from the API endpoint.

+- **Data classification**: Classifies API request and response bodies based on supported data types.

+> [!NOTE]

+> API endpoints that haven't received any traffic since onboarding to Defender for APIs display the status *Awaiting data* in the API dashboard.

+## Investigating API recommendations

+Use recommendations to improve your security posture, harden API configurations, identify critical API risks, and mitigate issues by risk priority.

+Defender for API provides a number of recommendations, including recommendations to onboard APIs to the Defender for API plan, disable and remove unused APIs, and best practice recommendations for security, authentication, and access control.

+[Review the recommendations reference](recommendations-reference.md).

+## Detecting runtime threats

+Defender for APIs monitors runtime traffic and threat intelligence feeds, and issues threat detection alerts. API alerts detect the top 10 OWASP threats, data exfiltration, volumetric attacks, anomalous and suspicious API parameters, traffic and IP access anomalies, and usage patterns.

+[Review the security alerts reference](alerts-reference.md).

+## Responding to threats

+Act on recommendations and alerts to mitigate threats and risk. Defender for Cloud alerts and recommendations can be exported into SIEM systems such as Microsoft Sentinel, for investigation within existing threat response workflows for fast and efficient remediation. [Learn more](export-to-siem.md).

+## Investigating Cloud Security Graph insights

+[Cloud Security Graph](concept-attack-path.md) in the Defender CSPM plan analyses assets and connections across your organization, to expose risks, vulnerabilities, and possible lateral movement paths.

+**When Defender for APIs is enabled together with the Defender CSPM plan**, you can use Cloud Security Explorer to proactively and efficiently query your organizational information to locate, identify, and remediate API assets, security issues, and risks.

+## Next steps

+[Review support and prerequisites](defender-for-apis-prepare.md) for Defender for APIs deployment.

+ Title: Manage the Defender for APIs plan in Microsoft Defender for Cloud

+description: Manage your Defender for APIs deployment in Microsoft Defender for Cloud

+# Manage your Defender for APIs deployment

+This article describes how to manage your [Microsoft Defender for APIs](defender-for-apis-introduction.md) plan deployment in Microsoft Defender for Cloud. Management tasks include offboarding APIs from Defender for APIs.

+Defender for APIs is currently in preview.

+## Offboard an API

+1. In the Defender for Cloud portal, select **Workload protections**.

+1. Select **API security**.

+1. Next to the API you want to offboard from Defender for APIs, select the ellipsis (...) > **Remove**.

+ :::image type="content" source="media/defender-for-apis-manage/api-remove.png" alt-text="Screenshot of the review API information in Cloud Security Explorer." lightbox="media/defender-for-apis-manage/api-remove.png":::

+## Next steps

+[Learn about](defender-for-apis-introduction.md) Defender for APIs.

+ Title: Investigate your API security findings and posture in Microsoft Defender for Cloud

+description: Learn how to analyze your API security alerts and posture in Microsoft Defender for Cloud

+# Investigate API findings, recommendations, and alerts

+This article describes how to investigate API security findings, alerts, and security posture recommendations for APIs protected by [Microsoft Defender for APIs](defender-for-apis-introduction.md). Defender for APIs is currently in preview.

+## Before you start

+- [Onboard your API resources](defender-for-apis-deploy.md) to Defender for APIs.

+- To explore security risks within your organization using Cloud Security Explorer, the Defender Cloud Security Posture Management (CSPM) plan must be enabled. [Learn more](concept-cloud-security-posture-management.md).

+## View recommendations and runtime alerts

+1. In the Defender for Cloud portal, select **Workload protections**.

+1. Select **API security (Preview)**.

+1. In the **API Security** dashboard, select an API collection.

+ :::image type="content" source="media/defender-for-apis-posture/api-collection-details.png" alt-text="Screenshot that shows the onboarded API collections."lightbox="media/defender-for-apis-posture/api-collection-details.png":::

+1. In the API collection page, to drill down into an API endpoint, select the ellipses (...) > **View resource**.

+ :::image type="content" source="media/defender-for-apis-posture/view-resource.png" alt-text="Screenshot that shows an API endpoint details." lightbox="media/defender-for-apis-posture/view-resource.png":::

+1. In the **Resource health** page, review the endpoint settings.

+1. In the **Recommendations** tab, review recommendation details and status.

+1. In the **Alerts** tab review security alerts for the endpoint. Defender for Endpoint monitors API traffic to and from endpoints, to provide runtime protection against suspicious behavior and malicious attacks.

+ :::image type="content" source="media/defender-for-apis-posture/resource-health.png" alt-text="Screenshot that shows the health of an endpoint." lightbox="media/defender-for-apis-posture/resource-health.png":::

+## Create sample security alerts

+In Defender for Cloud you can use sample alerts to evaluate your Defender for Cloud plans, and validate your security configuration. [Follow these instructions](alert-validation.md#generate-sample-security-alerts) to set up sample alerts, and select the relevant APIs within your subscriptions.

+## Build queries in Cloud Security Explorer

+In Defender CSPM, [Cloud Security Graph](concept-attack-path.md) collects data to provide a map of assets and connections across organization, to expose security risks, vulnerabilities, and possible lateral movement paths.

+When the Defender CSPM plan is enabled together with Defender for APIs, you can use Cloud Security Explorer to query Cloud Security Graph, to identify, review and analyze API security risks across your organization.

+1. In the Defender for Cloud portal, select **Cloud Security Explorer**.

+1. You can build your own query, or select the API query template.

+ 1. To build your own query, in **What would you like to search?** select the **APIs** category. You can query:

+ - API collections that contain one or more API endpoints.

+ - API endpoints for Azure API Management operations.

+ :::image type="content" source="media/defender-for-apis-posture/api-insights.png" alt-text="Screenshot that shows the predefined API query." lightbox="media/defender-for-apis-posture/api-insights.png":::

+

+ The search resultS display each API resource with its associated insights, so that you can review, prioritize, and fix any issues.

+ Alternatively, you can select the predefined query **Unauthenticated API endpoints containing sensitive data are outside the virtual network** > **Open query**. The query returns all unauthenticated API endpoints that contain sensitive data and aren't part of the Azure API management network.

+

+ :::image type="content" source="media/defender-for-apis-posture/predefined-query.png" alt-text="Screenshot that shows a predefined API query.":::

+

+## Next steps

+[Manage](defender-for-apis-manage.md) your Defender for APIs deployment.

+ Title: Support and prerequisites for deploying the Defender for APIs plan in Microsoft Defender for Cloud

+description: Learn about the requirements for Defender for APIs deployment in Microsoft Defender for Cloud

+# Support and prerequisites for Defender for APIs deployment

+Review the requirements on this page before setting up [Microsoft Defender for APIs](defender-for-apis-introduction.md). Defender for APIs is currently in preview.

+## Cloud and region support

+Defender for APIs is in public preview in the Azure commercial cloud, in these regions:

+- Asia (Southeast Asia, EastAsia)

+- Australia (Australia East, Australia Southeast, Australia Central, Australia Central 2)

+- Brazil (Brazil South, Brazil Southeast)

+- Canada (Canada Central, Canada East)

+- Europe (West Europe, North Europe)

+- India (Central India, South India, West India)

+- Japan (Japan East, Japan West)

+- UK (UK South, UK West)

+- US (East US, East US 2, West US, West US 2, West US 3, Central US, North Central US, South Central US, West Central US, East US 2 EUAP, Central US EUAP)

+Review the latest cloud support information for Defender for Cloud plans and features in the [cloud support matrix](support-matrix-cloud-environment.md).

+## API support

+**Feature** | **Supported**

+ |

+Availability | This feature is available in the Premium, Standard, Basic, and Developer tiers of Azure API Management.

+API gateways | Azure API Management<br/><br/> Defender for APIs currently doesn't onboard APIs that are exposed using the API Management [self-hosted gateway](../api-management/self-hosted-gateway-overview.md), or managed using API Management [workspaces](../api-management/workspaces-overview.md).

+API types | Currently, Defender for APIs discovers and analyzes REST APIs.

+Multi-region support | In multi-region Azure API Management instances, some ML-based detections and security insights (data classification, authentication check, unused and external APIs) aren't supported in secondary regions. In such cases, data residency requirements are still met.ΓÇ»

+## Defender CSPM integration

+To explore API security risks using Cloud Security Explorer, the Defender Cloud Security Posture Management (CSPM) plan must be enabled. [Learn more](concept-cloud-security-posture-management.md).

+## Onboarding requirements

+Onboarding requirements for Defender for APIs are as follows.

+**Requirement** | **Details**

+ |

+API Management instance | At least one API Management instance in an Azure subscription. Defender for APIs is enabled at the level of a subscription.<br/><br/> One or more supported APIs must be imported to the API Management instance.

+Azure account | You need an Azure account to sign into the Azure portal.

+Onboarding permissions | To enable and onboard Defender for APIs, you need the Owner or Contributor role on the Azure subscriptions, resource groups, or Azure API Management instance that you want to secure. If you don't have the Contributor role, you need to enable these roles:<br/><br/> - Security Admin role for full access in Defender for Cloud.<br/> - Security Reader role to view inventory and recommendations in Defender for Cloud.

+Onboarding location | You can [enable Defender for APIs in the Defender for Cloud portal](defender-for-apis-deploy.md), or in the [Azure API Management portal](../api-management/protect-with-defender-for-apis.md).

+## Next steps

+[Enable and onboard](defender-for-apis-deploy.md) Defender for APIs.

+- [**Run-time threat protection for nodes and clusters**](#run-time-protection-for-kubernetes-nodes-and-clusters) - Threat protection for clusters and nodes generates security alerts for suspicious activities.

+Defender for Containers provides real-time threat protection for [supported containerized environments](support-matrix-defender-for-containers.md) and generates alerts for suspicious activities. You can use this information to quickly remediate security issues and improve the security of your containers. Threat protection at the cluster level is provided by the Defender agent and analysis of the Kubernetes audit logs. Examples of events at this level include exposed Kubernetes dashboards, creation of high-privileged roles, and the creation of sensitive mounts.

+ Title: Zero Trust and Defender for Cloud | Defender for Cloud in the Field

+description: Learn about Zero Trust best practices and Zero Trust visibility and analytics tools

+# Zero Trust and Defender for Cloud | Defender for Cloud in the field

+**Episode description**: In this episode of Defender for Cloud in the Field, Mekonnen Kassa joins Yuri Diogenes to discuss the importance of using Zero Trust. Mekonnen covers the principles of Zero Trust, the importance of switching your mindset to adopt this strategy and how Defender for Cloud can help. Mekonnen also talks about best practices to get started, visibility and analytics as part of Zero Trust, and what tools can be leveraged to achieve it.

+<br>

+<br>

+<iframe src="https://aka.ms/docs/player?id=125af768-01bd-45ac-8503-4dba5eb53ff7" width="1080" height="530" allowFullScreen="true" frameBorder="0"></iframe>

+- [01:21](/shows/mdc-in-the-field/zero-trust#time=01m21s) - What is Zero Trust?

+- [04:12](/shows/mdc-in-the-field/zero-trust#time=04m12s) - Current challenges with multicloud and hybrid workloads

+- [06:47](/shows/mdc-in-the-field/zero-trust#time=06m47s) - How can Defender for Cloud help with Zero Trust?

+- [11:38](/shows/mdc-in-the-field/zero-trust#time=11m38s) - Azure Network Security Controls that can help with Zero Trust

+- [14:50](/shows/mdc-in-the-field/zero-trust#time=14m50s) - Visibility and Analytics for Zero Trust

+- [18:09](/shows/mdc-in-the-field/zero-trust#time=18m09s) - Final recommendations to start your Zero Trust journey

+## Recommended resources

+ - Learn more about [Zero Trust](https://www.microsoft.com/security/business/zero-trust)

+ - Subscribe to [Microsoft Security on YouTube](https://www.youtube.com/playlist?list=PL3ZTgFEc7LysiX4PfHhdJPR7S8mGO14YS)

+ - Join our [Tech Community](https://aka.ms/SecurityTechCommunity)

+ - For more about [Microsoft Security](https://msft.it/6002T9HQY)

+- Follow us on social media:

+ - [LinkedIn](https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbFk5TXZuQld2NlpBRV9BQlJqMktYSm95WWhCZ3xBQ3Jtc0tsQU13MkNPWGNFZzVuem5zc05wcnp0VGxybHprVTkwS2todWw0b0VCWUl4a2ZKYVktNGM1TVFHTXpmajVLcjRKX0cwVFNJaDlzTld4MnhyenBuUGRCVmdoYzRZTjFmYXRTVlhpZGc4MHhoa3N6ZDhFMA&q=https%3A%2F%2Fwww.linkedin.com%2Fshowcase%2Fmicrosoft-security%2F)

+ - [Twitter](https://twitter.com/msftsecurity)

+- Join our [Tech Community](https://aka.ms/SecurityTechCommunity)

+- Learn more about [Microsoft Security](https://msft.it/6002T9HQY)

+## Next steps

+> [!div class="nextstepaction"]

+> [New AWS Connector in Microsoft Defender for Cloud](episode-one.md)

+> [Zero Trust and Defender for Cloud](episode-twenty-eight.md)

+ Ensure that your SSM agent has the managed policy ["AmazonSSMManagedInstanceCore"] (https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMManagedInstanceCore.html) that enables AWS Systems Manager service core functionality.

+ Ensure that your SSM agent has the managed policy ["AmazonSSMManagedInstanceCore"] (https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMManagedInstanceCore.html) that enables AWS Systems Manager service core functionality.

+

+- [Troubleshoot your multicloud connectors](troubleshooting-guide.md#troubleshooting-the-native-multicloud-connector)

+Recommendations in Defender for Cloud are based on the [Microsoft cloud security benchmark](/security/benchmark/azure/introduction).

+## API recommendations

+|Recommendation|Description & related policy|Severity|

+|-|-|-|

+|(Preview) Microsoft Defender for APIs should be enabled|Enable the Defender for APIs plan to discover and protect API resources against attacks and security misconfigurations. [Learn more](defender-for-apis-deploy.md)|High|

+(Preview) Azure API Management APIs should be onboarded to Defender for APIs. | Onboarding APIs to Defender for APIs requires compute and memory utilization on the Azure API Management service. Monitor performance of your Azure API Management service while onboarding APIs, and scale out your Azure API Management resources as needed.|High|

+(Preview) API endpoints that are unused should be disabled and removed from the Azure API Management service|As a security best practice, API endpoints that haven't received traffic for 30 days are considered unused, and should be removed from the Azure API Management service. Keeping unused API endpoints might pose a security risk. These might be APIs that should have been deprecated from the Azure API Management service, but have accidentally been left active. Such APIs typically do not receive the most up-to-date security coverage.|Low|

+(Preview) API endpoints in Azure API Management should be authenticated|API endpoints published within Azure API Management should enforce authentication to help minimize security risk. Authentication mechanisms are sometimes implemented incorrectly or are missing. This allows attackers to exploit implementation flaws and to access data. For APIs published in Azure API Management, this recommendation assesses the execution of authentication via the Subscription Keys, JWT, and Client Certificate configured within Azure API Management. If none of these authentication mechanisms are executed during the API call, the API will receive this recommendation.|High

+## API management recommendations

+|Recommendation|Description & related policy|Severity|

+|-|-|-|

+|(Preview) API Management subscriptions should not be scoped to all APIs|API Management subscriptions should be scoped to a product or an individual API instead of all APIs, which could result in excessive data exposure.|Medium|

+(Preview) API Management calls to API backends should not bypass certificate thumbprint or name validation| API Management should validate the backend server certificate for all API calls. Enable SSL certificate thumbprint and name validation to improve the API security.|Medium|

+(Preview) API Management direct management endpoint should not be enabled|The direct management REST API in Azure API Management bypasses Azure Resource Manager role-based access control, authorization, and throttling mechanisms, thus increasing the vulnerability of your service.|Low|

+(Preview) API Management APIs should use only encrypted protocols|APIs should be available only through encrypted protocols, like HTTPS or WSS. Avoid using unsecured protocols, such as HTTP or WS to ensure security of data in transit.|High

+(Preview) API Management secret named values should be stored in Azure Key Vault|Named values are a collection of name and value pairs in each API Management service. Secret values can be stored either as encrypted text in API Management (custom secrets) or by referencing secrets in Azure Key Vault. Reference secret named values from Azure Key Vault to improve security of API Management and secrets. Azure Key Vault supports granular access management and secret rotation policies.|Medium

+(Preview) API Management should disable public network access to the service configuration endpoints|To improve the security of API Management services, restrict connectivity to service configuration endpoints, like direct access management API, Git configuration management endpoint, or self-hosted gateways configuration endpoint.| Medium

+(Preview) API Management minimum API version should be set to 2019-12-01 or higher|To prevent service secrets from being shared with read-only users, the minimum API version should be set to 2019-12-01 or higher.|Medium

+(Preview) API Management calls to API backends should be authenticated|Calls from API Management to backends should use some form of authentication, whether via certificates or credentials. Does not apply to Service Fabric backends.|Medium

+ Title: Microsoft Defender for Cloud support across cloud types

+description: Review Defender for Cloud features and plans supported across different clouds

+# Defender for Cloud support for commercial/government clouds

+This article indicates which Defender for Cloud features are supported in Azure commercial and government clouds.

+## Cloud support

+In the support table, **NA** indicates that the feature is not available.

+**Feature/Plan** | **Details** | **Azure** | **Azure Government** | **Azure China**<br/><br/>**21Vianet**

+ | | | |

+**Foundational CSPM** | | | |

+[Continuous export](./continuous-export.md) | GA | GA | GA

+[Workflow automation](./workflow-automation.md) | GA | GA | GA

+[Recommendation exemption rules](./exempt-resource.md) | Public preview | NA | NA

+[Alert suppression rules](./alerts-suppression-rules.md) | GA | GA | GA

+[Alert email notifications](./configure-email-notifications.md) | GA | GA | GA

+[Agent/extension deployment](monitoring-components.md) | GA | GA | GA

+[Asset inventory](./asset-inventory.md) | GA | GA | GA

+[Azure Workbooks support](./custom-dashboards-azure-workbooks.md) | GA | GA | GA

+[Microsoft Defender for Cloud Apps integration](./other-threat-protections.md#display-recommendations-in-microsoft-defender-for-cloud-apps) | GA | GA | GA

+**[Defender CSPM](concept-cloud-security-posture-management.md)** | GA | NA | NA

+**[Defender for APIs](defender-for-apis-introduction.md)** | Public preview | NA | NA

+**[Defender for App Service](defender-for-app-service-introduction.md)** | GA | NA | NA

+**[Defender for Azure Cosmos DB](concept-defender-for-cosmos.md)** | Public preview | NA | NA

+**[Defender for Azure SQL database servers](defender-for-sql-introduction.md)**<br/><br/> Partial GA in Vianet21<br/> - A subset of alerts/vulnerability assessments is available.<br/>- Behavioral threat protection isn't available. | GA | GA | GA

+**[Defender for Containers](defender-for-containers-introduction.md)**| GA | GA | GA

+[Azure Arc extension for Kubernetes clusters/servers/data services](defender-for-kubernetes-azure-arc.md): | Public preview | NA | NA

+Runtime visibility of vulnerabilities in container images | Public preview | NA | NA

+**[Defender for DNS](defender-for-dns-introduction.md)** | GA | GA | GA

+**[Defender for Key Vault](./defender-for-key-vault-introduction.md)** | GA | NA | NA

+[Defender for Kubernetes](./defender-for-kubernetes-introduction.md)<br/><br/> Defender for Kubernetes is deprecated and doesn't include new features. [Learn more](defender-for-kubernetes-introduction.md) | GA | GA | GA

+**[Defender for open-source relational databases](defender-for-databases-introduction.md)** | GA | NA | NA

+**[Defender for Resource Manager](./defender-for-resource-manager-introduction.md)** | GA | GA | GA

+**[Defender for Servers](plan-defender-for-servers.md)** | | | |

+[Just-in-time VM access](./just-in-time-access-usage.md) | GA | GA | GA

+[File integrity monitoring](./file-integrity-monitoring-overview.md) | GA | GA | GA

+[Adaptive application controls](./adaptive-application-controls.md) | GA | GA | GA

+[Adaptive network hardening](./adaptive-network-hardening.md) | GA | GA | NA

+[Docker host hardening](./harden-docker-hosts.md) | | GA | GA | GA

+[Integrated Qualys scanner](./deploy-vulnerability-assessment-vm.md) | GA | NA | NA

+[Compliance dashboard/reports](./regulatory-compliance-dashboard.md)<br/><br/> Compliance standards might differ depending on the cloud type.| GA | GA | GA

+[Defender for Endpoint integration](./integration-defender-for-endpoint.md) | | GA | GA | NA

+[Connect AWS account](./quickstart-onboard-aws.md) | GA | NA | NA

+[Connect GCP project](./quickstart-onboard-gcp.md) | GA | NA | NA

+**[Defender for Storage](./defender-for-storage-introduction.md)**<br/><br/> Some alerts in Defender for Storage are in public preview. | GA | GA | NA

+**[Defender for SQL servers on machines](./defender-for-sql-introduction.md)** | GA | GA | NA

+**[Microsoft Sentinel bi-directional alert synchronization](../sentinel/connect-azure-security-center.md)** | Public preview | NA | NA

+## Next steps

+Start reading about [Defender for Cloud features](defender-for-cloud-introduction.md).

+| [Release of containers Vulnerability Assessment powered by Microsoft Defender Vulnerability Management (MDVM) in Defender CSPM](#release-of-containers-vulnerability-assessment-powered-by-microsoft-defender-vulnerability-management-mdvm-in-defender-cspm) | May 2023 |

+|[Renaming container recommendations powered by Qualys](#renaming-container-recommendations-powered-by-qualys) | May 2023 |

+### Release of containers Vulnerability Assessment powered by Microsoft Defender Vulnerability Management (MDVM) in Defender CSPM

+**Estimated date for change: May 2023**

+We're announcing the release of Vulnerability Assessment for Linux images in Azure container registries powered by Microsoft Defender Vulnerability Management (MDVM) in Defender CSPM. This release includes daily scanning of images. Findings used in the Security Explorer and attack paths will rely on MDVM Vulnerability Assessment instead of the Qualys scanner.

+The existing recommendation "Container registry images should have vulnerability findings resolved" is replaced by a new recommendation powered by MDVM:

+|Recommendation | Description | Assessment Key|

+|--|--|--|

+| Container registry images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management)| Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to  improving your security posture, significantly reducing the attack surface for your containerized workloads. |dbd0cb49-b563-45e7-9724-889e799fa648 <br> is replaced by c0b7cfc6-3172-465a-b378-53c7ff2cc0d5

+The recommendation "Running container images should have vulnerability findings resolved" (assessment key 41503391-efa5-47ee-9282-4eff6131462c) is temporarily removed and will be replaced soon by a new recommendation powered by MDVM.

+Learn more about [Microsoft Defender Vulnerability Management (MDVM)](https://learn.microsoft.com/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management).

+### Renaming container recommendations powered by Qualys

+**Estimated date for change: May 2023**

+ The current container recommendations in Defender for Containers are renamed as follows:

+|Recommendation | Description | Assessment Key|

+|--|--|--|

+| Container registry images should have vulnerability findings resolved (powered by Qualys) | Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. | dbd0cb49-b563-45e7-9724-889e799fa648 |

+| Running container images should have vulnerability findings resolved (powered by Qualys) | Container image vulnerability assessment scans container images running on your Kubernetes clusters for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. | 41503391-efa5-47ee-9282-4eff6131462c |

+- **Recommendation**: The latest version of Integration Runtime (**5.28.8488**) prevents access to a network file share on a local host. Ensure you run Integration Runtime on a different machine than the network share hosting. If hosting the self-hosted Integration Runtime and the network share on different machines isn't possible with your current migration setup, you can use the option to opt out using ```DisableLocalFolderPathValidation```.

+- **Message**: Unable to read blobs in storage container, exception: The remote server returned an error: (403) Forbidden.; The remote server returned an error: (403) Forbidden

+## Azure Data Studio Limitations

+### Failed to start Sql Migration Service: Error: Request error:

+- **Message**: `Error at ClientRequest.<anonymous> (c:\Users\MyUser\.azuredatastudio\extensions\microsoft.sql-migration-1.4.2\dist\main.js:2:7448) at ClientRequest.emit (node:events:538:35) at TLSSocket.socketOnEnd (node:_http_client:466:9) at TLSSocket.emit (node:events:538:35) at endReadableNT (node:internal/streams/readable:1345:12) at process.processTicksAndRejections (node:internal/process/task_queues:83:21)`

+- **Cause**: This issue occurs when Azure Data Studio isn't able to download the MigrationService package from https://github.com/microsoft/sqltoolsservice/releases. The download failure can be due to disconnected network work or unresolved proxy settings.

+- **Recommendation**: The sure fire way of solving this issue is by downloading the package manually. Follow the mitigation steps outlined in this link: https://github.com/microsoft/azuredatastudio/issues/22558#issuecomment-1496307891

+1. Create an Azure function by following instructions from the **Create a local project** section of [Quickstart: Create a JavaScript function in Azure using Visual Studio Code](../azure-functions/create-first-function-vs-code-node.md?pivots=nodejs-model-v3).

+ Title: Scale SNAT ports with Azure NAT Gateway

+# Scale SNAT ports with Azure NAT Gateway

+A better option to scale outbound SNAT ports is to use an [Azure NAT Gateway](../virtual-network/nat-gateway/nat-overview.md). It provides 64,512 SNAT ports per public IP address and supports up to 16 public IP addresses, effectively providing up to 1,032,192 outbound SNAT ports.

+> In addition, Azure NAT Gateway integration is not currently supported in secured virtual hub network architectures. You must deploy using a hub virtual network architecture. For detailed guidance on integrating NAT gateway with Azure Firewall in a hub and spoke network architecture refer to the [NAT gateway and Azure Firewall integration tutorial](../virtual-network/nat-gateway/tutorial-hub-spoke-nat-firewall.md). For more information about Azure Firewall architecture options, see [What are the Azure Firewall Manager architecture options?](../firewall-manager/vhubs-and-vnets.md).

+ [these instructions](/powershell/gallery/powershellget/install-powershellget).

+[04]: /powershell/gallery/how-to/working-with-local-psrepositories

+ [these instructions](/powershell/gallery/powershellget/install-powershellget).

+ [these instructions](/powershell/gallery/powershellget/install-powershellget).

+description: In this article, learn about the different methods for deploying the MedTech service.

+The MedTech service provides multiple methods for deployment into Azure. Each deployment method has different advantages allow you to customize your deployment to suit your needs and use cases.

+In this quickstart, learn about these deployment methods:

+* Azure Resource Manager template (ARM template) including an Azure Iot Hub using the **Deploy to Azure** button.

+* ARM template using the **Deploy to Azure** button.

+* ARM template using Azure PowerShell or the Azure CLI.

+* Manually in the Azure portal.

+## Deployment overview

+The following diagram outlines the basic steps of the MedTech service deployment. These basic steps may help you analyze the deployment options and determine which deployment method is best for you.

+Using an ARM template with the **Deploy to Azure** button is an easy and fast deployment method because it automates the deployment, most configuration steps, and uses the Azure portal. The deployed MedTech service requires conforming and valid device and FHIR destination mappings to be fully functional.

+Using an ARM template with Azure PowerShell or the Azure CLI is a more advanced deployment method. This deployment method can be useful for adding automation and repeatability so that you can scale and customize your deployments. The deployed MedTech service requires conforming and valid device and FHIR destination mappings to be fully functional.

+Using the Azure portal manual deployment allows you to see the details of each deployment step. The manual deployment has many steps, but it provides valuable technical information that may be useful for customizing and troubleshooting your MedTech service.

+If you need a diagram with information on the MedTech service deployment, there's an overview at [Choose a deployment method](deploy-new-choose.md#deployment-overview). This diagram shows the steps of deployment and how MedTech service processes device data into FHIR Observations.

+This article and diagram outlines the basic steps to get started with the MedTech service in the [Azure Health Data Services](../healthcare-apis-overview.md). These basic steps may help you analyze the MedTech service deployment options and determine which deployment method is best for you.

+As a prerequisite, you need an Azure subscription and have been granted proper permissions to deploy Azure resource groups and resources. You can follow all the steps, or skip some if you have an existing environment. Also, you can combine all the steps and complete them in Azure PowerShell, Azure CLI, and REST API scripts.

+> [!TIP]

+> See the MedTech service article, [Quickstart: Choose a deployment method for the MedTech service](deploy-new-choose.md), for a description of the different deployment methods that can help to simply and automate the deployment of the MedTech service.

+## Deploy resources

+After you obtain the required subscription prerequisites, the first step is to create and deploy the MedTech service prerequisite resources:

+* Azure resource group.

+* Azure Event Hubs namespace and event hub.

+* Azure Health Data services workspace.

+* Azure Health Data Services FHIR service.

+Once the prerequisite resources are available, deploy:

+

+* Azure Health Data Services MedTech service.

+### Deploy a resource group

+Deploy a [resource group](../../azure-resource-manager/management/manage-resource-groups-portal.md) to contain the prerequisite resources and the MedTech service.

+### Deploy an Event Hubs namespace and event hub

+Deploy an Event Hubs namespace into the resource group. Event Hubs namespaces are logical containers for event hubs. Once the namespace is deployed, you can deploy an event hub, which the MedTech service reads from. For information about deploying Event Hubs namespaces and event hubs, see [Quickstart: Create an event hub using Azure portal](../../event-hubs/event-hubs-create.md).

+### Deploy a workspace

+ Deploy a [workspace](../workspace-overview.md). After you create a workspace using the [Azure portal](../healthcare-apis-quickstart.md), a FHIR service and MedTech service can be deployed from the workspace.

+### Deploy a FHIR service

+Deploy a [FHIR service](../fhir/fhir-portal-quickstart.md) into your resource group using your workspace. The MedTech service persists transformed device data into the FHIR service.

+### Deploy a MedTech service

+If you have successfully deployed the prerequisite resources, you're now ready to deploy a [MedTech service](deploy-new-manual.md) using your workspace.

+## Next steps

+This article described the basic steps needed to get started using the MedTech service.

+To learn about methods of deploying the MedTech service, see

+> [!div class="nextstepaction"]

+> [Choose a deployment method for the MedTech service](deploy-new-choose.md)

+For an overview of the MedTech service device mapping, see

+> [!div class="nextstepaction"]

+> [Overview of the MedTech service device mapping](overview-of-device-mapping.md)

+For an overview of the MedTech service FHIR destination mapping, see

+> [Overview of the MedTech service FHIR destination mapping](overview-of-fhir-destination-mapping.md)

+* [microsoft/iomt-fhir](https://github.com/microsoft/iomt-fhir): Open-source version of the Azure Health Data Services MedTech service managed service. Can be used with any FHIR service that supports [FHIR](https://www.hl7.org/implement/standards/product_brief.cfm?product_id=491)

+* Link devices and consumers together for enhanced insights, trend captures, interoperability between systems, and proactive and remote monitoring.

+* Update or create FHIR Observations according to existing or new mapping template types.

+* Choose data terms that work best for your organization and provide consistency in device data ingestion.

+* Customize, edit, test, and troubleshoot MedTech service device and FHIR destination mappings with the [Mapping debugger](how-to-use-mapping-debugger.md) tool.

+* Fitbit&#174;

+* Apple&#174;

+* Google&#174;

+* [**Microsoft Azure IoT Hub**](../../iot-hub/iot-concepts-and-iot-hub.md) - enhances workflow and ease of use.

+* [**Azure Machine Learning Service**](concepts-machine-learning.md) - helps build, deploy, and manage models, integrate tools, and increase open-source operability.

+* [**Microsoft Power BI**](concepts-power-bi.md) - enables data visualization features.

+* [**Microsoft Teams**](concepts-teams.md) - facilitates virtual visits.

+ Title: Create an Azure IoT hub using the Azure IoT Hub extension for Visual Studio Code

+description: Learn how to use the Azure IoT Hub extension for Visual Studio Code to create an Azure IoT hub in a resource group.

+# Create an IoT hub using the Azure IoT Hub extension for Visual Studio Code

+This article shows you how to use the [Azure IoT Hub extension for Visual Studio Code](https://marketplace.visualstudio.com/items?itemName=vsciot-vscode.azure-iot-toolkit) to create an Azure IoT hub.

+- [Azure IoT Hub extension](https://marketplace.visualstudio.com/items?itemName=vsciot-vscode.azure-iot-toolkit) installed for Visual Studio Code

+- An Azure subscription: [create a free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin

+## Create an IoT hub

+The following steps show how to create an IoT hub in Visual Studio Code (VS Code):

+4. If you're not signed into Azure, a pop-up notification is shown in the bottom right corner to let you sign in to Azure. Select **Sign In** and follow the instructions to sign into Azure.

+7. Select a region.

+9. Enter a globally unique name for your IoT hub, and then select the Enter key.

+10. Wait a few minutes until the IoT hub is created and confirmation is displayed in the **Output** panel.

+> There is no option to delete your IoT hub in Visual Studio Code, however you can [delete your hub in the Azure portal](iot-hub-create-through-portal.md#delete-an-iot-hub).

+Now that you've deployed an IoT hub using the Azure IoT Hub extension for Visual Studio Code, explore these articles:

+- [Use the Azure IoT Hub extension for Visual Studio Code to send and receive messages between your device and an IoT hub](iot-hub-vscode-iot-toolkit-cloud-device-messaging.md).

+- [Use the Azure IoT Hub extension for Visual Studio Code for Azure IoT Hub device management](iot-hub-device-management-iot-toolkit.md)

+- [See the Azure IoT Hub extension for Visual Studio Code wiki page](https://github.com/microsoft/vscode-azure-iot-toolkit/wiki).

+Password (You can generate a SAS token with the CLI extension command [az iot hub generate-sas-token](/cli/azure/iot/hub#az-iot-hub-generate-sas-token), or the [Azure IoT Hub extension for Visual Studio Code](https://marketplace.visualstudio.com/items?itemName=vsciot-vscode.azure-iot-toolkit)):

+> It's possible to generate a SAS token with the CLI extension command [az iot hub generate-sas-token](/cli/azure/iot/hub#az-iot-hub-generate-sas-token), or the [Azure IoT Hub extension for Visual Studio Code](https://marketplace.visualstudio.com/items?itemName=vsciot-vscode.azure-iot-toolkit).

+* [Device management with the Azure IoT Hub extension for VS Code](iot-hub-device-management-iot-toolkit.md)

+description: This article describes how to use direct methods to invoke code on your devices from a service app.

+* [Device management with the Azure IoT Hub extension for VS Code](iot-hub-device-management-iot-toolkit.md)

+ Title: Azure IoT Hub device management with the Azure IoT Hub extension for Visual Studio Code

+description: Use the Azure IoT Hub extension for Visual Studio Code for Azure IoT Hub device management, featuring the Direct methods and the Twin's desired properties management options.

+# Use the Azure IoT Hub extension for Visual Studio Code for Azure IoT Hub device management

+In this article, you learn how to use the [Azure IoT Hub extension for Visual Studio Code](https://marketplace.visualstudio.com/items?itemName=vsciot-vscode.azure-iot-toolkit) with various management options on your development machine. The IoT Hub extension is a useful Visual Studio (VS) Code extension that makes IoT Hub management and IoT application development easier. It comes with management options that you can use to perform various tasks.

+| Cloud-to-device messages | Send notifications to a device. For example, "It's likely to rain today. Don't forget to bring an umbrella." |

+* [Azure IoT Hub extension for Visual Studio Code](https://marketplace.visualstudio.com/items?itemName=vsciot-vscode.azure-iot-toolkit) or copy this URL and paste it into a browser window:`vscode:extension/vsciot-vscode.azure-iot-toolkit`.

+Follow these steps to sign into Azure and access your IoT hub from your Azure subscription:

+1. In the **Explorer** view of VS Code, expand the **Azure IoT Hub** section in the side bar.

+1. Select the ellipsis (…) button of the **Azure IoT Hub** section to display the action menu, and then select **Select IoT Hub** from the action menu.

+1. If you're not signed into Azure, a pop-up notification is shown in the bottom right corner to let you sign in to Azure. Select **Sign In** and follow the instructions to sign into Azure.

+1. From the command palette at the top of VS Code, select your Azure subscription from the **Select Subscription** dropdown list.

+1. Select your IoT hub from the **Select IoT Hub** dropdown list.

+1. The devices for your IoT hub are retrieved from IoT Hub and shown under the **Devices** node in the **Azure IoT Hub** section of the side bar.

+ > [!NOTE]

+ > You can also use a connection string to access your IoT hub, by selecting **Set IoT Hub Connection String** from the action menu and entering the **iothubowner** policy connection string for your IoT hub in the **IoT Hub Connection String** input box.

+To invoke a direct method from your IoT device, follow these steps:

+1. In the side bar, expand the **Devices** node under the **Azure IoT Hub** section.

+1. Right-click your IoT device and select **Invoke Device Direct Method**.

+1. Enter the method name in the input box, and then select the Enter key.

+1. Enter the payload in the input box, and then select the Enter key.

+1. The results are shown in the **Output** panel.

+To display the JSON document for the device twin of your IoT device, follow these steps:

+1. In the side bar, expand the **Devices** node under the **Azure IoT Hub** section.

+

+1. Right-click your IoT device and select **Edit Device Twin**.

+1. The JSON document for the device twin, named **azure-iot-device-twin.json**, is shown in the editor.

+After [reading the device twin](#read-device-twin), follow these steps to update the device twin for your IoT device:

+1. Make changes to arrays or values in the JSON document for the device twin. For example, add tags in the **tags** array, or change the values of desired properties in the **properties.desired** array.

+1. Right-click the content area of the **azure-iot-device-twin.json** file and select **Update Device Twin**.

+1. In the side bar, expand the **Devices** node under the **Azure IoT Hub** section.

+1. Right-click your IoT device and select **Send C2D Message to Device**.

+1. Enter the message in the input box, and then select the Enter key.

+1. The results are shown in the **Output** panel.

+You've learned how to use the Azure IoT Hub extension for Visual Studio Code with various management options.

+IoT Hub is one of the first Azure services to support distributed tracing. As more Azure services support distributed tracing, you're able to trace Internet of Things (IoT) messages throughout the Azure services involved in your solution. For a background on the feature, see [What is distributed tracing?](../azure-monitor/app/distributed-tracing-telemetry-correlation.md).

+1. Choose one or more of the following options under **Destination details** to determine where to send logging information:

+ If CMake can't find your C++ compiler, you might encounter build errors while running the preceding command. If that happens, try running the command in the [Visual Studio command prompt](/dotnet/framework/tools/developer-command-prompt-for-vs).

+### Update by using the Azure IoT Hub extension for Visual Studio Code

+1. With Visual Studio Code installed, install the latest version of the [Azure IoT Hub extension for Visual Studio Code](https://marketplace.visualstudio.com/items?itemName=vsciot-vscode.azure-iot-toolkit).

+1. In the pop-up pane that appears for the sampling rate, enter **100** and then select the Enter key.

+Pinpointing where IoT messages are dropping or slowing down can be challenging. For example, imagine that you have an IoT solution that uses five different Azure services and 1,500 active devices. Each device sends 10 device-to-cloud messages per second, for a total of 15,000 messages per second. But you notice that your web app sees only 10,000 messages per second. How do you find the culprit?

+To support wider adoption for distributed tracing, Microsoft is contributing to [W3C standard proposal for distributed tracing](https://w3c.github.io/trace-context/). When distributed tracing support for IoT Hub is enabled, it follows this flow:

+- Cloud-to-device twin capability isn't available for the [IoT Hub basic tier](iot-hub-scaling.md#basic-and-standard-tiers). However, IoT Hub still logs to Azure Monitor if it sees a properly composed trace context header.

+- To ensure efficient operation, IoT Hub imposes a throttle on the rate of logging that can occur as part of distributed tracing.

+All device communication with IoT Hub must be secured using TLS/SSL. Therefore, IoT Hub doesn't support nonsecure connections over TCP port 1883.

+*The C# SDK defines the default value of the MQTT KeepAliveInSeconds property as 300 seconds. In reality, the SDK sends a ping request four times per keep-alive duration set. In other words, the SDK sends a keep-alive ping once every 75 seconds.

+The maximum client keep-alive value you can set is `1767 / 1.5 = 1177` seconds. Any traffic resets the keep-alive. For example, a successful shared access signature (SAS) token refresh resets the keep-alive.

+ You can also use the cross-platform [Azure IoT Hub extension for Visual Studio Code](https://marketplace.visualstudio.com/items?itemName=vsciot-vscode.azure-iot-toolkit) or the CLI extension command [az iot hub generate-sas-token](/cli/azure/iot/hub#az-iot-hub-generate-sas-token) to quickly generate a SAS token. You can then copy and paste the SAS token into your own code for testing purposes.

+### Using the Azure IoT Hub extension for Visual Studio Code

+1. In the side bar, expand the **Devices** node under the **Azure IoT Hub** section.

+1. Right-click your IoT device and select **Generate SAS Token for Device** from the context menu.

+1. Enter the expiration time, in hours, for the SAS token in the input box, and then select the Enter key.

+1. The SAS token is created and copied to clipboard.

+* IoT Hub only supports one active MQTT connection per device. Any new MQTT connection on behalf of the same device ID causes IoT Hub to drop the existing connection and **400027 ConnectionForcefullyClosedOnNewConnection** is logged into IoT Hub Logs

+| non-null, nonempty value | `key=value` | The key followed by an equal sign and the value |

+To update reported properties, the device issues a request to IoT Hub via a publication over a designated MQTT topic. After IoT Hub processes the request, it responds the success or failure status of the update operation via a publication to another topic. The device can subscribe to this topic in order to notify it about the result of its twin update request. To implement this type of request/response interaction in MQTT, we use the notion of request ID (`$rid`) provided initially by the device in its update request. This request ID is also included in the response from IoT Hub to allow the device to correlate the response to its particular earlier request.

+Upon success of the twin reported properties update process in the previous code snippet, the publication message from IoT Hub has the following topic: `$iothub/twin/res/204/?$rid=1&$version=6`, where `204` is the status code indicating success, `$rid=1` corresponds to the request ID provided by the device in the code, and `$version` corresponds to the version of reported properties section of device twins after the update.

+One way to monitor messages received by your IoT hub from your device is to use the Azure IoT Hub extension for Visual Studio Code. To learn more, see [Use the Azure IoT Hub extension for Visual Studio Code to send and receive messages between your device and IoT Hub](iot-hub-vscode-iot-toolkit-cloud-device-messaging.md).

+2. Install Node.js and npm to your Pi.

+One way to monitor messages received by your IoT hub from your device is to use the Azure IoT Hub extension for Visual Studio Code. To learn more, see [Use the Azure IoT Hub extension for Visual Studio Code to send and receive messages between your device and IoT Hub](iot-hub-vscode-iot-toolkit-cloud-device-messaging.md).

+One way to monitor messages received by your IoT hub from the simulated device is to use the Azure IoT Hub extension for Visual Studio Code. To learn more, see [Use the Azure IoT Hub extension for Visual Studio Code to send and receive messages between your device and IoT Hub](iot-hub-vscode-iot-toolkit-cloud-device-messaging.md).

+ Title: Use the Azure IoT Hub extension for Visual Studio Code to manage IoT Hub messaging

+description: Learn how to use the Azure IoT Hub extension for Visual Studio Code to monitor device to cloud messages and send cloud to device messages in Azure IoT Hub.

+# Use the Azure IoT Hub extension for Visual Studio Code to send and receive messages between your device and IoT Hub

+In this article, you learn how to use the Azure IoT Hub extension for Visual Studio Code to monitor device-to-cloud messages and to send cloud-to-device messages. Device-to-cloud messages could be sensor data that your device collects and then sends to your IoT hub. Cloud-to-device messages could be commands that your IoT hub sends to your device to blink an LED that is connected to your device.

+The [Azure IoT Hub extension for Visual Studio Code](https://marketplace.visualstudio.com/items?itemName=vsciot-vscode.azure-iot-toolkit) is a useful extension that makes IoT Hub management and IoT application development easier. This article focuses on how to use the extension to send and receive messages between your device and your IoT hub.

+* [Azure IoT Hub extension for Visual Studio Code](https://marketplace.visualstudio.com/items?itemName=vsciot-vscode.azure-iot-toolkit) or copy and paste this URL into a browser window: `vscode:extension/vsciot-vscode.azure-iot-toolkit`

+Follow these steps to sign into Azure and access your IoT hub from your Azure subscription:

+1. In the **Explorer** view of VS Code, expand the **Azure IoT Hub** section in the side bar.

+1. Select the ellipsis (…) button of the **Azure IoT Hub** section to display the action menu, and then select **Select IoT Hub** from the action menu.

+1. If you're not signed into Azure, a pop-up notification is shown in the bottom right corner to let you sign in to Azure. Select **Sign In** and follow the instructions to sign into Azure.

+1. Select your Azure subscription from the **Select Subscription** dropdown list.

+1. Select your IoT hub from the **Select IoT Hub** dropdown list.

+1. The devices for your IoT hub are retrieved from IoT Hub and shown under the **Devices** node in the **Azure IoT Hub** section of the side bar.

+ > [!NOTE]

+ > You can also use a connection string to access your IoT hub, by selecting **Set IoT Hub Connection String** from the action menu and entering the **iothubowner** policy connection string for your IoT hub in the **IoT Hub Connection String** input box.

+1. In the side bar, expand the **Devices** node under the **Azure IoT Hub** section.

+1. Right-click your IoT device and select **Start Monitoring Built-in Event Endpoint**.

+1. The monitored messages are shown in the **Output** panel.

+1. To stop monitoring messages, right-click the **Output** panel and select **Stop Monitoring Built-in Event Endpoint**.

+

+1. In the side bar, expand the **Devices** node under the **Azure IoT Hub** section.

+1. Right-click your IoT device and select **Send C2D Message to Device** from the context menu.

+1. Enter the message in the input box, and then select the Enter key.

+1. The results are shown in the **Output** panel.

+* [Device management with the Azure IoT Hub extension for VS Code](iot-hub-device-management-iot-toolkit.md)

+* If you don't have the Az PowerShell module installed, or don't mind uninstalling the Az PowerShell module, use the `Install-Script` option to run the script.

+This command also installs the required Az PowerShell module.

+If you do have Az PowerShell module installed and can't uninstall it, or don't want to uninstall it,you can manually download the script using the **Manual Download** tab in the script download link. The script is downloaded as a raw **nupkg** file. To install the script from this **nupkg** file, see [Manual Package Download](/powershell/gallery/how-to/working-with-packages/manual-download)

+The script creates an outbound rule that enables outbound connectivity. Azure Virtual Network NAT is the recommended service for outbound connectivity. For more information about Azure Virtual Network NAT, see [What is Azure Virtual Network NAT?](../virtual-network/nat-gateway/nat-overview.md).

+* Script only supports Internal Load Balancer upgrade where no outbound connection is required. If you required [outbound connection](./load-balancer-outbound-connections.md) for some of your VMs, refer to this [page](upgrade-InternalBasic-To-PublicStandard.md) for instructions.

+* If the Standard load balancer is created in a different region, you won't be able to associate the VMs existing in the old region to the newly created Standard Load Balancer. To work around this limitation, make sure to create a new VM in the new region.

+2. Under **Settings**, select **Frontend IP configuration**, and select the first frontend IP configuration.

+* If you don't have the Azure Az PowerShell module installed, or don't mind uninstalling the Azure Az PowerShell module, the best option is to use the `Install-Script` option to run the script.

+This command also installs the required Az PowerShell module.

+If you do have some Azure Az PowerShell module installed and can't uninstall them (or don't want to uninstall them), you can manually download the script using the **Manual Download** tab in the script download link. The script is downloaded as a raw nupkg file. To install the script from this nupkg file, see [Manual Package Download](/powershell/gallery/how-to/working-with-packages/manual-download).

+ * **oldLBName: [String]: Required** ΓÇô This parameter is the name of your existing Basic Balancer you want to upgrade.

+>On September 30, 2025, Basic Load Balancer will be retired. For more information, see the [official announcement](https://azure.microsoft.com/updates/azure-basic-load-balancer-will-be-retired-on-30-september-2025-upgrade-to-standard-load-balancer/). If you are currently using Basic Load Balancer, make sure to upgrade to Standard Load Balancer prior to the retirement date.

+* The standard load balancer has a new public address. It's impossible to move the IP addresses associated with existing basic internal load balancer to a standard public load balancer because of different SKUs.

+* If the standard load balancer is created in a different region, you won't be able to associate the VMs in the old region. To avoid this constraint, ensure you create new VMs in the new region.

+* If you don't have the Az PowerShell module installed, or don't mind uninstalling the Az PowerShell module, use the `Install-Script` option to run the script.

+This command also installs the required Az PowerShell module.

+If you do have Az PowerShell module installed and can't uninstall them, or don't want to uninstall them, you can manually download the script using the **Manual Download** tab in the script download link. The script is downloaded as a raw **nupkg** file. To install the script from this **nupkg** file, see [Manual Package Download](/powershell/gallery/how-to/working-with-packages/manual-download).

+ * **newRgName: [String]: Required** ΓÇô This parameter is the resource group where the standard load balancer is created. The resource group can be new or existing. If you choose an existing resource group, the name of the load balancer must be unique within the resource group.

+The script creates an outbound rule that enables outbound connectivity. Azure NAT Gateway is the recommended service for outbound connectivity. For more information about Azure NAT Gateway, see [What is Azure NAT Gateway?](../virtual-network/nat-gateway/nat-overview.md).

+Once you've chosen the version, specify it using the `--version` parameter in the `az aro create` command:

+ --worker-subnet worker-subnet \

+Without these values, a Private DNS Zone will be created in the SAP Library resource group.

+Most SAP application landscapes are partitioned in different tiers. In SDAF these are called workload zones, for example, you might have different workload zones for development, quality assurance, and production. See [workload zones](deployment-framework.md#deployment-components).

+The default naming convention for workload zones is `[ENVIRONMENT]-[REGIONCODE]-[NETWORK]-INFRASTRUCTURE`, for example, `DEV-WEEU-SAP01-INFRASTRUCTURE` for a development environment hosted in the West Europe region using the SAP01 virtual network or `PRD-WEEU-SAP02-INFRASTRUCTURE` for a production environment hosted in the West Europe region using the SAP02 virtual network.

+* Are you deploying into new Virtual networks or are you using existing virtual networks

+When doing Windows based deployments the Virtual Machines in the workload zone's Virtual Network need to be able to communicate with Active Directory in order to join the SAP Virtual Machines to the Active Directory Domain. The provided DNS name needs to be resolvable by the Active Directory.

+| | -- | -- |

+| Account that can perform domain join activities | [IDENTIFIER]-ad-svc-account | DEV-WEEU-SAP01-ad-svc-account |

+| Password for the account that performs the domain join | [IDENTIFIER]-ad-svc-account-password | DEV-WEEU-SAP01-ad-svc-account-password |

+| 'sidadm' account password | [IDENTIFIER]-[SID]-win-sidadm_password_id | DEV-WEEU-SAP01-W01-winsidadm_password_id |

+| SID Service account password | [IDENTIFIER]-[SID]-svc-sidadm-password | DEV-WEEU-SAP01-W01-svc-sidadm-password |

+| SQL Server Service account | [IDENTIFIER]-[SID]-sql-svc-account | DEV-WEEU-SAP01-W01-sql-svc-account |

+| SQL Server Service account password | [IDENTIFIER]-[SID]-sql-svc-password | DEV-WEEU-SAP01-W01-sql-svc-password |

+| SQL Server Agent Service account | [IDENTIFIER]-[SID]-sql-agent-account | DEV-WEEU-SAP01-W01-sql-agent-account |

+| SQL Server Agent Service account password | [IDENTIFIER]-[SID]-sql-agent-password | DEV-WEEU-SAP01-W01-sql-agent-password |

+| - | - | - |

+| Private key | [IDENTIFIER]-sshkey | DEV-WEEU-SAP01-sid-sshkey |

+| Public key | [IDENTIFIER]-sshkey-pub | DEV-WEEU-SAP01-sid-sshkey-pub |

+| Username | [IDENTIFIER]-username | DEV-WEEU-SAP01-sid-username |

+| Password | [IDENTIFIER]-password | DEV-WEEU-SAP01-sid-password |

+| sidadm Password | [IDENTIFIER]-[SID]-sap-password | DEV-WEEU-SAP01-X00-sap-password |

+| sidadm account password | [IDENTIFIER]-[SID]-winsidadm_password_id | DEV-WEEU-SAP01-W01-winsidadm_password_id |

+| SID Service account password | [IDENTIFIER]-[SID]-svc-sidadm-password | DEV-WEEU-SAP01-W01-svc-sidadm-password |

+1. Optionally assign the User Access Administrator role to your service principal. For example:

+In a locked down environment, you might need to assign another permissions to the service principals. For example, you might need to assign the User Access Administrator role to the service principal.

+> | PowerShell Gallery | 'onegetcdn.azureedge.net', 'psg-prod-centralus.azureedge.net', 'psg-prod-eastus.azureedge.net' | Setup of Windows based systems | See [PowerShell Gallery](/powershell/gallery/getting-started#network-access-to-the-powershell-gallery) |

+The deployment framework uses three separate repositories for the deployment artifacts. For your own parameter files, it's a best practice to keep these files in a source control repository that you manage.

+This repository contains the Terraform parameter files and the files needed for the Ansible playbooks for all the workload zone and system deployments.

+* How many web dispatchers do you need, if any?

+The automation framework uses a default naming convention. If you'd like to use a custom naming convention, plan and define your custom names before deployment. For more information, see [how to configure the naming convention](naming-module.md).

+ Title: Manage multiple Microsoft Sentinel workspaces with workspace manager

+description: Learn how to centrally manage multiple Microsoft Sentinel workspaces within one or more Azure tenants with workspace manager. This article takes you through provisioning and usage of Workspace Manager to help you gain operational efficiency and operate at scale.

+# Centrally manage multiple Microsoft Sentinel workspaces with workspace manager

+Learn how to centrally manage multiple Microsoft Sentinel workspaces within one or more Azure tenants with workspace manager. This article takes you through provisioning and usage of workspace manager. Whether you're a global enterprise or a Managed Security Services Provider (MSSP), workspace manager helps you operate at scale efficiently.

+Here are the active content types supported with workspace

+- Analytics rules

+- Automation rules (excluding Playbooks)

+- Parsers, Saved Searches and Functions

+- Hunting and Livestream queries

+- Workbooks

+## Prerequisites

+- You need at least two Microsoft Sentinel workspaces. One workspace to manage from and at least one other workspace to be managed.

+- The [Microsoft Sentinel Contributor role assignment](/azure/role-based-access-control/built-in-roles#microsoft-sentinel-contributor) is required on the central workspace (where workspace manager is enabled on), and on the member workspace(s) the contributor needs to manage. To learn more about roles in Microsoft Sentinel, see [Roles and permissions in Microsoft Sentinel](roles.md).

+- Enable Azure Lighthouse if you're managing workspaces across multiple Azure AD tenants. To learn more, see [Manage Microsoft Sentinel workspaces at scale](/azure/lighthouse/how-to/manage-sentinel-workspaces).

+## Considerations

+Configure a central workspace to be the environment where you consolidate content items and configurations to be published at scale to member workspaces. Create a new Microsoft Sentinel workspace or utilize an existing one to serve as the central workspace.

+Depending on your scenario, consider these architectures:

+- **Direct-link** is the least complex setup. Control all member workspaces with only one central workspace.

+- **Co-Management** supports scenarios where more than one central workspace needs to manage a member workspace. For example, workspaces simultaneously managed by an in-house SOC team and an MSSP.

+- **N-Tier** supports complex scenarios where a central workspace controls another central workspace. For example, a conglomerate that manages multiple subsidiaries, where each subsidiary also manages multiple workspaces.

+## Enable workspace manager on the central workspace

+Enable the central workspace once you have decided which Microsoft Sentinel workspace should be the workspace manager.

+1. Navigate to the **Settings** blade in the parent workspace, and toggle **On** the workspace manager configuration setting to "Make this workspace a parent".

+1. Once enabled, a new menu **Workspace manager (preview)** appears under **Configuration**.

+ :::image type="content" source="media/workspace-manager/enable-workspace-manager-on.png" alt-text="Screenshot shows the workspace manager configuration settings. The menu item added for workspace manager is highlighted and the toggle button on.":::

+## Onboard member workspaces

+Member workspaces are the set of workspaces managed by workspace manager. Onboard some or all of the workspaces in the tenant, and across multiple tenants as well (if Azure Lighthouse is enabled).

+1. Navigate to workspace manager and select "Add workspaces"

+ :::image type="content" source="media/workspace-manager/add-workspace.png" alt-text="Screenshot shows the add workspace menu." lightbox="media/workspace-manager/add-workspace.png":::

+1. Select the member workspace(s) you would like to onboard to workspace manager.

+ :::image type="content" source="media/workspace-manager/add-workspace-select.png" alt-text="Screenshot shows the add workspace selection menu.":::

+1. Once successfully onboarded, the **Members** count increases and your member workspaces are reflected in the **Workspaces** tab.

+ :::image type="content" source="media/workspace-manager/add-workspace-selected.png" alt-text="Screenshot shows the added workspaces and the Members count incremented to 2.":::

+## Create a group

+Workspace manager groups allow you to organize workspaces together based on business groups, verticals, geography, etc. Use groups to pair content items relevant to the workspaces.

+> [!TIP]

+> Make sure you have at least one active content item deployed in the central workspace. This allows you to select content items from the central workspace to be published in the member workspace(s) in the subsequent steps.

+>

+1. To create a group:

+ - To add one workspace, select **Add** > **Group**.

+ - To add multiple workspaces, select the workspaces and **Add** > **Group from selected**.

+ :::image type="content" source="media/workspace-manager/add-group.png" alt-text="Screenshot shows the add group menu.":::

+1. On the **Create or update group** page, enter a **Name** and **Description** for the group.

+ :::image type="content" source="media/workspace-manager/add-group-name.png" alt-text="Screenshot shows the group create or update configuration page.":::

+1. In the **Select workspaces** tab, select **Add** and select the member workspaces that you would like to add to the group.

+1. In the **Select content** tab, you have 2 ways to add content items.

+ - Method 1: Select the **Add** menu and choose **All content**. All active content currently deployed in the central workspace is added. This list is a point-in-time snapshot that selects only active content, not templates.

+ - Method 2: Select the **Add** menu and choose **Content**. A **Select content** window opens to custom select the content added.

+ :::image type="content" source="media/workspace-manager/add-group-content.png" alt-text="Screenshot shows the group content selection.":::

+1. Filter the content as needed before you **Review + create**.

+1. Once created, the **Group count** increases and your groups are reflected in the **Groups tab**.

+## Publish the Group definition

+At this point, the content items selected haven't been published to the member workspace(s) yet.

+1. Select the group > **Publish content**.

+ :::image type="content" source="media/workspace-manager/publish-group.png" alt-text="Screenshot shows the group publish window.":::

+ To bulk publish, multi-select the desired groups and select **Publish**.

+ :::image type="content" source="media/workspace-manager/publish-groups.png" alt-text="Screenshot shows the multi-select group publishing window.":::

+1. The **Last publish status** column updates to reflect **In progress**.

+ :::image type="content" source="media/workspace-manager/publish-groups-in-progress.png" alt-text="Screenshot shows the multi group publishing progress column.":::

+1. If successful, the **Last publish status** updates to reflect **Succeeded**. The selected content items now exist in the member workspaces.

+ :::image type="content" source="media/workspace-manager/publish-groups-success.png" alt-text="Screenshot shows the last published column with entries that succeeded.":::

+ If just one content item fails to publish for the entire group, the **Last publish status** updates to reflect **Failed**.

+### Troubleshooting

+Each publish attempt has a link to help with troubleshooting if content items fail to publish.

+1. Select the **Failed** hyperlink to open the job failure details window. A status for each content item and target workspace pair is displayed.

+1. Filter the **Status** for failed item pairs.

+ :::image type="content" source="media/workspace-manager/publish-groups-job-details-failure.png" alt-text="Screenshot shows the job details of a group publishing failure event." lightbox="media/workspace-manager/publish-groups-job-details-failure.png":::

+Common reasons for failure include:

+- Content items referenced in the group definition no longer exist at the time of publish (have been deleted).

+- Permissions have changed at the time of publish. For example, the user is no longer a Microsoft Sentinel Contributor or doesn't have sufficient permissions on the member workspace anymore.

+- A member workspace has been deleted.

+### Known limitations

+- Playbooks attributed or attached to analytics and automation rules aren't currently supported.

+- Workbooks stored in bring-your-own-storage aren't currently supported.

+- Workspace manager only manages content items published from the central workspace. It doesn't manage content created locally from member workspace(s).

+- Currently, deleting content residing in member workspace(s) centrally via workspace manager isn't supported.

+### API references

+- [Workspace Manager Assignment Jobs](/rest/api/securityinsights/preview/workspace-manager-assignment-jobs)

+- [Workspace Manager Assignments](/rest/api/securityinsights/preview/workspace-manager-assignments)

+- [Workspace Manager Configurations](/rest/api/securityinsights/preview/workspace-manager-configurations)

+- [Workspace Manager Groups](/rest/api/securityinsights/preview/workspace-manager-groups)

+- [Workspace Manager Members](/rest/api/securityinsights/preview/workspace-manager-members)

+## Next steps

+- [Manage multiple tenants in Microsoft Sentinel as an MSSP](multiple-tenants-service-providers.md)

+- [Work with Microsoft Sentinel incidents in many workspaces at once](multiple-workspace-view.md)

+- [Protecting MSSP intellectual property in Microsoft Sentinel](mssp-protect-intellectual-property.md)

+First, install PowerShellGet if you don't already have it installed. For more information on how to install PowerShellGet, see [Installing PowerShellGet](/powershell/gallery/powershellget/install-powershellget). After you install PowerShellGet, close and reopen the PowerShell console.

+description: View a comprehensive list of Azure Files and Azure File Sync video content released over time.

+If you're new to Azure Files and File Sync or looking to deepen your understanding, this article provides a comprehensive list of video content released over time. Some videos might not reflect the latest updates.

+## Video list

+ :::column:::

+ <iframe width="560" height="315" src="https://www.youtube.com/embed/jd49W33DxkQ" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>

+ :::column-end:::

+ :::column:::

+ **Domain join Azure file share with on-premises Active Directory and replace your file server with Azure file share**

+ :::column-end:::

+ :::column:::

+ <iframe width="560" height="315" src="https://www.youtube.com/embed/bmRZi9iGsK0" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>

+ :::column-end:::

+ :::column:::

+ **Mount an Azure file share in Windows**

+ :::column-end:::

+ :::column:::

+ <iframe width="560" height="315" src="https://www.youtube.com/embed/44qVRZg-bMA?list=PLEq-KSMM-P-0jRrVF5peNCA0GbBZrOhE1" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>

+ :::column-end:::

+ :::column:::

+ **NFS 4.1 for Azure file shares**

+ :::column-end:::

+ :::column:::

+ <iframe width="560" height="315" src="https://www.youtube.com/embed/V43p6qIhFkc?list=PLEq-KSMM-P-0jRrVF5peNCA0GbBZrOhE1" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>

+ :::column-end:::

+ :::column:::

+ **How to set up Azure File Sync**

+ :::column-end:::

+ :::column:::

+ <iframe width="560" height="315" src="https://www.youtube.com/embed/uStaB09y6TE" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>

+ :::column-end:::

+ :::column:::

+ **Integrating HPC Pack with Azure Files**

+ :::column-end:::

+ > - Whether you should select **Premium** depends on your IOPS and latency requirements. For more information, see [Storage options for FSLogix Profile Containers in Azure Virtual Desktop](store-fslogix-profile.md).

+ > This module requires requires the [PowerShell Gallery](/powershell/gallery/overview) and [Azure PowerShell](/powershell/azure/what-is-azure-powershell). You may be prompted to install these if they are not already installed or they need updating. If you are prompted for these, install them, then close all instances of PowerShell. Re-open an elevated PowerShell prompt and import the `AzFilesHybrid` module again before continuing.

+## Validate profile creation

+Once you've installed and configured Profile Container, you can test your deployment by signing in with a user account that's been assigned an application group or desktop on the host pool.

+>We recommend you use an image from the Azure Compute Gallery or the Azure portal. However, if you do need to use a customized image, make sure you don't already have the Azure Virtual Desktop Agent installed on your VM. If you do, either follow the instructions in [Step 1: Uninstall all agent, boot loader, and stack component programs](troubleshoot-agent.md#step-1-uninstall-all-agent-boot-loader-and-stack-component-programs) to uninstall the Agent and all related components from your VM or create a new image from a VM with the Agent uninstalled. Using a customized image with the Azure Virtual Desktop Agent can cause problems with the image, such as blocking registration as the host pool registration token will have expired which will prevent user session connections.

+Windows 10 Enterprise multi-session is available in the Azure Compute Gallery or the Azure portal. There are two options for customizing this image.

+| Insider | 1.2.4157 | [Windows 64-bit](https://go.microsoft.com/fwlink/?linkid=2139233) *(most common)*<br />[Windows 32-bit](https://go.microsoft.com/fwlink/?linkid=2139144)<br />[Windows ARM64](https://go.microsoft.com/fwlink/?linkid=2139368) |

+By default, managed disks use platform-managed encryption keys. All managed disks, snapshots, images, and data written to existing managed disks are automatically encrypted-at-rest with platform-managed keys. Platform-managed keys are managed by Microsoft.

+- You can only copy one incremental snapshot of a particular disk at a time.

+- Snapshots must be copied in the order they were created.

+```

+### Check copy status

+You can check the status of an individual snapshot by checking the `CompletionPercent` property. Replace `$sourceSnapshotName` with the name of your snapshot then run the following command. The value of the property must be 100 before you can use the snapshot for restoring disk or generate a SAS URI for downloading the underlying data.

+```azurecli

+```

+### Check copy status

+You can check the `CompletionPercent` property of an individual snapshot to get its status. Replace `yourResourceGroupNameHere` and `yourSnapshotName` then run the script. The value of the property must be 100 before you can use the snapshot for restoring disk or generate a SAS URI for downloading the underlying data.

+```azurepowershell

+$resourceGroupName = "yourResourceGroupNameHere"

+$snapshotName = "yourSnapshotName"

+$targetSnapshot=Get-AzSnapshot -ResourceGroupName $resourceGroupName -SnapshotName $snapshotName

+If you have additional questions on snapshots, see the [snapshots](faq-for-disks.yml#snapshots) section of the FAQ.

+- [FAQ for private links and managed disks](./faq-for-disks.yml#private-links-for-managed-disks)

+- For additional questions on Ultra Disks, see the [Ultra Disks](faq-for-disks.yml#ultra-disks) section of the FAQ.

+If you have additional questions on snapshots, see the [snapshots](faq-for-disks.yml#snapshots) section of the FAQ.

+When a reservation expires, any Azure Disk Storage capacity that you use under that reservation is billed at the [pay-as-you-go rate](https://azure.microsoft.com/pricing/details/managed-disks/). Reservations don't renew automatically.

+If you've additional questions, see the [shared disks](faq-for-disks.yml#azure-shared-disks) section of the FAQ.

+If you've additional questions, see the [shared disks](faq-for-disks.yml#azure-shared-disks) section of the FAQ.

+- [FAQ on Private Links](../faq-for-disks.yml#private-links-for-managed-disks)

+If you've additional questions, see the [uploading a managed disk](../faq-for-disks.yml#uploading-to-a-managed-disk) section in the FAQ.

+If you've additional questions, see the section on [uploading a managed disk](../faq-for-disks.yml#uploading-to-a-managed-disk) in the FAQ.

+### SNAT exhaustion when connecting outbound with Azure Firewall

+Azure Firewall can provide outbound connectivity to the internet from virtual networks. Azure Firewall provides only 2,496 SNAT ports per public IP address. While Azure Firewall can be associated with up to 250 public IP addresses to handle egress traffic, users may require much fewer public IP addresses for connecting outbound. The requirement for egressing with fewer public IP addresses may be due to various architectural requirements and allowlist limitations by destination endpoints.

+One method by which to provide greater scalability for outbound traffic and also reduce the risk of SNAT port exhaustion is to use NAT gateway in the same subnet with Azure Firewall. To set up NAT gateway in an Azure Firewall subnet, see [integrate NAT gateway with Azure Firewall](/azure/virtual-network/nat-gateway/tutorial-hub-spoke-nat-firewall). See [Scale SNAT ports with Azure NAT Gateway](../../firewall/integrate-with-nat-gateway.md) to learn more about how NAT gateway works with Firewall.

+> [!NOTE]

+> NAT gateway is not supported in a vWAN architecture. NAT gateway cannot be configured to an Azure Firewall subnet in a vWAN hub.