+1. In the left menu, select **Azure Active Directory**. Or, select **All services** and search for and select **Azure Active Directory**.

+You can change SKUs up or down after the managed domain has been deployed. However, the *Premium* and *Enterprise* SKUs define a limit on the number of trusts you can create. You can't change to a SKU with a lower maximum limit than you currently have configured.

+For example, if you have created seven trusts on the *Premium* SKU, you can't change down to the *Enterprise* SKU. The *Enterprise* SKU supports a maximum of five trusts.

+* **Azure Active Directory Domain Services (Azure AD DS)** - Provides managed domain services with a subset of fully compatible traditional AD DS features such as domain join, group policy, LDAP, and Kerberos / NTLM authentication.

+If on-premises AD DS and Azure AD are configured for federated authentication using AD FS, then there's no (current/valid) password hash available in Azure DS. Azure AD user accounts created before fed auth was implemented might have an old password hash but this likely doesn't match a hash of their on-premises password. Hence Azure AD DS won't be able to validate the users credentials

+> Azure AD Domain Services only supports a one-way forest trust to on-premises Active Directory.

+ Title: Create an Azure AD Domain Services forest trust using Azure PowerShell | Microsoft Docs

+description: In this article, learn how to create and configure an Azure Active Directory Domain Services forest trust to an on-premises Active Directory Domain Services environment using Azure PowerShell.

+#Customer intent: As an identity administrator, I want to create an Azure AD Domain Services forest and one-way outbound trust from an Azure Active Directory Domain Services forest to an on-premises Active Directory Domain Services forest using Azure PowerShell to provide authentication and resource access between forests.

+# Create an Azure Active Directory Domain Services forest trust to an on-premises domain using Azure PowerShell

+In environments where you can't synchronize password hashes, or you have users that exclusively sign in using smart cards so they don't know their password, you can create a one-way outbound trust from Azure Active Directory Domain Services (Azure AD DS) to one or more on-premises AD DS environments. This trust relationship lets users, applications, and computers authenticate against an on-premises domain from the Azure AD DS managed domain. In this case, on-premises password hashes are never synchronized.

+

+In this article, you learn how to:

+> [!div class="checklist"]

+> * Create an Azure AD DS forest using Azure PowerShell

+> * Create a one-way outbound forest trust in the managed domain using Azure PowerShell

+> * Configure DNS in an on-premises AD DS environment to support managed domain connectivity

+> * Create a one-way inbound forest trust in an on-premises AD DS environment

+> * Test and validate the trust relationship for authentication and resource access

+If you don't have an Azure subscription, [create an account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+> [!IMPORTANT]

+> Managed domain forests don't currently support Azure HDInsight or Azure Files. The default managed domain forests do support both of these additional services.

+## Prerequisites

+To complete this article, you need the following resources and privileges:

+* An active Azure subscription.

+ * If you don't have an Azure subscription, [create an account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* An Azure Active Directory tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory.

+ * If needed, [create an Azure Active Directory tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant].

+* Install and configure Azure PowerShell.

+ * If needed, follow the instructions to [install the Azure PowerShell module and connect to your Azure subscription](/powershell/azure/install-az-ps).

+ * Make sure that you sign in to your Azure subscription using the [Connect-AzAccount][Connect-AzAccount] cmdlet.

+* Install and configure Azure AD PowerShell.

+ * If needed, follow the instructions to [install the Azure AD PowerShell module and connect to Azure AD](/powershell/azure/active-directory/install-adv2).

+ * Make sure that you sign in to your Azure AD tenant using the [Connect-AzureAD][Connect-AzureAD] cmdlet.

+* You need [Application Administrator](../active-directory/roles/permissions-reference.md#application-administrator) and [Groups Administrator](../active-directory/roles/permissions-reference.md#groups-administrator) Azure AD roles in your tenant to enable Azure AD DS.

+* You need [Domain Services Contributor](../role-based-access-control/built-in-roles.md#contributor) Azure role to create the required Azure AD DS resources.

+## Sign in to the Azure portal

+In this article, you create and configure the outbound forest trust from a managed domain using the Azure portal. To get started, first sign in to the [Azure portal](https://portal.azure.com).

+## Deployment process

+It's a multi-part process to create a managed domain forest and the trust relationship to an on-premises AD DS. The following high-level steps build your trusted, hybrid environment:

+1. Create a managed domain service principal.

+1. Create a managed domain forest.

+1. Create hybrid network connectivity using site-to-site VPN or Express Route.

+1. Create the managed domain side of the trust relationship.

+1. Create the on-premises AD DS side of the trust relationship.

+Before you start, make sure you understand the [network considerations, forest naming, and DNS requirements](tutorial-create-forest-trust.md#networking-considerations). You can't change the managed domain forest name once it's deployed.

+## Create the Azure AD service principal

+Azure AD DS requires a service principal synchronize data from Azure AD. This principal must be created in your Azure AD tenant before you created the managed domain forest.

+Create an Azure AD service principal for Azure AD DS to communicate and authenticate itself. A specific application ID is used named *Domain Controller Services* with an ID of *6ba9a5d4-8456-4118-b521-9c5ca10cdf84*. Don't change this application ID.

+Create an Azure AD service principal using the [New-AzureADServicePrincipal][New-AzureADServicePrincipal] cmdlet:

+```powershell

+New-AzureADServicePrincipal -AppId "6ba9a5d4-8456-4118-b521-9c5ca10cdf84"

+```

+## Create a managed domain

+To create a managed domain, you use the `New-AzureAaddsForest` script. This script is part of a wider set of commands that support managed domains, including create the one-way bound forest in a following section. These scripts are available from the [PowerShell Gallery](https://www.powershellgallery.com/) and are digitally signed by the Azure AD engineering team.

+1. First, create a resource group using the [New-AzResourceGroup][New-AzResourceGroup] cmdlet. In the following example, the resource group is named *myResourceGroup* and is created in the *westus* region. Use your own name and desired region:

+ ```azurepowershell

+ New-AzResourceGroup `

+ -Name "myResourceGroup" `

+ -Location "WestUS"

+ ```

+1. Install the `New-AaddsResourceForestTrust` script from the [PowerShell Gallery][powershell-gallery] using the [Install-Script][Install-Script] cmdlet:

+ ```powershell

+ Install-Script -Name New-AaddsResourceForestTrust

+ ```

+1. Review the following parameters needed for the `New-AzureAaddsForest` script. Make sure you also have the prerequisite **Azure PowerShell** and **Azure AD PowerShell** modules. Make sure you have planned the virtual network requirements to provide application and on-premises connectivity.

+ | Name | Script parameter | Description |

+ |:--||:|

+ | Subscription | *-azureSubscriptionId* | Subscription ID used for Azure AD DS billing. You can get the list of subscriptions using the [Get-AzureRMSubscription][Get-AzureRMSubscription] cmdlet. |

+ | Resource Group | *-aaddsResourceGroupName* | Name of the resource group for the managed domain and associated resources. |

+ | Location | *-aaddsLocation* | The Azure region to host your managed domain. For available regions, see [supported regions for Azure AD DS.](https://azure.microsoft.com/global-infrastructure/services/?products=active-directory-ds&regions=all) |

+ | Azure AD DS administrator | *-aaddsAdminUser* | The user principal name of the first managed domain administrator. This account must be an existing cloud user account in your Azure Active Directory. The user, and the user running the script, is added to the *AAD DC Administrators* group. |

+ | Azure AD DS domain name | *-aaddsDomainName* | The FQDN of the managed domain, based on the previous guidance on how to choose a forest name. |

+ The `New-AzureAaddsForest` script can create the Azure virtual network and Azure AD DS subnet if these resources don't already exist. The script can optionally create the workload subnets, when specified:

+ | Name | Script parameter | Description |

+ |:-|:-|:|

+ | Virtual network name | *-aaddsVnetName* | Name of the virtual network for the managed domain.|

+ | Address space | *-aaddsVnetCIDRAddressSpace* | Virtual network's address range in CIDR notation (if creating the virtual network).|

+ | Azure AD DS subnet name | *-aaddsSubnetName* | Name of the subnet of the *aaddsVnetName* virtual network hosting the managed domain. Don't deploy your own VMs and workloads into this subnet. |

+ | Azure AD DS address range | *-aaddsSubnetCIDRAddressRange* | Subnet address range in CIDR notation for the Azure AD DS instance, such as *192.168.1.0/24*. Address range must be contained by the address range of the virtual network, and different from other subnets. |

+ | Workload subnet name (optional) | *-workloadSubnetName* | Optional name of a subnet in the *aaddsVnetName* virtual network to create for your own application workloads. VMs and applications and also be connected to a peered Azure virtual network instead. |

+ | Workload address range (optional) | *-workloadSubnetCIDRAddressRange* | Optional subnet address range in CIDR notation for application workload, such as *192.168.2.0/24*. Address range must be contained by the address range of the virtual network, and different from other subnets.|

+1. Now create a managed domain forest using the `New-AzureAaaddsForest` script. The following example creates a forest named *addscontoso.com* and creates a workload subnet. Provide your own parameter names and IP address ranges or existing virtual networks.

+ ```azurepowershell

+ New-AzureAaddsForest `

+ -azureSubscriptionId <subscriptionId> `

+ -aaddsResourceGroupName "myResourceGroup" `

+ -aaddsLocation "WestUS" `

+ -aaddsAdminUser "contosoadmin@contoso.com" `

+ -aaddsDomainName "aaddscontoso.com" `

+ -aaddsVnetName "myVnet" `

+ -aaddsVnetCIDRAddressSpace "192.168.0.0/16" `

+ -aaddsSubnetName "AzureADDS" `

+ -aaddsSubnetCIDRAddressRange "192.168.1.0/24" `

+ -workloadSubnetName "myWorkloads" `

+ -workloadSubnetCIDRAddressRange "192.168.2.0/24"

+ ```

+ It takes quite some time to create the managed domain forest and supporting resources. Allow the script to complete. Continue on to the next section to configure your on-premises network connectivity while the Azure AD forest provisions in the background.

+## Configure and validate network settings

+As the managed domain continues to deploy, configure and validate the hybrid network connectivity to the on-premises datacenter. You also need a management VM to use with the managed domain for regular maintenance. Some of the hybrid connectivity may already exist in your environment, or you may need to work with others in your team to configure the connections.

+Before you start, make sure you understand the [network considerations and recommendations](tutorial-create-forest-trust.md#networking-considerations).

+1. Create the hybrid connectivity to your on-premises network to Azure using an Azure VPN or Azure ExpressRoute connection. The hybrid network configuration is beyond the scope of this documentation, and may already exist in your environment. For details on specific scenarios, see the following articles:

+ * [Azure Site-to-Site VPN](../vpn-gateway/vpn-gateway-about-vpngateways.md).

+ * [Azure ExpressRoute Overview](../expressroute/expressroute-introduction.md).

+ > [!IMPORTANT]

+ > If you create the connection directly to your managed domain's virtual network, use a separate gateway subnet. Don't create the gateway in the managed domain's subnet.

+1. To administer a managed domain, you create a management VM, join it to the managed domain, and install the required AD DS management tools.

+ While the managed domain is being deployed, [create a Windows Server VM](./join-windows-vm.md) then [install the core AD DS management tools](./tutorial-create-management-vm.md) to install the needed management tools. Wait to join the management VM to the managed domain until one of the following steps after the domain is successfully deployed.

+1. Validate network connectivity between your on-premises network and the Azure virtual network.

+ * Confirm that your on-premises domain controller can connect to the managed VM using `ping` or remote desktop, for example.

+ * Verify that your management VM can connect to your on-premises domain controllers, again using a utility such as `ping`.

+1. In the Azure portal, search for and select **Azure AD Domain Services**. Choose your managed domain, such as *aaddscontoso.com* and wait for the status to report as **Running**.

+ When running, [update DNS settings for the Azure virtual network](tutorial-create-instance.md#update-dns-settings-for-the-azure-virtual-network) and then [enable user accounts for Azure AD DS](tutorial-create-instance.md#enable-user-accounts-for-azure-ad-ds) to finalize the configurations for your managed domain.

+1. Make a note of the DNS addresses shown on the overview page. You need these addresses when you configure the on-premises Active Directory side of the trust relationship in a following section.

+1. Restart the management VM for it to receive the new DNS settings, then [join the VM to the managed domain](join-windows-vm.md#join-the-vm-to-the-managed-domain).

+1. After the management VM is joined to the managed domain, connect again using remote desktop.

+ From a command prompt, use `nslookup` and the managed domain name to validate name resolution for the forest.

+ ```console

+ nslookup aaddscontoso.com

+ ```

+ The command should return two IP addresses for the forest.

+## Create the forest trust

+The forest trust has two parts - the one-way outbound forest trust in the managed domain, and the one-way inbound forest trust in the on-premises AD DS forest. You manually create both sides of this trust relationship. When both sides are created, users and resources can successfully authenticate using the forest trust. A managed domain supports up to five one-way outbound forest trusts to on-premises forests.

+### Create the managed domain side of the trust relationship

+Use the `Add-AaddsResourceForestTrust` script to create the managed domain side of the trust relationship. First, install the `Add-AaddsResourceForestTrust` script from the [PowerShell Gallery][powershell-gallery] using the [Install-Script][Install-Script] cmdlet:

+```powershell

+Install-Script -Name Add-AaddsResourceForestTrust

+```

+Now provide the script the following information:

+| Name | Script parameter | Description |

+|:--|:|:|

+| Azure AD DS domain name | *-ManagedDomainFqdn* | FQDN of the managed domain, such as *aaddscontoso.com* |

+| On-premises AD DS domain name | *-TrustFqdn* | The FQDN of the trusted forest, such as *onprem.contoso.com* |

+| Trust friendly name | *-TrustFriendlyName* | Friendly name of the trust relationship. |

+| On-premises AD DS DNS IP addresses | *-TrustDnsIPs* | A comma-delimited list of DNS server IPv4 addresses for the trusted domain listed. |

+| Trust password | *-TrustPassword* | A complex password for the trust relationship. This password is also entered when creating the one-way inbound trust in the on-premises AD DS. |

+| Credentials | *-Credentials* | The credentials used to authenticate to Azure. The user must be in the *AAD DC Administrators group*. If not provided, the script prompts for authentication. |

+The following example creates a trust relationship named *myAzureADDSTrust* to *onprem.contoso.com*. Use your own parameter names and passwords:.

+```azurepowershell

+Add-AaddsResourceForestTrust `

+ -ManagedDomainFqdn "aaddscontoso.com" `

+ -TrustFqdn "onprem.contoso.com" `

+ -TrustFriendlyName "myAzureADDSTrust" `

+ -TrustDnsIPs "10.0.1.10,10.0.1.11" `

+ -TrustPassword <complexPassword>

+```

+> [!IMPORTANT]

+> Remember your trust password. You must use the same password when your create the on-premises side of the trust.

+## Configure DNS in the on-premises domain

+To correctly resolve the managed domain from the on-premises environment, you may need to add forwarders to the existing DNS servers. If you haven't configure the on-premises environment to communicate with the managed domain, complete the following steps from a management workstation for the on-premises AD DS domain:

+1. Select **Start | Administrative Tools | DNS**

+1. Right-select DNS server, such as *myAD01*, select **Properties**

+1. Choose **Forwarders**, then **Edit** to add additional forwarders.

+1. Add the IP addresses of the managed domain, such as *10.0.1.4* and *10.0.1.5*.

+1. From a local command prompt, validate name resolution using **nslookup** of the managed domain name. For example, `Nslookup aaddscontoso.com` should return the two IP addresses for the managed domain.

+## Create inbound forest trust in the on-premises domain

+The on-premises AD DS domain needs an incoming forest trust for the managed domain. This trust must be manually created in the on-premises AD DS domain, it can't be created from the Azure portal.

+To configure inbound trust on the on-premises AD DS domain, complete the following steps from a management workstation for the on-premises AD DS domain:

+1. Select **Start | Administrative Tools | Active Directory Domains and Trusts**

+1. Right-select domain, such as *onprem.contoso.com*, select **Properties**

+1. Choose **Trusts** tab, then **New Trust**

+1. Enter the name of the managed domain, such as *aaddscontoso.com*, then select **Next**

+1. Select the option to create a **Forest trust**, then to create a **One way: incoming** trust.

+1. Choose to create the trust for **This domain only**. In the next step, you create the trust in the Azure portal for the managed domain.

+1. Choose to use **Forest-wide authentication**, then enter and confirm a trust password. This same password is also entered in the Azure portal in the next section.

+1. Step through the next few windows with default options, then choose the option for **No, do not confirm the outgoing trust**. You can't validate the trust relation because your delegated admin account to the managed domain doesn't have the required permissions. This behavior is by design.

+1. Select **Finish**

+## Validate resource authentication

+The following common scenarios let you validate that forest trust correctly authenticates users and access to resources:

+* [On-premises user authentication from the Azure AD DS forest](#on-premises-user-authentication-from-the-azure-ad-ds-forest)

+* [Access resources in the Azure AD DS forest as an on-premises user](#access-resources-in-azure-ad-ds-as-an-on-premises-user)

+ * [Enable file and printer sharing](#enable-file-and-printer-sharing)

+ * [Create a security group and add members](#create-a-security-group-and-add-members)

+ * [Create a file share for cross-forest access](#create-a-file-share-for-cross-forest-access)

+ * [Validate cross-forest authentication to a resource](#validate-cross-forest-authentication-to-a-resource)

+### On-premises user authentication from the Azure AD DS forest

+You should have Windows Server virtual machine joined to the managed domain resource domain. Use this virtual machine to test your on-premises user can authenticate on a virtual machine.

+1. Connect to the Windows Server VM joined to the managed domain using Remote Desktop and your managed domain administrator credentials. If you get a Network Level Authentication (NLA) error, check the user account you used is not a domain user account.

+ > [!TIP]

+ > To securely connect to your VMs joined to Azure AD Domain Services, you can use the [Azure Bastion Host Service](../bastion/bastion-overview.md) in supported Azure regions.

+1. Open a command prompt and use the `whoami` command to show the distinguished name of the currently authenticated user:

+ ```console

+ whoami /fqdn

+ ```

+1. Use the `runas` command to authenticate as a user from the on-premises domain. In the following command, replace `userUpn@trusteddomain.com` with the UPN of a user from the trusted on-premises domain. The command prompts you for the user's password:

+ ```console

+ Runas /u:userUpn@trusteddomain.com cmd.exe

+ ```

+1. If the authentication is a successful, a new command prompt opens. The title of the new command prompt includes `running as userUpn@trusteddomain.com`.

+1. Use `whoami /fqdn` in the new command prompt to view the distinguished name of the authenticated user from the on-premises Active Directory.

+### Access resources in Azure AD DS as an on-premises user

+Using the Windows Server VM joined to the managed domain, you can test the scenario where users can access resources hosted in the forest when they authenticate from computers in the on-premises domain with users from the on-premises domain. The following examples show you how to create and test various common scenarios.

+#### Enable file and printer sharing

+1. Connect to the Windows Server VM joined to the managed domain using Remote Desktop and your managed domain administrator credentials. If you get a Network Level Authentication (NLA) error, check the user account you used is not a domain user account.

+ > [!TIP]

+ > To securely connect to your VMs joined to Azure AD Domain Services, you can use the [Azure Bastion Host Service](../bastion/bastion-overview.md) in supported Azure regions.

+1. Open **Windows Settings**, then search for and select **Network and Sharing Center**.

+1. Choose the option for **Change advanced sharing** settings.

+1. Under the **Domain Profile**, select **Turn on file and printer sharing** and then **Save changes**.

+1. Close **Network and Sharing Center**.

+#### Create a security group and add members

+1. Open **Active Directory Users and Computers**.

+1. Right-select the domain name, choose **New**, and then select **Organizational Unit**.

+1. In the name box, type *LocalObjects*, then select **OK**.

+1. Select and right-click **LocalObjects** in the navigation pane. Select **New** and then **Group**.

+1. Type *FileServerAccess* in the **Group name** box. For the **Group Scope**, select **Domain local**, then choose **OK**.

+1. In the content pane, double-click **FileServerAccess**. Select **Members**, choose to **Add**, then select **Locations**.

+1. Select your on-premises Active Directory from the **Location** view, then choose **OK**.

+1. Type *Domain Users* in the **Enter the object names to select** box. Select **Check Names**, provide credentials for the on-premises Active Directory, then select **OK**.

+ > [!NOTE]

+ > You must provide credentials because the trust relationship is only one way. This means users from the managed domain can't access resources or search for users or groups in the trusted (on-premises) domain.

+1. The **Domain Users** group from your on-premises Active Directory should be a member of the **FileServerAccess** group. Select **OK** to save the group and close the window.

+#### Create a file share for cross-forest access

+1. On the Windows Server VM joined to the managed domain, create a folder and provide name such as *CrossForestShare*.

+1. Right-select the folder and choose **Properties**.

+1. Select the **Security** tab, then choose **Edit**.

+1. In the *Permissions for CrossForestShare* dialog box, select **Add**.

+1. Type *FileServerAccess* in **Enter the object names to select**, then select **OK**.

+1. Select *FileServerAccess* from the **Groups or user names** list. In the **Permissions for FileServerAccess** list, choose *Allow* for the **Modify** and **Write** permissions, then select **OK**.

+1. Select the **Sharing** tab, then choose **Advanced Sharing…**

+1. Choose **Share this folder**, then enter a memorable name for the file share in **Share name** such as *CrossForestShare*.

+1. Select **Permissions**. In the **Permissions for Everyone** list, choose **Allow** for the **Change** permission.

+1. Select **OK** two times and then **Close**.

+#### Validate cross-forest authentication to a resource

+1. Sign in a Windows computer joined to your on-premises Active Directory using a user account from your on-premises Active Directory.

+1. Using **Windows Explorer**, connect to the share you created using the fully qualified host name and the share such as `\\fs1.aaddscontoso.com\CrossforestShare`.

+1. To validate the write permission, right-select in the folder, choose **New**, then select **Text Document**. Use the default name **New Text Document**.

+ If the write permissions are set correctly, a new text document is created. The following steps will then open, edit, and delete the file as appropriate.

+1. To validate the read permission, open **New Text Document**.

+1. To validate the modify permission, add text to the file and close **Notepad**. When prompted to save changes, choose **Save**.

+1. To validate the delete permission, right-select **New Text Document** and choose **Delete**. Choose **Yes** to confirm file deletion.

+## Update or remove outbound forest trust

+If you need to update an existing one-way outbound forest from the managed domain, you can use the `Get-AaddsResourceForestTrusts` and `Set-AaddsResourceForestTrust` scripts. These scripts help in scenarios where you want to update the forest trust friendly name or trust password. To remove a one-way outbound trust from the managed domain, you can use the `Remove-AaddsResourceForestTrust` script. You must manually remove the one-way inbound forest trust in the associated on-premises AD DS forest.

+### Update a forest trust

+In normal operation, the managed domain and on-premises forest negotiate a regular password update process between themselves. This is part of the normal AD DS trust relationship security process. You don't need to manually rotate the trust password unless the trust relationship has experienced an issue and you want to manually reset to a known password. For more information, see [trusted domain object password changes](concepts-forest-trust.md#tdo-password-changes).

+The following example steps show you how to update an existing trust relationship if you need to manually reset the outbound trust password:

+1. Install the `Get-AaddsResourceForestTrusts` and `Set-AaddsResourceForestTrust` scripts from the [PowerShell Gallery][powershell-gallery] using the [Install-Script][Install-Script] cmdlet:

+ ```powershell

+ Install-Script -Name Get-AaddsResourceForestTrusts,Set-AaddsResourceForestTrust

+ ```

+1. Before you can update an existing trust, first get the trust resource using the `Get-AaddsResourceForestTrusts` script. In the following example, the existing trust is assigned to an object named *existingTrust*. Specify your own managed domain forest name and on-premises forest name to update:

+ ```powershell

+ $existingTrust = Get-AaddsResourceForestTrust `

+ -ManagedDomainFqdn "aaddscontoso.com" `

+ -TrustFqdn "onprem.contoso.com" `

+ -TrustFriendlyName "myAzureADDSTrust"

+ ```

+1. To update the existing trust password, use the `Set-AaddsResourceForestTrust` script. Specify the existing trust object from the previous step, then a new trust relationship password. No password complexity is enforced by PowerShell, so make sure you to generate and use a secure password for your environment.

+ ```powershell

+ Set-AaddsResourceForestTrust `

+ -Trust $existingTrust `

+ -TrustPassword <newComplexPassword>

+ ```

+### Delete a forest trust

+If you no longer need the one-way outbound forest trust from the managed domain to an on-premises AD DS forest, you can remove it. Make sure that no applications or services need to authenticate against the on-premises AD DS forest before you remove the trust. You must manually remove the one-way inbound trust in the on-premises AD DS forest, too.

+1. Install the `Remove-AaddsResourceForestTrust` script from the [PowerShell Gallery][powershell-gallery] using the [Install-Script][Install-Script] cmdlet:

+ ```powershell

+ Install-Script -Name Remove-AaddsResourceForestTrust

+ ```

+1. Now remove the forest trust using the `Remove-AaddsResourceForestTrust` script. In the following example, the trust named *myAzureADDSTrust* between the managed domain forest named *aaddscontoso.com* and on-premises forest *onprem.contoso.com* is removed. Specify your own managed domain forest name and on-premises forest name to remove:

+ ```powershell

+ Remove-AaddsResourceForestTrust `

+ -ManagedDomainFqdn "aaddscontoso.com" `

+ -TrustFqdn "onprem.contoso.com" `

+ -TrustFriendlyName "myAzureADDSTrust"

+ ```

+To remove the one-way inbound trust from the on-premises AD DS forest, connect to a management computer with access to the on-premises AD DS forest and complete the following steps:

+1. Select **Start | Administrative Tools | Active Directory Domains and Trusts**.

+1. Right-select domain, such as *onprem.contoso.com*, select **Properties**.

+1. Choose **Trusts** tab, then select the existing incoming trust from your managed domain forest.

+1. Select **Remove**, then confirm that you wish to remove the incoming trust.

+## Next steps

+In this article, you learned how to:

+> [!div class="checklist"]

+> * Create a managed domain using Azure PowerShell

+> * Create a one-way outbound forest trust in the managed domain using Azure PowerShell

+> * Configure DNS in an on-premises AD DS environment to support the managed domain connectivity

+> * Create a one-way inbound forest trust in an on-premises AD DS environment

+> * Test and validate the trust relationship for authentication and resource access

+For more conceptual information about forest types in Azure AD DS, see [How do forest trusts work in Azure AD DS?][concepts-trust]

+<!-- INTERNAL LINKS -->

+[concepts-trust]: concepts-forest-trust.md

+[create-azure-ad-tenant]: ../active-directory/fundamentals/sign-up-organization.md

+[associate-azure-ad-tenant]: ../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md

+[create-azure-ad-ds-instance-advanced]: tutorial-create-instance-advanced.md

+[Connect-AzAccount]: /powershell/module/Az.Accounts/Connect-AzAccount

+[Connect-AzureAD]: /powershell/module/AzureAD/Connect-AzureAD

+[New-AzResourceGroup]: /powershell/module/Az.Resources/New-AzResourceGroup

+[network-peering]: ../virtual-network/virtual-network-peering-overview.md

+[New-AzureADServicePrincipal]: /powershell/module/AzureAD/New-AzureADServicePrincipal

+[Get-AzureRMSubscription]: /powershell/module/AzureRM.Profile/Get-AzureRmSubscription

+[Install-Script]: /powershell/module/powershellget/install-script

+<!-- EXTERNAL LINKS -->

+[powershell-gallery]: https://www.powershellgallery.com/

+ * If needed, you can create one-way outbound forest trusts from Azure AD DS to an on-premises AD DS environment. For more information, see [Forest concepts and features for Azure AD DS][forest-trusts].

+By default, all users and groups from an Azure AD directory are synchronized to a managed domain. If only some users need to use Azure AD DS, you can instead choose to synchronize only groups of users. You can filter synchronization for groups on-premises, cloud only, or both.

+By default, all users and groups from an Azure AD directory are synchronized to a managed domain. You can scope synchronization to only user accounts that were created in Azure AD, or synchronize all users.

+If only a few groups of users need to access the managed domain, you can select **Filter by group entitlement** to synchronize only those groups. This scoped synchronization is only group-based. When you configure group-based scoped synchronization, only the user accounts that belong to the groups you specify are synchronized to the managed domain. Nested groups aren't synchronized; only the groups you specify get synchronized.

+1. For *Synchronization scope*, select **All** or **Cloud Only**.

+1. To filter synchronization for selected groups, click **Show selected groups**, choose whether to synchronize cloud-only groups, on-premises groups, or both. For example, the following screenshot shows how to synchronize only three groups that were created in Azure AD. Only users who belong to those groups will have their accounts synchronized to Azure AD DS.

+ :::image type="content" source="media/scoped-synchronization/cloud-only-groups.png" alt-text="Screenshot that shows filter by cloud-only groups." :::

+1. To add groups, click **Add groups**, then search for and choose the groups to add.

+1. To add a group, choose **+ Add groups** at the top, then choose the groups to add.

+1. Clear the check box for **Show selected groups**, and click **Save synchronization scope**.

+The synchronization process is one-way by design. There's no reverse synchronization of changes from Azure AD DS back to Azure AD. A managed domain is largely read-only except for custom OUs that you can create. You can't make changes to user attributes, user passwords, or group memberships within a managed domain.

+## Scoped synchronization and group filter

+You can scope synchronization to only user accounts that originated in the cloud. Within that synchronization scope, you can filter for specific groups os users. You can choose between cloud only groups, on-premises groups, or both. For more information about how to configure scoped synchronization, see [Configure scoped synchronization](scoped-synchronization.md).

+If you configure writeback, changes from Azure AD are synchronized back to the on-premises AD DS environment. For example, if a user changes their password using Azure AD self-service password management, the password is updated back in the on-premises AD DS environment.

+When you enable Azure AD DS, legacy password hashes for NTLM and Kerberos authentication are required. Azure AD doesn't store clear-text passwords, so these hashes can't be automatically generated for existing user accounts. NTLM and Kerberos compatible password hashes are always stored in an encrypted manner in Azure AD.

+You don't need to perform these steps if you use cloud-only accounts with no on-premises AD DS environment.

+ * The Azure AD connector is named *contoso.onmicrosoft.com - Azure AD*

+Trusts can be created in any domain. The domain will automatically block synchronization from an on-premises domain for any user accounts that were synchronized to Azure AD DS. This prevents UPN collisions when users authenticate.

+* An Azure Active Directory Domain Services managed domain.

+For more conceptual information about forest in Azure AD DS, see [How do forest trusts work in Azure AD DS?][concepts-trust].

+1. A *forest* is a logical construct used by Active Directory Domain Services to group one or more domains.

+1. A *forest* is a logical construct used by Active Directory Domain Services to group one or more domains.

+The Azure AD provisioning service uses the [SCIM 2.0 protocol](https://techcommunity.microsoft.com/t5/Identity-Standards-Blog/bg-p/IdentityStandards) for automatic provisioning. The service connects to the SCIM endpoint for the application, and uses SCIM user object schema and REST APIs to automate the provisioning and de-provisioning of users and groups. A SCIM-based provisioning connector is provided for most applications in the Azure AD gallery. Developers use the SCIM 2.0 user management API in Azure AD to build endpoints for their apps that integrate with the provisioning service. For details, see [Build a SCIM endpoint and configure user provisioning](../app-provisioning/use-scim-to-provision-users-and-groups.md).

+- The provisioning process goes into quarantine (see example) because of a high error rate, and stays in quarantine for more than four weeks. In this event, the service is automatically disabled.

+Confirm the checkbox for updates is selected.

+Confirm the mapping for *active* for your application. If you're using an application from the app gallery, the mapping may be slightly different. In this case, use the default mapping for gallery applications.

+The scenario triggers a disable or a delete:

+* A user is soft-deleted in Azure AD (sent to the recycle bin / AccountEnabled property set to false).

+By default, the Azure AD provisioning service soft-deletes or disables users that go out of scope. If you want to override this default behavior, you can set a flag to [skip out-of-scope deletions.](skip-out-of-scope-deletions.md)

+When one of the four events occurs and the target application doesn't support soft-deletes, the provisioning service sends a DELETE request to permanently delete the user from the app.

+If you see `IsSoftDeleted` in your attribute mappings, it's used to determine the state of the user and whether to send an update request with `active = false` to soft-delete the user.

+The table describes how you can configure deprovisioning actions with the Azure AD provisioning service. These rules are written with the non-gallery / custom application in mind, but generally apply to applications in the gallery. However, the behavior for gallery applications can differ as they've been optimized to meet the needs of the application. For example, if the target application doesn't support soft-deleting then the Azure AD provisioning service might send a hard-delete request to delete users rather than send a soft-delete.

+|When a user is deleted in Azure AD, do nothing in the target application.|Ensure that "Delete" isn't selected as one of the target object actions in the [attribute configuration experience](skip-out-of-scope-deletions.md).|

+When developing an application, always support both soft-deletes and hard-deletes. It allows customers to recover when a user is accidentally disabled.

+| Password expiry duration (Maximum password age) |Default value: **90** days.<br>The value is configurable by using the `Set-MsolPasswordPolicy` cmdlet from the Azure Active Directory Module for Windows PowerShell. |

+| Password expiry (Let passwords never expire) |Default value: **false** (indicates that password's have an expiration date).<br>The value can be configured for individual user accounts by using the `Set-MsolUser` cmdlet.|

+## Enable system-preferred MFA in the Azure portal

+By default, system-preferred MFA is Microsoft managed and disabled for all users.

+1. In the Azure portal, click **Security** > **Authentication methods** > **Settings**.

+1. For **System-preferred multifactor authentication**, choose whether to explicitly enable or disable the feature, and include or exclude any users. Excluded groups take precedence over include groups.

+ For example, the following screenshot shows how to make system-preferred MFA explicitly enabled for only the Engineering group.

+ :::image type="content" border="true" source="./media/concept-system-preferred-multifactor-authentication/enable.png" alt-text="Screenshot of how to enable Microsoft Authenticator settings for Push authentication mode.":::

+1. After you finish making any changes, click **Save**.

+## Enable system-preferred MFA using Graph APIs

+| ID | String | ID of the entity targeted. |

+- Users in scope for Self Service Password Reset (SSPR) registration policy *or* [Identity Protection Multi-factor authentication registration policy](../identity-protection/howto-identity-protection-configure-mfa-policy.md) will be required to register authentication methods after they've signed in with a Temporary Access Pass using a browser.

+Administrators can monitor user sign-ins where continuous access evaluation (CAE) is applied. This information is found in the Azure AD sign-in logs:

+1. Browse to **Azure Active Directory** > **Sign-in logs**.

+[  ](./media/howto-continuous-access-evaluation-troubleshoot/sign-ins-log-apply-filter.png#lightbox)

+From here, admins are presented with information about their userΓÇÖs sign-in events. Select any sign-in to see details about the session, like which Conditional Access policies applied and if CAE enabled.

+There are multiple sign-in requests for each authentication. Some are on the interactive tab, while others are on the non-interactive tab. CAE is only marked true for one of the requests, it can be on the interactive tab or non-interactive tab. Admins must check both tabs to confirm whether the user's authentication is CAE enabled or not.

+Sign in logs contain information on success and failure events. Use filters to narrow your search. For example, if a user signed in to Teams, use the Application filter and set it to Teams. Admins may need to check the sign-ins from both interactive and non-interactive tabs to locate the specific sign-in. To further narrow the search, admins may apply multiple filters.

+### Continuous access evaluation insights per sign-in

+## IP address configuration

+If this scenario exists in your environment, to avoid infinite loops, Azure AD issues a one-hour CAE token and doesn't enforce client location change during that one-hour period. Even in this case, security is improved compared to traditional one-hour tokens since we're still evaluating the other events besides client location change events.

+| Claim | Format | Description | Authorization considerations |

+|-|--|-||

+| `aud` | String, an Application ID URI or GUID | Identifies the intended audience of the token. In v2.0 tokens, this value is always the client ID of the API. In v1.0 tokens, it can be the client ID or the resource URI used in the request. The value can depend on how the client requested the token. | This value must be validated, reject the token if the value doesn't match the intended audience. |

+| `iss` | String, a security token service (STS) URI | Identifies the STS that constructs and returns the token, and the Azure AD tenant of the authenticated user. If the token issued is a v2.0 token (see the `ver` claim), the URI ends in `/v2.0`. The GUID that indicates that the user is a consumer user from a Microsoft account is `9188040d-6c67-4c5b-b112-36a304b66dad`. | The application can use the GUID portion of the claim to restrict the set of tenants that can sign in to the application, if applicable. |

+|`idp`| String, usually an STS URI | Records the identity provider that authenticated the subject of the token. This value is identical to the value of the Issuer claim unless the user account isn't in the same tenant as the issuer, such as guests. Use the value of `iss` if the claim isn't present. For personal accounts being used in an organizational context (for instance, a personal account invited to an Azure AD tenant), the `idp` claim may be 'live.com' or an STS URI containing the Microsoft account tenant `9188040d-6c67-4c5b-b112-36a304b66dad`. | |

+| `iat` | int, a Unix timestamp | Specifies when the authentication for this token occurred. | |

+| `nbf` | int, a Unix timestamp | Specifies the time after which the JWT can be processed. | |

+| `exp` | int, a Unix timestamp | Specifies the expiration time before which the JWT can be accepted for processing. A resource may reject the token before this time as well. The rejection can occur for a required change in authentication or when a token is revoked. | |

+| `aio` | Opaque String | An internal claim used by Azure AD to record data for token reuse. Resources shouldn't use this claim. | |

+| `acr` | String, a `0` or `1`, only present in v1.0 tokens | A value of `0` for the "Authentication context class" claim indicates the end-user authentication didn't meet the requirements of ISO/IEC 29115. | |

+| `amr` | JSON array of strings, only present in v1.0 tokens | Identifies the authentication method of the subject of the token. | |

+| `appid` | String, a GUID, only present in v1.0 tokens | The application ID of the client using the token. The application can act as itself or on behalf of a user. The application ID typically represents an application object, but it can also represent a service principal object in Azure AD. | `appid` may be used in authorization decisions. |

+| `azp` | String, a GUID, only present in v2.0 tokens | A replacement for `appid`. The application ID of the client using the token. The application can act as itself or on behalf of a user. The application ID typically represents an application object, but it can also represent a service principal object in Azure AD. | `azp` may be used in authorization decisions. |

+| `appidacr` | String, a `0`, `1`, or `2`, only present in v1.0 tokens | Indicates authentication method of the client. For a public client, the value is `0`. When you use the client ID and client secret, the value is `1`. When you use a client certificate for authentication, the value is `2`. | |

+| `azpacr` | String, a `0`, `1`, or `2`, only present in v2.0 tokens | A replacement for `appidacr`. Indicates the authentication method of the client. For a public client, the value is `0`. When you use the client ID and client secret, the value is `1`. When you use a client certificate for authentication, the value is `2`. | |

+| `preferred_username` | String, only present in v2.0 tokens. | The primary username that represents the user. The value could be an email address, phone number, or a generic username without a specified format. Use the value for username hints and in human-readable UI as a username. To receive this claim, use the `profile` scope. | Since this value is mutable, don't use it to make authorization decisions. |

+| `name` | String | Provides a human-readable value that identifies the subject of the token. The value can vary, it's mutable, and is for display purposes only. To receive this claim, use the `profile` scope. | Don't use this value to make authorization decisions. |

+| `scp` | String, a space separated list of scopes | The set of scopes exposed by the application for which the client application has requested (and received) consent. Only included for user tokens. | The application should verify that these scopes are valid ones exposed by the application, and make authorization decisions based on the value of these scopes. |

+| `roles` | Array of strings, a list of permissions | The set of permissions exposed by the application that the requesting application or user has been given permission to call. The [client credential flow](v2-oauth2-client-creds-grant-flow.md) uses this set of permission in place of user scopes for application tokens. For user tokens, this set of values contains the assigned roles of the user on the target application. | These values can be used for managing access, such as enforcing authorization to access a resource. |

+| `wids` | Array of [RoleTemplateID](../roles/permissions-reference.md#all-roles) GUIDs | Denotes the tenant-wide roles assigned to this user, from the section of roles present in [Azure AD built-in roles](../roles/permissions-reference.md#all-roles). The `groupMembershipClaims` property of the [application manifest](reference-app-manifest.md) configures this claim on a per-application basis. Set the claim to `All` or `DirectoryRole`. May not be present in tokens obtained through the implicit flow due to token length concerns. | These values can be used for managing access, such as enforcing authorization to access a resource. |

+| `groups` | JSON array of GUIDs | Provides object IDs that represent the group memberships of the subject. The `groupMembershipClaims` property of the [application manifest](reference-app-manifest.md) configures the groups claim on a per-application basis. A value of `null` excludes all groups, a value of `SecurityGroup` includes only Active Directory Security Group memberships, and a value of `All` includes both Security Groups and Microsoft 365 Distribution Lists. <br><br>See the `hasgroups` claim for details on using the `groups` claim with the implicit grant. For other flows, if the number of groups the user is in goes over 150 for SAML and 200 for JWT, then Azure AD adds an overage claim to the claim sources. The claim sources point to the Microsoft Graph endpoint that contains the list of groups for the user. | These values can be used for managing access, such as enforcing authorization to access a resource. |

+| `hasgroups` | Boolean | If present, always `true`, indicates whether the user is in at least one group. Used in place of the `groups` claim for JWTs in implicit grant flows if the full groups claim would extend the URI fragment beyond the URL length limits (currently six or more groups). Indicates that the client should use the Microsoft Graph API to determine the groups (`https://graph.microsoft.com/v1.0/users/{userID}/getMemberObjects`) of the user. | |

+| `groups:src1` | JSON object | Includes a link to the full groups list for the user when token requests are too large for the token. For JWTs as a distributed claim, for SAML as a new claim in place of the `groups` claim. <br><br>**Example JWT Value**: <br> `"groups":"src1"` <br> `"_claim_sources`: `"src1" : { "endpoint" : "https://graph.microsoft.com/v1.0/users/{userID}/getMemberObjects" }` | |

+| `sub` | String | The principal associated with the token. For example, the user of an application. This value is immutable, don't reassign or reuse. The subject is a pairwise identifier that's unique to a particular application ID. If a single user signs into two different applications using two different client IDs, those applications receive two different values for the subject claim. Using the two different values depends on architecture and privacy requirements. See also the `oid` claim, which does remain the same across applications within a tenant. | This value can be used to perform authorization checks, such as when the token is used to access a resource, and can be used as a key in database tables. |

+| `oid` | String, a GUID | The immutable identifier for the requestor, which is the verified identity of the user or service principal. This ID uniquely identifies the requestor across applications. Two different applications signing in the same user receive the same value in the `oid` claim. The `oid` can be used when making queries to Microsoft online services, such as the Microsoft Graph. The Microsoft Graph returns this ID as the `id` property for a given user account. Because the `oid` allows multiple applications to correlate principals, to receive this claim for users use the `profile` scope. If a single user exists in multiple tenants, the user contains a different object ID in each tenant. Even though the user logs into each account with the same credentials, the accounts are different. | This value can be used to perform authorization checks, such as when the token is used to access a resource, and can be used as a key in database tables. |

+| `tid` | String, a GUID | Represents the tenant that the user is signing in to. For work and school accounts, the GUID is the immutable tenant ID of the organization that the user is signing in to. For sign-ins to the personal Microsoft account tenant (services like Xbox, Teams for Life, or Outlook), the value is `9188040d-6c67-4c5b-b112-36a304b66dad`. To receive this claim, the application must request the `profile` scope. | This value should be considered in combination with other claims in authorization decisions. |

+| `unique_name` | String, only present in v1.0 tokens | Provides a human readable value that identifies the subject of the token. | This value can be different within a tenant and use it only for display purposes. |

+| `uti` | String | Token identifier claim, equivalent to `jti` in the JWT specification. Unique, per-token identifier that is case-sensitive. | |

+| `rh` | Opaque String | An internal claim used by Azure to revalidate tokens. Resources shouldn't use this claim. | |

+| `ver` | String, either `1.0` or `2.0` | Indicates the version of the access token. | |

+| [Authorization code](#authorization-code) | User sign-in and access to web APIs on behalf of the user. | [Desktop](scenario-desktop-overview.md) <br /> [Mobile](scenario-mobile-overview.md) <br /> [Single-page app (SPA)](scenario-spa-overview.md) (requires PKCE) <br /> [Web](scenario-web-app-call-api-overview.md) |

+When users sign in to web applications, the application receives an authorization code that it can redeem for an access token to call web APIs.

+In the following diagram, the application:

+1. Requests an authorization code which was redeemed for an access token.

+

+- Single-page applications require *Proof Key for Code Exchange* (PKCE) when using the authorization code grant flow. PKCE is supported by MSAL.

+- The OAuth 2.0 specification requires you to use an authorization code to redeem an access token only _once_.

+ If you attempt to acquire access token multiple times with the same authorization code, an error similar to the following is returned by the Microsoft identity platform. Some libraries and frameworks request the authorization code for you automatically, and requesting a code manually in such cases will also result in this error.

+In the following diagram, the application:

+

+### Certificates

+In the following diagram, the application:

+

+In the following diagram:

+

+ - Tenant: `https://login.microsoftonline.com/{tenant}/,` where `{tenant}` is either the GUID representing the tenant ID or a domain name associated with the tenant.

+In the following diagram:

+

+In the following diagram, the application:

+

+In the following diagram, the application:

+

+- You've provided a way for users to consent to the application; see [User consent](../manage-apps/user-admin-consent-overview.md#user-consent).

+- You've provided a way for the tenant admin to consent for the application; see [Administrator consent]../manage-apps/user-admin-consent-overview.md#administrator-consent).

+For more information on consent, see [Permissions and consent](v2-permissions-and-consent.md#consent).

+| Personal Microsoft accounts only | `PersonalMicrosoftAccount` |

+## March 2023

+### New articles

+- [Configure a SAML app to receive tokens with claims from an external store (preview)](custom-extension-configure-saml-app.md)

+- [Configure a custom claim provider token issuance event (preview)](custom-extension-get-started.md)

+- [Custom claims provider (preview)](custom-claims-provider-overview.md)

+- [Custom claims providers](custom-claims-provider-reference.md)

+- [Custom authentication extensions (preview)](custom-extension-overview.md)

+- [Troubleshoot your custom claims provider API (preview)](custom-extension-troubleshoot.md)

+- [Understanding application-only access](app-only-access-primer.md)

+### Updated articles

+- [ADAL to MSAL migration guide for Python](migrate-python-adal-msal.md)

+- [Handle errors and exceptions in MSAL for Python](msal-error-handling-python.md)

+- [How to migrate a JavaScript app from ADAL.js to MSAL.js](msal-compare-msal-js-and-adal-js.md)

+- [Microsoft identity platform access tokens](access-tokens.md)

+- [Microsoft Enterprise SSO plug-in for Apple devices (preview)](apple-sso-plugin.md)

+- [Restrict your Azure AD app to a set of users in an Azure AD tenant](howto-restrict-your-app-to-a-set-of-users.md)

+- [Token cache serialization in MSAL.NET](msal-net-token-cache-serialization.md)

+- [Troubleshoot publisher verification](troubleshoot-publisher-verification.md)

+- [Tutorial: Call the Microsoft Graph API from a Universal Windows Platform (UWP) application](tutorial-v2-windows-uwp.md)

+> When customizing the subject or message body, we recommend that you also enable the custom sender domain and organizational branding, otherwise an additional security disclaimer will be added to your email.

+## March 2023

+### Updated articles

+- [Move application authentication to Azure Active Directory](migrate-adfs-apps-to-azure.md)

+- [Quickstart: Create and assign a user account](add-application-portal-assign-users.md)

+- [Configure sign-in behavior using Home Realm Discovery](configure-authentication-for-federated-users-portal.md)

+- [Disable auto-acceleration sign-in](prevent-domain-hints-with-home-realm-discovery.md)

+- [Review permissions granted to enterprise applications](manage-application-permissions.md)

+- [Migrate application authentication to Azure Active Directory](migrate-application-authentication-to-azure-active-directory.md)

+- [Azure Active Directory application management: What's new](whats-new-docs.md)

+- [Configure permission classifications](configure-permission-classifications.md)

+- [Restrict access to a tenant](tenant-restrictions.md)

+- [Tutorial: Migrate Okta sign-on policies to Azure Active Directory Conditional Access](migrate-okta-sign-on-policies-to-azure-active-directory-conditional-access.md)

+- [Delete an enterprise application](delete-application-portal.md)

+- [Restore an enterprise application in Azure AD](restore-application.md)

+ Title: 'Tutorial: Azure Active Directory integration with Convercent | Microsoft Docs'

+ > These values are not real. Update these values with the actual Identifier, Sign-On URL and Relay State. Contact [Convercent Client support team](https://www.convercent.com/customers/services/customer-support) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+To configure single sign-on on **Convercent** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Convercent support team](https://www.convercent.com/customers/services/customer-support). They set this setting to have the SAML SSO connection set properly on both sides.

+In this section, you create a user called Britta Simon in Convercent. Work with [Convercent support team](https://www.convercent.com/customers/services/customer-support) to add the users in the Convercent platform. Users must be created and activated before you use single sign-on.

+ Title: Azure Active Directory SSO integration with Maximo Application Suite

+description: Learn how to configure single sign-on between Azure Active Directory and Maximo Application Suite.

+# Azure Active Directory SSO integration with Maximo Application Suite

+In this article, you learn how to integrate Maximo Application Suite with Azure Active Directory (Azure AD). Customer-Managed - IBM Maximo Application Suite is a CMMS EAM platform, which delivers intelligent asset management, monitoring, predictive maintenance and reliability in a single platform. When you integrate Maximo Application Suite with Azure AD, you can:

+* Control in Azure AD who has access to Maximo Application Suite.

+* Enable your users to be automatically signed-in to Maximo Application Suite with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+You configure and test Azure AD single sign-on for Maximo Application Suite in a test environment. Maximo Application Suite supports **SP** and **IDP** initiated single sign-on.

+## Prerequisites

+To integrate Azure Active Directory with Maximo Application Suite, you need:

+* An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Maximo Application Suite single sign-on (SSO) enabled subscription.

+## Add application and assign a test user

+Before you begin the process of configuring single sign-on, you need to add the Maximo Application Suite application from the Azure AD gallery. You need a test user account to assign to the application and test the single sign-on configuration.

+### Add Maximo Application Suite from the Azure AD gallery

+Add Maximo Application Suite from the Azure AD application gallery to configure single sign-on with Maximo Application Suite. For more information on how to add application from the gallery, see the [Quickstart: Add application from the gallery](../manage-apps/add-application-portal.md).

+### Create and assign Azure AD test user

+Follow the guidelines in the [create and assign a user account](../manage-apps/add-application-portal-assign-users.md) article to create a test user account in the Azure portal called B.Simon.

+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, and assign roles. The wizard also provides a link to the single sign-on configuration pane in the Azure portal. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides).

+## Configure Azure AD SSO

+Complete the following steps to enable Azure AD single sign-on in the Azure portal.

+1. In the Azure portal, on the **Maximo Application Suite** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, if you have **Service Provider metadata file** then perform the following steps:

+ a. Click **Upload metadata file**.

+ 

+ b. Click on **folder logo** to select the metadata file and click **Upload**.

+ 

+ c. After the metadata file is successfully uploaded, the **Identifier** and **Reply URL** values get auto populated in Basic SAML Configuration section.

+ d. If you wish to configure **SP** initiated mode, then perform the following step:

+

+ In the **Sign on URL** textbox, type a URL using the following pattern without `</path>`:

+ `https://<workspace_id>.<mas_application>.<mas_domain>`

+ > [!Note]

+ > You will get the **Service Provider metadata file** from the **Configure Maximo Application Suite SSO** section, which is explained later in the tutorial. If the **Identifier** and **Reply URL** values do not get auto populated, then fill the values manually according to your requirement. Contact [Maximo Application Suite Client support](https://www.ibm.com/mysupport/) to get these values.

+1. On the **Set-up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up Maximo Application Suite** section, copy the appropriate URL(s) based on your requirement.

+ 

+## Configure Maximo Application Suite SSO

+1. Log in to your Maximo Application Suite company site as an administrator.

+1. Go to the Suite administration and select **Configure SAML**.

+ 

+1. In the SAML Authentication page, perform the following steps:

+ 

+

+ 1. Select emailAddress as the [name-id format](../develop/single-sign-on-saml-protocol.md).

+ 1. Click **Generate file**, wait and then **Download file**. Store this metadata file and upload it in Azure AD side.

+1. Download the **Federation Metadata XML file** from the Azure portal and upload the Azure AD Federation Metadata XML document to Maximo's SAML configuration panel and save it.

+ 

+### Create Maximo Application Suite test user

+1. In a different web browser window, sign into your Maximo Application Suite company site as an administrator.

+1. Create a new user in Suite Administration under **Users** and perform the following steps:

+ 

+ 1. Select Authentication type as **SAML**.

+ 1. In the **Display Name** textbox, enter the UPN used in Azure AD as they must match.

+ 1. In the **Primary email** textbox, enter the UPN used in Azure AD.

+ > [!Note]

+ > The rest of the fields can be populated as you like with whatever permissions necessary.

+ 1. Select any **Entitlements** required for that user.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+#### SP initiated:

+* Click on **Test this application** in Azure portal. This will redirect to Maximo Application Suite Sign-on URL where you can initiate the login flow.

+* Go to Maximo Application Suite Sign-on URL directly and initiate the login flow from there.

+#### IDP initiated:

+* Click on **Test this application** in Azure portal to be taken to the Maximo login page where you need to enter in your SAML identity as a fully qualified email address. If the user has already authenticated with the IDP the Maximo Application Suite won't have to login again, and the browser will be redirected to the home page.

+* You can also use Microsoft My Apps to test the application in any mode. When you click the Maximo Application Suite tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Maximo Application Suite for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+> [!Note]

+> Screenshots are from MAS Continuous-delivery 8.9 and may differ in future versions.

+## Additional resources

+* [What is single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

+* [Plan a single sign-on deployment](../manage-apps/plan-sso-deployment.md).

+## Next steps

+Once you configure Maximo Application Suite you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with ServiceNow | Microsoft Docs'

+ a. For **Sign on URL**, enter one of the following URL patterns:

+ c. For **Reply URL**, enter one of the following URL patterns:

+> If you need to create a user manually, contact the [ServiceNow Client support team](https://support.servicenow.com/now).

+ `https://<InstanceName>-tanium.auth.<SUBDOMAIN>.amazoncognito.com/saml2/idpresponse`

+ `https://<InstanceName>.cloud.tanium.com`

+ 

+ 

+Typically, a software workload (such as an application, service, script, or container-based application) needs an identity in order to authenticate and access resources or communicate with other services. When these workloads run on Azure, you can use [managed identities](../managed-identities-azure-resources/overview.md) and the Azure platform manages the credentials for you. You can only use managed identities, however, for software workloads running in Azure. For a software workload running outside of Azure, you need to use application credentials (a secret or certificate) to access Azure AD protected resources (such as Azure, Microsoft Graph, Microsoft 365, or third-party resources). These credentials pose a security risk and have to be stored securely and rotated regularly. You also run the risk of service downtime if the credentials expire.

+You use workload identity federation to configure an [user-assigned managed identity](../managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md) or [app registration](../develop/app-objects-and-service-principals.md) in Azure AD to trust tokens from an external identity provider (IdP), such as GitHub or Google. The user-assigned managed identity or app registration in Azure AD becomes an identity for software workloads running, for example, in on-premises Kubernetes or GitHub Actions workflows. Once that trust relationship is created, your external software workload exchanges trusted tokens from the external IdP for access tokens from Microsoft identity platform. Your software workload uses that access token to access the Azure AD protected resources to which the workload has been granted access. You eliminate the maintenance burden of manually managing credentials and eliminates the risk of leaking secrets or having certificates expire.

+- Workloads running on any Kubernetes cluster (Azure Kubernetes Service (AKS), Amazon Web Services EKS, Google Kubernetes Engine (GKE), or on-premises). Establish a trust relationship between your user-assigned managed identity or app in Azure AD and a Kubernetes workload (described in the [workload identity overview](../../aks/workload-identity-overview.md)).

+- GitHub Actions. First, configure a trust relationship between your [user-assigned managed identity](workload-identity-federation-create-trust-user-assigned-managed-identity.md) or [application](workload-identity-federation-create-trust.md) in Azure AD and a GitHub repo in the Azure portal or using Microsoft Graph. Then [configure a GitHub Actions workflow](/azure/developer/github/connect-from-azure) to get an access token from Microsoft identity provider and access Azure resources.

+- Google Cloud. First, configure a trust relationship between your user-assigned managed identity or app in Azure AD and an identity in Google Cloud. Then configure your software workload running in Google Cloud to get an access token from Microsoft identity provider and access Azure AD protected resources. See [Access Azure AD protected resources from an app in Google Cloud](https://blog.identitydigest.com/azuread-federate-gcp/).

+- Workloads running in Amazon Web Services (AWS). First, configure a trust relationship between your user-assigned managed identity or app in Azure AD and an identity in Amazon Cognito. Then configure your software workload running in AWS to get an access token from Microsoft identity provider and access Azure AD protected resources. See [Workload identity federation with AWS](https://blog.identitydigest.com/azuread-federate-aws/).

+- Other workloads running in compute platforms outside of Azure. Configure a trust relationship between your [user-assigned managed identity](workload-identity-federation-create-trust-user-assigned-managed-identity.md) or [application](workload-identity-federation-create-trust.md) in Azure AD and the external IdP for your compute platform. You can use tokens issued by that platform to authenticate with Microsoft identity platform and call APIs in the Microsoft ecosystem. Use the [client credentials flow](/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#third-case-access-token-request-with-a-federated-credential) to get an access token from Microsoft identity platform, passing in the identity provider's JWT instead of creating one yourself using a stored certificate.

+- SPIFFE and SPIRE are a set of platform agnostic, open-source standards for providing identities to your software workloads deployed across platforms and cloud vendors. First, configure a trust relationship between your user-assigned managed identity or app in Azure AD and a SPIFFE ID for an external workload. Then configure your external software workload to get an access token from Microsoft identity provider and access Azure AD protected resources. See [Workload identity federation with SPIFFE and SPIRE](https://blog.identitydigest.com/azuread-federate-spiffe/).

+> [!NOTE]

+> Azure AD issued tokens may not be used for federated identity flows. The federated identity credentials flow does not support tokens issued by Azure AD.

+Create a trust relationship between the external IdP and a [user-assigned managed identity](workload-identity-federation-create-trust-user-assigned-managed-identity.md) or [application](workload-identity-federation-create-trust.md) in Azure AD. The federated identity credential is used to indicate which token from the external IdP should be trusted by your application or managed identity. You configure a federated identity either:

+- On a user-assigned managed identity through the Azure portal, Azure CLI, Azure PowerShell, Azure SDK, and Azure Resource Manager (ARM) templates. The external workload uses the access token to access Azure AD protected resources without needing to manage secrets (in supported scenarios). The [steps for configuring the trust relationship](workload-identity-federation-create-trust-user-assigned-managed-identity.md) will differ, depending on the scenario and external IdP.

+1. Microsoft identity platform checks the trust relationship on the [user-assigned managed identity](workload-identity-federation-create-trust-user-assigned-managed-identity.md) or [app registration](workload-identity-federation-create-trust.md) and validates the external token against the Open ID Connect (OIDC) issuer URL on the external IdP.

+The Microsoft identity platform stores only the first 100 signing keys when they're downloaded from the external IdP's OIDC endpoint. If the external IdP exposes more than 100 signing keys, you may experience errors when using workload identity federation.

+- How to create, delete, get, or update [federated identity credentials](workload-identity-federation-create-trust.md) on an app registration.

+- Read the [workload identity overview](../../aks/workload-identity-overview.md) to learn how to configure a Kubernetes workload to get an access token from Microsoft identity provider and access Azure AD protected resources.

+- Read the [GitHub Actions documentation](https://docs.github.com/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure) to learn more about configuring your GitHub Actions workflow to get an access token from Microsoft identity provider and access Azure AD protected resources.

+- How Azure AD uses the [OAuth 2.0 client credentials grant](/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#third-case-access-token-request-with-a-federated-credential) and a client assertion issued by another IdP to get a token.

+### Prerequisites

+- Your AKS cluster *Control plane* identity (that is, your AKS cluster name) is added to the [Contributor](../role-based-access-control/built-in-roles.md#contributor) role on the VNet and network security group.

+az aks nodepool add --name hostencrypt --cluster-name myAKSCluster --resource-group myResourceGroup -s Standard_DS2_v2 --enable-encryption-at-host

+When you upgrade by alias minor version, only a higher minor version is supported. For example, upgrading from `1.14.x` to `1.14` won't trigger an upgrade to the latest GA `1.14` patch, but upgrading to `1.15` will trigger an upgrade to the latest GA `1.15` patch. If you wish to upgrade your patch version in the same minor version, please use [auto-upgrade](https://learn.microsoft.com/azure/aks/auto-upgrade-cluster#using-cluster-auto-upgrade).

+ 5.15.48.1-8.cm2

+ 5.15.80.mshv2-hvl1.m2

+ ```

+ Title: Enable CORS policies for Azure API Management custom connector

+description: How to enable CORS policies in Azure API Management and Power Platform to test and use a custom connector from Power Platform applications.

+# Enable CORS policies for API Management custom connector

+If you've exported an API from API Management as a [custom connector](export-api-power-platform.md) in the Power Platform and want to use browser-based clients including Power Apps or Power Automate to call the API, you need to configure your API to explicitly enable cross-origin requests from Power Platform applications. This article shows you how to configure the following two necessary policy settings:

+> To call the API from the Power Apps test console, you need to configure a CORS policy in your API Management instance and create a policy in the custom connector to set an Origin header in HTTP requests. For more information, see [Enable CORS policies for custom connector](enable-cors-power-platform.md).

+Normally, maintaining an SLA around RTO is impractical for regional disasters, and you would typically design your disaster recovery strategy around RPO alone (i.e. focus on recovering data and not on minimizing interruption). With Azure, however, it's not only practical but could even be straightforward to deploy App Service for automatic geo-failovers. This lets you disaster-proof your applications further by taking care of both RTO and RPO.

+[Tutorial: Create a highly available multi-region app in Azure App Service](tutorial-multi-region-app.md)

+|Property name|Windows default value|Linux default value|Allowed values|Description|

+|-|-|-|-|

+|dnsRetryAttemptCount|1|5|1-5|Defines the number of attempts to resolve where one means no retries.|

+|dnsMaxCacheTimeout|30|0|0-60|Cache timeout defined in seconds. Setting cache to zero means you've disabled caching.|

+|dnsRetryAttemptTimeout|3|1|1-30|Timeout before retrying or failing. Timeout also defines the time to wait for secondary server results if the primary doesn't respond.|

+> * Changing name resolution behavior is not supported on Windows Container apps.

+> * To enable DNS caching on Web App for Containers and Linux-based apps, you must add the app setting `WEBSITE_ENABLE_DNS_CACHE`. This setting defaults to 30 seconds.

+- [General networking overview](./networking-features.md)

+1. Select **Add a permission**, then select **My APIs** > **\<back-end-app-name>**.

+authSettings=$(echo "$authSettings" | jq '.properties' | jq '.identityProviders.azureActiveDirectory.login += {"loginParameters":["scope=openid offline_access api://<back-end-client-id>/user_impersonation"]}')

+> [Create a secure n-tier app in Azure App Service](tutorial-secure-ntier-app.md)

+To ensure the security of data in transit to Azure Automation, we strongly encourage you to configure the use of Transport Layer Security (TLS) 1.2. The following are a list of methods or clients that communicate over HTTPS to the Automation service:

+When you delete an Automation account in Azure, all objects in the account are deleted. The objects include runbooks, modules, configurations, settings, jobs, and assets. You can [recover](delete-account.md#restore-a-deleted-automation-account) a deleted Automation account within 30 days. You can also use the following information to back up the contents of your Automation account before deleting it:

+## Data residency

+You specify a region during the creation of an Azure Automation account. Service data such as assets, configuration, logs are stored in that region and may transit or be processed in other regions within the same geography. These global endpoints are necessary to provide end-users with a high-performance, low-latency experience regardless of location. Only for the Brazil South (Sao Paulo State) region of Brazil geography, Southeast Asia region (Singapore) and East Asia region (Hongkong) of the Asia Pacific geography, we store Azure Automation data in the same region to accommodate data-residency requirements for these regions.

+| Windows (x64) | Linux (x64) |

+| Windows (x64) | Linux (x64) |

+| Windows (x64) | Linux (x64) |

+| Windows (x64) | Linux (x64) |

+In all regions except Brazil South and Southeast Asia, Azure Automation data is stored in a different region (Azure paired region) for providing Business Continuity and Disaster Recovery (BCDR). For the Brazil and Southeast Asia regions only, we now store Azure Automation data in the same region to accommodate data-residency requirements for these regions. For more information, see [Data residency](./automation-managing-data.md#data-residency).

+Use Standard, Premium, Enterprise, or Enterprise Flash tiers for production systems. Don't use the Basic tier in production. The Basic tier is a single node system with no data replication and no SLA. Also, use at least a C1 cache. C0 caches are only meant for simple dev/test scenarios because:

+## Specific guidance for the Enterprise tiers

+Because the _Enterprise_ and _Enterprise Flash_ tiers are built on Redis Enterprise rather than open-source Redis, there are some differences in development best practices. See [Best Practices for the Enterprise and Enterprise Flash tiers](cache-best-practices-enterprise-tiers.md) for more information.

+## Next steps

+The following example shows a Functions version 4.x function that uses a `CloudEvent` binding parameter:

+The following example shows a Functions version 4.x function that uses an `EventGridEvent` binding parameter:

+using Azure.Messaging.EventGrid;

+| Activity Log | Create or update function app | When app is created or updated|

+| Activity Log | Delete function app | When app is deleted|

+| Activity Log | Restart function app| When app is restarted|

+| Activity Log | Stop function app| When app is stopped|

+For information on how to use Power BI capabilities for collaboration between Azure and Azure Government, see [Cross-cloud B2B](/power-bi/enterprise/service-admin-azure-ad-b2b#cross-cloud-b2b).

+> - For DoD IL5 PA compliance scope in Azure Government DoD regions (US DoD Central and US DoD East), see **[Azure Government DoD regions IL5 audit scope](../documentation-government-overview-dod.md#us-dod-regions-il5-audit-scope).**

+> - Some services deployed in Azure Government regions US Gov Arizona, US Gov Texas, and US Gov Virginia (US Gov regions) require extra configuration to meet DoD IL5 compute and storage isolation requirements, as explained in **[Isolation guidelines for Impact Level 5 workloads](../documentation-government-impact-level-5.md).**

+> - For DoD IL5 PA compliance scope in Azure Government DoD regions US DoD Central and US DoD East (US DoD regions), see **[Azure Government DoD regions IL5 audit scope](../documentation-government-overview-dod.md#us-dod-regions-il5-audit-scope).**

+Azure Government supports applications that use Impact Level 5 (IL5) data in all available regions. IL5 requirements are defined in the [US Department of Defense (DoD) Cloud Computing Security Requirements Guide (SRG)](https://public.cyber.mil/dccs/dccs-documents/). IL5 workloads have a higher degree of impact to the DoD and must be secured to a higher standard. When you deploy these workloads on Azure Government, you can meet their isolation requirements in various ways. The guidance in this document addresses configurations and settings needed to meet the IL5 isolation requirements. We'll update this article as we enable new isolation options and the Defense Information Systems Agency (DISA) authorizes new services for IL5 data.

+In January 2017, DISA awarded the [IL5 Provisional Authorization](/azure/compliance/offerings/offering-dod-il5) (PA) to [Azure Government](https://azure.microsoft.com/global-infrastructure/government/get-started/), making it the first IL5 PA awarded to a hyperscale cloud provider. The PA covered two Azure Government regions US DoD Central and US DoD East (US DoD regions) that are [dedicated to the DoD](https://azure.microsoft.com/global-infrastructure/government/dod/). Based on DoD mission owner feedback and evolving security capabilities, Microsoft has partnered with DISA to expand the IL5 PA boundary in December 2018 to cover the remaining Azure Government regions US Gov Arizona, US Gov Texas, and US Gov Virginia (US Gov regions). For service availability in Azure Government, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=all&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-iowa,usgov-texas,usgov-virginia&rar=true).

+- For a list of services in scope for DoD IL5 PA in US Gov regions, see [Azure Government services by audit scope](./compliance/azure-services-in-fedramp-auditscope.md#azure-government-services-by-audit-scope).

+- For a list of services in scope for DoD IL5 PA in US DoD regions, see [Azure Government DoD regions IL5 audit scope](./documentation-government-overview-dod.md#us-dod-regions-il5-audit-scope).

+You need to address two key areas for Azure services in IL5 scope: compute isolation and storage isolation. We'll focus in this article on how Azure services can help you isolate the compute and storage services for IL5 data. The SRG allows for a shared management and network infrastructure. **This article is focused on Azure Government compute and storage isolation approaches for US Gov Arizona, US Gov Texas, and US Gov Virginia regions (US Gov regions).** If an Azure service is available in Azure Government DoD regions US DoD Central and US DoD East (US DoD regions) and authorized at IL5, then it is by default suitable for IL5 workloads with no extra isolation configuration required. Azure Government DoD regions are reserved for DoD agencies and their partners, enabling physical separation from non-DoD tenants by design. For more information, see [DoD in Azure Government](./documentation-government-overview-dod.md).

+In a recent PA for Azure Government, DISA approved logical separation of IL5 from other data via cryptographic means. In Azure, this approach involves data encryption via keys that are maintained in Azure Key Vault and stored in [FIPS 140 validated](/azure/compliance/offerings/offering-fips-140-2) Hardware Security Modules (HSMs). The keys are owned and managed by the IL5 system owner, also known as customer-managed keys (CMK).

+> This article tracks Azure services that have received DoD IL5 PA and that require extra configuration options to meet IL5 isolation requirements. Services with IL5 PA that do not require any extra configuration options are not mentioned in this article. For a list of services in scope for DoD IL5 PA in US Gov regions, see **[Azure Government services by audit scope](./compliance/azure-services-in-fedramp-auditscope.md#azure-government-services-by-audit-scope).**

+**Azure Government regions** US Gov Arizona, US Gov Texas, and US Gov Virginia (**US Gov regions**) are intended for US federal (including DoD), state, and local government agencies, and their partners. **Azure Government DoD regions** US DoD Central and US DoD East (**US DoD regions**) are reserved for exclusive DoD use. Separate DoD IL5 PAs are in place for US Gov regions vs. US DoD regions. For service availability in Azure Government, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=all&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia&rar=true).

+The primary differences between DoD IL5 PAs that are in place for US Gov regions vs. US DoD regions are:

+- **IL5 compliance scope:** US Gov regions have many more services authorized provisionally at DoD IL5, which in turn enables DoD mission owners and their partners to deploy more realistic applications in these regions.

+ - For a complete list of services in scope for DoD IL5 PA in US Gov regions, see [Azure Government services by audit scope](./compliance/azure-services-in-fedramp-auditscope.md#azure-government-services-by-audit-scope).

+ - For a complete list of services in scope for DoD IL5 in US DoD regions, see [Azure Government DoD regions IL5 audit scope](#us-dod-regions-il5-audit-scope) in this article.

+- **IL5 configuration:** US DoD regions are reserved for exclusive DoD use. Therefore, no extra configuration is needed in US DoD regions when deploying Azure services intended for IL5 workloads. In contrast, some Azure services deployed in US Gov regions require extra configuration to meet DoD IL5 compute and storage isolation requirements, as explained in [Isolation guidelines for Impact Level 5 workloads](./documentation-government-impact-level-5.md).

+> If you are subject to DoD IL5 requirements, we recommend that you prioritize US Gov regions for your workloads, as follows:

+> - **New deployments:** Choose US Gov regions for your new deployments. Doing so will allow you to benefit from the latest cloud innovations while meeting your DoD IL5 isolation requirements.

+> - **Existing deployments:** If you have existing deployments in US DoD regions, we encourage you to migrate these workloads to US Gov regions to take advantage of additional services.

+## US Gov regions IL5 audit scope

+For a complete list of services in scope for DoD IL5 PA in US Gov regions (US Gov Arizona, US Gov Texas, and US Gov Virginia), see [Azure Government services by audit scope](./compliance/azure-services-in-fedramp-auditscope.md#azure-government-services-by-audit-scope).

+## US DoD regions IL5 audit scope

+The following services are in scope for DoD IL5 PA in US DoD regions (US DoD Central and US DoD East):

+Azure Government DoD regions US DoD Central and US DoD East (US DoD regions) are physically separated Azure Government regions reserved for exclusive use by the DoD. They reside on the same isolated network as Azure Government regions US Gov Arizona, US Gov Texas, and US Gov Virginia (US Gov regions) and use the same identity model. Both the network and identity model are separate from Azure commercial.

+Azure Government is a US government community cloud providing services for federal, state and local government customers, tribal entities, and other entities subject to various US government regulations such as CJIS, ITAR, and others. All Azure Government regions are designed to meet the security requirements for DoD IL5 workloads. They are deployed on a separate and isolated network and use a separate identity model from Azure commercial regions. US DoD regions achieve DoD IL5 tenant separation requirements by being dedicated exclusively to DoD. In US Gov regions , some services require extra configuration to meet DoD IL5 compute and storage isolation requirements, as explained in [Isolation guidelines for Impact Level 5 workloads](./documentation-government-impact-level-5.md).

+### How do US Gov regions support IL5 data?

+Azure provides [extensive support for tenant isolation](./azure-secure-isolation-guidance.md) across compute, storage, and networking services to segregate each customer's applications and data. This approach provides the scale and economic benefits of multi-tenant cloud services while rigorously helping prevent other customers from accessing your data or applications. Some Azure services deployed in US Gov regions require extra configuration to meet DoD IL5 compute and storage isolation requirements, as explained in [Isolation guidelines for Impact Level 5 workloads](./documentation-government-impact-level-5.md).

+For a complete list of services in scope for DoD IL5 PA in US Gov regions, see [Azure Government services by audit scope](./compliance/azure-services-in-fedramp-auditscope.md#azure-government-services-by-audit-scope). For a complete list of services in scope for DoD IL5 PA in US DoD regions, see [Azure Government DoD regions IL5 audit scope](#us-dod-regions-il5-audit-scope) in this article.

+> - For DoD IL5 PA compliance scope in Azure Government DoD regions (US DoD Central and US DoD East), see **[Azure Government DoD regions IL5 audit scope](./documentation-government-overview-dod.md#us-dod-regions-il5-audit-scope).**

+The following are some tips to keep your Azure Maps application secure. When using Azure, be sure to familiarize yourself with the security tools available to you. For more information, See the [introduction to Azure security].

+Hackers gaining access to your account could potentially make unlimited billable transactions, resulting in unexpected costs and decreased performance due to QPS limits.

+When considering best practices for securing your Azure Maps applications, you need to understand the different authentication options available.

+When creating publicly facing client applications with Azure Maps, you must ensure that your authentication secrets aren't publicly accessible.

+Subscription key-based authentication (Shared Key) can be used in either client side applications or web services, however it's the least secure approach to securing your application or web service. The reason is the key is easily obtained from an HTTP request and grants access to all Azure Maps REST API available in the SKU (Pricing Tier). If you do use subscription keys, be sure to [rotate them regularly] and keep in mind that Shared Key doesn't allow for configurable lifetime, it must be done manually. You should also consider using [Shared Key authentication with Azure Key Vault], which enables you to securely store your secret in Azure.

+If using [Azure Active Directory (Azure AD) authentication] or [Shared Access Signature (SAS) Token authentication] (preview), access to Azure Maps REST APIs is authorized using [role-based access control (RBAC)]. RBAC enables you to control what access is given to the issued tokens. You should consider how long access should be granted for the tokens. Unlike Shared Key authentication, the lifetime of these tokens is configurable.

+> For more information on configuring token lifetimes, see:

+>

+> - [Configurable token lifetimes in the Microsoft identity platform (preview)]

+> - [Create SAS tokens]

+There are different security concerns between public and confidential client applications. For more information about what is considered a *public* versus *confidential* client application, see [Public client and confidential client applications] in the Microsoft identity platform documentation.

+For apps that run on devices or desktop computers or in a web browser, you should consider defining which domains have access to your Azure Map account using [Cross origin resource sharing (CORS)]. CORS instructs the clients' browser on which origins such as "https://microsoft.com" are allowed to request resources for the Azure Map account.

+For apps that run on servers (such as web services and service/daemon apps), if you prefer to avoid the overhead and complexity of managing secrets, consider [Managed Identities]. Managed identities can provide an identity for your web service to use when connecting to Azure Maps using Azure Active Directory (Azure AD) authentication. If so, your web service uses that identity to obtain the required Azure AD tokens. You should use Azure RBAC to configure what access the web service is given, using the [Least privileged roles] possible.

+> [Tutorial: Add app authentication to your web app running on Azure App Service](../app-service/scenario-secure-app-authentication-app-service.md)

+[introduction to Azure security]: ../security/fundamentals/overview.md

+[rotate them regularly]: how-to-manage-authentication.md#manage-and-rotate-shared-keys

+[Shared Key authentication with Azure Key Vault]: how-to-secure-daemon-app.md#scenario-shared-key-authentication-with-azure-key-vault

+[Azure Active Directory (Azure AD) authentication]: ../active-directory/fundamentals/active-directory-whatis.md

+[Shared Access Signature (SAS) Token authentication]: azure-maps-authentication.md#shared-access-signature-token-authentication

+[role-based access control (RBAC)]: azure-maps-authentication.md#authorization-with-role-based-access-control

+[Configurable token lifetimes in the Microsoft identity platform (preview)]: ../active-directory/develop/active-directory-configurable-token-lifetimes.md

+[Create SAS tokens]: azure-maps-authentication.md#create-sas-tokens

+[Public client and confidential client applications]: ../active-directory/develop/msal-client-applications.md

+[Cross origin resource sharing (CORS)]: azure-maps-authentication.md#cross-origin-resource-sharing-cors

+[Managed Identities]: ../active-directory/managed-identities-azure-resources/overview.md

+[Least privileged roles]: ../active-directory/roles/delegate-by-task.md

+- **Custom Properties**: A ΓÇ£key: valueΓÇ¥ object, defined in the alert rule and added to the webhook notifications.

+If the custom properties are not set in the Alert rule, this field will be null. Note: today this is only supported for Metric Alerts other alert types will contain null in this field.

+ "customProperties":{

+ "Key1": "Value1",

+ "Key2": "Value2"

+ }

+description: "Learn how to scale your resource web app, cloud service, virtual machine, or Virtual Machine Scale Set in Azure."

+Autoscale allows you to automatically scale your applications or resources based on demand. Use Autoscale to provision enough resources to support the demand on your application without over provisioning and incurring unnecessary costs.

+This article describes how to configure the autoscale settings for your resources in the Azure portal.

+Azure autoscale supports many resource types. For more information about supported resources, see [autoscale supported resources](./autoscale-overview.md#supported-services-for-autoscale).

+## Discover the autoscale settings in your subscription

+

+To discover the resources that you can autoscale, follow these steps.

+1. Open the [Azure portal.](https://portal.azure.com)

+1. Using the search bar at the top of the page, search for and select *Azure Monitor*

+1. Use the filter pane at the top to select resources a specific resource group, resource types, or a specific resource.

+ :::image type="content" source="./media/autoscale-get-started/view-resources.png" lightbox="./media/autoscale-get-started/view-resources.png" alt-text="A screenshot showing resources that can use autoscale and their statuses.":::

+ The page shows the instance count and the autoscale status for each resource. Autoscale statuses are:

+ You can also reach the scaling page by selecting **Scaling** from the **Settings** menu for each resource.

+ :::image type="content" source="./media/autoscale-get-started/scaling-page.png" lightbox="./media/autoscale-get-started/scaling-page.png" alt-text="A screenshot showing a resource overview page with the scaling menu item.":::

+## Create your first autoscale setting

+Follow the steps below to create your first autoscale setting.

+1. Open the **Autoscale** pane in Azure Monitor and select a resource that you want to scale. The following steps use an App Service plan associated with a web app. You can [create your first ASP.NET web app in Azure in 5 minutes.](../../app-service/quickstart-dotnetcore.md)

+1. The current instance count is 1. Select **Custom autoscale**.

+1. Enter a **Name** and **Resource group** or use the default.

+1. Select **Scale based on a metric**.

+1. Select **Add a rule**. to open a context pane on the right side.

+ :::image type="content" source="./media/autoscale-get-started/custom-scale.png" lightbox="./media/autoscale-get-started/custom-scale.png" alt-text="A screenshot showing the Configure tab of the Autoscale Settings page.":::

+1. The default rule scales your resource by one instance if the CPU percentage is greater than 70 percent. Keep the default values and select **Add**.

+1. You've now created your first scale-out rule. Best practice is to have at least one scale in rule. To add another rule, select **Add a rule**.

+1. Set **Operator** to *Less than*.

+1. Set **Metric threshold to trigger scale action** to *20*.

+1. Set **Operation** to *Decrease count by*.

+1. Select **Add**.

+ :::image type="content" source="./media/autoscale-get-started/scale-rule.png" lightbox="./media/autoscale-get-started/scale-rule.png" alt-text="A screenshot showing a scale rule.":::

+ You now have a scale setting that scales out and scales in based on CPU usage, but you're still limited to a maximum of one instance.

+1. Under **Instance limits** set **Maximum** to *3*

+ :::image type="content" source="./media/autoscale-get-started/instance-limits.png" lightbox="./media/autoscale-get-started/instance-limits.png" alt-text="A screenshot showing the configure tab of the autoscale setting page with configured rules.":::

+You have successfully created your first scale setting to autoscale your web app based on CPU usage. When CPU usage is greater than 70%, an additional instance is added, up to a maximum of 3 instances. When CPU usage is below 20%, an instance is removed up to a minimum of 1 instance. By default there will be 1 instance.

+## Scheduled scale conditions

+The default scale condition defines the scale rules that are active when no other scale condition is in effect. You can add scale conditions that are active on a given date and time, or that recur on a weekly basis.

+### Scale based on a repeating schedule

+Set your resource to scale to a single instance on a Sunday.

+1. Enter a description for the scale condition.

+1. Select **Scale to a specific instance count**. You can also scale based on metrics and thresholds that are specific to this scale condition.

+1. Enter *1* in the **Instance count** field.

+1. Select **Sunday**

+1. Set the **Start time** and **End time** for when the scale condition should be applied. Outside of this time range, the default scale condition applies.

+1. Select **Save**

+You have now defined a scale condition that reduces the number of instances of your resource to 1 every Sunday.

+Set Autoscale to scale differently for specific dates, when you know that there will be an unusual level of demand for the service.

+1. Select **Scale based on a metric**.

+1. Select **Add a rule** to define your scale-out and scale-in rules. Set the rules to be same as the default condition.

+1. Set the **Maximum** instance limit to *10*

+1. Set the **Default** instance limit to *3*

+1. Enter the **Start date** and **End date** for when the scale condition should be applied.

+1. Select **Save**

+You have now defined a scale condition for a specific day. When CPU usage is greater than 70%, an additional instance is added, up to a maximum of 10 instances to handle anticipated load. When CPU usage is below 20%, an instance is removed up to a minimum of 1 instance. By default, autoscale will scale to 3 instances when this scale condition becomes active.

+## Additional settings

+### View the history of your resource's scale events

+Whenever your resource is scaled up or down, an event is logged in the activity log. You can view the history of the scale events in the **Run history** tab.

+### View the scale settings for your resource

+Autoscale is an Azure Resource Manager resource. Like other resources, you can see the resource definition in JSON format. To view the autoscale settings in JSON, select the **JSON** tab.

+Autoscale uses a cool-down period with is the amount of time to wait after a scale operation before scaling again. For example, if the cooldown is 10 minutes, Autoscale won't attempt to scale again until 10 minutes after the previous scale action. The cooldown period allows the metrics to stabilize and avoids scaling more than once for the same condition. For more information, see [Autoscale evaluation steps](autoscale-understanding-settings.md#autoscale-evaluation).

+### Flapping

+Flapping refers to a loop condition that causes a series of opposing scale events. Flapping happens when one scale event triggers an opposite scale event. For example, scaling in reduces the number of instances causing the CPU to rise in the remaining instances. This in turn triggers scale out event, which causes CPU usage to drop, repeating the process. For more information, see [Flapping in Autoscale](autoscale-flapping.md) and [Troubleshooting autoscale](autoscale-troubleshoot.md)

+* Australia Central

+* Brazil South

+* East Asia

+* South Africa North

+> | automationaccounts | **Yes** | **Yes** | **Yes** [PowerShell script](../../automation/automation-disaster-recovery.md) |

+* When the application server broadcasts a 1-KB message to all connected clients, the message from the application server to the service is considered a free inbound message. The three messages sent from service to each of the clients are outbound messages and are billed.

+| level | string | _Enum:_ `"Info"`, `"Warning"`, `"Error"` | No |

+| scope | string | _Enum:_ `"Unknown"`, `"Request"`, `"Connection"`, `"User"`, `"Group"` | No |

+| errorKind | string | _Enum:_ `"Unknown"`, `"NotExisted"`, `"NotInGroup"`, `"Invalid"` | No |

+* UK South

+'url':'https://learn.microsoft.com/azure/cognitive-services/computer-vision/media/quickstarts/presentation.png'

+{'url':'https://learn.microsoft.com/azure/cognitive-services/computer-vision/media/quickstarts/presentation.png'

+After [building your schema](build-schema.md) and [creating your project](create-project.md), you will need to label your data. Labeling your data is important so your model knows which words and sentences will be associated with the intents and entities in your project. You will want to spend time labeling your utterances - introducing and refining the data that will be used to in training your models.

+ * **Label precisely**: Label each intent and entity to its right type always. Only include what you want classified and extracted, avoid unnecessary data in your labels.

+ * **Label completely**: Provide varied utterances for every intent. Label all the instances of the entity in all your utterances.

+ > List and prebuilt components are not shown in the data labeling page, and all labels here only apply to the **learned component**.

+To delete an entity:

+## Suggest utterances with Azure OpenAI

+In CLU, use Azure OpenAI to suggest utterances to add to your project using GPT models. You first need to get access and create a resource in Azure OpenAI. You'll then need to create a deployment for the GPT models. Follow the pre-requisite steps [here](../../../openai/how-to/create-resource.md).

+In the Data Labeling page:

+1. Click on the **Suggest utterances** button. A pane will open up on the right side prompting you to select your Azure OpenAI resource and deployment.

+2. On selection of an Azure OpenAI resource, click **Connect**, which allows your Language resource to have direct access to your Azure OpenAI resource. It assigns your Language resource the role of `Cognitive Services User` to your Azure OpenAI resource, which allows your current Language resource to have access to Azure OpenAI's service.

+3. Once the resource is connected, select the deployment. The recommended model for the Azure OpenAI deployment is `text-davinci-002`.

+4. Select the intent you'd like to get suggestions for. Make sure the intent you have selected has at least 5 saved utterances to be enabled for utterance suggestions. The suggestions provided by Azure OpenAI are based on the **most recent utterances** you've added for that intent.

+5. Click on **Generate utterances**. Once complete, the suggested utterances will show up with a dotted line around it, with the note *Generated by AI*. Those suggestions need to be accepted or rejected. Accepting a suggestion simply adds it to your project, as if you had added it yourself. Rejecting it deletes the suggestion entirely. Only accepted utterances will be part of your project and used for training or testing. You can accept or reject by clicking on the green check or red cancel buttons beside each utterance. You can also use the `Accept all` and `Reject all` buttons in the toolbar.

+Using this feature entails a charge to your Azure OpenAI resource for a similar number of tokens to the suggested utterances generated. Details for Azure OpenAI's pricing can be found [here](https://azure.microsoft.com/pricing/details/cognitive-services/openai-service/).

+ Title: Get local user capabilities

+description: Use Azure Communication Services SDKs to get capabilities of the local user in a call.

+# Observe user's capabilities

+Do I have permission to turn video on, do I have permission to turn mic on, do I have permission to share screen? Those are some examples of participant capabilities that you can learn from the capabilities API. Learning the capabilities can help build a user interface that only shows the buttons related to the actions the local user has permissions to.

+## Prerequisites

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- A deployed Communication Services resource. [Create a Communication Services resource](../../quickstarts/create-communication-resource.md).

+- A user access token to enable the calling client. For more information, see [Create and manage access tokens](../../quickstarts/identity/access-tokens.md).

+- Optional: Complete the quick start to [add voice calling to your application](../../quickstarts/voice-video-calling/getting-started-with-calling.md)

+## Supported Platform - Web

+## Next steps

+- [Learn how to manage video](./manage-video.md)

+- [Learn how to manage calls](./manage-calls.md)

+- [Learn how to record calls](./record-calls.md)

+| `resources.cpu` | The number of CPUs allocated to the container. | With the Consumption plan, values must adhere to the following rules:<br><br>ΓÇó greater than zero<br>ΓÇó less than or equal to 2<br>ΓÇó can be any decimal number (with a max of two decimal places)<br><br> For example, `1.25` is valid, but `1.555` is invalid.<br> The default is 0.25 CPU per container.<br><br>When you use the Consumption workload profile in the Consumption + Dedicated plan structure, the same rules apply, except CPU must be less than or equal to 4.<br><br>When you use a Dedicated workload profile in the Consumption + Dedicated plan structure, the maximum CPU must be less than or equal to the number of cores available in the profile. |

+| `resources.memory` | The amount of RAM allocated to the container. | With the Consumption plan, values must adhere to the following rules:<br><br>ΓÇó greater than zero<br>ΓÇó less than or equal to `4Gi`<br>ΓÇó can be any decimal number (with a max of two decimal places)<br><br>For example, `1.25Gi` is valid, but `1.555Gi` is invalid.<br>The default is `0.5Gi` per container.<br><br>When you use the Consumption workload profile in the Consumption + Dedicated plan structure, the same rules apply except memory must be less than or equal to `8Gi`.<br><br>When you use a dedicated workload profile in the Consumption + Dedicated plan structure, the maximum memory must be less than or equal to the amount of memory available in the profile. |

+- The total of the CPU requests in all of your containers must match one of the values in the *vCPUs* column.

+Azure creates a default route table for your virtual networks on create. By implementing a user-defined route table, you can control how traffic is routed within your virtual network. In this guide, your setup UDR on the Container Apps virtual network to restrict outbound traffic with Azure Firewall.

+You can also use a NAT gateway or any other third party appliances instead of Azure Firewall.

+* **Internal environment**: An internal container app environment on the workload profiles architecture that's integrated with a custom virtual network. When you create an internal container app environment, your container app environment has no public IP addresses, and all traffic is routed through the virtual network. For more information, see the [guide for how to create a container app environment on the workload profiles architecture](./workload-profiles-manage-cli.md).

+* **`curl` support**: Your container app must have a container that supports `curl` commands. You use `curl` to verify the container app is deployed correctly. The *helloworld* container from the sample container image already supports `curl` commands.

+1. Open the virtual network that's integrated with your app in the [Azure portal](https://portal.azure.com).

+ | **Name** | Enter **AzureFirewallSubnet**. |

+Your virtual networks in Azure have default route tables in place when you create the network. By implementing a user-defined route table, you can control how traffic is routed within your virtual network. In the following steps, you create a UDR to route all traffic to your Azure Firewall.

+1. From the menu on the left, select **Subnets**, then select **Associate** to associate your route table with the container app's subnet.

+ | **Address prefix** | Select the virtual network for your container app. |

+ | **Next hop type** | Select the subnet your for container app. |

+ > If you are using [Docker Hub registry](https://docs.docker.com/desktop/allow-list/) and want to access it through your firewall, you will need to add the following FQDNs to your rules destination list: *hub.docker.com*, *registry-1.docker.io*, and *production.cloudflare.docker.com*.

+1. From the menu on the left, select **Console**, then select your container that supports the `curl` command. If you're using the *helloworld* container from the sample container image quickstart, you can run the `curl` command.

+1. Run `curl -s https://<FQDN_ADDRESS>` for a URL that doesn't match any of your destination rules such as `example.com`. The example command would be `curl -s https://example.com`. You should get no response, which indicates that your firewall has blocked the request.

+# Protect Azure Container Apps with Web Application Firewall on Application Gateway

+- Security layers

+- **Internal environment with custom VNet**: Have a container app that is on an internal environment and integrated with a custom virtual network. For more information on how to create a custom virtual network integrated app, see [provide a virtual network to an internal Azure Container Apps environment](./vnet-custom-internal.md).

+- **Security certificates**: If you must use TLS/SSL encryption to the application gateway, a valid public certificate that's used to bind to your application gateway is required.

+Use the following steps to retrieve the values of the **default domain** and the **static IP** to set up your Private DNS Zone.

+1. On the *Overview* window for your container app environment resource, select **JSON View** in the upper right-hand corner of the page to view the JSON representation of the container apps environment.

+1. On the Azure portal menu or the *Home* page, select **Create a resource**.

+1. Select the **Virtual network links** window from the menu on the left side of the page.

+- Virtual Machine Scale Sets

+1. Open a new tab and navigate to your container app.

+## Networking

+When using workload profiles in the Consumption + Dedicated plan structure, additional networking features to fully secure your ingress/egress networking traffic such as user defined routes are available. To learn more about what networking features are supported, see [networking concepts](./networking.md), and for steps on how to secure your network with Container Apps, see the [lock down your Container App environment section](./networking.md#lock-down-your-container-app-environment).

+- [Python 3.7+](https://www.python.org/downloads/).

+Now let's clone an API for Cassandra app from GitHub, set the connection string, and run it. You see how easy it's to work with data programmatically.

+ `'contactPoint': 'cosmos-db-quickstarts.cassandra.cosmosdb.azure.com'`

+1. Paste the PORT value from the portal over `<FILLME>` on line 12.

+ Line 12 should now look similar to

+ `'port': 10350,`

+In this quickstart, you learned how to create an Azure Cosmos DB account with API for Cassandra, and run a Cassandra Python app that creates a Cassandra database and container. You can now import other data into your Azure Cosmos DB account.

+ keytool -import -alias emulator_cert -keystore -file ~/emulatorcert.crt -storepass changeit -noprompt

+Import-Module "$env:ProgramFiles\Azure Cosmos DB Emulator\PSModules\Microsoft.Azure.CosmosDB.Emulator"

+$env:PSModulePath += ";$env:ProgramFiles\Azure Cosmos DB Emulator\PSModules"

+ Title: Overview of indexing

+description: Understand how indexing works in Azure Cosmos DB. Also explore how different types of indexes such as range, spatial, and composite are supported.

+# Overview of indexing in Azure Cosmos DB

+The goal of this article is to explain how Azure Cosmos DB indexes data and how it uses indexes to improve query performance. It's recommended to go through this section before exploring how to customize [indexing policies](index-policy.md).

+Every time an item is stored in a container, its content is projected as a JSON document, then converted into a tree representation. This conversion means that every property of that item gets represented as a node in a tree. A pseudo root node is created as a parent to all the first-level properties of the item. The leaf nodes contain the actual scalar values carried by an item.

+{

+ "locations": [

+ { "country": "Germany", "city": "Berlin" },

+ { "country": "France", "city": "Paris" }

+ ],

+ "headquarters": { "country": "Belgium", "employees": 250 },

+ "exports": [

+ { "city": "Moscow" },

+ { "city": "Athens" }

+ ]

+}

+This tree represents the example JSON item:

+The reason why Azure Cosmos DB transforms items into trees is because it allows the system to reference properties using their paths within those trees. To get the path for a property, we can traverse the tree from the root node to that property, and concatenate the labels of each traversed node.

+Here are the paths for each property from the example item described previously:

+- `/locations/0/country`: "Germany"

+- `/locations/0/city`: "Berlin"

+- `/locations/1/country`: "France"

+- `/locations/1/city`: "Paris"

+- `/headquarters/country`: "Belgium"

+- `/headquarters/employees`: 250

+- `/exports/0/city`: "Moscow"

+- `/exports/1/city`: "Athens"

+Azure Cosmos DB effectively indexes each property's path and its corresponding value when an item is written.

+## Types of indexes

+ SELECT * FROM container c WHERE c.property = 'value'

+ ```sql

+ SELECT * FROM c WHERE c.property IN ("value1", "value2", "value3")

+ ```

+- Equality match on an array element

+ ```sql

+ ```

+ ```sql

+ SELECT * FROM container c WHERE c.property > 'value'

+ ```

+ > [!NOTE]

+ > (works for `>`, `<`, `>=`, `<=`, `!=`)

+ ```sql

+ SELECT * FROM c WHERE IS_DEFINED(c.property)

+ ```

+ ```sql

+ SELECT * FROM c WHERE CONTAINS(c.property, "value")

+ ```

+ ```sql

+ SELECT * FROM c WHERE STRINGEQUALS(c.property, "value")

+ ```

+ ```sql

+ SELECT * FROM container c ORDER BY c.property

+ ```

+ ```sql

+ SELECT child FROM container c JOIN child IN c.properties WHERE child = 'value'

+ ```

+ ```sql

+ SELECT * FROM container c WHERE ST_DISTANCE(c.property, { "type": "Point", "coordinates": [0.0, 10.0] }) < 40

+ ```

+ ```sql

+ SELECT * FROM container c WHERE ST_WITHIN(c.property, {"type": "Point", "coordinates": [0.0, 10.0] })

+ ```

+ ```sql

+ SELECT * FROM c WHERE ST_INTERSECTS(c.property, { 'type':'Polygon', 'coordinates': [[ [31.8, -5], [32, -5], [31.8, -5] ]] })

+ ```

+**Composite** indexes increase the efficiency when you're performing operations on multiple fields. The composite index type is used for:

+ ```sql

+ SELECT * FROM container c ORDER BY c.property1, c.property2

+ ```

+ ```sql

+ SELECT * FROM container c WHERE c.property1 = 'value' ORDER BY c.property1, c.property2

+ ```

+- Queries with a filter on two or more properties were at least one property is an equality filter

+ ```sql

+ SELECT * FROM container c WHERE c.property1 = 'value' AND c.property2 > 'value'

+ ```

+As long as one filter predicate uses one of the index type, the query engine evaluates that first before scanning the rest. For example, if you have a SQL query such as `SELECT * FROM c WHERE c.firstName = "Andrew" and CONTAINS(c.lastName, "Liu")`

+- The above query will first filter for entries where firstName = "Andrew" by using the index. It then pass all of the firstName = "Andrew" entries through a subsequent pipeline to evaluate the CONTAINS filter predicate.

+- You can speed up queries and avoid full container scans when using functions that perform a full scan like CONTAINS. You can add more filter predicates that use the index to speed up these queries. The order of filter clauses isn't important. The query engine figures out which predicates are more selective and run the query accordingly.

+When you index property paths, the query engine automatically uses the index as efficiently as possible. Aside from indexing new property paths, you don't need to configure anything to optimize how queries use the index. A query's RU charge is a combination of both the RU charge from index usage and the RU charge from loading items.

+Here's a table that summarizes the different ways indexes are used in Azure Cosmos DB:

+| Index lookup type | Description | Common Examples | RU charge from index usage | RU charges from loading items from transactional data store |

+When writing queries, you should use filter predicate that uses the index as efficiently as possible. For example, if either `StartsWith` or `Contains` would work for your use case, you should opt for `StartsWith` since it does a precise index scan instead of a full index scan.

+In this section, we cover more details about how queries use indexes. This level of detail isn't necessary to learn to get started with Azure Cosmos DB but is documented in detail for curious users. We reference the example item shared earlier in this document:

+{

+ "id": 1,

+ "locations": [

+ { "country": "Germany", "city": "Berlin" },

+ { "country": "France", "city": "Paris" }

+ ],

+ "headquarters": { "country": "Belgium", "employees": 250 },

+ "exports": [

+ { "city": "Moscow" },

+ { "city": "Athens" }

+ ]

+}

+{

+ "id": 2,

+ "locations": [

+ { "country": "Ireland", "city": "Dublin" }

+ ],

+ "headquarters": { "country": "Belgium", "employees": 200 },

+ "exports": [

+ { "city": "Moscow" },

+ { "city": "Athens" },

+ { "city": "London" }

+ ]

+}

+Azure Cosmos DB uses an inverted index. The index works by mapping each JSON path to the set of items that contain that value. The item ID mapping is represented across many different index pages for the container. Here's a sample diagram of an inverted index for a container that includes the two example items:

+| /headquarters/country | Belgium | 1, 2 |

+Consider the following query:

+The query predicate (filtering on items where any location has "France" as its country/region) would match the path highlighted in this diagram:

+Since this query has an equality filter, after traversing this tree, we can quickly identify the index pages that contain the query results. In this case, the query engine would read index pages that contain Item 1. An index seek is the most efficient way to use the index. With an index seek, we only read the necessary index pages and load only the items in the query results. Therefore, the index lookup time and RU charge from index lookup are incredibly low, regardless of the total data volume.

+Consider the following query:

+Consider the following query:

+The query predicate (filtering on items that have headquarters in a location that start with case-insensitive "United") can be evaluated with an expanded index scan of the `headquarters/country` path. Operations that do an expanded index scan have optimizations that can help avoid needs to scan every index page but are slightly more expensive than a precise index scan's binary search.

+For example, when evaluating case-insensitive `StartsWith`, the query engine checks the index for different possible combinations of uppercase and lowercase values. This optimization allows the query engine to avoid reading most index pages. Different system functions have different optimizations that they can use to avoid reading every index page, so they're broadly categorized as expanded index scan.

+Consider the following query:

+The query predicate (filtering on items that have headquarters in a location that contains "United") can be evaluated with an index scan of the `headquarters/country` path. Unlike a precise index scan, a full index scan always scans through the distinct set of possible values to identify the index pages where there are results. In this case, `Contains` is run on the index. The index lookup time and RU charge for index scans increases as the cardinality of the path increases. In other words, the more possible distinct values that the query engine needs to scan, the higher the latency and RU charge involved in doing a full index scan.

+For example, consider two properties: `town` and `country`. The cardinality of town is 5,000 and the cardinality of `country` is 200. Here are two example queries that each have a [Contains](sql-query-contains.md) system function that does a full index scan on the `town` property. The first query uses more RUs than the second query because the cardinality of town is higher than `country`.

+SELECT *

+FROM c

+WHERE CONTAINS(c.town, "Red", false)

+SELECT *

+FROM c

+WHERE CONTAINS(c.country, "States", false)

+In some cases, the query engine may not be able to evaluate a query filter using the index. In this case, the query engine needs to load all items from the transactional store in order to evaluate the query filter. Full scans don't use the index and have an RU charge that increases linearly with the total data size. Luckily, operations that require full scans are rare.

+Queries with aggregate functions must rely exclusively on the index in order to use it.

+In some cases, the index can return false positives. For example, when evaluating `Contains` on the index, the number of matches in the index may exceed the number of query results. The query engine loads all index matches, evaluate the filter on the loaded items, and return only the correct results.

+For most queries, loading false positive index matches don't have any noticeable effect on index utilization.

+The `Contains` system function may return some false positive matches, so the query engine needs to verify whether each loaded item matches the filter expression. In this example, the query engine may only need to load an extra few items, so the effect on index utilization and RU charge is minimal.

+Like in the first example, the `Contains` system function may return some false positive matches. Unlike the `SELECT *` query, however, the `Count` query can't evaluate the filter expression on the loaded items to verify all index matches. The `Count` query must rely exclusively on the index, so if there's a chance a filter expression returns false positive matches, the query engine resorts to a full scan.

+- Requests that are part of a [transactional batch](./nosql/transactional-batch.md) or in [bulk mode](./nosql/how-to-migrate-from-bulk-executor-library.md#enable-bulk-support) don't populate the item cache

+[Session consistency](consistency-levels.md#session-consistency) is the most widely used consistency level for both single region and globally distributed Azure Cosmos DB accounts. With session consistency, single client sessions can read their own writes. Any reads with session consistency that don't have a matching session token will incur RU charges. This includes the first request for a given item or query when the client application is started or restarted, unless you explicitly pass a valid session token. Clients outside of the session performing writes will see eventual consistency when they are using the integrated cache.

+ > [Open this project in GitHub Codespaces](https://github.com/codespaces/new?hide_repo_select=true&ref=main&repo=611024069)

+1. In the **server/** directory, create a new **.env** file.

+1. In the **server/.env** file, add an environment variable for this value:

+ | `CONNECTION_STRING` | The connection string to the Azure Cosmos DB for MongoDB vCore cluster. For now, use `mongodb://localhost:27017?directConnection=true`. |

+1. In the **client/** directory, create a new **.env** file.

+1. In the **client/.env** file, add an environment variable for this value:

+ | Environment Variable | Value |

+ | | |

+ | `CONNECTION_STRING` | The connection string to the Azure Cosmos DB for MongoDB vCore cluster. Use the same connection string you used with the mongo shell:

+Diagnostic settings in Azure are used to collect resource logs. Resources emit Azure resource Logs and provide rich, frequent data about the operation of that resource. These logs are captured per request and they're also referred to as "data plane logs". Some examples of the data plane operations include delete, insert, and readFeed. The content of these logs varies by resource type.

+ | **Ca/ssandraRequests** | Cassandra | Logs user-initiated requests from the front end to serve requests to Azure Cosmos DB for Cassandra. When you enable this category, make sure to disable DataPlaneRequests. | `operationName`, `requestCharge`, `piiCommandText` |

+ | **PartitionKeyStatistics** | All APIs | Logs the statistics of logical partition keys by representing the estimated storage size (KB) of the partition keys. This table is useful when troubleshooting storage skews. This PartitionKeyStatistics log is only emitted if the following conditions are true: 1. At least 1% of the documents in the physical partition have same logical partition key. 2. Out of all the keys in the physical partition, the PartitionKeyStatistics log captures the top three keys with largest storage size. </li></ul> If the previous conditions aren't met, the partition key statistics data isn't available. It's okay if the above conditions aren't met for your account, which typically indicates you have no logical partition storage skew. **Note**: The estimated size of the partition keys is calculated using a sampling approach that assumes the documents in the physical partition are roughly the same size. If the document sizes aren't uniform in the physical partition, the estimated partition key size may not be accurate. | `subscriptionId`, `regionName`, `partitionKey`, `sizeKB` |

+Azure Cosmos DB provides advanced logging for detailed troubleshooting. By enabling full-text query, you're able to view the deobfuscated query for all requests within your Azure Cosmos DB account. You also give permission for Azure Cosmos DB to access and surface this data in your logs.

+2. Select `Enable`. This setting is applied within a few minutes. All newly ingested logs have the full-text or PIICommand text for each request.

+1. Query the resource using the REST API and [`az rest`](/cli/azure/reference-index#az-rest) with an HTTP `GET` verb to check if full-text query is already enabled.

+ --query "{accountName:name,fullTextQuery:{state:properties.diagnosticLogSettings.enableFullTextQuery}}"

+ ```

+ If full-text query isn't enabled, the output would be similar to this example.

+ ```json

+ {

+ "accountName": "<account-name>",

+ "fullTextQuery": {

+ "state": "None"

+ }

+ }

+ > [!NOTE]

+ > If you are using Azure CLI within a PowerShell prompt, you will need to escape the double-quotes using a backslash (`\`) character.

+ --query "{accountName:name,fullTextQuery:{state:properties.diagnosticLogSettings.enableFullTextQuery}}"

+ "accountName": "<account-name>",

+ "fullTextQuery": {

+ "state": "True"

+ }

+database = client.get_database_client(database=database_id)

+lww_conflict_resolution_policy = {'mode': 'LastWriterWins', 'conflictResolutionPath': '/regionId'}

+lww_container = database.create_container(id=lww_container_id, partition_key=PartitionKey(path="/id"),

+ conflict_resolution_policy=lww_conflict_resolution_policy)

+database = client.get_database_client(database=database_id)

+udp_custom_resolution_policy = {'mode': 'Custom' }

+udp_container = database.create_container(id=udp_container_id, partition_key=PartitionKey(path="/id"),

+ conflict_resolution_policy=udp_custom_resolution_policy)

+database = client.get_database_client(database=database_id)

+manual_resolution_policy = {'mode': 'Custom'}

+manual_container = database.create_container(id=manual_container_id, partition_key=PartitionKey(path="/id"),

+ conflict_resolution_policy=manual_resolution_policy)

+conflicts_iterator = iter(container.list_conflicts())

+public record SalesOrder(string id, string customerId, int ttl);

+> [!IMPORTANT]

+> The query language is only used to query items in Azure Cosmos DB for NoSQL. You cannot use the query language to perform operations (Create, Update, Delete, etc.) on items.

+## Item examples

+> [!NOTE]

+> You must specify a partition key when performing operations against a specific item.

+The [Collection CRUD Samples](https://github.com/Azure/azure-documentdb-jav#include-exclude-paths) conceptual articles.

+The [IndexManagement](https://github.com/Azure/azure-cosmos-js/blob/master/samples/IndexManagement.ts) file shows how to manage indexing. To learn about indexing in Azure Cosmos DB before running the following samples, see [indexing policies](../index-policy.md), [indexing types](../index-overview.md#types-of-indexes), and [indexing paths](../index-policy.md#include-exclude-paths) conceptual articles.

+The [index_management.py](https://github.com/Azure/azure-sdk-for-python/blob/master/sdk/cosmos/azure-cosmos/samples/index_management.py) Python sample shows how to do the following tasks. To learn about indexing in Azure Cosmos DB before running the following samples, see [indexing policies](../index-policy.md), [indexing types](../index-overview.md#types-of-indexes), and [indexing paths](../index-policy.md#include-exclude-paths) conceptual articles.

+It's important to make sure the application design is following our [guide for designing resilient applications with Azure Cosmos DB SDKs](conceptual-resilient-sdk-applications.md) to make sure it correctly reacts to different network conditions. Your application should have retries in place for service unavailable errors.

+* What is the effect measured in volume of operations affected compared to the operations succeeding? Is it within the service SLAs?

+In certain conditions, the HTTP 503 Service Unavailable error includes a substatus code that helps to identify the cause.

+| Substatus Code | Description |

+| 20005 | The service unavailable error happened because client machine's thread pool is starved. Verify any potential [blocking async calls in your code](https://github.com/davidfowl/AspNetCoreDiagnosticScenarios/blob/master/AsyncGuidance.md#avoid-using-taskresult-and-taskwait). |

+| 20006 | The connection between the service and client was interrupted or terminated in an unexpected manner. |

+ Title: Get started with partial document update

+description: Learn how to use the partial document update feature with the .NET, Java, and Node SDKs for Azure Cosmos DB for NoSQL.

+## Prerequisites

+- An existing Azure Cosmos DB account.

+ - If you have an Azure subscription, [create a new account](nosql/how-to-create-account.md?tabs=azure-portal).

+ - If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+ - Alternatively, you can [try Azure Cosmos DB free](try-free.md) before you commit.

+ PatchOperation.Add("/color", "silver"),

+ PatchOperation.Increment("/price", 50.00),

+ PatchOperation.Add("/tags/-", "featured-bikes")

+description: Learn how to conditionally modify a document using the partial document update feature in Azure Cosmos DB for NoSQL.

+ "id": "e379aea5-63f5-4623-9a9b-4cd9b33b91d5",

+ "name": "R-410 Road Bicycle",

+ "price": 455.95,

+ "inventory": {

+ "quantity": 15

+ },

+ "used": false,

+ "categoryId": "road-bikes",

+ "tags": [

+ "r-series"

+ ]

+ { "op": "add", "path": "/color", "value": "silver" },

+ { "op": "remove", "path": "/used" },

+ { "op": "set", "path": "/price", "value": 355.45 }

+ { "op": "incr", "path": "/inventory/quantity", "value": 10 },

+ { "op": "add", "path": "/tags/-", "value": "featured-bikes" }

+ "id": "e379aea5-63f5-4623-9a9b-4cd9b33b91d5",

+ "name": "R-410 Road Bicycle",

+ "price": 355.45,

+ "inventory": {

+ "quantity": 25

+ },

+ "categoryId": "road-bikes",

+ "color": "silver",

+ "tags": [

+ "r-series",

+ "featured-bikes"

+ ]

+- **Conditional Update**: For the aforementioned modes, it's also possible to add a SQL-like filter predicate (for example, `from c where c.taskNum = 3`) such that the operation fails if the precondition specified in the predicate isn't satisfied.

+Since Patch requests were made to nonconflicting paths within the document, these requests are conflict resolved automatically and transparently (as opposed to Last Writer Wins at a document level).

+Satellite imagery makes up a foundational pillar of agriculture data. To support scalable ingestion of geometry-clipped imagery, we've partnered with Sentinel Hub by Sinergise to provide a seamless bring your own license (BYOL) experience. This BYOL experience allows you to manage your own costs while keeping the convenience of storing your field-clipped historical and up to date imagery in the linked context of the relevant fields.

+## Prerequisites

+* To search and ingest imagery, you need a user account that has suitable subscription entitlement with Sentinel Hub: https://www.sentinel-hub.com/pricing/

+* Read the Sinergise Sentinel Hub terms of service and privacy policy: https://www.sentinel-hub.com/tos/

+* Have your providerClientId and providerClientSecret ready

+## Ingesting boundary-clipped imagery

+Using satellite data in Data Manager for Agriculture involves following steps:

+### Sentinel-2

+[Sentinel-2](https://sentinel.esa.int/web/sentinel/missions/sentinel-2) is a satellite constellation launched by 'European Space Agency' (ESA) under the Copernicus mission. This constellation has a pair of satellites and carries a Multi-Spectral Instrument (MSI) payload that samples 13 spectral bands: four bands at 10 m, six bands at 20 m and three bands at 60-m spatial resolution.

+> Sentinel-2 has two products: Level 1 (top of the atmosphere) data and its atmospherically corrected variant Level 2 (bottom of the atmosphere) data. We support ingesting and retrieving Sentinel_2_L2A and Sentinel_2_L1C data from Sentinel 2.

+### Image names and resolutions

+The image names and resolutions supported by APIs used to ingest and read satellite data (for Sentinel-2) in our service:

+ * Only 10 m, 20 m and 60-m images are supported.

+| Exempt security recommendations | - | - | Γ£ö | Γ£ö | Γ£ö |

+- [Monitor partner security solutions](./partner-integration.md)

+## April 2023

+Updates in April include:

+- [Changes in the recommendation "Machines should be configured securely"](#changes-in-the-recommendation-machines-should-be-configured-securely)

+### Changes in the recommendation "Machines should be configured securely"

+The recommendation `Machines should be configured securely` was updated. The update improves the performance and stability of the recommendation and aligns its experience with the generic behavior of Defender for Cloud's recommendations.

+As part of this update, the recommendation's ID was changed from `181ac480-f7c4-544b-9865-11b8ffe87f47` to `c476dc48-8110-4139-91af-c8d940896b98`.

+No action is required on the customer side, and there's no expected impact on the secure score.

+To focus the Azure device inventory on devices that are in your IoT/OT scope, you will need to manually edit the subnet list to include only the locally monitored subnets that are in your IoT/OT scope. Once the subnets have been configured, the network location of the devices is shown in the *Network location* (Public preview) column in the Azure device inventory. All of the devices associated with the listed subnets will be displayed as *local*, while devices associated with detected subnets not included in the list will be displayed as *routed*.

+**To configure your subnets in the Azure portal**:

+1. In the Azure portal, go to **Sites and sensors** > **Sensor settings**.

+1. Under **Subnets**, review the detected subnets. To focus the device inventory and view local devices in the inventory, delete any subnets that are not in your IoT/OT scope by selecting the options menu (...) on any subnet you want to delete.

+1. To modify additional settings, select any subnet and then select **Edit** for the following options:

+ - Select **Import subnets** to import a comma-separated list of subnet IP addresses and masks. Select **Export subnets** to export a list of currently configured data, or **Clear all** to start from scratch.

+ - Enter values in the **IP Address**, **Mask**, and **Name** fields to add subnet details manually. Select **Add subnet** to add additional subnets as needed.

+> [!NOTE]

+> Noted features listed below are in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include other legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+|**Network location** (Public preview) | The device's network location. Displays whether the device is defined as *local* or *routed*, according to the configured subnets. |

+After [onboarding](onboard-sensors.md) a new OT network sensor to Microsoft Defender for IoT, define the sensor's subnet settings directly on the OT sensor console to determine how devices are displayed in the sensor's [device map](how-to-work-with-the-sensor-device-map.md) and the [Azure device inventory](device-inventory.md).

+- **In the device map**, IT devices are automatically aggregated by subnet, where you can expand and collapse each subnet view to drill down as needed.

+- **In the Azure device inventory**, once the subnets have been configured, use the *Network location* (Public preview) filter to view *local* or *routed* devices as defined in your subnets list. All of the devices associated with the listed subnets will be displayed as *local*, while devices associated with detected subnets not included in the list will be displayed as *routed*.

+> [!TIP]

+> When you're ready to start managing your OT sensor settings at scale, define subnets from the Azure portal. Once you apply settings from the Azure portal, settings on the sensor console are read-only. For more information, see [Configure OT sensor settings from the Azure portal (Public preview)](configure-sensor-settings-portal.md).

+While the OT network sensor automatically learns the subnets in your network, we recommend confirming the learned settings and updating them as needed to optimize your map views and device inventory. Any subnets not listed as subnets are treated as external networks.

+> If sensor settings have already been applied from the Azure portal, the subnet settings on the individual sensor will be read-only and are managed from the Azure portal.

+**To configure your subnets on a locally managed sensor**:

+1. Sign into your OT sensor as an Admin user and select **System settings** > **Basic** > **Subnets**.

+1. Disable the **Auto subnet learning** setting to manually edit the subnets.

+1. Review the discovered subnets list and delete any subnets unrelated to your IoT/OT network scope. We recommend giving each subnet a meaningful name to specify the network role. Subnet names can have up to 60 characters.

+ Once the **Auto subnet learning** setting is disabled and the subnet list has been edited to include only the locally monitored subnets that are in your IoT/OT scope, you can filter the Azure device inventory by *Network location* to view only the devices defined as *local*.

+ |**Import subnets** | Import a .CSV file of subnet definitions. The subnet information is updated with the information that you imported. If you import an empty field, you'll lose the data in that field. |

+ |**Clear all** | Clear all currently defined subnets. |

+ |**Auto subnet learning** | Selected by default. Clear this option to define your subnets manually instead of having them automatically detected by your OT sensor as new devices are detected. |

+ |**ICS subnet** | Read-only. ICS/OT subnets are marked automatically when the system recognizes OT activity or protocols. |

+1. Copy the public ranges that are private, and add them to the subnet list. For more information, see [Define OT and IoT subnets](how-to-control-what-traffic-is-monitored.md#define-ot-and-iot-subnets).

+| **No subnets configured** | No subnets are currently configured in your network. <br /><br /> We recommend configuring subnets for the ability to differentiate between OT and IT devices on the map. | - **Open Subnet Configuration** and [configure subnets](how-to-control-what-traffic-is-monitored.md#define-ot-and-iot-subnets). <br />- **Dismiss**: Remove the notification. |**Dismiss** |

+| **New subnets** | New subnets were discovered. |- **Learn**: Automatically add the subnet.<br />- **Open Subnet Configuration**: Add all missing subnet information.<br />- **Dismiss**: <br />Remove the notification. |**Dismiss** |

+| **OT networks** | **Cloud features**: <br>- [Microsoft Sentinel: Microsoft Defender for IoT solution version 2.0.2](#microsoft-sentinel-microsoft-defender-for-iot-solution-version-202) <br>- [Download updates from the Sites and sensors page (Public preview)](#download-updates-from-the-sites-and-sensors-page-public-preview) <br>- [Alerts page GA in the Azure portal](#alerts-ga-in-the-azure-portal) <br>- [Device inventory GA in the Azure portal](#device-inventory-ga-in-the-azure-portal) <br>- [Device inventory grouping enhancements (Public preview)](#device-inventory-grouping-enhancements-public-preview) <br>- [Focused inventory in the Azure device inventory (Public preview)](#focused-inventory-in-the-azure-device-inventory-public-preview) <br><br> **Sensor version 22.2.3**: [Configure OT sensor settings from the Azure portal (Public preview)](#configure-ot-sensor-settings-from-the-azure-portal-public-preview) |

+### Focused inventory in the Azure device inventory (Public preview)

+The **Device inventory** page on the Azure portal now includes a network location indication for your devices, to help focus your device inventory on the devices within your IoT/OT scope. See and filter which devices are defined as *local* or *routed*, according to your configured subnets. The *Network location* filter is on by default, and the *Network location* column can be added by editing the columns in the device inventory. For more information, see [Subnet](configure-sensor-settings-portal.md#subnet).

+- A dev center. If you don't have one available, follow the steps in [1. Create a dev center](quickstart-configure-dev-box-service.md#1-create-a-dev-center).

+- A dev center with an attached network connection. If you don't have a one, follow the steps in [2. Configure a network connection](quickstart-configure-dev-box-service.md#2-configure-a-network-connection).

+- [3. Create a dev box definition](quickstart-configure-dev-box-service.md#3-create-a-dev-box-definition)

+- [3. Create a dev box definition](quickstart-configure-dev-box-service.md#3-create-a-dev-box-definition)

+- [3. Create a dev box definition](quickstart-configure-dev-box-service.md#3-create-a-dev-box-definition)

+- [3. Create a dev box definition](quickstart-configure-dev-box-service.md#3-create-a-dev-box-definition)

+This quickstart describes how to set up Microsoft Dev Box Preview to enable development teams to self-serve their dev boxes. The setup process involves two distinct phases. In the first phase, dev infra admins configure the necessary Microsoft Dev Box resources through the Azure portal. After this phase is complete, users can proceed to the next phase, creating and managing their dev boxes through the developer portal. This quickstart shows you how to complete the first phase.

+The following graphic shows the steps required to configure Microsoft Dev Box in the Azure portal.

+First, you create a dev center to organize your dev box resources. Next, you configure network components to enable dev boxes to connect to your organizational resources. Then, you create a dev box definition that is used to create dev boxes. After that, you create a project and a dev box pool. Users who have access to a project can create dev boxes from the pools associated with that project.

+After you complete this quickstart, you'll have Microsoft Dev Box set up ready for users to create and connect to dev boxes.

+If you already have a Microsoft Dev Box configured and you want to learn how to create and connect to dev boxes, refer to: [Quickstart: Create a dev box by using the developer portal](quickstart-create-dev-box.md).

+- Owner or Contributor role on an Azure subscription or resource group.

+- If your organization routes egress traffic through a firewall, open the appropriate ports. For more information, see [Network requirements](/windows-365/enterprise/requirements-network).

+## 1. Create a dev center

+## 2. Configure a network connection

+1. Sign in to the [Azure portal](https://portal.azure.com).

+### Attach a network connection to a dev center

+## 3. Create a dev box definition

+Dev box definitions define the image and SKU (compute + storage) that's used in the creation of the dev boxes. To create and configure a dev box definition:

+ |**Image version**|Select a specific, numbered version to ensure that all the dev boxes in the pool always use the same version of the image. Select **Latest** to ensure that new dev boxes use the latest image available.|Selecting the **Latest** image version enables the dev box pool to use the most recent version of your chosen image from the gallery. This way, the created dev boxes stay up to date with the latest tools and code for your image. Existing dev boxes aren't modified when an image version is updated.|

+## 4. Create a project

+ |**Dev center**|Select the dev center that you want to associate with this project. All the settings at the dev center level apply to the project.|

+## 5. Create a dev box pool

+A dev box pool is a collection of dev boxes that have similar settings. Dev box pools specify the dev box definitions and network connections that dev boxes use. You must associate at least one pool with your project before users can create a dev box.

+ |**Stop time**| Select a time to shut down all the dev boxes in the pool. All dev boxes in this pool will shut down at this time every day.|

+## 6. Provide access to a dev box project

+You can assign the DevCenter Project Admin role by using the steps described earlier in [6. Provide access to a dev box project](#6-provide-access-to-a-dev-box-project) and select the Project Admin role instead of the Dev Box User role. For more information, see [Provide access to projects for project admins](how-to-project-admin.md).

+In this quickstart, you configured the Microsoft Dev Box resources that are required to enable users to create their own dev boxes. To learn how to create and connect to a dev box, advance to the next quickstart:

+- Permissions as a [Dev Box User](quickstart-configure-dev-box-service.md#6-provide-access-to-a-dev-box-project) for a project that has an available dev box pool. If you don't have permissions to a project, contact your administrator.

+ Title: Enable Top flows and Flow trace logs in Azure Firewall

+description: Learn how to enable the Top flows and Flow trace logs in Azure Firewall

+# Enable Top flows (preview) and Flow trace logs (preview) in Azure Firewall

+- Top flows

+## Top flows

+The Top flows log (known in the industry as Fat Flows), shows the top connections that are contributing to the highest throughput through the firewall.

+ :::image type="content" source="media/enable-top-ten-and-flow-trace/top-ten-flow-log.png" alt-text="Screenshot showing the Top flow log." lightbox="media/enable-top-ten-and-flow-trace/top-ten-flow-log.png":::

+- [Top flow log (preview)](/azure/azure-monitor/reference/tables/azfwfatflow) - The Top Flows (Fat Flows) log shows the top connections that are contributing to the highest throughput through the firewall.

+- To learn more about Azure Firewall logs and metrics, see [Azure Firewall logs and metrics](logs-and-metrics.md)

+ - There may be various reasons that can cause high latency in Azure Firewall. For example, high CPU utilization, high throughput, or a possible networking issue.

+ This metric does not measure end-to-end latency of a given network path. In other words, this latency health probe does not measure how much latency Azure Firewall adds.

+ - When the latency metric is functioning as expected, a value of 0 appears in the metrics dashboard.

+ - As a reference, the average expected latency for a firewall is approximately 1 m/s. This may vary depending on deployment size and environment.

+[How to check the image number?](./view-hindsight-cluster-image-version.md)

+When you enable the Key Vault Firewall, you'll be given an option to 'Allow Trusted Microsoft Services to bypass this firewall.' The trusted services list does not cover every single Azure service. For example, Azure DevOps isn't on the trusted services list. **This does not imply that services that do not appear on the trusted services list are not trusted or insecure.** The trusted services list encompasses services where Microsoft controls all of the code that runs on the service. Since users can write custom code in Azure services such as Azure DevOps, Microsoft does not provide the option to create a blanket approval for the service. Furthermore, just because a service appears on the trusted service list, doesn't mean it is allowed for all scenarios.

+1. [Create an RFC destination.](#create-rfc-destination)

+1. [Create an ABAP connection.](#create-abap-connection)

+This destination will identify your logic app workflow for the receiver port.

+This destination will identify your SAP system for the sender port.

+1. For **RFC Destination**, enter the identifier for your test SAP system.

+1. By leaving the target host empty in the Technical Settings, you are creating a local connection to the SAP system itself.

+* [Built-in connectors for Azure Logic Apps](../connectors/built-in.md)

+You'll also learn how to view the logs and monitor the service-level agreement (SLA). You start with a model and end up with a scalable HTTPS/REST endpoint that you can use for real-time scoring.

+Online endpoints are endpoints that are used for real-time inferencing. There are two types of online endpoints: **managed online endpoints** and **Kubernetes online endpoints**. For more information on endpoints and differences between managed online endpoints and Kubernetes online endpoints, see [What are Azure Machine Learning endpoints?](concept-endpoints.md#managed-online-endpoints-vs-kubernetes-online-endpoints).

+Managed online endpoints help to deploy your ML models in a turnkey manner. Managed online endpoints work with powerful CPU and GPU machines in Azure in a scalable, fully managed way. Managed online endpoints take care of serving, scaling, securing, and monitoring your models, freeing you from the overhead of setting up and managing the underlying infrastructure.

+The main example in this doc uses managed online endpoints for deployment. To use Kubernetes instead, see the notes in this document that are inline with the managed online endpoint discussion.

+# [Studio](#tab/azure-studio)

+Before following the steps in this article, make sure you have the following prerequisites:

+* An Azure subscription. If you don't have an Azure subscription, create a free account before you begin. Try the [free or paid version of Azure Machine Learning](https://azure.microsoft.com/free/).

+* An Azure Machine Learning workspace and a compute instance. If you don't have these, use the steps in the [Quickstart: Create workspace resources](quickstart-create-resources.md) article to create them.

+* Azure role-based access controls (Azure RBAC) are used to grant access to operations in Azure Machine Learning. To perform the steps in this article, your user account must be assigned the __owner__ or __contributor__ role for the Azure Machine Learning workspace, or a custom role allowing `Microsoft.MachineLearningServices/workspaces/onlineEndpoints/*`. For more information, see [Manage access to an Azure Machine Learning workspace](how-to-assign-roles.md).

+### Virtual machine quota allocation for deployment

+For managed online endpoints, Azure Machine Learning reserves 20% of your compute resources for performing upgrades. Therefore, if you request a given number of instances in a deployment, you must have a quota for `ceil(1.2*number of instances requested for deployment)* number of cores for the VM SKU` available to avoid getting an error. For example, if you request 10 instances of a [Standard_DS2_v2](/azure/virtual-machines/dv2-dsv2-series) VM (that comes with 2 cores) in a deployment, you should have a quota for 24 cores (`12 instances*2 cores`) available. To view your usage and request quota increases, see [View your usage and quotas in the Azure portal](how-to-manage-quotas.md#view-your-usage-and-quotas-in-the-azure-portal).

+<!-- In this tutorial, you'll request one instance of a Standard_DS2_v2 VM SKU (that comes with 2 cores) in your deployment; therefore, you should have a minimum quota for 4 cores (`2 instances*2 cores`) available. -->

+### Set environment variables

+If you haven't already set the defaults for the Azure CLI, save your default settings. To avoid passing in the values for your subscription, workspace, and resource group multiple times, run this code:

+ ```azurecli

+ az account set --subscription <subscription ID>

+ az configure --defaults workspace=<Azure Machine Learning workspace name> group=<resource group>

+ ```

+### Clone the examples repository

+To follow along with this article, first clone the [examples repository (azureml-examples)](https://github.com/azure/azureml-examples). Then, run the following code to go to the repository's `cli/` directory:

+The commands in this tutorial are in the files `deploy-local-endpoint.sh` and `deploy-managed-online-endpoint.sh` in the `cli` directory, and the YAML configuration files are in the `endpoints/online/managed/sample/` subdirectory.

+> The YAML configuration files for Kubernetes online endpoints are in the `endpoints/online/kubernetes/` subdirectory.

+### Clone the examples repository

+The [workspace](concept-workspace.md) is the top-level resource for Azure Machine Learning, providing a centralized place to work with all the artifacts you create when you use Azure Machine Learning. In this section, we'll connect to the workspace in which you'll perform deployment tasks. To follow along, open your `online-endpoints-simple-deployment.ipynb` notebook.

+ > [!NOTE]

+ > If you're using the Kubernetes online endpoint, import the `KubernetesOnlineEndpoint` and `KubernetesOnlineDeployment` class from the `azure.ai.ml.entities` library.

+# [Studio](#tab/azure-studio)

+If you have Git installed on your local machine, you can follow the instructions to clone the examples repository. Otherwise, follow the instructions to download files from the examples repository.

+### Clone the examples repository

+To follow along with this article, first clone the [examples repository (azureml-examples)](https://github.com/azure/azureml-examples) and then change into the `azureml-examples/cli/endpoints/online/model-1` directory.

+```bash

+cd azureml-examples/cli/endpoints/online/model-1

+### Download files from the examples repository

+If you cloned the examples repo, your local machine already has copies of the files for this example, and you can skip to the next section. If you didn't clone the repo, you can download it to your local machine.

+1. Go to [https://github.com/Azure/azureml-examples/](https://github.com/Azure/azureml-examples/).

+1. Go to the **<> Code** button on the page, and then select **Download ZIP** from the **Local** tab.

+1. Locate the folder `/cli/endpoints/online/model-1/model` and the file `/cli/endpoints/online/model-1/onlinescoring/score.py`.

+# [ARM template](#tab/arm)

+### Set environment variables

+Set the following environment variables, as they're used in the examples in this article. Replace the values with your Azure subscription ID, the Azure region where your workspace is located, the resource group that contains the workspace, and the workspace name:

+A couple of the template examples require you to upload files to the Azure Blob store for your workspace. The following steps query the workspace and store this information in environment variables used in the examples:

+### Clone the examples repository

+To follow along with this article, first clone the [examples repository (azureml-examples)](https://github.com/azure/azureml-examples). Then, run the following code to go to the examples directory:

+```azurecli

+git clone --depth 1 https://github.com/Azure/azureml-examples

+cd azureml-examples

+```

+> [!TIP]

+> Use `--depth 1` to clone only the latest commit to the repository, which reduces time to complete the operation.

+## Define the endpoint

+To define an endpoint, you need to specify:

+* Endpoint name: The name of the endpoint. It must be unique in the Azure region. For more information on the naming rules, see [managed online endpoint limits](how-to-manage-quotas.md#azure-machine-learning-managed-online-endpoints).

+* Authentication mode: The authentication method for the endpoint. Choose between key-based authentication and Azure Machine Learning token-based authentication. A key doesn't expire, but a token does expire. For more information on authenticating, see [Authenticate to an online endpoint](how-to-authenticate-online-endpoint.md).

+* Optionally, you can add a description and tags to your endpoint.

+### Set an endpoint name

+To set your endpoint name, run the following command (replace `YOUR_ENDPOINT_NAME` with a unique name).

+For Linux, run this command:

+### Configure the endpoint

+The following snippet shows the *endpoints/online/managed/sample/endpoint.yml* file:

+The reference for the endpoint YAML format is described in the following table. To learn how to specify these attributes, see the [online endpoint YAML reference](reference-yaml-endpoint-online.md). For information about limits related to managed endpoints, see [Manage and increase quotas for resources with Azure Machine Learning](how-to-manage-quotas.md#azure-machine-learning-managed-online-endpoints).

+| `$schema` | (Optional) The YAML schema. To see all available options in the YAML file, you can view the schema in the preceding code snippet in a browser. |

+| `name` | The name of the endpoint. |

+| `auth_mode` | Use `key` for key-based authentication. Use `aml_token` for Azure Machine Learning token-based authentication. To get the most recent token, use the `az ml online-endpoint get-credentials` command. |

+# [Python](#tab/python)

+### Configure an endpoint

+In this article, we first define the name of the online endpoint.

+```python

+# Define an endpoint name

+endpoint_name = "my-endpoint"

+# Example way to define a random name

+import datetime

+endpoint_name = "endpt-" + datetime.datetime.now().strftime("%m%d%H%M%f")

+# create an online endpoint

+endpoint = ManagedOnlineEndpoint(

+ name = endpoint_name,

+ description="this is a sample endpoint"

+ auth_mode="key"

+)

+```

+For the authentication mode, we've used `key` for key-based authentication. To use Azure Machine Learning token-based authentication, use `aml_token`.

+# [Studio](#tab/azure-studio)

+### Configure an endpoint

+When you deploy to Azure, you'll create an endpoint and a deployment to add to it. At that time, you'll be prompted to provide names for the endpoint and deployment.

+# [ARM template](#tab/arm)

+### Set an endpoint name

+To set your endpoint name, run the following command (replace `YOUR_ENDPOINT_NAME` with a unique name).

+For Linux, run this command:

+### Configure the endpoint

+To define the endpoint and deployment, this article uses the Azure Resource Manager templates [online-endpoint.json](https://github.com/Azure/azureml-examples/tree/main/arm-templates/online-endpoint.json) and [online-endpoint-deployment.json](https://github.com/Azure/azureml-examples/tree/main/arm-templates/online-endpoint-deployment.json). To use the templates for defining an online endpoint and deployment, see the [Deploy to Azure](#deploy-to-azure) section.

+## Define the deployment

+A deployment is a set of resources required for hosting the model that does the actual inferencing. To deploy a model, you must have:

+- A scoring script, that is, code that executes the model on a given input request. The scoring script receives data submitted to a deployed web service and passes it to the model. The script then executes the model and returns its response to the client. The scoring script is specific to your model and must understand the data that the model expects as input and returns as output. In this example, we have a *score.py* file.

+- An environment in which your model runs. The environment can be a Docker image with Conda dependencies or a Dockerfile.

+The following table describes the key attributes of a deployment:

+| Attribute | Description |

+|--|-|

+| Name | The name of the deployment. |

+| Endpoint name | The name of the endpoint to create the deployment under. |

+| Model | The model to use for the deployment. This value can be either a reference to an existing versioned model in the workspace or an inline model specification. |

+| Code path | The path to the directory on the local development environment that contains all the Python source code for scoring the model. You can use nested directories and packages. |

+| Scoring script | The relative path to the scoring file in the source code directory. This Python code must have an `init()` function and a `run()` function. The `init()` function will be called after the model is created or updated (you can use it to cache the model in memory, for example). The `run()` function is called at every invocation of the endpoint to do the actual scoring and prediction. |

+| Environment | The environment to host the model and code. This value can be either a reference to an existing versioned environment in the workspace or an inline environment specification. |

+| Instance type | The VM size to use for the deployment. For the list of supported sizes, see [Managed online endpoints SKU list](reference-managed-online-endpoints-vm-sku-list.md). |

+| Instance count | The number of instances to use for the deployment. Base the value on the workload you expect. For high availability, we recommend that you set the value to at least `3`. We reserve an extra 20% for performing upgrades. For more information, see [managed online endpoint quotas](how-to-manage-quotas.md#azure-machine-learning-managed-online-endpoints). |

+# [Azure CLI](#tab/azure-cli)

+### Configure a deployment

+The following snippet shows the *endpoints/online/managed/sample/blue-deployment.yml* file, with all the required inputs to configure a deployment:

+> [!NOTE]

+> In the _blue-deployment.yml_ file, we've specified the following deployment attributes:

+> * `model` - In this example, we specify the model properties inline using the `path`. Model files are automatically uploaded and registered with an autogenerated name.

+> * `environment` - In this example, we have inline definitions that include the `path`. We'll use `environment.docker.image` for the image. The `conda_file` dependencies will be installed on top of the image.

+### Configure a deployment

+To configure a deployment:

+```python

+model = Model(path="../model-1/model/sklearn_regression_model.pkl")

+env = Environment(

+ conda_file="../model-1/environment/conda.yml",

+ image="mcr.microsoft.com/azureml/openmpi4.1.0-ubuntu20.04:latest",

+)

+blue_deployment = ManagedOnlineDeployment(

+ name="blue",

+ endpoint_name=endpoint_name,

+ model=model,

+ environment=env,

+ code_configuration=CodeConfiguration(

+ code="../model-1/onlinescoring", scoring_script="score.py"

+ ),

+ instance_type="Standard_DS3_v2",

+ instance_count=1,

+)

+```

+# [Studio](#tab/azure-studio)

+### Configure a deployment

+When you deploy to Azure, you'll create an endpoint and a deployment to add to it. At that time, you'll be prompted to provide names for the endpoint and deployment.

+### Configure the deployment

+To define the endpoint and deployment, this article uses the Azure Resource Manager templates [online-endpoint.json](https://github.com/Azure/azureml-examples/tree/main/arm-templates/online-endpoint.json) and [online-endpoint-deployment.json](https://github.com/Azure/azureml-examples/tree/main/arm-templates/online-endpoint-deployment.json). To use the templates for defining an online endpoint and deployment, see the [Deploy to Azure](#deploy-to-azure) section.

+For more information on registering your model as an asset, see [Register your model as an asset in Machine Learning by using the CLI](how-to-manage-models.md#register-your-model-as-an-asset-in-machine-learning-by-using-the-cli). For more information on creating an environment, see [Manage Azure Machine Learning environments with the CLI & SDK (v2)](how-to-manage-environments-v2.md#create-an-environment).

+In this example, we specify the `path` (where to upload files from) inline. The SDK automatically uploads the files and registers the model and environment. As a best practice for production, you should register the model and environment and specify the registered name and version separately in the codes.

+For more information on registering your model as an asset, see [Register your model as an asset in Machine Learning by using the SDK](how-to-manage-models.md#register-your-model-as-an-asset-in-machine-learning-by-using-the-sdk).

+For more information on creating an environment, see [Manage Azure Machine Learning environments with the CLI & SDK (v2)](how-to-manage-environments-v2.md#create-an-environment).

+# [Studio](#tab/azure-studio)

+### Register the model

+A model registration is a logical entity in the workspace that may contain a single model file or a directory of multiple files. As a best practice for production, you should register the model and environment. When creating the endpoint and deployment in this article, we'll assume that you've registered the [model folder](https://github.com/Azure/azureml-examples/tree/main/cli/endpoints/online/model-1/model) that contains the model.

+To register the example model, follow these steps:

+1. Go to the [Azure Machine Learning studio](https://ml.azure.com).

+1. In the left navigation bar, select the **Models** page.

+1. Select **Register**, and then choose **From local files**.

+1. Select __Unspecified type__ for the __Model type__.

+1. Select __Browse__, and choose __Browse folder__.

+ :::image type="content" source="media/how-to-deploy-online-endpoints/register-model-folder.png" alt-text="A screenshot of the browse folder option." lightbox="media/how-to-deploy-online-endpoints/register-model-folder.png":::

+1. Select the `\azureml-examples\cli\endpoints\online\model-1\model` folder from the local copy of the repo you cloned or downloaded earlier. When prompted, select __Upload__ and wait for the upload to complete.

+1. Select __Next__ after the folder upload is completed.

+1. Enter a friendly __Name__ for the model. The steps in this article assume the model is named `model-1`.

+1. Select __Next__, and then __Register__ to complete registration.

+For more information on working with registered models, see [Register and work with models](how-to-manage-models.md).

+For information on creating an environment in the studio, see [Create an environment](how-to-manage-environments-in-studio.md#create-an-environment).

+### Use different CPU and GPU instance types and images

+# [Azure CLI](#tab/azure-cli)

+The preceding definition in the _blue-deployment.yml_ file uses a general-purpose type `Standard_DS2_v2` instance and a non-GPU Docker image `mcr.microsoft.com/azureml/openmpi4.1.0-ubuntu20.04:latest`. For GPU compute, choose a GPU compute type SKU and a GPU Docker image.

+For supported general-purpose and GPU instance types, see [Managed online endpoints supported VM SKUs](reference-managed-online-endpoints-vm-sku-list.md). For a list of Azure Machine Learning CPU and GPU base images, see [Azure Machine Learning base images](https://github.com/Azure/AzureML-Containers).

+> [!NOTE]

+> To use Kubernetes instead of managed endpoints as a compute target, see [Introduction to Kubernetes compute target](./how-to-attach-kubernetes-anywhere.md).

+# [Python](#tab/python)

+The preceding definition of the `blue_deployment` uses a general-purpose type `Standard_DS2_v2` instance and a non-GPU Docker image `mcr.microsoft.com/azureml/openmpi4.1.0-ubuntu20.04:latest`. For GPU compute, choose a GPU compute type SKU and a GPU Docker image.

+> To use Kubernetes instead of managed endpoints as a compute target, see [Introduction to Kubernetes compute target](./how-to-attach-kubernetes-anywhere.md).

+# [Studio](#tab/azure-studio)

+When using the studio to deploy to Azure, you'll be prompted to specify the compute properties (instance type and instance count) and environment to use for your deployment.

+For supported general-purpose and GPU instance types, see [Managed online endpoints supported VM SKUs](reference-managed-online-endpoints-vm-sku-list.md). For more information on environments, see [Manage software environments in Azure Machine Learning studio](how-to-manage-environments-in-studio.md).

+# [ARM template](#tab/arm)

+The preceding registration of the environment specifies a non-GPU docker image `mcr.microsoft.com/azureml/openmpi3.1.2-ubuntu18.04:20210727.v1` by passing the value to the `environment-version.json` template using the `dockerImage` parameter. For a GPU compute, provide a value for a GPU docker image to the template (using the `dockerImage` parameter) and provide a GPU compute type SKU to the `online-endpoint-deployment.json` template (using the `skuName` parameter).

+For supported general-purpose and GPU instance types, see [Managed online endpoints supported VM SKUs](reference-managed-online-endpoints-vm-sku-list.md). For a list of Azure Machine Learning CPU and GPU base images, see [Azure Machine Learning base images](https://github.com/Azure/AzureML-Containers).

+### Use more than one model in a deployment

+Currently, you can specify only one model per deployment in the deployment definition when you use the Azure CLI, Python SDK, or any of the other client tools.

+To use more than one model in a deployment, register a model folder that contains all the models as files or subdirectories. In your scoring script, use the environment variable `AZUREML_MODEL_DIR` to get the path to the model root folder. The underlying directory structure will be retained. For an example of deploying multiple models to one deployment, see [Deploy multiple models to one deployment (CLI example)](https://github.com/Azure/azureml-examples/blob/main/cli/endpoints/online/custom-container/minimal/multimodel) and [Deploy multiple models to one deployment (SDK example)](https://github.com/Azure/azureml-examples/blob/main/sdk/python/endpoints/online/custom-container/online-endpoints-custom-container-multimodel.ipynb).

+As noted earlier, the scoring script specified in `code_configuration.scoring_script` must have an `init()` function and a `run()` function.

+The scoring script must have an `init()` function and a `run()` function.

+# [Studio](#tab/azure-studio)

+The scoring script must have an `init()` function and a `run()` function.

+The scoring script must have an `init()` function and a `run()` function. This example uses the [score.py file](https://github.com/Azure/azureml-examples/blob/main/cli/endpoints/online/model-1/onlinescoring/score.py).

+The `init()` function is called when the container is initialized or started. Initialization typically occurs shortly after the deployment is created or updated. The `init` function is the place to write logic for global initialization operations like caching the model in memory (as we do in this example).

+The `run()` function is called for every invocation of the endpoint, and it does the actual scoring and prediction. In this example, we'll extract data from a JSON input, call the scikit-learn model's `predict()` method, and then return the result.

+## Deploy and debug locally by using local endpoints

+We *highly recommend* that you test-run your endpoint locally by validating and debugging your code and configuration before you deploy to Azure. Azure CLI and Python SDK support local endpoints and deployments, while Azure Machine Learning studio and ARM template don't.

+To deploy locally, [Docker Engine](https://docs.docker.com/engine/install/) must be installed and running. Docker Engine typically starts when the computer starts. If it doesn't, you can [troubleshoot Docker Engine](https://docs.docker.com/config/daemon/#start-the-daemon-manually).

+Local endpoints have the following limitations:

+- They do *not* support traffic rules, authentication, or probe settings.

+- They support only one deployment per endpoint.

+- They support local model files only. If you want to test registered models, first download them using [CLI](/cli/azure/ml/model#az-ml-model-download) or [SDK](/python/api/azure-ai-ml/azure.ai.ml.operations.modeloperations#azure-ai-ml-operations-modeloperations-download), then use `path` in the deployment definition to refer to the parent folder.

+For more information on debugging online endpoints locally before deploying to Azure, see [Debug online endpoints locally in Visual Studio Code](how-to-debug-managed-online-endpoints-visual-studio-code.md).

+# [Studio](#tab/azure-studio)

+The studio doesn't support local endpoints. See the Azure CLI or Python tabs for steps to test the endpoint locally.

+# [Studio](#tab/azure-studio)

+The studio doesn't support local endpoints. See the Azure CLI or Python tabs for steps to test the endpoint locally.

+ml_client.online_endpoints.get(name=endpoint_name, local=True)

+ManagedOnlineEndpoint({'public_network_access': None, 'provisioning_state': 'Succeeded', 'scoring_uri': 'http://localhost:49158/score', 'swagger_uri': None, 'name': 'endpt-10061534497697', 'description': 'this is a sample endpoint', 'tags': {}, 'properties': {}, 'id': None, 'Resource__source_path': None, 'base_path': '/path/to/your/working/directory', 'creation_context': None, 'serialize': <msrest.serialization.Serializer object at 0x7ffb781bccd0>, 'auth_mode': 'key', 'location': 'local', 'identity': None, 'traffic': {}, 'mirror_traffic': {}, 'kind': None})

+# [Studio](#tab/azure-studio)

+The studio doesn't support local endpoints. See the Azure CLI or Python tabs for steps to test the endpoint locally.

+ endpoint_name=endpoint_name,

+# [Studio](#tab/azure-studio)

+The studio doesn't support local endpoints. See the Azure CLI or Python tabs for steps to test the endpoint locally.

+ name="blue", endpoint_name=endpoint_name, local=True, lines=50

+# [Studio](#tab/azure-studio)

+The studio doesn't support local endpoints. See the Azure CLI or Python tabs for steps to test the endpoint locally.

+> The `--all-traffic` flag in the above `az ml online-deployment create` allocates 100% of the endpoint traffic to the newly created blue deployment. Though this is helpful for development and testing purposes, for production, you might want to open traffic to the new deployment through an explicit command. For example, `az ml online-endpoint update -n $ENDPOINT_NAME --traffic "blue=100"`.

+ Using the `endpoint` we defined earlier and the `MLClient` created earlier, we'll now create the endpoint in the workspace. This command will start the endpoint creation and return a confirmation response while the endpoint creation continues.

+1. Create the deployment:

+ Using the `blue_deployment` that we defined earlier and the `MLClient` we created earlier, we'll now create the deployment in the workspace. This command will start the deployment creation and return a confirmation response while the deployment creation continues.

+# [Studio](#tab/azure-studio)

+### Create a managed online endpoint and deployment

+Use the studio to create a managed online endpoint directly in your browser. When you create a managed online endpoint in the studio, you must define an initial deployment. You can't create an empty managed online endpoint.

+One way to create a managed online endpoint in the studio is from the **Models** page. This method also provides an easy way to add a model to an existing managed online deployment. To deploy the model named `model-1` that you registered previously in the [Register the model](#register-the-model) section:

+1. Go to the [Azure Machine Learning studio](https://ml.azure.com).

+1. In the left navigation bar, select the **Models** page.

+1. Select the model named `model-1` by checking the circle next to its name.

+1. Select **Deploy** > **Deploy to real-time endpoint**.

+ :::image type="content" source="media/how-to-deploy-online-endpoints/deploy-from-models-page.png" lightbox="media/how-to-deploy-online-endpoints/deploy-from-models-page.png" alt-text="A screenshot of creating a managed online endpoint from the Models UI.":::

+

+ This action opens up a window where you can specify details about your endpoint.

+ :::image type="content" source="media/how-to-deploy-online-endpoints/online-endpoint-wizard.png" lightbox="media/how-to-deploy-online-endpoints/online-endpoint-wizard.png" alt-text="A screenshot of a managed online endpoint create wizard.":::

+1. Enter an __Endpoint name__.

+ > [!NOTE]

+ > * Endpoint name: The name of the endpoint. It must be unique in the Azure region. For more information on the naming rules, see [managed online endpoint limits](how-to-manage-quotas.md#azure-machine-learning-managed-online-endpoints).

+ > * Authentication type: The authentication method for the endpoint. Choose between key-based authentication and Azure Machine Learning token-based authentication. A `key` doesn't expire, but a token does expire. For more information on authenticating, see [Authenticate to an online endpoint](how-to-authenticate-online-endpoint.md).

+ > * Optionally, you can add a description and tags to your endpoint.

+1. Keep the default selections: __Managed__ for the compute type and __key-based authentication__ for the authentication type.

+1. Select __Next__, until you get to the "Deployment" page. Here, check the box for __Enable Application Insights diagnostics and data collection__ to allow you view graphs of your endpoint's activities in the studio later.

+1. Select __Next__ to go to the "Environment" page. Here, select the following options:

+ * __Select scoring file and dependencies__: Browse and select the `\azureml-examples\cli\endpoints\online\model-1\onlinescoring\score.py` file from the repo you cloned or downloaded earlier.

+ * __Choose an environment__ section: Select the **Scikit-learn 0.24.1** curated environment.

+1. Select __Next__, accepting defaults, until you're prompted to create the deployment.

+1. Review your deployment settings and select the __Create__ button.

+Alternatively, you can create a managed online endpoint from the **Endpoints** page in the studio.

+1. Go to the [Azure Machine Learning studio](https://ml.azure.com).

+1. In the left navigation bar, select the **Endpoints** page.

+1. Select **+ Create**.

+ :::image type="content" source="media/how-to-deploy-online-endpoints/endpoint-create-managed-online-endpoint.png" lightbox="media/how-to-deploy-online-endpoints/endpoint-create-managed-online-endpoint.png" alt-text="A screenshot for creating managed online endpoint from the Endpoints tab.":::

+This action opens up a window for you to specify details about your endpoint and deployment. Enter settings for your endpoint and deployment as described in the previous steps 5-10, accepting defaults until you're prompted to __Create__ the deployment.

+The `show` command contains information in `provisioning_state` for the endpoint and deployment:

+ml_client.online_endpoints.get(name=endpoint_name)

+The method returns a list (iterator) of `ManagedOnlineEndpoint` entities. You can get other information by specifying [parameters](/python/api/azure-ai-ml/azure.ai.ml.entities.managedonlineendpoint#parameters).

+# [Studio](#tab/azure-studio)

+### View managed online endpoints

+You can view all your managed online endpoints in the **Endpoints** page. Go to the endpoint's **Details** page to find critical information including the endpoint URI, status, testing tools, activity monitors, deployment logs, and sample consumption code:

+1. In the left navigation bar, select **Endpoints**. Here, you can see a list of all the endpoints in the workspace.

+1. (Optional) Create a **Filter** on **Compute type** to show only **Managed** compute types.

+1. Select an endpoint name to view the endpoint's __Details__ page.

+> While templates are useful for deploying resources, they can't be used to list, show, or invoke resources. Use the Azure CLI, Python SDK, or the studio to perform these operations. The following code uses the Azure CLI.

+The `show` command contains information in the `provisioning_state` for the endpoint and deployment:

+Check the logs to see whether the model was deployed without error.

+To see log output from a container, use the following CLI command:

+By default, logs are pulled from the inference server container. To see logs from the storage initializer container, add the `--container storage-initializer` flag. For more information on deployment logs, see [Get container logs](how-to-troubleshoot-online-endpoints.md#get-container-logs).

+ name="blue", endpoint_name=endpoint_name, lines=50

+By default, logs are pulled from the inference server container. To see logs from the storage initializer container, add the `container_type="storage-initializer"` option. For more information on deployment logs, see [Get container logs](how-to-troubleshoot-online-endpoints.md#get-container-logs).

+ name="blue", endpoint_name=endpoint_name, lines=50, container_type="storage-initializer"

+# [Studio](#tab/azure-studio)

+To view log output, select the **Deployment logs** tab in the endpoint's **Details** page. If you have multiple deployments in your endpoint, use the dropdown to select the deployment whose log you want to see.

+By default, logs are pulled from the inference server. To see logs from the storage initializer container, use the Azure CLI or Python SDK (see each tab for details). For more information on deployment logs, see [Get container logs](how-to-troubleshoot-online-endpoints.md#get-container-logs).

+> While templates are useful for deploying resources, they can't be used to list, show, or invoke resources. Use the Azure CLI, Python SDK, or the studio to perform these operations. The following code uses the Azure CLI.

+By default, logs are pulled from the inference server container. To see logs from the storage initializer container, add the `--container storage-initializer` flag. For more information on deployment logs, see [Get container logs](how-to-troubleshoot-online-endpoints.md#get-container-logs).

+ endpoint_name=endpoint_name,

+# [Studio](#tab/azure-studio)

+Use the **Test** tab in the endpoint's details page to test your managed online deployment. Enter sample input and view the results.

+1. Select the **Test** tab in the endpoint's detail page.

+1. Use the dropdown to select the deployment you want to test.

+1. Enter sample input.

+1. Select **Test**.

+> While templates are useful for deploying resources, they can't be used to list, show, or invoke resources. Use the Azure CLI, Python SDK, or the studio to perform these operations. The following code uses the Azure CLI.

+If you want to update the code, model, or environment, update the YAML file, and then run the `az ml online-endpoint update` command.

+> If you update instance count (to scale your deployment) along with other model settings (such as code, model, or environment) in a single `update` command, the scaling operation will be performed first, then the other updates will be applied. It's a good practice to perform these operations separately in a production environment.

+ > You can use [generic update parameters](/cli/azure/use-cli-effectively#generic-update-parameters), such as the `--set` parameter, with the CLI `update` command to override attributes in your YAML *or* to set specific attributes without passing them in the YAML file. Using `--set` for single attributes is especially valuable in development and test scenarios. For example, to scale up the `instance_count` value for the first deployment, you could use the `--set instance_count=2` flag. However, because the YAML isn't updated, this technique doesn't facilitate [GitOps](https://www.atlassian.com/git/tutorials/gitops).

+1. Because you modified the `init()` function, which runs when the endpoint is created or updated, the message `Updated successfully` will be in the logs. Retrieve the logs by running:

+If you want to update the code, model, or environment, update the configuration, and then run the `MLClient`'s `online_deployments.begin_create_or_update` method to [create or update a deployment](/python/api/azure-ai-ml/azure.ai.ml.operations.onlinedeploymentoperations#azure-ai-ml-operations-onlinedeploymentoperations-begin-create-or-update).

+> If you update instance count (to scale your deployment) along with other model settings (such as code, model, or environment) in a single `begin_create_or_update` method, the scaling operation will be performed first, then the other updates will be applied. It's a good practice to perform these operations separately in a production environment.

+5. Because you modified the `init()` function, which runs when the endpoint is created or updated, the message `Updated successfully` will be in the logs. Retrieve the logs by running:

+ name="blue", endpoint_name=endpoint_name, lines=50

+# [Studio](#tab/azure-studio)

+Currently, the studio allows you to make updates only to the instance count of a deployment. Use the following instructions to scale an individual deployment up or down by adjusting the number of instances:

+1. Open the endpoint's **Details** page and find the card for the deployment you want to update.

+1. Select the edit icon (pencil icon) next to the deployment's name.

+1. Update the instance count associated with the deployment. You can choose between **Default** or **Target Utilization** for "Deployment scale type".

+ - If you select **Default**, you cal also specify a numerical value for the **Instance count**.

+ - If you select **Target Utilization**, you can specify values to use for parameters when autoscaling the deployment.

+1. Select **Update** to finish updating the instance counts for your deployment.

+There currently isn't an option to update the deployment using an ARM template.

+> The previous update to the deployment is an example of an inplace rolling update.

+> * For a managed online endpoint, the deployment is updated to the new configuration with 20% nodes at a time. That is, if the deployment has 10 nodes, 2 nodes at a time will be updated.

+> * For a Kubernetes online endpoint, the system will iteratively create a new deployment instance with the new configuration and delete the old one.

+> * For production usage, you should consider [blue-green deployment](how-to-safely-rollout-online-endpoints.md), which offers a safer alternative for updating a web service.

+The `get-logs` command for CLI or the `get_logs` method for SDK provides only the last few hundred lines of logs from an automatically selected instance. However, Log Analytics provides a way to durably store and analyze logs. For more information on using logging, see [Monitor online endpoints](how-to-monitor-online-endpoints.md#logs).

+<!-- [!INCLUDE [Email Notification Include](../../includes/machine-learning-email-notifications.md)] -->

+If you aren't going use the deployment, you should delete it by running the following code (it deletes the endpoint and all the underlying deployments):

+If you aren't going use the deployment, you should delete it by running the following code (it deletes the endpoint and all the underlying deployments):

+ml_client.online_endpoints.begin_delete(name=endpoint_name)

+# [Studio](#tab/azure-studio)

+If you aren't going use the endpoint and deployment, you should delete them. By deleting the endpoint, you'll also delete all its underlying deployments.

+1. Go to the [Azure Machine Learning studio](https://ml.azure.com).

+1. In the left navigation bar, select the **Endpoints** page.

+1. Select an endpoint by checking the circle next to the model name.

+1. Select **Delete**.

+Alternatively, you can delete a managed online endpoint directly by selecting the **Delete** icon in the [endpoint details page](#view-managed-online-endpoints).

+If you aren't going use the deployment, you should delete it by running the following code (it deletes the endpoint and all the underlying deployments):

+- [How to monitor managed online endpoints](how-to-monitor-online-endpoints.md)

+- [Manage and increase quotas for resources with Azure Machine Learning](how-to-manage-quotas.md#azure-machine-learning-managed-online-endpoints)

+- [Use batch endpoints for batch scoring](batch-inference/how-to-use-batch-endpoint.md)

+The model we are going to work with was built using TensorFlow along with the RestNet architecture ([Identity Mappings in Deep Residual Networks](https://arxiv.org/abs/1603.05027)). A sample of this model can be downloaded from [here](https://azuremlexampledata.blob.core.windows.net/data/imagenet/model.zip). The model has the following constrains that is important to keep in mind for deployment:

+The information in this article is based on code samples contained in the [azureml-examples](https://github.com/azure/azureml-examples) repository. To run the commands locally without having to copy/paste YAML and other files, clone the repo, and then change directories to the `cli/endpoints/batch/deploy-models/imagenet-classifier` if you are using the Azure CLI or `sdk/python/endpoints/batch/deploy-models/imagenet-classifier` if you are using our SDK for Python.

+cd azureml-examples/cli/endpoints/batch/deploy-models/imagenet-classifier

+You can follow along this sample in a Jupyter Notebook. In the cloned repository, open the notebook: [imagenet-classifier-batch.ipynb](https://github.com/Azure/azureml-examples/blob/main/sdk/python/endpoints/batch/deploy-models/imagenet-classifier/imagenet-classifier-batch.ipynb).

+### Create the endpoint

+First, let's create the endpoint that will host the model:

+# [Azure CLI](#tab/azure-cli)

+Decide on the name of the endpoint:

+```azurecli

+ENDPOINT_NAME="imagenet-classifier-batch"

+```

+The following YAML file defines a batch endpoint:

+__endpoint.yml__

+Run the following code to create the endpoint.

+# [Python](#tab/python)

+Decide on the name of the endpoint:

+```python

+endpoint_name="imagenet-classifier-batch"

+```

+Configure the endpoint:

+```python

+endpoint = BatchEndpoint(

+ name=endpoint_name,

+ description="An batch service to perform ImageNet image classification",

+)

+```

+Run the following code to create the endpoint:

+```python

+ml_client.batch_endpoints.begin_create_or_update(endpoint)

+```

+ :::code language="azurecli" source="~/azureml-examples-main/cli/endpoints/batch/deploy-models/imagenet-classifier/deploy-and-run.sh" ID="download_model" :::

+ az ml model create --name $MODEL_NAME --path "model"

+__code/score-by-file/batch_driver.py__

+1. Ensure you have a compute cluster created where we can create the deployment. In this example we are going to use a compute cluster named `gpu-cluster`. Although it's not required, we use GPUs to speed up the processing.

+ The environment definition will be included in the deployment file.

+

+ :::code language="yaml" source="~/azureml-examples-main/cli/endpoints/batch/deploy-models/imagenet-classifier/deployment-by-file.yml" range="7-10":::

+ name="tensorflow27-cuda11-gpu",

+ conda_file="environment/conda.yml",

+ image="mcr.microsoft.com/azureml/curated/tensorflow-2.7-ubuntu20.04-py38-cuda11-gpu:latest",

+ :::code language="yaml" source="~/azureml-examples-main/cli/endpoints/batch/deploy-models/imagenet-classifier/deployment-by-file.yml":::

+ :::code language="azurecli" source="~/azureml-examples-main/cli/endpoints/batch/deploy-models/imagenet-classifier/deploy-and-run.sh" ID="create_batch_deployment_set_default" :::

+ code="code/score-by-file",

+ scoring_script="batch_driver.py",

+ :::code language="azurecli" source="~/azureml-examples-main/cli/endpoints/batch/deploy-models/imagenet-classifier/deploy-and-run.sh" ID="download_sample_data" :::

+ !unzip imagenet-1000.zip -d data

+ :::code language="yaml" source="~/azureml-examples-main/cli/endpoints/batch/deploy-models/imagenet-classifier/imagenet-sample-unlabeled.yml":::

+ :::code language="azurecli" source="~/azureml-examples-main/cli/endpoints/batch/deploy-models/imagenet-classifier/deploy-and-run.sh" ID="create_sample_data_asset" :::

+ data_path = "data"

+ :::code language="azurecli" source="~/azureml-examples-main/cli/endpoints/batch/deploy-models/imagenet-classifier/deploy-and-run.sh" ID="start_batch_scoring_job" :::

+ :::code language="azurecli" source="~/azureml-examples-main/cli/endpoints/batch/deploy-models/imagenet-classifier/deploy-and-run.sh" ID="show_job_in_studio" :::

+ :::code language="azurecli" source="~/azureml-examples-main/cli/endpoints/batch/deploy-models/imagenet-classifier/deploy-and-run.sh" ID="download_scores" :::

+1. Creating the scoring script:

+ __code/score-by-batch/batch_driver.py__

+

+ :::code language="python" source="~/azureml-examples-main/cli/endpoints/batch/deploy-models/imagenet-classifier/code/score-by-file/batch_driver.py" :::

+ > [!TIP]

+ > * Notice that this script is constructing a tensor dataset from the mini-batch sent by the batch deployment. This dataset is preprocessed to obtain the expected tensors for the model using the `map` operation with the function `decode_img`.

+ > * The dataset is batched again (16) send the data to the model. Use this parameter to control how much information you can load into memory and send to the model at once. If running on a GPU, you will need to carefully tune this parameter to achieve the maximum utilization of the GPU just before getting an OOM exception.

+ > * Once predictions are computed, the tensors are converted to `numpy.ndarray`.

+1. Now, let create the deployment.

+ # [Azure CLI](#tab/cli)

+

+ To create a new deployment under the created endpoint, create a `YAML` configuration like the following:

+

+ :::code language="yaml" source="~/azureml-examples-main/cli/endpoints/batch/deploy-models/imagenet-classifier/deployment-by-batch.yml":::

+

+ Then, create the deployment with the following command:

+

+ :::code language="azurecli" source="~/azureml-examples-main/cli/endpoints/batch/deploy-models/imagenet-classifier/deploy-and-run.sh" ID="create_batch_deployment_ht" :::

+

+ # [Python](#tab/sdk)

+

+ To create a new deployment with the indicated environment and scoring script use the following code:

+

+ ```python

+ deployment = BatchDeployment(

+ name="imagenet-classifier-resnetv2",

+ description="A ResNetV2 model architecture for performing ImageNet classification in batch",

+ endpoint_name=endpoint.name,

+ model=model,

+ environment=environment,

+ code_configuration=CodeConfiguration(

+ code="code/score-by-batch",

+ scoring_script="batch_driver.py",

+ ),

+ compute=compute_name,

+ instance_count=2,

+ tags={ "device_acceleration": "CUDA", "device_batching": "16" }

+ max_concurrency_per_instance=1,

+ mini_batch_size=10,

+ output_action=BatchDeploymentOutputAction.APPEND_ROW,

+ output_file_name="predictions.csv",

+ retry_settings=BatchRetrySettings(max_retries=3, timeout=300),

+ logging_level="info",

+ )

+ ```

+

+ Then, create the deployment with the following command:

+

+ ```python

+ ml_client.batch_deployments.begin_create_or_update(deployment)

+ ```

+1. You can use this new deployment with the sample data shown before. Remember that to invoke this deployment you should either indicate the name of the deployment in the invocation method or set it as the default one.

+MLflow models in Batch Endpoints support reading images as input data. Since MLflow deployments don't require a scoring script, have the following considerations when using them:

+> * For models that include a signature and are expected to handle variable size of images, then include a signature that can guarantee it. For instance, the following signature example will allow batches of 3 channeled images.

+(...)

+mlflow.<flavor>.log_model(..., signature=signature)

+You can find a working example in the Jupyter notebook [imagenet-classifier-mlflow.ipynb](https://github.com/Azure/azureml-examples/blob/main/sdk/python/endpoints/batch/deploy-models/imagenet-classifier/imagenet-classifier-mlflow.ipynb). For more information about how to use MLflow models in batch deployments read [Using MLflow models in batch deployments](how-to-mlflow-batch.md).

+- When working on a private link-enabled workspace, batch endpoints can be created and managed using Azure Machine Learning studio. However, they can't be invoked from the UI in studio. Use the Azure Machine Learning CLI v2 instead for job creation. For more details about how to use it see [Run batch endpoint to start a batch scoring job](how-to-use-batch-endpoint.md#run-batch-endpoints-and-access-results).

+The information in this article is based on code samples contained in the [azureml-examples](https://github.com/azure/azureml-examples) repository. To run the commands locally without having to copy/paste YAML and other files, first clone the repo. Then, change directories to either `cli/endpoints/batch/deploy-models/mnist-classifier` if you're using the Azure CLI or `sdk/python/endpoints/batch/deploy-models/mnist-classifier` if you're using the Python SDK.

+cd azureml-examples/cli/endpoints/batch/deploy-models/mnist-classifier

+1. Let's start by registering the model we want to deploy. Batch Deployments can only deploy models registered in the workspace. You can skip this step if the model you're trying to deploy is already registered. In this case, we're registering a Torch model for the popular digit recognition problem (MNIST).

+ > [!TIP]

+ > Models are associated with the deployment rather than with the endpoint. This means that a single endpoint can serve different models or different model versions under the same endpoint as long as they are deployed in different deployments.

+

+ # [Azure CLI](#tab/azure-cli)

+ ```azurecli

+ MODEL_NAME='mnist-classifier-torch'

+ az ml model create --name $MODEL_NAME --type "custom_model" --path "deployment-torch/model"

+ ```

+ # [Python](#tab/python)

+ ```python

+ model_name = 'mnist-classifier-torch'

+ model = ml_client.models.create_or_update(

+ Model(name=model_name, path='deployment-torch/model/', type=AssetTypes.CUSTOM_MODEL)

+ )

+ ```

+ # [Studio](#tab/azure-studio)

+ 1. Navigate to the __Models__ tab on the side menu.

+ 1. Select __Register__ > __From local files__.

+ 1. In the wizard, leave the option *Model type* as __Unspecified type__.

+ 1. Select __Browse__ > __Browse folder__ > Select the folder `deployment-torch/model` > __Next__.

+ 1. Configure the name of the model: `mnist-classifier-torch`. You can leave the rest of the fields as they are.

+ 1. Select __Register__.

+1. Now it's time to create a scoring script. Batch deployments require a scoring script that indicates how a given model should be executed and how input data must be processed. Batch Endpoints support scripts created in Python. In this case, we're deploying a model that reads image files representing digits and outputs the corresponding digit. The scoring script is as follows:

+ > [!NOTE]

+ > For MLflow models, Azure Machine Learning automatically generates the scoring script, so you're not required to provide one. If your model is an MLflow model, you can skip this step. For more information about how batch endpoints work with MLflow models, see the dedicated tutorial [Using MLflow models in batch deployments](how-to-mlflow-batch.md).

+ > [!WARNING]

+ > If you're deploying an Automated ML model under a batch endpoint, notice that the scoring script that Automated ML provides only works for online endpoints and is not designed for batch execution. Please see [Author scoring scripts for batch deployments](how-to-batch-scoring-script.md) to learn how to create one depending on what your model does.

+ __deployment-torch/code/batch_driver.py__

+ :::code language="python" source="~/azureml-examples-main/cli/endpoints/batch/deploy-models/mnist-classifier/deployment-torch/code/batch_driver.py" :::

+ :::code language="yaml" source="~/azureml-examples-main/cli/endpoints/batch/deploy-models/mnist-classifier/deployment-torch/deployment.yml" range="11-14":::

+ name="batch-torch-py38",

+ __deployment-torch/deployment.yml__

+## Run batch endpoints and access results

+Invoking a batch endpoint triggers a batch scoring job. A job `name` will be returned from the invoke response and can be used to track the batch scoring progress.

+When running models for scoring in Batch Endpoints, you need to indicate the input data path where the endpoints should look for the data you want to score. The following example shows how to start a new job over a sample data of the MNIST dataset stored in an Azure Storage Account:

+> [!NOTE]

+> __How does parallelization work?__:

+>

+> Batch deployments distribute work at the file level, which means that a folder containing 100 files with mini-batches of 10 files will generate 10 batches of 10 files each. Notice that this will happen regardless of the size of the files involved. If your files are too big to be processed in large mini-batches we suggest to either split the files in smaller files to achieve a higher level of parallelism or to decrease the number of files per mini-batch. At this moment, batch deployment can't account for skews in the file's size distribution.

+Batch endpoints support reading files or folders that are located in different locations. To learn more about how the supported types and how to specify them read [Accessing data from batch endpoints jobs](how-to-access-data-batch-endpoints-jobs.md).

+### Monitor batch job execution progress

+Batch scoring jobs usually take some time to process the entire set of inputs.

+# [Azure CLI](#tab/azure-cli)

+You can use CLI `job show` to view the job. Run the following code to check job status from the previous endpoint invoke. To learn more about job commands, run `az ml job -h`.

+# [Python](#tab/python)

+The following code checks the job status and outputs a link to the Azure Machine Learning studio for further details.

+```python

+ml_client.jobs.get(job.name)

+```

+# [Studio](#tab/azure-studio)

+1. Navigate to the __Endpoints__ tab on the side menu.

+1. Select the tab __Batch endpoints__.

+1. Select the batch endpoint you want to monitor.

+1. Select the tab __Jobs__.

+ :::image type="content" source="media/how-to-use-batch-endpoints-studio/summary-jobs.png" alt-text="Screenshot of summary of jobs submitted to a batch endpoint.":::

+1. You'll see a list of the jobs created for the selected endpoint.

+1. Select the last job that is running.

+1. You'll be redirected to the job monitoring page.

+### Check batch scoring results

+The job outputs will be stored in cloud storage, either in the workspace's default blob storage, or the storage you specified. See [Configure the output location](#configure-the-output-location) to know how to change the defaults. Follow the following steps to view the scoring results in Azure Storage Explorer when the job is completed:

+1. Run the following code to open batch scoring job in Azure Machine Learning studio. The job studio link is also included in the response of `invoke`, as the value of `interactionEndpoints.Studio.endpoint`.

+ :::code language="azurecli" source="~/azureml-examples-main/cli/endpoints/batch/deploy-models/mnist-classifier/deploy-and-run.sh" ID="show_job_in_studio" :::

+1. In the graph of the job, select the `batchscoring` step.

+1. Select the __Outputs + logs__ tab and then select **Show data outputs**.

+1. From __Data outputs__, select the icon to open __Storage Explorer__.

+ :::image type="content" source="media/how-to-use-batch-endpoint/view-data-outputs.png" alt-text="Studio screenshot showing view data outputs location." lightbox="media/how-to-use-batch-endpoint/view-data-outputs.png":::

+ The scoring results in Storage Explorer are similar to the following sample page:

+ :::image type="content" source="media/how-to-use-batch-endpoint/scoring-view.png" alt-text="Screenshot of the scoring output." lightbox="media/how-to-use-batch-endpoint/scoring-view.png":::

+ The environment definition will be included in the deployment definition itself as an anonymous environment. You'll see in the following lines in the deployment:

+

+ :::code language="yaml" source="~/azureml-examples-main/cli/endpoints/batch/deploy-models/mnist-classifier/deployment-keras/deployment.yml" range="11-14":::

+ name="batch-tensorflow-py38",

+ conda_file="deployment-keras/environment/conda.yml",

+ image="mcr.microsoft.com/azureml/openmpi4.1.0-ubuntu20.04:latest",

+ 1. On __Container registry image path__, enter `mcr.microsoft.com/azureml/openmpi4.1.0-ubuntu20.0`.

+ 1. On __Customize__ section copy the content of the file `deployment-keras/environment/conda.yml` included in the repository into the portal.

+> `Standard_DS1_v2` and `Standard_F2s_v2` may be too small for bigger models and may lead to container termination due to insufficient memory, not enough space on the disk, or probe failure as it takes too long to initiate the container. If you want to reduce the cost of deploying multiple models with managed online endpoint, see [the example for multi models](how-to-deploy-online-endpoints.md#use-more-than-one-model-in-a-deployment). If you face [OutOfQuota errors](how-to-troubleshoot-online-endpoints.md?tabs=cli#error-outofquota) or [ReourceNotReady errors](how-to-troubleshoot-online-endpoints.md?tabs=cli#error-resourcenotready), try bigger VM SKUs.

+ Title: Azure RBAC permissions required to use Azure Network Watcher capabilities

+description: Learn which Azure role-based access control (Azure RBAC) permissions are required to use Azure Network Watcher capabilities.

+Azure role-based access control (Azure RBAC) enables you to assign only the specific actions to members of your organization that they require to complete their assigned responsibilities. To use Azure Network Watcher capabilities, the account you log into Azure with, must be assigned to the [Owner](../role-based-access-control/built-in-roles.md?toc=%2fazure%2fnetwork-watcher%2ftoc.json#owner), [Contributor](../role-based-access-control/built-in-roles.md?toc=%2fazure%2fnetwork-watcher%2ftoc.json#contributor), or [Network contributor](../role-based-access-control/built-in-roles.md?toc=%2fazure%2fnetwork-watcher%2ftoc.json#network-contributor) built-in roles, or assigned to a [custom role](../role-based-access-control/custom-roles.md?toc=%2fazure%2fnetwork-watcher%2ftoc.json) that is assigned the actions listed for each Network Watcher capability in the sections that follow. To learn more about Network Watcher's capabilities, see [What is Network Watcher?](network-watcher-monitoring-overview.md).

+> [!IMPORTANT]

+> [Network contributor](../role-based-access-control/built-in-roles.md?toc=%2fazure%2fnetwork-watcher%2ftoc.json#network-contributor) does not cover Microsoft.Storage/* or Microsoft.Compute/* actions listed in [Additional actions](#additional-actions) section.

+| Microsoft.Compute/virtualMachines/extensions/Read </br> Microsoft.Compute/virtualMachines/extensions/Write| Used to check if Network Watcher extension is present, and install if necessary |

+| Microsoft.Compute/virtualMachineScaleSets/extensions/Read, </br> Microsoft.Compute/virtualMachineScaleSets/extensions/Write| Used to check if Network Watcher extension is present, and install if necessary |

+| Microsoft.Support/* | Used to create and update support tickets from Network Watcher |

+4. Select your preferred endpoint (Log Analytics workspace, Storage account, Event hub).

+5. Select the log type from the list of categories (Server Logs, Sessions data, Query Store Runtime / Wait Statistics etc.)

+ :::image type="content" source="media/howto-logging/diagnostic-setting-log-category.png" alt-text="Screenshot of choosing log categories.":::

+You can use [pg_dump](https://www.postgresql.org/docs/current/static/app-pgdump.html) to extract a PostgreSQL database into a script file and [psql](https://www.postgresql.org/docs/current/static/app-psql.html) to import the data into the target database from that file. If you want to migrate all the databases, you can use [pg_dumpall](https://www.postgresql.org/docs/current/app-pg-dumpall.html) to dump all the databases into one script file.

+zone_pivot_groups: ap5gc-portal-powershell

+ `kubectl exec -it -n core core-upf-pp-0 -c troubleshooter -- rm <path to output file>`

+ Title: Deploy a private mobile network and site - Azure CLI

+description: Learn how to deploy a private mobile network and site using Azure Command-Line Interface (Azure CLI).

+# Quickstart: Deploy a private mobile network and site - Azure CLI

+Azure Private 5G Core is an Azure cloud service for deploying and managing 5G core network functions on an Azure Stack Edge device, as part of an on-premises private mobile network for enterprises. This quickstart describes how to use an Azure CLI to deploy the following.

+- A private mobile network.

+- A site.

+- The default service and SIM policy (as described in [Default service and SIM policy](default-service-sim-policy.md)).

+- Optionally, one or more SIMs, and a SIM group.

+## Prerequisite: Prepare to deploy a private mobile network and site

+- [Complete the prerequisite tasks for deploying a private mobile network](complete-private-mobile-network-prerequisites.md) and [Commission the AKS cluster](commission-cluster.md).

+- Ensure you can sign in to the Azure portal using an account with access to the active subscription you identified in [Complete the prerequisite tasks for deploying a private mobile network](complete-private-mobile-network-prerequisites.md). This account must have the built-in Contributor or Owner role at the subscription scope.

+- [Collect the required information to deploy a private mobile network](collect-required-information-for-private-mobile-network.md). If you want to provision SIMs, you'll need to prepare a JSON file containing your SIM information, as described in [JSON file format for provisioning SIMs](collect-required-information-for-private-mobile-network.md#json-file-format-for-provisioning-sims).

+- Identify the names of the interfaces corresponding to ports 5 and 6 on the Azure Stack Edge Pro device in the site.

+- [Collect the required information for a site](collect-required-information-for-a-site.md).

+- Refer to the release notes for the current version of packet core, and whether it's supported by the version your Azure Stack Edge (ASE) is currently running. If your ASE version is incompatible with the latest packet core, [update your Azure Stack Edge Pro GPU](../databox-online/azure-stack-edge-gpu-install-update.md).

+## Azure CLI commands used in this article

+- [az mobile-network create](/cli/azure/mobile-network#az-mobile-network-create)

+- [az mobile-network site create](/cli/azure/mobile-network/site#az-mobile-network-site-create)

+- [az mobile-network pccp create](/cli/azure/mobile-network/pccp#az-mobile-network-pccp-create)

+- [az mobile-network pcdp create](/cli/azure/mobile-network/pcdp#az-mobile-network-pcdp-create)

+- [az mobile-network data-network create](/cli/azure/mobile-network/data-network#az-mobile-network-data-network-create)

+- [az mobile-network sim group create](/cli/azure/mobile-network/sim/group#az-mobile-network-sim-group-create)

+- [az mobile-network slice create](/cli/azure/mobile-network/slice#az-mobile-network-slice-create)

+- [az mobile-network service create](/cli/azure/mobile-network/service#az-mobile-network-service-create)

+- [az mobile-network sim policy create](/cli/azure/mobile-network/sim/policy#az-mobile-network-sim-policy-create)

+- [az mobile network sim create](/cli/azure/mobile-network/sim#az-mobile-network-sim-create)

+- [az mobile-network attached-data-network create](/cli/azure/mobile-network/attached-data-network#az-mobile-network-attached-data-network-create)

+## Deploy a private mobile network, site and SIM

+You must complete the following steps in order to successfully deploy a private mobile network, site and SIM. Each step must be fully complete before proceeding to the next.

+### Create a Mobile Network resource

+Use `az mobile-network create` to create a new **Mobile Network** resource. The example command uses the following placeholder values, replace them with the information gathered in [Prerequisite: Prepare to deploy a private mobile network and site](#prerequisite-prepare-to-deploy-a-private-mobile-network-and-site).

+|Placeholder|Value|

+|-|-|

+| `<MOBILENETWORK>` | Enter a name for the private mobile network. |

+| `<RESOURCEGROUP>` | Enter the name of the resource group. |

+```azurecli

+az mobile-network create --location eastus -n <MOBILENETWORK> -g <RESOURCEGROUP> --identifier mcc=001 mnc=01

+```

+### Create a Site resource

+Use `az mobile-network site` to create a new **Site** resource. The example command uses the following placeholder values, replace them with the information gathered in [Prerequisite: Prepare to deploy a private mobile network and site](#prerequisite-prepare-to-deploy-a-private-mobile-network-and-site).

+|Placeholder|Value|

+|-|-|

+| `<MOBILENETWORK>` | Enter the name of the private mobile network you created. |

+| `<SITE>` | Enter the name for the site. |

+| `<RESOURCEGROUP>` | Enter the name of the resource group. |

+```azurecli

+az mobile-network site create --mobile-network-name <MOBILENETWORK> -n <SITE> -g <RESOURCEGROUP>

+```

+### Create a Packet Core Control Plane resource

+Use `az mobile-network pccp create` to create a new **Packet Core Control Plane** resource. The example command uses the following placeholder values, replace them with the information gathered in [Prerequisite: Prepare to deploy a private mobile network and site](#prerequisite-prepare-to-deploy-a-private-mobile-network-and-site).

+|Placeholder|Value|

+|-|-|

+| `<ASE>` | Enter the name of the ASE. |

+| `<CUSTOMLOCATION>` | Enter the name of the custom location. |

+| `<MOBILENETWORK>` | Enter the name of the mobile network. |

+| `<RESOURCEGROUP>` | Enter the name of the resource group. |

+| `<CONTROLPLANE>` | Enter the name for the packet core control plane. |

+| `<SITE>` | Enter the name of the site. |

+| `<IPV4ADDRESS>` | Enter the IPv4 address of the site. |

+Obtain the ASE ID and assign it to a variable.

+```azurecli

+ASE_ID=$(databoxedge device show --device-name <ASE> -g <RESOURCEGROUP> --query "id")

+```

+Obtain the custom location ID and assign it to a variable.

+```azurecli

+CUSTOM_LOCATION_ID=$(customlocation show --name <CUSTOMLOCATION> -g <RESOURCEGROUP> --query "id")

+```

+Obtain the site ID and assign it to a variable.

+```azurecli

+SITE_ID=$(mobile-network site show --mobile-network-name <MOBILENETWORK> -g <RESOURCEGROUP> -n <SITE> --query "id")

+```

+Create the packet core control plane.

+```azurecli

+az mobile-network pccp create -n <CONTROLPLANE> -g <RESOURCEGROUP> --access-interface name=N2 ipv4Address=<IPV4ADDRESS> --local-diagnostics authentication-type=Password --platform type=AKS-HCI azure-stack-edge-device="{id:$ASE_ID}" customLocation="{id:$CUSTOM_LOCATION_ID}" --sites "[{id:$SITE_ID}]" --sku G0 --location eastus

+```

+### Create a Packet Core Data Plane resource

+Use `az mobile-network pcdp create` to create a new **Packet Core Data Plane** resource. The example command uses the following placeholder values, replace them with the information gathered in [Prerequisite: Prepare to deploy a private mobile network and site](#prerequisite-prepare-to-deploy-a-private-mobile-network-and-site).

+|Placeholder|Value|

+|-|-|

+| `<DATAPLANE>` | Enter the name for the data plane. |

+| `<RESOURCEGROUP>` | Enter the name of the resource group. |

+| `<CONTROLPLANE>` | Enter the name of the packet core control plane. |

+```azurecli

+az mobile-network pcdp create -n <DATAPLANE> -g <RESOURCEGROUP> --pccp-name <CONTROLPLANE> --access-interface name=N3

+```

+### Create a Data Network

+Use `az mobile-network data-network create` to create a new **Data Network** resource. The example command uses the following placeholder values, replace them with the information gathered in [Prerequisite: Prepare to deploy a private mobile network and site](#prerequisite-prepare-to-deploy-a-private-mobile-network-and-site).

+|Placeholder|Value|

+|-|-|

+| `<DATANETWORK>` | Enter the name for the data network. |

+| `<RESOURCEGROUP>` | Enter the name of the resource group. |

+| `<MOBILENETWORK>` | Enter the name of the private mobile network. |

+```azurecli

+az mobile-network data-network create -n <DATANETWORK> -g <RESOURCEGROUP> --mobile-network-name <MOBILENETWORK> --location eastus

+```

+### Create a SIM Group

+Use `az mobile-network sim group create` to create a new **Packet Core Data Plane** resource. The example command uses the following placeholder values, replace them with the information gathered in [Prerequisite: Prepare to deploy a private mobile network and site](#prerequisite-prepare-to-deploy-a-private-mobile-network-and-site).

+Use `` to create a new **SIM Group**. The example command uses the following placeholder values, replace them with the information gathered in [Prerequisite: Prepare to deploy a private mobile network and site](#prerequisite-prepare-to-deploy-a-private-mobile-network-and-site).

+|Variable|Placeholder|Value|

+|-|-|

+| `<MOBILENETWORK>` | Enter the name of the private mobile network. |

+| `<SIMGROUP>` | Enter the name for the sim group. |

+| `<RESOURCEGROUP>` | Enter the name of the resource group. |

+Obtain the mobile network ID and assign it to a variable.

+```azurecli

+NETWORK_ID=$(mobile-network show --mobile-network-name <MOBILENETWORK> -g <RESOURCEGROUP> --query "id")

+```

+Create the SIM group.

+```azurecli

+az mobile-network sim group create -n <SIMGROUP> -g <RESOURCEGROUP> --mobile-network "{id:$NETWORK_ID}"

+```

+### Create a Slice

+Use `az mobile-network slice create` to create a new **Slice**. The example command uses the following placeholder values, replace them with the information gathered in [Prerequisite: Prepare to deploy a private mobile network and site](#prerequisite-prepare-to-deploy-a-private-mobile-network-and-site).

+|Placeholder|Value|

+|-|-|

+| `<MOBILENETWORK>` | Enter the name for the private mobile network. |

+| `<RESOURCEGROUP>` | Enter the name of the resource group. |

+| `<SLICE>` | Enter the name of the slice. |

+```azurecli

+az mobile-network slice create --mobile-network-name <MOBILENETWORK> -n <SLICE> -g <RESOURCEGROUP> --snssai "{sst:1,sd:123abc}"

+```

+### Create a Service

+Use `az mobile-network service create` to create a new **Service**. The example command uses the following placeholder values, replace them with the information gathered in [Prerequisite: Prepare to deploy a private mobile network and site](#prerequisite-prepare-to-deploy-a-private-mobile-network-and-site).

+|Placeholder|Value|

+|-|-|

+| `<SERVICE>` | Enter the name of the service. |

+| `<MOBILENETWORK>` | Enter the name for the private mobile network. |

+| `<RESOURCEGROUP>` | Enter the name of the resource group. |

+```azurecli

+az mobile-network service create -n <SERVICE> -g <RESOURCEGROUP> --mobile-network-name <MOBILENETWORK> --pcc-rules "[{ruleName:default-rule,rulePrecedence:10,serviceDataFlowTemplates:[{templateName:IP-to-server,direction:Uplink,protocol:[ip],remoteIpList:[10.3.4.0/24]}]}]" --service-precedence 10

+```

+### Create a SIM Policy

+Use `az mobile-network sim policy create` to create a new **SIM Policy**. The example command uses the following placeholder values, replace them with the information gathered in [Prerequisite: Prepare to deploy a private mobile network and site](#prerequisite-prepare-to-deploy-a-private-mobile-network-and-site).

+|Placeholder|Value|

+|-|-|

+| `<SLICE>` | Enter the name of the slice. |

+| `<DATANETWORK>` | Enter the name of the data network. |

+| `<SERVICE>` | Enter the name of the service. |

+| `<RESOURCEGROUP>` | Enter the name of the resource group. |

+| `<SIMPOLICY>` | Enter the name for the SIM policy. |

+| `<MOBILENETWORK>` | Enter the name for the private mobile network. |

+Obtain the slice ID and assign it to a variable.

+```azurecli

+SLICE_ID=$(mobile-network slice show --mobile-network-name <MOBILENETWORK> -g <RESOURCEGROUP> -n <SLICE> --query "id")

+```

+Obtain the data network ID and assign it to a variable.

+```azurecli

+DATANETWORK_ID=$(mobile-network data-network show -n <DATANETWORK> --mobile-network-name <MOBILENETWORK> -g <RESOURCEGROUP> --query "id")

+```

+Obtain the service ID and assign it to a variable.

+```azurecli

+SERVICE_ID=$(mobile-network service show -n <SERVICE> --mobile-network-name <MOBILENETWORK> -g <RESOURCEGROUP> --query "id")

+```

+Create the SIM policy.

+```azurecli

+az mobile-network sim policy create -g <RESOURCEGROUP> -n <SIMPOLICY> --mobile-network-name <MOBILENETWORK> --default-slice '{id:$SLICE_ID}' --slice-config "[{slice:{id:$SLICE_ID},defaultDataNetwork:{id:$DATANETWORK_ID},dataNetworkConfigurations:[{dataNetwork:{id:$DATANETWORK_ID},allowed

+```

+### Create a SIM

+Use `` to create a new **SIM**. The example command uses the following placeholder values, replace them with the information gathered in [Prerequisite: Prepare to deploy a private mobile network and site](#prerequisite-prepare-to-deploy-a-private-mobile-network-and-site).

+|Placeholder|Value|

+|-|-|

+| `<SIMGROUP>` | Enter the name of the SIM group. |

+| `<SIM> ` | Enter the name for the SIM. |

+| `<RESOURCEGROUP>` | Enter the name of the resource group. |

+```azurecli

+az mobile-network sim create -g <RESOURCEGROUP> --sim-group-name <SIMGROUP> -n <SIM> --international-msi 0000000000 --operator-key-code 00000000000000000000000000000000 --authentication-key 00000000000000000000000000000000

+```

+### Attach the Data Network

+Use `az mobile-network attached-data-network create` to attach the **Data Network** you created. The example command uses the following placeholder values, replace them with the information gathered in [Prerequisite: Prepare to deploy a private mobile network and site](#prerequisite-prepare-to-deploy-a-private-mobile-network-and-site).

+|Placeholder|Value|

+|-|-|

+| `<DATANETWORK>` | Enter the name for the data network. |

+| `<CONTROLPLANE>` | Enter the name of the packet core control plane. |

+| `<DATAPLANE>` | Enter the name of the packet core data plane. |

+| `<RESOURCEGROUP>` | Enter the name of the resource group. |

+```azurecli

+az mobile-network attached-data-network create -n <DATANETWORK> -g <RESOURCEGROUP> --pccp-name <CONTROLPLANE> --pcdp-name <DATAPLANE> --dns-addresses "[1.1.1.1]" --data-interface name=N6 --address-pool 192.168.1.0/24

+```

+## Clean up resources

+If you do not want to keep your deployment, [delete the resource group](../azure-resource-manager/management/delete-resource-group.md?tabs=azure-portal#delete-resource-group).

+## Next steps

+If you have kept your deployment, you can either begin designing policy control to determine how your private mobile network handles traffic, or you can add more sites to your private mobile network.

+- [Learn more about designing the policy control configuration for your private mobile network](policy-control.md).

+- [Collect the required information for a site](collect-required-information-for-a-site.md).

+ Title: Deploy a private mobile network and site - Azure PowerShell

+description: Learn how to deploy a private mobile network and site using Azure PowerShell.

+# Quickstart: Deploy a private mobile network and site - Azure PowerShell

+Azure Private 5G Core is an Azure cloud service for deploying and managing 5G core network functions on an Azure Stack Edge device, as part of an on-premises private mobile network for enterprises. This quickstart describes how to use an Azure PowerShell to deploy the following.

+- A private mobile network.

+- A site.

+- The default service and SIM policy (as described in [Default service and SIM policy](default-service-sim-policy.md)).

+- Optionally, one or more SIMs, and a SIM group.

+## Prerequisite: Prepare to deploy a private mobile network and site

+- [Complete the prerequisite tasks for deploying a private mobile network](complete-private-mobile-network-prerequisites.md) and [Commission the AKS cluster](commission-cluster.md).

+- Ensure you can sign in to the Azure portal using an account with access to the active subscription you identified in [Complete the prerequisite tasks for deploying a private mobile network](complete-private-mobile-network-prerequisites.md). This account must have the built-in Contributor or Owner role at the subscription scope.

+- [Collect the required information to deploy a private mobile network](collect-required-information-for-private-mobile-network.md). If you want to provision SIMs, you'll need to prepare a JSON file containing your SIM information, as described in [JSON file format for provisioning SIMs](collect-required-information-for-private-mobile-network.md#json-file-format-for-provisioning-sims).

+- Identify the names of the interfaces corresponding to ports 5 and 6 on the Azure Stack Edge Pro device in the site.

+- [Collect the required information for a site](collect-required-information-for-a-site.md).

+- Refer to the release notes for the current version of packet core, and whether it's supported by the version your Azure Stack Edge (ASE) is currently running. If your ASE version is incompatible with the latest packet core, [update your Azure Stack Edge Pro GPU](../databox-online/azure-stack-edge-gpu-install-update.md).

+## Azure PowerShell commands used in this article

+- [New-AzMobileNetwork](/powershell/module/az.mobilenetwork/new-azmobilenetwork)

+- [New-AzMobileNetworkSite](/powershell/module/az.mobilenetwork/new-azmobilenetworksite)

+- [New-AzMobileNetworkPacketCoreControlPlane](/powershell/module/az.mobilenetwork/new-azmobilenetworkpacketcorecontrolplane)

+- [New-AzMobileNetworkPacketCoreDataPlane](/powershell/module/az.mobilenetwork/new-azmobilenetworkpacketcoredataplane)

+- [New-AzMobileNetworkDataNetwork](/powershell/module/az.mobilenetwork/new-azmobilenetworkdatanetwork)

+- [New-AzMobileNetworkSimGroup](/powershell/module/az.mobilenetwork/new-azmobilenetworksimgroup)

+- [New-AzMobileNetworkSlice](/powershell/module/az.mobilenetwork/new-azmobilenetworkslice)

+- [New-AzMobileNetworkServiceResourceIdObject](/powershell/module/az.mobilenetwork/new-azmobilenetworkserviceresourceidobject)

+- [New-AzMobileNetworkSim](/powershell/module/az.mobilenetwork/new-azmobilenetworksim)

+- [New-AzMobileNetworkSimStaticIPPropertiesObject](/powershell/module/az.mobilenetwork/new-azmobilenetworksimstaticippropertiesobject)

+- [New-AzMobileNetworkAttachedDataNetwork](/powershell/module/az.mobilenetwork/new-azmobilenetworkattacheddatanetwork)

+## Sign in to Azure

+## Deploy a private mobile network, site and SIM

+You must complete the following steps in order to successfully deploy a private mobile network, site and SIM. Each step must be fully complete before proceeding to the next.

+Several commands will require the ID of the Azure subscription in which the Azure resources are to be deployed. This appears as `<SUB_ID>` in the commands below. Obtain that value before you proceed.

+### Create a Mobile Network resource

+Use `New-AzMobileNetwork` to create a new **Mobile Network** resource. The example command uses the following placeholder values, replace them with the information gathered in [Prerequisite: Prepare to deploy a private mobile network and site](#prerequisite-prepare-to-deploy-a-private-mobile-network-and-site).

+|Placeholder|Value|

+|-|-|

+| `<MOBILENETWORK>` | Enter a name for the private mobile network. |

+| `<RESOURCEGROUP>` | Enter the name of the resource group. |

+```powershell

+New-AzMobileNetwork -Name <MOBILENETWORK> -ResourceGroupName <RESOURCEGROUP> -Location eastus -PublicLandMobileNetworkIdentifierMcc 001 -PublicLandMobileNetworkIdentifierMnc 01

+```

+### Create a Site resource

+Use `New-AzMobileNetworkSite` to create a new **Site** resource. The example command uses the following placeholder values, replace them with the information gathered in [Prerequisite: Prepare to deploy a private mobile network and site](#prerequisite-prepare-to-deploy-a-private-mobile-network-and-site).

+|Placeholder|Value|

+|-|-|

+| `<MOBILENETWORK>` | Enter the name of the private mobile network you created. |

+| `<SITE>` | Enter the name for the site. |

+| `<RESOURCEGROUP>` | Enter the name of the resource group. |

+| `<SUB_ID>` | The ID of the Azure subscription in which the Azure resources are to be deployed. |

+```powershell

+New-AzMobileNetworkSite -MobileNetworkName <MOBILENETWORK> -Name <SITE> -ResourceGroupName <RESOURCEGROUP> -Location eastus

+```

+Create a variable containing the **Site** resource's ID.

+```powershell

+$siteResourceId = New-AzMobileNetworkSiteResourceIdObject -Id /subscriptions/<SUB_ID>/resourceGroups/<RESOURCEGROUP>/providers/Microsoft.MobileNetwork/mobileNetworks/<MOBILENETWORK>/sites/<SITE>

+```

+### Create a Packet Core Control Plane resource

+Use `New-AzMobileNetworkPacketCoreControlPlane` to create a new **Packet Core Control Plane** resource. The example command uses the following placeholder values, replace them with the information gathered in [Prerequisite: Prepare to deploy a private mobile network and site](#prerequisite-prepare-to-deploy-a-private-mobile-network-and-site).

+|Placeholder|Value|

+|-|-|

+| `<CONTROLPLANE>` | Enter the name for the packet core control plane. |

+| `<RESOURCEGROUP>` | Enter the name of the resource group. |

+| `<SUB_ID>` | The ID of the Azure subscription in which the Azure resources are to be deployed. |

+```powershell

+$aseId = "/subscriptions/<SUB_ID>/resourceGroups/<RESOURCEGROUP>/providers/Microsoft.DataBoxEdge/DataBoxEdgeDevices/<ASE>"

+$customLocationId = "/subscriptions/<SUB_ID>/resourceGroups/<RESOURCEGROUP>/providers/Microsoft.ExtendedLocation/customLocations/<CUSTOMLOCATION>"

+New-AzMobileNetworkPacketCoreControlPlane -Name <CONTROLPLANE> -ResourceGroupName <RESOURCEGROUP> -LocalDiagnosticAccessAuthenticationType Password -Location eastus -PlatformType AKS-HCI -Site $siteResourceId -Sku G0 -ControlPlaneAccessInterfaceIpv4Address 10.232.44.56 -ControlPlaneAccessInterfaceName N2 -AzureStackEdgeDeviceId $aseId -CustomLocationId $customLocationId

+```

+### Create a Packet Core Data Plane resource

+Use `New-AzMobileNetworkPacketCoreDataPlane` to create a new **Packet Core Data Plane** resource. The example command uses the following placeholder values, replace them with the information gathered in [Prerequisite: Prepare to deploy a private mobile network and site](#prerequisite-prepare-to-deploy-a-private-mobile-network-and-site).

+|Placeholder|Value|

+|-|-|

+| `<DATAPLANE>` | Enter the name for the data plane. |

+| `<CONTROLPLANE>` | Enter the name of the packet core control plane. |

+| `<RESOURCEGROUP>` | Enter the name of the resource group. |

+```powershell

+New-AzMobileNetworkPacketCoreDataPlane -Name <DATAPLANE> -PacketCoreControlPlaneName <CONTROLPLANE> -ResourceGroupName <RESOURCEGROUP> -Location eastus -UserPlaneAccessInterfaceName N3

+```

+### Create a Data Network

+Use `New-AzMobileNetworkDataNetwork` to create a new **Data Network** resource. The example command uses the following placeholder values, replace them with the information gathered in [Prerequisite: Prepare to deploy a private mobile network and site](#prerequisite-prepare-to-deploy-a-private-mobile-network-and-site).

+|Placeholder|Value|

+|-|-|

+| `<MOBILENETWORK>` | Enter the name of the private mobile network. |

+| `<DATANETWORK>` | Enter the name for the data network. |

+| `<RESOURCEGROUP>` | Enter the name of the resource group. |

+| `<SUB_ID>` | The ID of the Azure subscription in which the Azure resources are to be deployed. |

+```powershell

+New-AzMobileNetworkDataNetwork -MobileNetworkName <MOBILENETWORK> -Name

+ <DATANETWORK> -ResourceGroupName <RESOURCEGROUP> -Location eastus

+```

+Create a variable for the **Data Network** resource's configuration.

+```powershell

+$dataNetworkConfiguration = New-AzMobileNetworkDataNetworkConfigurationObject -AllowedService $ServiceResourceId -DataNetworkId "/subscriptions/<SUB_ID>/resourceGroups/<RESOURCEGROUP>/providers/Microsoft.MobileNetwork/mobileNetworks/<MOBILENETWORK>/dataNetworks/<DATANETWORK>" -SessionAmbrDownlink "1 Gbps" -SessionAmbrUplink "500 Mbps" -FiveQi 9 -AllocationAndRetentionPriorityLevel 9 -DefaultSessionType 'IPv4' -MaximumNumberOfBufferedPacket 200 -PreemptionCapability 'NotPreempt' -PreemptionVulnerability 'Preemptable'

+```

+### Create a SIM Group

+Use `New-AzMobileNetworkSimGroup` to create a new **SIM Group**. The example command uses the following placeholder values, replace them with the information gathered in [Prerequisite: Prepare to deploy a private mobile network and site](#prerequisite-prepare-to-deploy-a-private-mobile-network-and-site).

+|Variable|Placeholder|Value|

+|-|-|

+| `<SIMGROUP>` | Enter the name for the sim group. |

+| `<RESOURCEGROUP>` | Enter the name of the resource group. |

+| `<SUB_ID>` | The ID of the Azure subscription in which the Azure resources are to be deployed. |

+```powershell

+New-AzMobileNetworkSimGroup -Name <SIMGROUP> -ResourceGroupName <RESOURCEGROUP> -Location eastus -MobileNetworkId "/subscriptions/<SUB_ID>/resourceGroups/<RESOURCEGROUP>/providers/Microsoft.MobileNetwork/mobileNetworks/MOBILENETWORK8"

+```

+Confirm that you want to perform the action by typing <kbd>Y</kbd>.

+### Create a Slice

+Use `New-AzMobileNetworkSlice` to create a new **Slice**. The example command uses the following placeholder values, replace them with the information gathered in [Prerequisite: Prepare to deploy a private mobile network and site](#prerequisite-prepare-to-deploy-a-private-mobile-network-and-site).

+|Placeholder|Value|

+|-|-|

+| `<MOBILENETWORK>` | Enter the name for the private mobile network. |

+| `<RESOURCEGROUP>` | Enter the name of the resource group. |

+| `<SLICE>` | Enter the name of the slice. |

+| `<SUB_ID>` | The ID of the Azure subscription in which the Azure resources are to be deployed. |

+```powershell

+New-AzMobileNetworkSlice -MobileNetworkName <MOBILENETWORK> -ResourceGroupName <RESOURCEGROUP> -SliceName <SLICE> -Location eastus -SnssaiSst 1

+```

+Create a variable for the **Slice** resource's configuration.

+```powershell

+$sliceConfiguration = New-AzMobileNetworkSliceConfigurationObject -DataNetworkConfiguration $dataNetworkConfiguration -DefaultDataNetworkId "/subscriptions/<SUB_ID>/resourceGroups/<RESOURCEGROUP>/providers/Microsoft.MobileNetwork/mobileNetworks/<MOBILENETWORK>/dataNetworks/<DATANETWORK>" -SliceId "/subscriptions/<SUB_ID>/resourceGroups/<RESOURCEGROUP>/providers/Microsoft.MobileNetwork/mobileNetworks/<MOBILENETWORK>/slices/<SLICE>"

+```

+### Create a Service

+Use `New-AzMobileNetworkService` to create a new **Service**. The example command uses the following placeholder values, replace them with the information gathered in [Prerequisite: Prepare to deploy a private mobile network and site](#prerequisite-prepare-to-deploy-a-private-mobile-network-and-site).

+|Placeholder|Value|

+|-|-|

+| `<MOBILENETWORK>` | Enter the name for the private mobile network. |

+| `<RESOURCEGROUP>` | Enter the name of the resource group. |

+| `<SERVICE>` | Enter the name of the service. |

+| `<SUB_ID>` | The ID of the Azure subscription in which the Azure resources are to be deployed. |

+```powershell

+$dataFlowTemplates = New-AzMobileNetworkServiceDataFlowTemplateObject -Direction Bidirectional -Protocol ip -RemoteIPList any -TemplateName any

+$pccRule = New-AzMobileNetworkPccRuleConfigurationObject -RuleName rule_any -RulePrecedence 199 -ServiceDataFlowTemplate $dataFlowTemplates

+New-AzMobileNetworkService -MobileNetworkName <MOBILENETWORK> -Name <SERVICE> -ResourceGroupName <RESOURCEGROUP> -Location eastus -PccRule $pccRule -ServicePrecedence 255

+```

+Create a variable for the **Service** resource's ID.

+```powershell

+$serviceResourceId = New-AzMobileNetworkServiceResourceIdObject -Id "/subscriptions/<SUB_ID>/resourceGroups/<RESOURCEGROUP>/providers/Microsoft.MobileNetwork/mobileNetworks/<MOBILENETWORK>/services/<SERVICE>"

+```

+### Create a SIM Policy

+Use `New-AzMobileNetworkSimPolicy` to create a new **SIM Policy**. The example command uses the following placeholder values, replace them with the information gathered in [Prerequisite: Prepare to deploy a private mobile network and site](#prerequisite-prepare-to-deploy-a-private-mobile-network-and-site).

+|Placeholder|Value|

+|-|-|

+| `<RESOURCEGROUP>` | Enter the name of the resource group. |

+| `<MOBILENETWORK>` | Enter the name for the private mobile network. |

+| `<SERVICE>` | Enter the name of the service. |

+| `<DATANETWORK>` | Enter the name for the data network. |

+| `<SLICE>` | Enter the name of the slice. |

+| `<SIMPOLICY>` | Enter the name for the SIM policy. |

+| `<SUB_ID>` | The ID of the Azure subscription in which the Azure resources are to be deployed. |

+```powershell

+New-AzMobileNetworkSimPolicy -MobileNetworkName <MOBILENETWORK> -Name <SIMPOLICY> -ResourceGroupName <RESOURCEGROUP> -DefaultSliceId "/subscriptions/<SUB_ID>/resourceGroups/<RESOURCEGROUP>/providers/Microsoft.MobileNetwork/mobileNetworks/<MOBILENETWORK>/slices/<SLICE>" -Location eastus -SliceConfiguration $sliceConfiguration -UeAmbrDownlink "2 Gbps" -UeAmbrUplink "2 Gbps"

+```

+### Create a SIM

+Use `New-AzMobileNetworkSim` to create a new **SIM**. The example command uses the following placeholder values, replace them with the information gathered in [Prerequisite: Prepare to deploy a private mobile network and site](#prerequisite-prepare-to-deploy-a-private-mobile-network-and-site).

+|Placeholder|Value|

+|-|-|

+| `<SIMGROUP>` | Enter the name of the SIM group. |

+| `<SIM>` | Enter the name for the SIM. |

+| `<RESOURCEGROUP>` | Enter the name of the resource group. |

+| `<MOBILENETWORK>` | Enter the name for the private mobile network. |

+| `<SERVICE>` | Enter the name of the service. |

+| `<DATANETWORK>` | Enter the name for the data network. |

+| `<SLICE>` | Enter the name of the slice. |

+| `<SIMPOLICY>` | Enter the name of the SIM policy. |

+| `<SUB_ID>` | The ID of the Azure subscription in which the Azure resources are to be deployed. |

+```powershell

+$staticIp = New-AzMobileNetworkSimStaticIPPropertiesObject -StaticIPIpv4Address 10.0.0.20

+New-AzMobileNetworkSim -GroupName <SIMGROUP> -Name <SIM> -ResourceGroupName <RESOURCEGROUP> -InternationalMobileSubscriberIdentity 000000000000001 -AuthenticationKey 00112233445566778899AABBCCDDEEFF -DeviceType Mobile -IntegratedCircuitCardIdentifier 8900000000000000001 -OperatorKeyCode 00000000000000000000000000000001 -SimPolicyId "/subscriptions/<SUB_ID>/resourceGroups/<RESOURCEGROUP>/providers/Microsoft.MobileNetwork/mobileNetworks/<MOBILENETWORK>/simPolicies/<SIMPOLICY>" -StaticIPConfiguration $staticIp

+```

+### Attach the Data Network

+Use `New-AzMobileNetworkAttachedDataNetwork` to attach the **Data Network** you created. The example command uses the following placeholder values, replace them with the information gathered in [Prerequisite: Prepare to deploy a private mobile network and site](#prerequisite-prepare-to-deploy-a-private-mobile-network-and-site).

+|Placeholder|Value|

+|-|-|

+| `<DATANETWORK>` | Enter the name for the data network. |

+| `<CONTROLPLANE>` | Enter the name of the packet core control plane. |

+| `<DATAPLANE>` | Enter the name of the packet core data plane. |

+| `<RESOURCEGROUP>` | Enter the name of the resource group. |

+```powershell

+ New-AzMobileNetworkAttachedDataNetwork -Name <DATANETWORK> -PacketCoreControlPlaneName <CONTROLPLANE> -PacketCoreDataPlaneName <DATAPLANE> -ResourceGroupName <RESOURCEGROUP> -DnsAddress "1.1.1.1" -Location eastus -UserPlaneDataInterfaceName N6 -UserEquipmentAddressPoolPrefix "192.168.1.0/24"

+```

+## Clean up resources

+If you do not want to keep your deployment, [delete the resource group](../azure-resource-manager/management/delete-resource-group.md?tabs=azure-portal#delete-resource-group).

+## Next steps

+If you have kept your deployment, you can either begin designing policy control to determine how your private mobile network handles traffic, or you can add more sites to your private mobile network.

+- [Learn more about designing the policy control configuration for your private mobile network](policy-control.md).

+- [Collect the required information for a site](collect-required-information-for-a-site.md).

+zone_pivot_groups: ap5gc-portal-powershell

+- The Copy and Clone commands in Azure Storage Explorer require additional IAM permissions to work in addition to the Allow Modify policy from Purview. Provide Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action permission in IAM to the Azure AD principal.

+> * If a field contains double quotes, the double quotes can only appear at the beginning and end of the field and must be matched. Double quotes that appear in the middle of the field or appear at the beginning and end but are not matched will be recognized as bad data and there will be no schema get parsed from the file. Rows that have different number of columns than the header row will be judged as error rows. (numbers of error rows / numbers of rows sampled ) must be less than 0.1.

+A compound or embedded document (such as a ZIP archive, a Word document with embedded Outlook email containing attachments, or an .MSG file with attachments) is also indexed as a single document. For example, all images extracted from the attachments of an .MSG file will be returned in the normalized_images field. If you have images, consider adding [AI enrichment](cognitive-search-concept-intro.md) to get more search utility from that content.

+Textual content of a document is extracted into a string field named "content". You can also extract standard and user-defined metadata.

+Azure subscribers may manage their cloud environments from multiple devices, including management workstations, developer PCs, and even privileged end-user devices that have task-specific permissions. In some cases, administrative functions are performed through web-based consoles such as the [Azure portal](https://azure.microsoft.com/features/azure-portal/). In other cases, there may be direct connections to Azure from on-premises systems over Virtual Private Networks (VPNs), Terminal Services, client application protocols, or (programmatically) the Azure classic deployment model. Additionally, client endpoints can be either domain joined or isolated and unmanaged, such as tablets or smartphones.

+The potential for attacks increases in this type of environment because it's challenging to construct security policies and mechanisms to appropriately manage access to Azure interfaces (such as SMAPI) from widely varied endpoints.

+Even with tight controls on primary administrator accounts, lower-level user accounts can be used to exploit weaknesses in one's security strategy. Lack of appropriate security training can also lead to breaches through accidental disclosure or exposure of account information.

+For more secure management and operations, you can minimize a client's attack surface by reducing the number of possible entry points. This can be done through security principles: "separation of duties" and "segregation of environments."

+* Administrative tasks shouldn't be combined with activities that might lead to a compromise (for example, malware in an administrator's email that then infects an infrastructure server).

+* A workstation used for high-sensitivity operations shouldn't be the same system used for high-risk purposes such as browsing the Internet.

+Reduce the system's attack surface by removing unnecessary software. Example:

+* Standard administrative, support, or development workstation shouldn't require installation of an email client or other productivity applications if the device's main purpose is to manage cloud services.

+* Authentication and [Azure role-based access control (Azure RBAC)](../../role-based-access-control/overview.md).

+With client-side security configuration and datacenter deployment of a management gateway, it's possible to restrict and monitor administrator access to cloud applications and data.

+Using a least-privilege minimized software footprint in a locked-down workstation for cloud management and for application development can reduce the risk of security incidents by standardizing the remote management and development environments. A hardened workstation configuration can help prevent the compromise of accounts that are used to manage critical cloud resources by closing many common avenues used by malware and exploits. Specifically, you can use [Windows AppLocker](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd759117(v=ws.11)) and Hyper-V technology to control and isolate client system behavior and mitigate threats, including email or Internet browsing.

+On a hardened workstation, the administrator runs a standard user account (which blocks administrative-level execution) and associated applications are controlled by an allowlist. The basic elements of a hardened workstation are as follows:

+* Limited functionality. Uninstall any applications that aren't needed and disable unnecessary (startup) services.

+* Execution restriction. Allow only a set of predefined executable files that are needed for management to run (referred to as "default-deny"). By default, users should be denied permission to run any program unless it's explicitly defined in the allowlist.

+* Least privilege. Management workstation users shouldn't have any administrative privileges on the local machine itself. This way, they can't change the system configuration or the system files, either intentionally or unintentionally.

+Virtual Machine deployed applications provide their own client tools and interfaces as needed, such as the Microsoft Management Console (MMC), an enterprise management console (such as Microsoft System Center or Windows Intune), or another management application Microsoft SQL Server Management Studio, for example. These tools typically reside in an enterprise environment or client network. They may depend on specific network protocols, such as Remote Desktop Protocol (RDP), that require direct, stateful connections. Some may have web-enabled interfaces that shouldn't be openly published or accessible via the Internet.

+You can restrict access to infrastructure and platform services management in Azure by using [multi-factor authentication](../../active-directory/authentication/concept-mfa-howitworks.md), X.509 management certificates, and firewall rules. The Azure portal and SMAPI require Transport Layer Security (TLS). However, services and applications that you deploy into Azure require you to take protection measures that are appropriate based on your application. These mechanisms can frequently be enabled more easily through a standardized hardened workstation configuration.

+In general, helping to secure administrator workstations for use with the cloud is similar to the practices used for any workstation on-premises. For example, minimized build and restrictive permissions. Some unique aspects of cloud management are more akin to remote or out-of-band enterprise management. These include the use and auditing of credentials, security-enhanced remote access, and threat detection and response.

+Some applications or services that you deploy into Azure may have their own authentication mechanisms for both end-user and administrator access, whereas others take full advantage of Azure AD. Depending on whether you're federating credentials via Active Directory Federation Services (AD FS), using directory synchronization or maintaining user accounts solely in the cloud, using [Microsoft Identity Manager](/microsoft-identity-manager/) (part of Azure AD Premium) helps you manage identity lifecycles between the resources.

+Several mechanisms are available to help secure client connections to your Azure virtual networks. Two of these mechanisms, site-to-site VPN (S2S) and [point-to-site VPN](../../vpn-gateway/vpn-gateway-howto-point-to-site-classic-azure-portal.md) (P2S), enable the use of industry standard IPsec (S2S) for encryption and tunneling. When Azure is connecting to public-facing Azure services management such as the Azure portal, Azure requires Hypertext Transfer Protocol Secure (HTTPS).

+A stand-alone hardened workstation that doesn't connect to Azure through an RD Gateway should use the SSTP-based point-to-site VPN to create the initial connection to the Azure Virtual Network, and then establish RDP connection to individual virtual machines from with the VPN tunnel.

+We recommend three primary configurations for a hardened workstation. The biggest differentiators between them are cost, usability, and accessibility, while maintaining a similar security profile across all options. The following table provides a short analysis of the benefits and risks to each. (Note that "corporate PC" refers to a standard desktop PC configuration that would be deployed for all domain users, regardless of roles.)

+It's important that the hardened workstation is the host and not the guest, with nothing between the host operating system and the hardware. Following the "clean source principle" (also known as "secure origin") means that the host should be the most hardened. Otherwise, the hardened workstation (guest) is subject to attacks on the system on which it's hosted.

+With a stand-alone hardened workstation, administrators have a PC or laptop that they use for administrative tasks and another, separate PC or laptop for non-administrative tasks. In the stand-alone hardened workstation scenario (shown below), the local instance of Windows Firewall (or a non-Microsoft client firewall) is configured to block inbound connections, such as RDP. The administrator can log on to the hardened workstation and start an RDP session that connects to Azure after establishing a VPN connect with an Azure Virtual Network, but can't log on to a corporate PC and use RDP to connect to the hardened workstation itself.

+To avoid several security risks that can arise from using one workstation for systems management and other daily work tasks, you can deploy a Windows Hyper-V virtual machine to the hardened workstation. This virtual machine can be used as the corporate PC. The corporate PC environment can remain isolated from the Host, which reduces its attack surface and removes the user's daily activities (such as email) from coexisting with sensitive administrative tasks.

+The corporate PC virtual machine runs in a protected space and provides user applications. The host remains a "clean source" and enforces strict network policies in the root operating system (for example, blocking RDP access from the virtual machine).

+Consider the following additional guidelines when you're managing applications and data in Azure.

+Don't assume that because a workstation has been locked down that other common security requirements don't need to be met. The potential risk is higher because of elevated access levels that administrator accounts generally possess. Examples of risks and their alternate safe practices are shown in the table below.

+| Don't share accounts and passwords between administrators, or reuse passwords across multiple user accounts or services, particularly those for social media or other nonadministrative activities. |Create a dedicated Microsoft account to manage your Azure subscription, an account that is not used for personal email. |

+| Don't expose management ports to the Internet. |Lock down Azure ports and IP addresses to restrict management access. |

+Within Microsoft's operation of Azure, operations engineers and support personnel who access Azure's production systems use [hardened workstation PCs with VMs](#stand-alone-hardened-workstation-for-management) provisioned on them for internal corporate network access and applications (such as e-mail, intranet, etc.). All management workstation computers have TPMs, the host boot drive is encrypted with BitLocker, and they're joined to a special organizational unit (OU) in Microsoft's primary corporate domain.

+In addition, dedicated jump-boxes on Microsoft's network that require two-factor authentication are used to connect to Azure's production network.

+* A web browser is a key entry point for harmful code due to its extensive interactions with external servers. Review your client policies and enforce running in protected mode, disabling add-ons, and disabling file downloads. Ensure that security warnings are displayed. Take advantage of Internet zones and create a list of trusted sites for which you have configured reasonable hardening. Block all other sites and in-browser code, such as ActiveX and Java.

+* Standard user. Running as a standard user brings a number of benefits, the biggest of which is that stealing administrator credentials via malware becomes more difficult. In addition, a standard user account doesn't have elevated privileges on the root operating system, and many configuration options and APIs are locked out by default.

+* Code signing. Code signing all tools and scripts used by administrators provides a manageable mechanism for deploying application lockdown policies. Hashes don't scale with rapid changes to the code, and file paths don't provide a high level of security. [Set the PowerShell execution policies for Windows computers](/powershell/module/microsoft.powershell.security/set-executionpolicy).

+* Patching. Maintain a consistent build (or have separate images for development, operations, and other administrative tasks), scan for changes and malware routinely, keep the build up to date, and only activate machines when they're needed.

+* Governance. Use AD DS GPOs to control all the administrators' Windows interfaces, such as file sharing. Include management workstations in auditing, monitoring, and logging processes. Track all administrator and developer access and usage.

+The following resources are available to provide more general information about Azure and related Microsoft

+* [Securing Privileged Access](/windows-server/identity/securing-privileged-access/securing-privileged-access) - get the technical details for designing and building a secure administrative workstation for Azure management

+* [Microsoft Trust Center](https://microsoft.com/trustcenter/cloudservices/azure) - learn about Azure platform capabilities that protect the Azure fabric and the workloads that run on Azure

+* [Microsoft Security Response Center](https://www.microsoft.com/msrc) - where Microsoft security vulnerabilities, including issues with Azure, can be reported or via email to [secure@microsoft.com](mailto:secure@microsoft.com)

+| <a name="eventuid"></a>**EventUid** | Recommended | String | The unique ID of the record, as assigned by Microsoft Sentinel. This field is typically mapped to the `_ItemId` Log Analytics field. |

+| <a name="eventoriginaltype"></a>**EventOriginalType** | Optional | String | The original event type or ID, if provided by the source. For example, this field is used to store the original Windows event ID. This value is used to derive [EventType](#eventtype), which should have only one of the values documented for each schema.<br><br>Example: `4624`|

+| <a name="eventoriginalsubtype"></a>**EventOriginalSubType** | Optional | String | The original event subtype or ID, if provided by the source. For example, this field is used to store the original Windows logon type. This value is used to derive [EventSubType](#eventsubtype), which should have only one of the values documented for each schema.<br><br>Example: `2`|

+The role of the device fields is different for different schemas and event types. For example:

+- For the Network Session events, device fields usually provide information about the device that generated the event

+- For the Process events, the device fields provide information on the device on that the process is executed.

+Each schema document specifies the role of the device for the schema.

+| <a name="dvcdomaintype"></a>**DvcDomainType** | Conditional | Enumerated | The type of [DvcDomain](#dvcdomain). For a list of allowed values and further information, refer to [DomainType](normalization-about-schemas.md#domaintype).<br><br>**Note**: This field is required if the [DvcDomain](#dvcdomain) field is used. |

+| <a name="dvcidtype"></a>**DvcIdType** | Conditional | Enumerated | The type of [DvcId](#dvcid). For a list of allowed values and further information, refer to [DvcIdType](#dvcidtype).<br>- `MDEid`<br><br>If multiple IDs are available, use the first one from the list, and store the others by using the field names **DvcAzureResourceId** and **DvcMDEid**, respectively.<br><br>**Note**: This field is required if the [DvcId](#dvcid) field is used. |

+| <a name="dvcinterface"></a>**DvcInterface** | Optional | String | The network interface on which data was captured. This field is typically relevant to network related activity, which is captured by an intermediate or tap device. |

+- The `EventOwner` field has been added to the common fields on Dec 1, 2022, and therefore to all of the schemas.

+- The `EventUid` field has been added to the common fields on Dec 26, 2022, and therefore to all of the schemas.

+| `AWS` | - `CloudTrail`<br> - `VPC` |

+| `Cisco` | - `ASA`<br> - `Umbrella`<br> - `IOS`<br> - `Meraki` |

+| `Corelight` | `Zeek` |

+| `Cynerio` | `Cynerio` |

+| `Dataminr` | `Dataminr Pulse` |

+| `GCP` | `Cloud DNS` |

+| `Infoblox` | `NIOS` |

+| `Microsoft` | - Microsoft Azure Active Directory (Azure AD)<br> - `Azure`<br> - `Azure Firewall`<br> - `Azure Blob Storage`<br> - `Azure File Storage`<br> - `Azure NSG flows`<br> - `Azure Queue Storage`<br> - `Azure Table Storage` <br> - `DNS Server`<br> - `Microsoft 365 Defender for Endpoint`<br> - `Microsoft Defender for IoT`<br> - `Security Events`<br>- `SharePoint`<br>- `OneDrive`<br>- `Sysmon`<br> - `Sysmon for Linu`x<br> - `VMConnection`<br> - `Windows Firewall`<br> - `WireData`

+| `Linux` | - `su`<br> - `sudo`|

+| `Okta` | - `Okta`<br> - `Auth0` |

+| `OpenBSD` | `OpenSSH` |

+| `Palo Alto` | - `PanOS`<br> - `CDL` |

+| `PostgreSQL` | `PostgreSQL` |

+| `Squid` | `Squid Proxy`|

+| `Vectra AI` | `Vectra Steam` |

+| `WatchGuard` | `Fireware` |

+| `Zscaler` | - `ZIA DNS`<br> - `ZIA Firewall`<br> - `ZIA Proxy` |

+If you are developing a parser for a vendor or a product,s which are not listed here, contact the [Microsoft Sentinel](mailto:azuresentinel@microsoft.com) team to allocate a new allowed vendor and product designators.

+The Network Session parsers support [filtering parameters](normalization-about-parsers.md#optimizing-parsing-using-parameters). While these parameters are optional, they can improve your query performance.

+The Network Session schema serves several types of similar but distinct scenarios, which share the same fields. Those scenarios are identified by the EventType field:

+- `NetworkSession` - a network session reported by an intermediate device monitoring the network, such as a Firewall, a router, or a network tap.

+- `L2NetworkSession` - a network sessions for which only layer 2 information is available. Such events will include MAC addresses but not IP addresses.

+- `Flow` - an aggregated event that reports multiple similar network sessions, typically over a predefined time period, such as **Netflow** events.

+- `EndpointNetworkSession` - a network session reported by one of the end points of the session, including clients and servers. For such events, the schema supports the `remote` and `local` alias fields.

+- `IDS` - a network session reported as suspicious. Such an event will have some of the inspection fields populated, and may have just one IP address field populated, either the source or the destination.

+Typically, a query should either select just a subset of those event types, and may need to address separately unique aspects of the use cases. For example, IDS events do not reflect the entire network volume and should not be taken into account in column based analytics.

+| <a name="eventtype"></a> **EventType** | Mandatory | Enumerated | Describes the scenario reported by the record.<br><br> For Network Session records, the allowed values are:<br> - `EndpointNetworkSession`<br> - `NetworkSession` <br> - `L2NetworkSession`<br>- `IDS` <br> - `Flow`<br><br>For more information on event types, refer to the the [schema overview](#schema-overview) |

+| <a name="eventsubtype"></a>**EventSubType** | Optional | String | Additional description of the event type, if applicable. <br> For Network Session records, supported values include:<br>- `Start`<br>- `End`<br><br>This is field is not relevant for `Flow` events. |

+| **EventSchemaVersion** | Mandatory | String | The version of the schema. The version of the schema documented here is `0.2.6`. |

+The following are the changes in version 0.2.6 of the schema:

+- Added IDS as an event type

+Learn more about how the Microsoft Sentinel solution for SAP® applications monitors [suspicious configuration changes to security parameters](sap-solution-security-content.md#monitoring-the-configuration-of-static-sap-security-parameters-preview).

+### Monitoring the configuration of static SAP security parameters (Preview)

+> [!NOTE]

+> For the Microsoft Sentinel solution for SAP® applications to successfully monitor the SAP security parameters, the solution needs to successfully monitor the SAP PAHI table at regular intervals. [Verify that the solution can successfully monitor the PAHI table](preparing-sap.md#verify-that-the-pahi-table-history-of-system-database-and-sap-parameters-is-updated-at-regular-intervals).

+| <a name="systemparameters"></a>**SAPSystemParameters** | Parameters to watch for [suspicious configuration changes](#monitoring-the-configuration-of-static-sap-security-parameters-preview). This watchlist is prefilled with recommended values (according to SAP best practice), and you can extend the watchlist to include more parameters. If you don't want to receive alerts for a parameter, set `EnableAlerts` to `false`.<br><br>- **ParameterName**: The name of the parameter.<br>- **Comment**: The SAP standard parameter description.<br>- **EnableAlerts**: Defines whether to enable alerts for this parameter. Values are `true` and `false`.<br>- **Option**: Defines in which case to trigger an alert: If the parameter value is greater or equal (`GE`), less or equal (`LE`), or equal (`EQ`).<br> For example, if the `login/fails_to_user_lock` SAP parameter is set to `LE` (less or equal), and a value of `5`, once Microsoft Sentinel detects a change to this specific parameter, it compares the newly-reported value and the expected value. If the new value is `4`, Microsoft Sentinel doesn't trigger an alert. If the new value is `6`, Microsoft Sentinel triggers an alert.<br>- **ProductionSeverity**: The incident severity for production systems.<br>- **ProductionValues**: Permitted values for production systems.<br>- **NonProdSeverity**: The incident severity for non-production systems.<br>- **NonProdValues**: Permitted values for non-production systems. |

+This article details the security parameters in the SAP system that the Microsoft Sentinel solution for SAP® applications monitors as part of the ["SAP - (Preview) Sensitive Static Parameter has Changed" analytics rule](sap-solution-security-content.md#monitoring-the-configuration-of-static-sap-security-parameters-preview).

+> [!NOTE]

+> For the Microsoft Sentinel solution for SAP® applications to successfully monitor the SAP security parameters, the solution needs to successfully monitor the SAP PAHI table at regular intervals. [Verify that the solution can successfully monitor the PAHI table](preparing-sap.md#verify-that-the-pahi-table-history-of-system-database-and-sap-parameters-is-updated-at-regular-intervals).

+- [Monitoring the configuration of static SAP security parameters](#monitoring-the-configuration-of-static-sap-security-parameters-preview)

+### Monitoring the configuration of static SAP security parameters (Preview)

+To secure the SAP system, SAP has identified security-related parameters that need to be monitored for changes. With the ["SAP - (Preview) Sensitive Static Parameter has Changed" analytics rule](sap/sap-solution-security-content.md#monitoring-the-configuration-of-static-sap-security-parameters-preview), the Microsoft Sentinel solution for SAP® applications tracks [over 52 security-related parameters](sap/sap-suspicious-configuration-security-parameters.md) in the SAP system, and triggers an alert once these parameters are changed not according to the policy.

+For the Microsoft Sentinel solution for SAP® applications to successfully monitor the SAP security parameters, the solution needs to successfully monitor the SAP PAHI table at regular intervals. [Verify that the solution can successfully monitor the PAHI table](sap/preparing-sap.md#verify-that-the-pahi-table-history-of-system-database-and-sap-parameters-is-updated-at-regular-intervals).

+Check out the [Tech Community blog](https://techcommunity.microsoft.com/t5/microsoft-defender-threat/what-s-new-at-microsoft-secure/ba-p/3773576) for more information on announcements from Microsoft Secure.

+This feature is helpful in scenarios in which Azure Service Bus should be only accessible from certain well-known sites. Firewall rules enable you to configure rules to accept traffic originating from specific IPv4 addresses. For example, if you use Service Bus with [Azure Express Route](../expressroute/expressroute-introduction.md), you can create a **firewall rule** to allow traffic from only your on-premises infrastructure IP addresses or addresses of a corporate NAT gateway.

+- [How to configure private endpoints for a Service Bus namespace](private-link-service.md)

+ defer sender.Close(context.TODO())

+

+> [!NOTE]

+> Ensure that the System assigned Managed Identity is turned off for the Automation account for the _"Migrate"_ button to appear. If the account is not migrated and the _"Migrate"_ button isn't appearing, turn off the Managed Identity for the Automation Account and try again.

+3. After the successful migration of your automation account, the authentication type for the linked account details on the **Extension update settings** page is updated.

+1. Once the _Migrate_ operation is completed, toggle the **Site Recovery to manage** button to turn it _On_ again.

+1. Navigate to the **Extension update settings** under the Recovery Services Vault, toggle the **Site Recovery to manage** button to turn it _On_ again.

+* Deploy your JARs or code for your Spring Boot app or Zip for your Steeltoe app, and Azure Spring Apps automatically wires your apps with Spring service runtime and built-in app lifecycle.

+The following articles help you get started:

+The following articles help you migrate existing Spring Boot apps to Azure Spring Apps:

+The following quickstarts apply to the Basic/Standard plan only. For Enterprise quickstarts, see the next section.

+The Standard consumption plan simplifies the virtual network experience for running polyglot apps. When you deploy frontend apps as containers in Azure Container Apps and Spring apps in the Standard consumption plan, all your apps share the same virtual network in the same Azure Container Apps environment. There's no need to create disparate subnets and Network Security Groups for frontend apps, Spring apps, and the Spring service runtime.

+The Enterprise plan provides commercially supported Tanzu components with SLA assurance. For more information, see the [SLA for Azure Spring Apps](https://azure.microsoft.com/support/legal/sla/spring-apps). This support helps enterprise customers ship faster for mission-critical workloads with peace of mind. The Enterprise plan helps unlock SpringΓÇÖs full potential while including feature parity and region parity with the Standard plan.

+The following video introduces the Azure Spring Apps Enterprise plan.

+The fully managed VMware Tanzu® Build Service™ in the Azure Spring Apps Enterprise plan automates container creation, management and governance at enterprise scale using open-source [Cloud Native Buildpacks](https://buildpacks.io/) and commercial [VMware Tanzu® Buildpacks](https://docs.pivotal.io/tanzu-buildpacks/). Tanzu Build Service offers a higher-level abstraction for building apps. Tanzu Build Service also provides a balance of control that reduces the operational burden on developers and supports enterprise IT operators who manage applications at scale. You can configure what Buildpacks to apply and build Spring applications and polyglot applications that run alongside Spring applications on Azure Spring Apps.

+Spring Cloud Gateway for Tanzu effectively routes diverse client requests to applications in Azure Spring Apps, Azure, and on-premises. Spring Cloud Gateway also addresses cross-cutting considerations for applications behind the Gateway, such as securing, routing, rate limiting, caching, monitoring, resiliency and hiding applications. You can make the following configurations:

+* Single sign-on integration with your preferred identity provider without any extra code or dependencies.

+With the Azure Spring Apps Enterprise plan, you can use fully managed VMware Tanzu components on Azure without operational hassle. You can select which VMware Tanzu components you want to use in your environment, either during or after Enterprise instance creation. The following components are available today:

+* Tanzu Build Service

+* Spring Cloud Gateway for Tanzu

+* API Portal for VMware Tanzu

+* Application Configuration Service for VMware Tanzu®

+* VMware Tanzu® Service Registry

+* Application Live View for VMware Tanzu®

+* Application Accelerator for VMware Tanzu®

+VMware Tanzu components deliver increased value so you can accomplish the following tasks:

+The Azure Spring Apps Enterprise plan includes VMware Spring Runtime Support for application development and deployments. This support gives you access to Spring experts, enabling you to unlock the full potential of the Spring ecosystem to develop and deploy applications faster.

+Typically, open-source Spring project minor releases are supported for a minimum of 12 months from the date of initial release. In the Azure Spring Apps Enterprise plan, Spring project minor releases receive commercial support for a minimum of 24 months from the date of initial release through the VMware Spring Runtime Support entitlement. This extended support ensures the security and stability of your Spring application portfolio even after the open source end of life dates. For more information, see [Spring Boot support](https://spring.io/projects/spring-boot#support).

+Azure Spring Apps, including the Enterprise plan, runs on Azure in a fully managed environment. You get all the benefits of Azure and the Java ecosystem, and the experience is familiar and intuitive, as shown in the following table:

+After you create your Enterprise plan service instance and deploy your applications, you can monitor with Application Insights or any other application performance management tools of your choice.

+The following articles help you get started using the Standard consumption plan:

+* [Customer responsibilities for Azure Spring Apps Standard consumption plan in a virtual network](standard-consumption-customer-responsibilities.md)

+### Get started with the Enterprise plan

+The following articles help you get started using the Enterprise plan:

+* [The Enterprise plan in Azure Marketplace](how-to-enterprise-marketplace-offer.md)

+Most of the Azure Spring Apps documentation applies to all the service plans. Some articles apply only to the Enterprise plan or only to the Basic/Standard plan, as indicated at the beginning of each article.

+As a quick reference, the articles listed previously and the articles in the following list apply to the Enterprise plan only, or contain significant content that applies only to the Enterprise plan:

+ Title: Scalability targets for the Azure Storage resource provider

+You can improve performance by reducing the number of log entries that AzCopy creates as it completes an operation. By default, AzCopy logs all activity related to an operation. To achieve optimal performance, consider setting the `--log-level` parameter of your copy, sync, or remove command to `ERROR`. That way, AzCopy logs only errors. By default, the value log level is set to `INFO`.

+> [!NOTE]

+> Ensure hostname part of the FQDN matches the storage account name as described above. Otherwise you will get an access denied error: "The filename, directory name, or volume label syntax is incorrect." A network trace will show STATUS_OBJECT_NAME_INVALID (0xc0000033) message during the SMB session setup.

+> [!IMPORTANT]

+> RDP Shortpath is only available in the Azure public cloud.

+> - RDP Shortpath is only available in the Azure public cloud.

+>

+> - During the preview, TURN is only available for connections to session hosts in a validation host pool. To configure your host pool as a validation environment, see [Define your host pool as a validation environment](create-validation-host-pool.md#define-your-host-pool-as-a-validation-host-pool).

+Each RDP session uses a dynamically assigned UDP port from an ephemeral port range (**49152** to **65535** by default) that accepts the RDP Shortpath traffic. Port 65330 is ignored from this range as it is reserved for use internally by Azure. You can also use a smaller, predictable port range. For more information, see [Limit the port range used by clients for public networks](configure-rdp-shortpath-limit-ports-public-networks.md).

+>To publish a community gallery, you'll need to enable the preview feature using the azure CLI: `az feature register --name CommunityGallery --namespace Microsoft.Compute` or PowerShell: `Register-AzProviderFeature -FeatureName "CommunityGallery" -ProviderNamespace "Microsoft.Compute"`. For more information on enabling preview features and checking the status, see [Set up preview features in your Azure subscription](../azure-resource-manager/management/preview-features.md). Creating VMs from community gallery images is open to all Azure users.

+ The policy rules and parameters are the files you created and stored as .json files in your cloud shell. Replace the example `-Policy` and `-Parameter` file paths as needed.

+Azure virtual machine (VM) extensions are small applications that provide post-deployment configuration and automation tasks on Azure VMs. For example, if a virtual machine requires software installation, antivirus protection, or the ability to run a script inside of the VM, you can use a VM extension.

+You can run Azure VM extensions by using the Azure CLI, PowerShell, Azure Resource Manager (ARM) templates, and the Azure portal. You can bundle extensions with a new VM deployment or run them against any existing system.

+This article provides an overview of Azure VM extensions, including prerequisites and guidance on how to detect, manage, and remove extensions. This article provides generalized information because many VM extensions are available. Each extension has a potentially unique configuration and its own documentation.

+Each Azure VM extension has a specific use case. Here are some examples:

+- Configure monitoring of a VM by using the [Azure Monitor agent](/azure/azure-monitor/vm/monitor-virtual-machine) and [VM insights](/azure/azure-monitor/vm/vminsights-overview).

+- Configure monitoring of your Azure infrastructure by using the [Datadog extension](https://www.datadoghq.com/blog/introducing-azure-monitoring-with-one-click-datadog-deployment/).

+In addition to process-specific extensions, a Custom Script Extension is available for both Windows and Linux virtual machines. The [Custom Script Extension for Windows](custom-script-windows.md) allows any PowerShell script to run on a VM. Custom scripts are useful for designing Azure deployments that require configuration beyond what native Azure tooling can provide.

+Review the following prerequisites for working with Azure VM extensions.

+To handle extensions on the VM, you need the [Azure Virtual Machine Agent for Windows](agent-windows.md) installed. This agent is also referred to as the Azure VM Agent or the Windows Guest Agent. As you prepare to install extensions, keep in mind that some extensions have individual prerequisites, such as access to resources or dependencies.

+The Azure VM Agent is preinstalled on Azure Marketplace images. The agent can also be installed manually on supported operating systems.

+The agent runs on multiple operating systems. However, the extensions framework has a [limit for the operating systems that extensions use](/troubleshoot/azure/virtual-machines/extension-supported-os). Some extensions aren't supported across all operating systems and might emit error code 51 ("Unsupported OS"). Check the individual extension documentation for supportability.

+If you use a [supported version of the Azure VM Agent](/troubleshoot/azure/virtual-machines/support-extensions-agent-version), you don't need to allow access to Azure Storage in the VM region. You can use the VM Agent to redirect the communication to the Azure fabric controller for agent communications (via the `HostGAPlugin` feature through the privileged channel on private IP address [168.63.129.16](/azure/virtual-network/what-is-ip-address-168-63-129-16)). If you're on an unsupported version of the VM Agent, you need to allow outbound access to Azure Storage in that region from the VM.

+> If you block access to IP address 168.63.129.16 by using the guest firewall or via a proxy, extensions fail. Failure occurs even if you use a supported version of the VM Agent or you configure outbound access. Ports 80, 443, and 32526 are required.

+Agents can only be used to download extension packages and report status. For example, if an extension installation needs to download a script from GitHub (Custom Script Extension) or requires access to Azure Storage (Azure Backup), then you need to open other firewall or network security group (NSG) ports. Different extensions have different requirements because they're applications in their own right. For extensions that require access to Azure Storage or Azure Active Directory, you can allow access by using Azure NSG [service tags](/azure/virtual-network/network-security-groups-overview#service-tags).

+The Azure VM Agent doesn't provide proxy server support to enable redirection of agent traffic requests. The VM Agent relies on your custom proxy (if you have one) to access resources on the internet or on the host through IP address 168.63.129.16.

+Many VM extensions are available for use with Azure VMs. To see a complete list, use the [`Get-AzVMExtensionImage`](/powershell/module/az.compute/get-azvmextensionimage) PowerShell cmdlet.

+The following command lists all available VM extensions in the West US region location:

+Get-AzVmImagePublisher -Location "West US" |

+This command provides output similar to the following example:

+```powershell

+Type Version

+- -

+AcronisBackup 1.0.33

+AcronisBackup 1.0.51

+AcronisBackupLinux 1.0.33

+AlertLogicLM 1.3.0.1

+AlertLogicLM 1.3.0.0

+AlertLogicLM 1.4.0.1

+```

+Azure VM extensions run on existing VMs, which is useful when you need to make configuration changes or recover connectivity on an already deployed VM. VM extensions can also be bundled with ARM template deployments. By using extensions with ARM templates, you can deploy and configure Azure VMs without post-deployment intervention.

+You can use the following methods to run an extension against an existing VM.

+> [!NOTE]

+> Some of the following examples use `"<placeholder>"` parameter values in the commands. Before you run each command, make sure to replace any `"<placeholder>"` values with specific values for your configuration.

+Several PowerShell commands exist for running individual extensions. To see a list, use the [Get-Command](/powershell/module/microsoft.powershell.core/get-command) command and filter on *Extension*:

+This command provides output similar to the following example:

+The following example uses the [Custom Script Extension](custom-script-windows.md) to download a script from a GitHub repository onto the target virtual machine and then run the script.

+Set-AzVMCustomScriptExtension -ResourceGroupName "<myResourceGroup>" `

+ -VMName "<myVM>" -Name "<myCustomScript>" `

+ -Run "Create-File.ps1" -Location "<myVMregion>"

+<!-- Note for reviewers: The following command fails on the -UserName and -Password parameters. -->

+ -Location "myVMregion" -UserName $cred.GetNetworkCredential().Username `

+You can apply VM extensions to an existing VM through the Azure portal. Select the VM in the portal, select **Extensions + Applications**, and then select **+ Add**. Choose the extension that you want from the list of available extensions, and follow the instructions in the wizard.

+The following JSON example is from an [ARM template](https://github.com/Microsoft/dotnet-core-sample-templates/tree/master/dotnet-core-music-windows) that deploys a set of load-balanced VMs and an Azure SQL database, and then installs a .NET Core application on each VM. The VM extension takes care of the software installation.

+For more information on creating ARM templates, see [Virtual machines in an ARM template](../windows/template-description.md#extensions).

+When you run a VM extension, it might be necessary to include sensitive information such as credentials, storage account names, and access keys. Many VM extensions include a protected configuration that encrypts data and only decrypts it inside the target VM. Each extension has a specific protected configuration schema, and each schema is detailed in extension-specific documentation.

+The following JSON example shows an instance of the Custom Script Extension for Windows. The command to run includes a set of credentials. In this example, the command to run isn't encrypted.

+These certificates secure the communication between the VM and its host during the transfer of protected settings (password and other credentials) that extensions use. The Azure fabric controller builds the certificates and passes them to the Azure VM Agent. If you stop and start the VM every day, the fabric controller might create a new certificate. The certificate is stored in the computer's personal certificate store. These certificates can be deleted. The Azure VM Agent re-creates certificates if needed.

+When an update is available and automatic updates are enabled, the update is installed on the VM only after an extension or other VM model changes. Changes can include:

+Publishers make updates available to regions at various times. It's possible you can have VMs in different regions on different versions.

+> Some updates might require additional firewall rules. For more information, see [Network access](#network-access).

+#### List extensions deployed to a VM

+You can use the following command to list the extensions deployed to a VM:

+$vm = Get-AzVM -ResourceGroupName "<myResourceGroup>" -VMName "<myVM>"

+This command produces output similar to the following example:

+The extension-handling code is responsible for the following tasks:

+- Communicate with the Azure fabric.

+- Handle the VM extension operations, such as installations, reporting status, updating the individual extensions, and removing extensions. Updates contain security fixes, bug fixes, and enhancements to the extension-handling code.

+To check what version you're running, see [Detect the Azure VM Agent](agent-windows.md#detect-the-vm-agent).

+When an extension update is available and automatic updates are enabled, if a [VM model changes](#how-agents-and-extensions-are-updated), the Azure VM Agent downloads and upgrades the extension.

+Automatic extension updates are either *minor* or *hotfix*. You can opt in or opt out of minor updates when you provision the extension. The following example shows how to automatically upgrade minor versions in an ARM template by using the `"autoUpgradeMinorVersion": true,` parameter:

+If you disable automatic updates or you need to upgrade a major version, use the [Set-AzVMExtension](/powershell/module/az.compute/set-azvmextension) command and specify the target version.

+There are a few ways you can identify updates for an extension.

+You can view the VM model to determine if the extension is provisioned with the `autoUpgradeMinorVersion` parameter. To check the VM model, use the [Get-AzVm](/powershell/module/az.compute/get-azvm) command and provide the resource group and VM name as follows:

+The following example output shows the `autoUpgradeMinorVersion` parameter is set to `true`:

+#### Identify when an autoUpgradeMinorVersion event occurs

+To see when an update to the extension occurred, you can review the agent logs on the VM at *C:\WindowsAzure\Logs\WaAppAgent.log*.

+The following example shows the VM with `Microsoft.Compute.CustomScriptExtension` version `1.8` installed, and a hotfix available for version `1.9`.

+To perform its tasks, the Azure VM Agent needs to run as *Local System*.

+Each VM extension might have specific troubleshooting steps. For example, when you use the Custom Script Extension, you can find script execution details locally on the VM where the extension is run.

+Here are some common reasons an extension can fail:

+- Extensions have 20 minutes to run. (Exceptions are Custom Script, Chef, and DSC, which have 90 minutes.) If your deployment exceeds this time, it's marked as a timeout. The cause of this issue can be low-resource VMs, or other VM configurations or startup tasks are consuming large amounts of resources while the extension is trying to provision.

+After a VM extension is run against a VM, use the [Get-AzVM](/powershell/module/az.compute/get-azvm) command to return extension status. The `Substatuses[0]` result shows that the extension provisioning succeeded, which means it successfully deployed to the VM. If you see the `Substatuses[1]` result, then the execution of the extension inside the VM failed.

+In certain cases, you might need to rerun a VM extension. You can rerun an extension by removing the extension, and then rerunning the extension with an execution method of your choice. To remove an extension, use the [Remove-AzVMExtension](/powershell/module/az.compute/remove-azvmextension) command as follows:

+You can also remove an extension in the Azure portal. Select a VM, select **Extensions**, and then select the desired extension. Select **Uninstall**.

+The following table provides some common references for VM extensions.

+| [Custom Script Extension for Windows](custom-script-windows.md) | Run scripts against an Azure virtual machine. |

+| [DSC extension for Windows](dsc-overview.md) | Apply PowerShell desired state configurations to a virtual machine. |

+| [Azure Diagnostics extension](https://azure.microsoft.com/blog/windows-azure-virtual-machine-monitoring-with-wad-extension/) | Manage Azure Diagnostics. |

+| [VMAccess extension](https://azure.microsoft.com/blog/using-vmaccess-extension-to-reset-login-credentials-for-linux-vm/) | Manage users and credentials. |

+>To publish a community gallery, you'll need to enable the preview feature using the azure CLI: `az feature register --name CommunityGallery --namespace Microsoft.Compute` or PowerShell: `Register-AzProviderFeature -FeatureName "CommunityGallery" -ProviderNamespace "Microsoft.Compute"`. For more information on enabling preview features and checking the status, see [Set up preview features in your Azure subscription](../azure-resource-manager/management/preview-features.md). Creating VMs from community gallery images is open to all Azure users.

+# [**Routing Preference Internet IPv4 prefix**](#tab/ipv4-routing-pref)

+To create a IPv4 public IP prefix, enter **IPv4** in the **`-IpAddressVersion`** parameter. Remove the **`-Zone`** parameter to create a non-zonal IP prefix.

+```azurepowershell-interactive

+$tagproperty = @{

+IpTagType = 'RoutingPreference'

+Tag = 'Internet'

+}

+$routingprefinternettag = New-Object -TypeName Microsoft.Azure.Commands.Network.Models.PSPublicIpPrefixTag -Property $tagproperty

+$ipv4 =@{

+ Name = 'myPublicIpPrefix-routingprefinternet'

+ ResourceGroupName = 'QuickStartCreateIPPrefix-rg'

+ Location = 'eastus2'

+ PrefixLength = '28'

+ IpAddressVersion = 'IPv4'

+ IpTag = $routingprefinternettag

+}

+New-AzPublicIpPrefix @ipv4

+```