+## Download, install, and configure the Azure AD Connect Provisioning Agent Package

+If you have already downloaded the provisioning agent and configured it for another on-premises application, then continue reading in the next section.

+ 1. In the Azure portal, select **Azure Active Directory**.

+ 2. On the left, select **Azure AD Connect**.

+ 3. On the left, select **Cloud sync**.

+ :::image type="content" source="../../../includes/media/active-directory-cloud-sync-how-to-install/new-ux-1.png" alt-text="Screenshot of new UX screen." lightbox="../../../includes/media/active-directory-cloud-sync-how-to-install/new-ux-1.png":::

+ 4. On the left, select **Agent**.

+ 5. Select **Download on-premises agent**, and select **Accept terms & download**.

+ >[!NOTE]

+ >Please use different provisioning agents for on-premises application provisioning and Azure AD Connect Cloud Sync / HR-driven provisioning. All three scenarios should not be managed on the same agent.

+ 1. Open the provisioning agent installer, agree to the terms of service, and select **next**.

+ 1. When the provisioning agent wizard opens, continue to the **Select Extension** tab and select **On-premises application provisioning** when prompted for the extension you want to enable.

+ 1. The provisioning agent will use the operating system's web browser to display a popup window for you to authenticate to Azure AD, and potentially also your organization's identity provider. If you are using Internet Explorer as the browser on Windows Server, then you may need to add Microsoft web sites to your browser's trusted site list to allow JavaScript to run correctly.

+ 1. Provide credentials for an Azure AD administrator when you're prompted to authorize. The user is required to have the Hybrid Identity Administrator or Global Administrator role.

+ 1. Select **Confirm** to confirm the setting. Once installation is successful, you can select **Exit**, and also close the Provisioning Agent Package installer.

+Once the agent is installed, no further configuration is necessary on-premises, and all provisioning configurations are then managed from the portal. Repeat the below steps for every on-premises application being provisioned via SCIM.

+ 6. In the **Tenant URL** field, provide the SCIM endpoint URL for your application. The URL is typically unique to each target application and must be resolvable by DNS. An example for a scenario where the agent is installed on the same host as the application is https://localhost:8585/scim 

+The following video provides an overview of on-premises provisioning.

+>This information last updated on April 7th, 2023.<br/>You can also download a CSV version of this table [here](https://download.microsoft.com/download/e/3/e/e3e9faf2-f28b-490a-9ada-c6089a1fc5b0/Product%20names%20and%20service%20plan%20identifiers%20for%20licensing.csv).

+| App governance add-on to Microsoft Defender for Cloud Apps | Microsoft_Cloud_App_Security_App_Governance_Add_On | 9706eed9-966f-4f1b-94f6-bb2b4af99a5b | M365_AUDIT_PLATFORM (f6de4823-28fa-440b-b886-4783fa86ddba)<br/>MICROSOFT_APPLICATION_PROTECTION_AND_GOVERNANCE_A (5f3b1ded-75c0-4b31-8e6e-9b077eaadfd5)<br/>MICROSOFT_APPLICATION_PROTECTION_AND_GOVERNANCE_D (2e6ffd72-52d1-4541-8f6c-938f9a8d4cdc) | Microsoft 365 Audit Platform (f6de4823-28fa-440b-b886-4783fa86ddba)<br/>Microsoft Application Protection and Governance (A) (5f3b1ded-75c0-4b31-8e6e-9b077eaadfd5)<br/>Microsoft Application Protection and Governance (D) (2e6ffd72-52d1-4541-8f6c-938f9a8d4cdc) |

+| Microsoft Defender Vulnerability Management Add-on | TVM_Premium_Add_on | ad7a56e0-6903-4d13-94f3-5ad491e78960 | TVM_PREMIUM_1 (36810a13-b903-490a-aa45-afbeb7540832) | Microsoft Defender Vulnerability Management (36810a13-b903-490a-aa45-afbeb7540832) |

+| Microsoft Intune Suite | Microsoft_Intune_Suite | a929cd4d-8672-47c9-8664-159c1f322ba8 | Intune-MAMTunnel (a6e407da-7411-4397-8a2e-d9b52780849e)<br/>INTUNE_P2 (d9923fe3-a2de-4d29-a5be-e3e83bb786be)<br/>Intune-EPM (bb73f429-78ef-4ff2-83c8-722b04c3e7d1)<br/>REMOTE_HELP (a4c6cf29-1168-4076-ba5c-e8fe0e62b17e)<br/>Intune_AdvancedEA (2a4baa0e-5e99-4c38-b1f2-6864960f1bd1) | Microsoft Tunnel for Mobile Application Management (a6e407da-7411-4397-8a2e-d9b52780849e)<br/>Intune Plan 2 (d9923fe3-a2de-4d29-a5be-e3e83bb786be)<br/>Intune Endpoint Privilege Management (bb73f429-78ef-4ff2-83c8-722b04c3e7d1)<br/>Remote Help (a4c6cf29-1168-4076-ba5c-e8fe0e62b17e)<br/>Intune Advanced endpoint analytics (2a4baa0e-5e99-4c38-b1f2-6864960f1bd1) |

+| Microsoft Defender Vulnerability Management Add-on | TVM_Premium_Add_on | ad7a56e0-6903-4d13-94f3-5ad491e78960 | TVM_PREMIUM_1 (36810a13-b903-490a-aa45-afbeb7540832) | Microsoft Defender Vulnerability Management (36810a13-b903-490a-aa45-afbeb7540832) |

+| Microsoft Intune Suite | Microsoft_Intune_Suite | a929cd4d-8672-47c9-8664-159c1f322ba8 | Intune_AdvancedEA (2a4baa0e-5e99-4c38-b1f2-6864960f1bd1)<br/>Intune-EPM (bb73f429-78ef-4ff2-83c8-722b04c3e7d1)<br/>INTUNE_P2 (d9923fe3-a2de-4d29-a5be-e3e83bb786be)<br/>Intune-MAMTunnel (a6e407da-7411-4397-8a2e-d9b52780849e)<br/>REMOTE_HELP (a4c6cf29-1168-4076-ba5c-e8fe0e62b17e) | Intune Advanced endpoint analytics (2a4baa0e-5e99-4c38-b1f2-6864960f1bd1)<br/>Intune Endpoint Privilege Management (bb73f429-78ef-4ff2-83c8-722b04c3e7d1)<br/>Intune Plan 2 (d9923fe3-a2de-4d29-a5be-e3e83bb786be)<br/>Microsoft Tunnel for Mobile Application Management (a6e407da-7411-4397-8a2e-d9b52780849e)<br/>Remote help (a4c6cf29-1168-4076-ba5c-e8fe0e62b17e) |

+| Microsoft Teams Premium Introductory Pricing | Microsoft_Teams_Premium | 36a0f3b3-adb5-49ea-bf66-762134cf063a | MICROSOFT_ECDN (85704d55-2e73-47ee-93b4-4b8ea14db92b)<br/>TEAMSPRO_MGMT (0504111f-feb8-4a3c-992a-70280f9a2869)<br/>TEAMSPRO_CUST (cc8c0802-a325-43df-8cba-995d0c6cb373)<br/>TEAMSPRO_PROTECTION (f8b44f54-18bb-46a3-9658-44ab58712968)<br/>TEAMSPRO_VIRTUALAPPT (9104f592-f2a7-4f77-904c-ca5a5715883f)<br/>MCO_VIRTUAL_APPT (711413d0-b36e-4cd4-93db-0a50a4ab7ea3)<br/>TEAMSPRO_WEBINAR (78b58230-ec7e-4309-913c-93a45cc4735b) | Microsoft eCDN (85704d55-2e73-47ee-93b4-4b8ea14db92b)<br/>Microsoft Teams Premium Intelligent (0504111f-feb8-4a3c-992a-70280f9a2869)<br/>Microsoft Teams Premium Personalized (cc8c0802-a325-43df-8cba-995d0c6cb373)<br/>Microsoft Teams Premium Secure (f8b44f54-18bb-46a3-9658-44ab58712968)<br/>Microsoft Teams Premium Virtual Appointment (9104f592-f2a7-4f77-904c-ca5a5715883f)<br/>Microsoft Teams Premium Virtual Appointments (711413d0-b36e-4cd4-93db-0a50a4ab7ea3)<br/>Microsoft Teams Premium Webinar (78b58230-ec7e-4309-913c-93a45cc4735b) |

+| Microsoft Viva Suite | VIVA | 61902246-d7cb-453e-85cd-53ee28eec138 | GRAPH_CONNECTORS_SEARCH_INDEX_TOPICEXP (b74d57b2-58e9-484a-9731-aeccbba954f0)<br/>WORKPLACE_ANALYTICS_INSIGHTS_USER (b622badb-1b45-48d5-920f-4b27a2c0996c)<br/>WORKPLACE_ANALYTICS_INSIGHTS_BACKEND (ff7b261f-d98b-415b-827c-42a3fdf015af)<br/>CORTEX (c815c93d-0759-4bb8-b857-bc921a71be83)<br/>VIVAENGAGE_COMMUNITIES_AND_COMMUNICATIONS (43304c6a-1d4e-4e0b-9b06-5b2a2ff58a90)<br/>VIVAENGAGE_KNOWLEDGE (c244cc9e-622f-4576-92ea-82e233e44e36)<br/>Viva_Goals_Premium (b44c6eaf-5c9f-478c-8f16-8cea26353bfb)<br/>VIVA_LEARNING_PREMIUM (7162bd38-edae-4022-83a7-c5837f951759) | Graph Connectors Search with Index (Microsoft Viva Topics) (b74d57b2-58e9-484a-9731-aeccbba954f0)<br/>Microsoft Viva Insights (b622badb-1b45-48d5-920f-4b27a2c0996c)<br/>Microsoft Viva Insights Backend (ff7b261f-d98b-415b-827c-42a3fdf015af)<br/>Microsoft Viva Topics (c815c93d-0759-4bb8-b857-bc921a71be83)<br/>Viva Engage Communities and Communications (43304c6a-1d4e-4e0b-9b06-5b2a2ff58a90)<br/>Viva Engage Knowledge (c244cc9e-622f-4576-92ea-82e233e44e36)<br/>Viva Goals (b44c6eaf-5c9f-478c-8f16-8cea26353bfb)<br/>Viva Learning (7162bd38-edae-4022-83a7-c5837f951759) |

+>- **msDS-cloudExtensionAttribute1** is an example source.

+>- **Starting with [Azure AD Connect 2.0.3.0](../hybrid/reference-connect-version-history.md#functional-changes-10), `employeeHireDate` is added to the default 'Out to Azure AD' rule, so steps 10-16 are not required.**

+ Title: Azure Active Directory SSO integration with DDC Web

+description: Learn how to configure single sign-on between Azure Active Directory and DDC Web.

+# Azure Active Directory SSO integration with DDC Web

+In this article, you learn how to integrate DDC Web with Azure Active Directory (Azure AD). Engage and mobilize your advocates and PAC eligible class with ease using the flexible DDC Web platform with personalized content, simple activation, and PAC fundraising tools. When you integrate DDC Web with Azure AD, you can:

+* Control in Azure AD who has access to DDC Web.

+* Enable your users to be automatically signed-in to DDC Web with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+You configure and test Azure AD single sign-on for DDC Web in a test environment. DDC Web supports **SP** and **IDP** initiated single sign-on.

+## Prerequisites

+To integrate Azure Active Directory with DDC Web, you need:

+* An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* DDC Web single sign-on (SSO) enabled subscription.

+## Add application and assign a test user

+Before you begin the process of configuring single sign-on, you need to add the DDC Web application from the Azure AD gallery. You need a test user account to assign to the application and test the single sign-on configuration.

+### Add DDC Web from the Azure AD gallery

+Add DDC Web from the Azure AD application gallery to configure single sign-on with DDC Web. For more information on how to add application from the gallery, see the [Quickstart: Add application from the gallery](../manage-apps/add-application-portal.md).

+### Create and assign Azure AD test user

+Follow the guidelines in the [create and assign a user account](../manage-apps/add-application-portal-assign-users.md) article to create a test user account in the Azure portal called B.Simon.

+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, and assign roles. The wizard also provides a link to the single sign-on configuration pane in the Azure portal. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides).

+## Configure Azure AD SSO

+Complete the following steps to enable Azure AD single sign-on in the Azure portal.

+1. In the Azure portal, on the **DDC Web** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** textbox, type a URL using the following pattern:

+ `https://<yourwebsite>.com`

+ b. In the **Reply URL** textbox, type a URL using the following pattern:

+ `https://<yourwebsite>.com/sso/`

+1. If you wish to configure the application in **SP** initiated mode, then perform the following step:

+ In the **Sign on URL** textbox, type a URL using the following pattern:

+ `https://<yourwebsite>.com`

+ > [!NOTE]

+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [DDC Web Client support team](mailto:ondemand@ddcpublicaffairs.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. On the **Set-up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up DDC Web** section, copy the appropriate URL(s) based on your requirement.

+ 

+## Configure DDC Web SSO

+To configure single sign-on on **DDC Web** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [DDC Web support team](mailto:ondemand@ddcpublicaffairs.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create DDC Web test user

+In this section, you create a user called Britta Simon at DDC Web. Work with [DDC Web support team](mailto:ondemand@ddcpublicaffairs.com) to add the users in the DDC Web platform. Users must be created and activated before you use single sign-on.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+#### SP initiated:

+* Click on **Test this application** in Azure portal. This will redirect to DDC Web Sign-on URL where you can initiate the login flow.

+* Go to DDC Web Sign-on URL directly and initiate the login flow from there.

+#### IDP initiated:

+* Click on **Test this application** in Azure portal and you should be automatically signed in to the DDC Web for which you set up the SSO.

+You can also use Microsoft My Apps to test the application in any mode. When you click the DDC Web tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the DDC Web for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Additional resources

+* [What is single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

+* [Plan a single sign-on deployment](../manage-apps/plan-sso-deployment.md).

+## Next steps

+Once you configure DDC Web you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: Azure Active Directory SSO integration with Dozuki

+description: Learn how to configure single sign-on between Azure Active Directory and Dozuki.

+# Azure Active Directory SSO integration with Dozuki

+In this article, you learn how to integrate Dozuki with Azure Active Directory (Azure AD). Dozuki is standard work instruction software that empowers manufacturers to implement standardized procedures in support of continuous improvement and training efforts. When you integrate Dozuki with Azure AD, you can:

+* Control in Azure AD who has access to Dozuki.

+* Enable your users to be automatically signed-in to Dozuki with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+You need to configure and test Azure AD single sign-on for Dozuki in a test environment. Dozuki supports both **SP** and **IDP** initiated single sign-on and **Just In Time** user provisioning.

+## Prerequisites

+To integrate Azure Active Directory with Dozuki, you need:

+* An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Dozuki single sign-on (SSO) enabled subscription.

+## Add application and assign a test user

+Before you begin the process of configuring single sign-on, you need to add the Dozuki application from the Azure AD gallery. You need a test user account to assign to the application and test the single sign-on configuration.

+### Add Dozuki from the Azure AD gallery

+Add Dozuki from the Azure AD application gallery to configure single sign-on with Dozuki. For more information on how to add application from the gallery, see the [Quickstart: Add application from the gallery](../manage-apps/add-application-portal.md).

+### Create and assign Azure AD test user

+Follow the guidelines in the [create and assign a user account](../manage-apps/add-application-portal-assign-users.md) article to create a test user account in the Azure portal called B.Simon.

+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, and assign roles. The wizard also provides a link to the single sign-on configuration pane in the Azure portal. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides).

+## Configure Azure AD SSO

+Complete the following steps to enable Azure AD single sign-on in the Azure portal.

+1. In the Azure portal, on the **Dozuki** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** textbox, type a URL using the following pattern:

+ `https://<dozukiSubdomain>.dozuki.com/`

+ b. In the **Reply URL** textbox, type a URL using the following pattern:

+ `https://<dozukiSubdomain>.dozuki.com/Guide/User/remote_login`

+1. If you wish to configure the application in **SP** initiated mode, then perform the following step:

+ In the **Sign on URL** textbox, type a URL using the following pattern:

+ `https://<dozukiSubdomain>.dozuki.com/login`

+ > [!NOTE]

+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [Dozuki Client support team](mailto:support@dozuki.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. Dozuki application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.

+ 

+1. In addition to above, Dozuki application expects few more attributes to be passed back in SAML response, which are shown. These attributes are also pre populated but you can review them as per your requirements.

+ | Name | Source Attribute|

+ | | |

+ | email | user.mail |

+ | userid | user.objectid |

+ | username | user.displayname |

+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up Dozuki** section, copy the appropriate URL(s) based on your requirement.

+ 

+## Configure Dozuki SSO

+To configure single sign-on on **Dozuki** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Dozuki support team](mailto:support@dozuki.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create Dozuki test user

+In this section, a user called B.Simon is created in Dozuki. Dozuki supports just-in-time user provisioning, which is enabled by default. There's no action item for you in this section. If a user doesn't already exist in Dozuki, a new one is commonly created after authentication.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+#### SP initiated:

+* Click on **Test this application** in Azure portal. This will redirect to Dozuki Sign-on URL where you can initiate the login flow.

+* Go to Dozuki Sign-on URL directly and initiate the login flow from there.

+#### IDP initiated:

+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Dozuki for which you set up the SSO.

+You can also use Microsoft My Apps to test the application in any mode. When you click the Dozuki tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Dozuki for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Additional resources

+* [What is single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

+* [Plan a single sign-on deployment](../manage-apps/plan-sso-deployment.md).

+## Next steps

+Once you configure Dozuki you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: Azure Active Directory SSO integration with Fountain

+description: Learn how to configure single sign-on between Azure Active Directory and Fountain.

+# Azure Active Directory SSO integration with Fountain

+In this article, you learn how to integrate Fountain with Azure Active Directory (Azure AD). FountainΓÇÖs all-in-one high volume hiring platform empowers the worldΓÇÖs leading enterprises to find the right people through smart, fast, and seamless recruiting. When you integrate Fountain with Azure AD, you can:

+* Control in Azure AD who has access to Fountain.

+* Enable your users to be automatically signed-in to Fountain with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+You need to configure and test Azure AD single sign-on for Fountain in a test environment. Fountain supports both **SP** and **IDP** initiated single sign-on and **Just In Time** user provisioning.

+## Prerequisites

+To integrate Azure Active Directory with Fountain, you need:

+* An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Fountain single sign-on (SSO) enabled subscription.

+## Add application and assign a test user

+Before you begin the process of configuring single sign-on, you need to add the Fountain application from the Azure AD gallery. You need a test user account to assign to the application and test the single sign-on configuration.

+### Add Fountain from the Azure AD gallery

+Add Fountain from the Azure AD application gallery to configure single sign-on with Fountain. For more information on how to add application from the gallery, see the [Quickstart: Add application from the gallery](../manage-apps/add-application-portal.md).

+### Create and assign Azure AD test user

+Follow the guidelines in the [create and assign a user account](../manage-apps/add-application-portal-assign-users.md) article to create a test user account in the Azure portal called B.Simon.

+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, and assign roles. The wizard also provides a link to the single sign-on configuration pane in the Azure portal. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides).

+## Configure Azure AD SSO

+Complete the following steps to enable Azure AD single sign-on in the Azure portal.

+1. In the Azure portal, on the **Fountain** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** textbox, type a URL using the following pattern:

+ `https://www.okta.com/saml2/service-provider/<CustomerUniqueId>`

+ b. In the **Reply URL** textbox, type a URL using the following pattern:

+ `https://fountain.okta.com/sso/saml2/<CustomerUniqueId>`

+1. If you wish to configure the application in **SP** initiated mode, then perform the following step:

+ In the **Sign on URL** textbox, type a URL using the following pattern:

+ `https://fountain.okta.com/sso/saml2/<CustomerUniqueId>`

+ > [!NOTE]

+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [Fountain Client support team](mailto:support@fountain.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. Fountain application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.

+ 

+1. In addition to above, Fountain application expects few more attributes to be passed back in SAML response, which are shown. These attributes are also pre populated but you can review them as per your requirements.

+ | Name | Source Attribute|

+ | | |

+ | email | user.mail |

+ | firstName | user.givenname |

+ | lastName | user.surname |

+

+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up Fountain** section, copy the appropriate URL(s) based on your requirement.

+ 

+## Configure Fountain SSO

+To configure single sign-on on **Fountain** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Fountain support team](mailto:support@fountain.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create Fountain test user

+In this section, a user called B.Simon is created in Fountain. Fountain supports just-in-time user provisioning, which is enabled by default. There's no action item for you in this section. If a user doesn't already exist in Fountain, a new one is commonly created after authentication.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+#### SP initiated:

+* Click on **Test this application** in Azure portal. This will redirect to Fountain Sign-on URL where you can initiate the login flow.

+* Go to Fountain Sign-on URL directly and initiate the login flow from there.

+#### IDP initiated:

+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Fountain for which you set up the SSO.

+You can also use Microsoft My Apps to test the application in any mode. When you click the Fountain tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Fountain for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Additional resources

+* [What is single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

+* [Plan a single sign-on deployment](../manage-apps/plan-sso-deployment.md).

+## Next steps

+Once you configure Fountain you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: Azure Active Directory SSO integration with goFLUENT

+description: Learn how to configure single sign-on between Azure Active Directory and goFLUENT.

+# Azure Active Directory SSO integration with goFLUENT

+In this article, you learn how to integrate goFLUENT with Azure Active Directory (Azure AD). goFLUENT, the world's leading language training provider, delivers a hyper-personalized learning experience that builds confidence, empowers career growth, and establishes an inclusive global culture. When you integrate goFLUENT with Azure AD, you can:

+* Control in Azure AD who has access to goFLUENT.

+* Enable your users to be automatically signed-in to goFLUENT with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+You configure and test Azure AD single sign-on for goFLUENT in a test environment. goFLUENT supports **SP** initiated single sign-on and **Just In Time** user provisioning.

+## Prerequisites

+To integrate Azure Active Directory with goFLUENT, you need:

+* An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* goFLUENT single sign-on (SSO) enabled subscription.

+## Add application and assign a test user

+Before you begin the process of configuring single sign-on, you need to add the goFLUENT application from the Azure AD gallery. You need a test user account to assign to the application and test the single sign-on configuration.

+### Add goFLUENT from the Azure AD gallery

+Add goFLUENT from the Azure AD application gallery to configure single sign-on with goFLUENT. For more information on how to add application from the gallery, see the [Quickstart: Add application from the gallery](../manage-apps/add-application-portal.md).

+### Create and assign Azure AD test user

+Follow the guidelines in the [create and assign a user account](../manage-apps/add-application-portal-assign-users.md) article to create a test user account in the Azure portal called B.Simon.

+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, and assign roles. The wizard also provides a link to the single sign-on configuration pane in the Azure portal. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides).

+## Configure Azure AD SSO

+Complete the following steps to enable Azure AD single sign-on in the Azure portal.

+1. In the Azure portal, on the **goFLUENT** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** textbox, type a URL using the following pattern:

+ `https://<CustomerName>.gofluent.com/samlsso/metadata.jsp?pid=<CustomerName>`

+ b. In the **Reply URL** textbox, type a URL using the following pattern:

+ `https://<CustomerName>.gofluent.com/samlsso/acs.jsp?pid=<CustomerName>`

+ c. In the **Sign on URL** textbox, type a URL using the following pattern:

+ `https://<CustomerName>.gofluent.com`

+ > [!NOTE]

+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [goFLUENT Client support team](mailto:presales-team@gofluent.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. On the **Set-up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up goFLUENT** section, copy the appropriate URL(s) based on your requirement.

+ 

+## Configure goFLUENT SSO

+To configure single sign-on on **goFLUENT** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [goFLUENT support team](mailto:presales-team@gofluent.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create goFLUENT test user

+In this section, a user called B.Simon is created in goFLUENT. goFLUENT supports just-in-time user provisioning, which is enabled by default. There's no action item for you in this section. If a user doesn't already exist in goFLUENT, a new one is commonly created after authentication.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on **Test this application** in Azure portal. This will redirect to goFLUENT Sign-on URL where you can initiate the login flow.

+* Go to goFLUENT Sign-on URL directly and initiate the login flow from there.

+* You can use Microsoft My Apps. When you click the goFLUENT tile in the My Apps, this will redirect to goFLUENT Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Additional resources

+* [What is single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

+* [Plan a single sign-on deployment](../manage-apps/plan-sso-deployment.md).

+## Next steps

+Once you configure goFLUENT you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: Azure Active Directory SSO integration with HashiCorp Cloud Platform (HCP)

+description: Learn how to configure single sign-on between Azure Active Directory and HashiCorp Cloud Platform (HCP).

+# Azure Active Directory SSO integration with HashiCorp Cloud Platform (HCP)

+In this article, you learn how to integrate HashiCorp Cloud Platform (HCP) with Azure Active Directory (Azure AD). HashiCorp Cloud platform hosting managed services of the developer tools created by HashiCorp, such Terraform, Vault, Boundary, and Consul. When you integrate HashiCorp Cloud Platform (HCP) with Azure AD, you can:

+* Control in Azure AD who has access to HashiCorp Cloud Platform (HCP).

+* Enable your users to be automatically signed-in to HashiCorp Cloud Platform (HCP) with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+You configure and test Azure AD single sign-on for HashiCorp Cloud Platform (HCP) in a test environment. HashiCorp Cloud Platform (HCP) supports only **SP** initiated single sign-on.

+## Prerequisites

+To integrate Azure Active Directory with HashiCorp Cloud Platform (HCP), you need:

+* An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* HashiCorp Cloud Platform (HCP) single sign-on (SSO) enabled subscription.

+## Add application and assign a test user

+Before you begin the process of configuring single sign-on, you need to add the HashiCorp Cloud Platform (HCP) application from the Azure AD gallery. You need a test user account to assign to the application and test the single sign-on configuration.

+### Add HashiCorp Cloud Platform (HCP) from the Azure AD gallery

+Add HashiCorp Cloud Platform (HCP) from the Azure AD application gallery to configure single sign-on with HashiCorp Cloud Platform (HCP). For more information on how to add application from the gallery, see the [Quickstart: Add application from the gallery](../manage-apps/add-application-portal.md).

+### Create and assign Azure AD test user

+Follow the guidelines in the [create and assign a user account](../manage-apps/add-application-portal-assign-users.md) article to create a test user account in the Azure portal called B.Simon.

+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, and assign roles. The wizard also provides a link to the single sign-on configuration pane in the Azure portal. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides).

+## Configure Azure AD SSO

+Complete the following steps to enable Azure AD single sign-on in the Azure portal.

+1. In the Azure portal, on the **HashiCorp Cloud Platform (HCP)** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** textbox, type a value using the following pattern:

+ `urn:hashicorp:HCP-SSO-<HCP_ORG_ID>-samlp`

+ b. In the **Reply URL** textbox, type a URL using the following pattern:

+ `https://auth.hashicorp.com/login/callback?connection=HCP-SSO-<ORG_ID>-samlp`

+ c. In the **Sign on URL** textbox, type a URL using the following pattern:

+ `https://portal.cloud.hashicorp.com/sign-in?conn-id=HCP-SSO-<HCP_ORG_ID>-samlp`

+ > [!NOTE]

+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [HashiCorp Cloud Platform (HCP) Client support team](mailto:support@hashicorp.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. On the **Set-up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up HashiCorp Cloud Platform (HCP)** section, copy the appropriate URL(s) based on your requirement.

+ 

+## Configure HashiCorp Cloud Platform (HCP) SSO

+To configure single sign-on on **HashiCorp Cloud Platform (HCP)** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [HashiCorp Cloud Platform (HCP) support team](mailto:support@hashicorp.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create HashiCorp Cloud Platform (HCP) test user

+In this section, you create a user called Britta Simon at HashiCorp Cloud Platform (HCP). Work with [HashiCorp Cloud Platform (HCP) support team](mailto:support@hashicorp.com) to add the users in the HashiCorp Cloud Platform (HCP) platform. Users must be created and activated before you use single sign-on.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on **Test this application** in Azure portal. This will redirect to HashiCorp Cloud Platform (HCP) Sign-on URL where you can initiate the login flow.

+* Go to HashiCorp Cloud Platform (HCP) Sign-on URL directly and initiate the login flow from there.

+* You can use Microsoft My Apps. When you select the HashiCorp Cloud Platform (HCP) tile in the My Apps, this will redirect to HashiCorp Cloud Platform (HCP) Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Additional resources

+* [What is single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

+* [Plan a single sign-on deployment](../manage-apps/plan-sso-deployment.md).

+## Next steps

+Once you configure HashiCorp Cloud Platform (HCP) you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+- JIRA Core and Software 6.4 to 9.7.0 or JIRA Service Desk 3.0 to 4.22.1 should be installed and configured on Windows 64-bit version.

+* JIRA Core and Software: 6.4 to 9.7.0.

+* Jira Core and Software: 6.0 to 9.7.0

+| | JIRA SAML SSO add-on redirects to incorrect URL from mobile browser. | 7.0.0 to 9.7.0 |

+ Title: Azure Active Directory SSO integration with O'Reilly learning platform

+description: Learn how to configure single sign-on between Azure Active Directory and O'Reilly learning platform.

+# Azure Active Directory SSO integration with O'Reilly learning platform

+In this article, you learn how to integrate O'Reilly learning platform with Azure Active Directory (Azure AD). Azure AD's integration with the OΓÇÖReilly learning platform allows you to enable single sign-on (SSO) with SAML. This creates a seamless login experience for end users. When you integrate O'Reilly learning platform with Azure AD, you can:

+* Control in Azure AD who has access to O'Reilly learning platform.

+* Enable your users to be automatically signed-in to O'Reilly learning platform with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+You need to configure and test Azure AD single sign-on for O'Reilly learning platform in a test environment. O'Reilly learning platform supports both **SP** and **IDP** initiated single sign-on and **Just In Time** user provisioning.

+## Prerequisites

+To integrate Azure Active Directory with O'Reilly learning platform, you need:

+* An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* O'Reilly learning platform single sign-on (SSO) enabled subscription.

+## Add application and assign a test user

+Before you begin the process of configuring single sign-on, you need to add the O'Reilly learning platform application from the Azure AD gallery. You need a test user account to assign to the application and test the single sign-on configuration.

+### Add O'Reilly learning platform from the Azure AD gallery

+Add O'Reilly learning platform from the Azure AD application gallery to configure single sign-on with O'Reilly learning platform. For more information on how to add application from the gallery, see the [Quickstart: Add application from the gallery](../manage-apps/add-application-portal.md).

+### Create and assign Azure AD test user

+Follow the guidelines in the [create and assign a user account](../manage-apps/add-application-portal-assign-users.md) article to create a test user account in the Azure portal called B.Simon.

+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, and assign roles. The wizard also provides a link to the single sign-on configuration pane in the Azure portal. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides).

+## Configure Azure AD SSO

+Complete the following steps to enable Azure AD single sign-on in the Azure portal.

+1. In the Azure portal, on the **O'Reilly learning platform** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** textbox, type a value using the following pattern:

+ `urn:auth0:learning:<CONNECTION-NAME>`

+ b. In the **Reply URL** textbox, type a URL using the following pattern:

+ `https://sso.oreilly.com/login/callback?connection=<CONNECTION-NAME>`

+1. If you wish to configure the application in **SP** initiated mode, then perform the following step:

+ In the **Sign on URL** textbox, type a URL using the following pattern:

+ `https://go.oreilly.com/<CONNECTION-NAME>`

+ > [!NOTE]

+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [O'Reilly learning platform Client support team](mailto:platform-integration@oreilly.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.

+ 

+## Configure O'Reilly learning platform SSO

+To configure single sign-on on **O'Reilly learning platform** side, you need to send the **App Federation Metadata Url** to [O'Reilly learning platform support team](mailto:platform-integration@oreilly.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create O'Reilly learning platform test user

+In this section, a user called B.Simon is created in O'Reilly learning platform. O'Reilly learning platform supports just-in-time user provisioning, which is enabled by default. There's no action item for you in this section. If a user doesn't already exist in O'Reilly learning platform, a new one is commonly created after authentication.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+#### SP initiated:

+* Click on **Test this application** in Azure portal. This will redirect to O'Reilly learning platform Sign-on URL where you can initiate the login flow.

+* Go to O'Reilly learning platform Sign-on URL directly and initiate the login flow from there.

+#### IDP initiated:

+* Click on **Test this application** in Azure portal and you should be automatically signed in to the O'Reilly learning platform for which you set up the SSO.

+You can also use Microsoft My Apps to test the application in any mode. When you click the O'Reilly learning platform tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the O'Reilly learning platform for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Additional resources

+* [What is single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

+* [Plan a single sign-on deployment](../manage-apps/plan-sso-deployment.md).

+## Next steps

+Once you configure O'Reilly learning platform you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: Azure Active Directory SSO integration with Predict360 SSO

+description: Learn how to configure single sign-on between Azure Active Directory and Predict360 SSO.

+# Azure Active Directory SSO integration with Predict360 SSO

+In this article, you learn how to integrate Predict360 SSO with Azure Active Directory (Azure AD). Predict360 is a Governance, Risk and Compliance solution for mid-sized banks and other Financial Institutions. When you integrate Predict360 SSO with Azure AD, you can:

+* Control in Azure AD who has access to Predict360 SSO.

+* Enable your users to be automatically signed-in to Predict360 SSO with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+You configure and test Azure AD single sign-on for Predict360 SSO in a test environment. Predict360 SSO supports both **SP** and **IDP** initiated single sign-on.

+## Prerequisites

+To integrate Azure Active Directory with Predict360 SSO, you need:

+* An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Predict360 SSO single sign-on (SSO) enabled subscription.

+## Add application and assign a test user

+Before you begin the process of configuring single sign-on, you need to add the Predict360 SSO application from the Azure AD gallery. You need a test user account to assign to the application and test the single sign-on configuration.

+### Add Predict360 SSO from the Azure AD gallery

+Add Predict360 SSO from the Azure AD application gallery to configure single sign-on with Predict360 SSO. For more information on how to add application from the gallery, see the [Quickstart: Add application from the gallery](../manage-apps/add-application-portal.md).

+### Create and assign Azure AD test user

+Follow the guidelines in the [create and assign a user account](../manage-apps/add-application-portal-assign-users.md) article to create a test user account in the Azure portal called B.Simon.

+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, and assign roles. The wizard also provides a link to the single sign-on configuration pane in the Azure portal. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides).

+## Configure Azure AD SSO

+Complete the following steps to enable Azure AD single sign-on in the Azure portal.

+1. In the Azure portal, on the **Predict360 SSO** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, if you have **Service Provider metadata file**, perform the following steps:

+ a. Click **Upload metadata file**.

+ 

+ b. Click on **folder logo** to select the metadata file and click **Upload**.

+ 

+ c. After the metadata file is successfully uploaded, the **Identifier** and **Reply URL** values get auto populated in Basic SAML Configuration section.

+ d. If you wish to configure the application in **SP** initiated mode, then perform the following step:

+ In the **Sign on URL** textbox, type the URL:

+ `https://paadt.360factors.com/predict360/login.do`.

+ > [!Note]

+ > You will get the **Service Provider metadata file** from the [Predict360 SSO support team](mailto:support@360factors.com). If the **Identifier** and **Reply URL** values do not get auto populated, then fill in the values manually according to your requirement.

+1. On the **Set-up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up Predict360 SSO** section, copy the appropriate URL(s) based on your requirement.

+ 

+## Configure Predict360 SSO SSO

+To configure single sign-on on **Predict360 SSO** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Predict360 SSO support team](mailto:support@360factors.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create Predict360 SSO test user

+In this section, you create a user called Britta Simon at Predict360 SSO. Work with [Predict360 SSO support team](mailto:support@360factors.com) to add the users in the Predict360 SSO platform. Users must be created and activated before you use single sign-on.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+#### SP initiated:

+* Click on **Test this application** in Azure portal. This will redirect to Predict360 SSO Sign-on URL where you can initiate the login flow.

+* Go to Predict360 SSO Sign-on URL directly and initiate the login flow from there.

+#### IDP initiated:

+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Predict360 SSO for which you set up the SSO.

+You can also use Microsoft My Apps to test the application in any mode. When you click the Predict360 SSO tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Predict360 SSO for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Additional resources

+* [What is single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

+* [Plan a single sign-on deployment](../manage-apps/plan-sso-deployment.md).

+## Next steps

+Once you configure Predict360 SSO you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: Azure Active Directory SSO integration with Proactis Rego Source-to-Contract

+description: Learn how to configure single sign-on between Azure Active Directory and Proactis Rego Source-to-Contract.

+# Azure Active Directory SSO integration with Proactis Rego Source-to-Contract

+In this article, you learn how to integrate Proactis Rego Source-to-Contract with Azure Active Directory (Azure AD). Proactis Rego is a powerful Source-to-Contract software platform designed for mid-market organizations. ItΓÇÖs easy to use and integrate, giving you control over your spend and supply-chain risks. When you integrate Proactis Rego Source-to-Contract with Azure AD, you can:

+* Control in Azure AD who has access to Proactis Rego Source-to-Contract.

+* Enable your users to be automatically signed-in to Proactis Rego Source-to-Contract with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+You configure and test Azure AD single sign-on for Proactis Rego Source-to-Contract in a test environment. Proactis Rego Source-to-Contract supports **SP** initiated single sign-on.

+## Prerequisites

+To integrate Azure Active Directory with Proactis Rego Source-to-Contract, you need:

+* An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Proactis Rego Source-to-Contract single sign-on (SSO) enabled subscription.

+## Add application and assign a test user

+Before you begin the process of configuring single sign-on, you need to add the Proactis Rego Source-to-Contract application from the Azure AD gallery. You need a test user account to assign to the application and test the single sign-on configuration.

+### Add Proactis Rego Source-to-Contract from the Azure AD gallery

+Add Proactis Rego Source-to-Contract from the Azure AD application gallery to configure single sign-on with Proactis Rego Source-to-Contract. For more information on how to add application from the gallery, see the [Quickstart: Add application from the gallery](../manage-apps/add-application-portal.md).

+### Create and assign Azure AD test user

+Follow the guidelines in the [create and assign a user account](../manage-apps/add-application-portal-assign-users.md) article to create a test user account in the Azure portal called B.Simon.

+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, and assign roles. The wizard also provides a link to the single sign-on configuration pane in the Azure portal. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides).

+## Configure Azure AD SSO

+Complete the following steps to enable Azure AD single sign-on in the Azure portal.

+1. In the Azure portal, on the **Proactis Rego Source-to-Contract** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** textbox, type a URL using the following pattern:

+ `https://www.proactisplaza.com/authentication/saml/<CustomerName>`

+ b. In the **Reply URL** textbox, type a URL using the following pattern:

+ `https://www.proactisplaza.com/authentication/saml/<CustomerName>/consume`

+

+ c. In the **Sign on URL** textbox, type a URL using the following pattern:

+ `https://www.proactisplaza.com/authentication/saml/<CustomerName>`

+ > [!NOTE]

+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [Proactis Rego Source-to-Contract Client support team](mailto:helpdesk@proactis.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (PEM)** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up Proactis Rego Source-to-Contract** section, copy the appropriate URL(s) based on your requirement.

+ 

+## Configure Proactis Rego Source-to-Contract SSO

+To configure single sign-on on **Proactis Rego Source-to-Contract** side, you need to send the downloaded **Certificate (PEM)** and appropriate copied URLs from Azure portal to [Proactis Rego Source-to-Contract support team](mailto:helpdesk@proactis.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create Proactis Rego Source-to-Contract test user

+In this section, you create a user called Britta Simon at Proactis Rego Source-to-Contract. Work with [Proactis Rego Source-to-Contract support team](mailto:helpdesk@proactis.com) to add the users in the Proactis Rego Source-to-Contract platform. Users must be created and activated before you use single sign-on.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on **Test this application** in Azure portal. This will redirect to Proactis Rego Source-to-Contract Sign-on URL where you can initiate the login flow.

+* Go to Proactis Rego Source-to-Contract Sign-on URL directly and initiate the login flow from there.

+* You can use Microsoft My Apps. When you click the Proactis Rego Source-to-Contract tile in the My Apps, this will redirect to Proactis Rego Source-to-Contract Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Additional resources

+* [What is single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

+* [Plan a single sign-on deployment](../manage-apps/plan-sso-deployment.md).

+## Next steps

+Once you configure Proactis Rego Source-to-Contract you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: Azure Active Directory SSO integration with Theom

+description: Learn how to configure single sign-on between Azure Active Directory and Theom.

+# Azure Active Directory SSO integration with Theom

+In this article, you learn how to integrate Theom with Azure Active Directory (Azure AD). Theom detects active attacks on data clouds, data lakehouses and prevents breaches. Customers can seamlessly use TheomΓÇÖs AI threat intelligence while using their trusted environment for remediation. When you integrate Theom with Azure AD, you can:

+* Control in Azure AD who has access to Theom.

+* Enable your users to be automatically signed-in to Theom with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+You configure and test Azure AD single sign-on for Theom in a test environment. Theom supports **SP** initiated single sign-on.

+## Prerequisites

+To integrate Azure Active Directory with Theom, you need:

+* An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Theom single sign-on (SSO) enabled subscription.

+## Add application and assign a test user

+Before you begin the process of configuring single sign-on, you need to add the Theom application from the Azure AD gallery. You need a test user account to assign to the application and test the single sign-on configuration.

+### Add Theom from the Azure AD gallery

+Add Theom from the Azure AD application gallery to configure single sign-on with Theom. For more information on how to add application from the gallery, see the [Quickstart: Add application from the gallery](../manage-apps/add-application-portal.md).

+### Create and assign Azure AD test user

+Follow the guidelines in the [create and assign a user account](../manage-apps/add-application-portal-assign-users.md) article to create a test user account in the Azure portal called B.Simon.

+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, and assign roles. The wizard also provides a link to the single sign-on configuration pane in the Azure portal. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides).

+## Configure Azure AD SSO

+Complete the following steps to enable Azure AD single sign-on in the Azure portal.

+1. In the Azure portal, on the **Theom** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** textbox, type a value using the following pattern:

+ `urn:auth0:theom:<connection-name>`

+ b. In the **Reply URL** textbox, type a URL using the following pattern:

+ `https://theom.us.auth0.com/login/callback?connection=<connection-name>`

+

+ c. In the **Sign on URL** textbox, type a URL using the following pattern:

+ `https://<CUSTOMER_SUBDOMAIN>.theom.ai`

+ > [!NOTE]

+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [Theom Client support team](mailto:help@theom.ai) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up Theom** section, copy the appropriate URL(s) based on your requirement.

+ 

+## Configure Theom SSO

+To configure single sign-on on **Theom** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Theom support team](mailto:help@theom.ai). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create Theom test user

+In this section, you create a user called Britta Simon at Theom. Work with [Theom support team](mailto:help@theom.ai) to add the users in the Theom platform. Users must be created and activated before you use single sign-on.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on **Test this application** in Azure portal. This will redirect to Theom Sign-on URL where you can initiate the login flow.

+* Go to Theom Sign-on URL directly and initiate the login flow from there.

+* You can use Microsoft My Apps. When you click the Theom tile in the My Apps, this will redirect to Theom Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Additional resources

+* [What is single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

+* [Plan a single sign-on deployment](../manage-apps/plan-sso-deployment.md).

+## Next steps

+Once you configure Theom you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+* Azure CLI version 2.41.0 or later. Run `az --version` to see the currently installed version. If you need to install or upgrade, see [Install Azure CLI](/cli/azure/install-azure-cli).

+Create the cluster using `--network-dataplane cilium`:

+ --network-dataplane cilium

+> The `--network-dataplane cilium` flag replaces the deprecated `--enable-ebpf-dataplane` flag used in earlier versions of the aks-preview CLI extension.

+ --network-dataplane cilium

+ Title: Abort an Azure Kubernetes Service (AKS) long running operation

+AKS now supports aborting a long running operation, which is now generally available. This feature allows you to take back control and run another operation seamlessly. This design is supported using the [Azure REST API](/rest/api/azure/) or the [Azure CLI](/cli/azure/).

+- The Azure CLI version 2.47.0 or later. Run `az --version` to find the version, and run `az upgrade` to upgrade the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].

+ Title: Open Service Mesh in Azure Kubernetes Service (AKS)

+description: Learn about the Open Service Mesh (OSM) add-on in Azure Kubernetes Service (AKS).

+# Open Service Mesh (OSM) add-on in Azure Kubernetes Service (OSM)

+[Open Service Mesh (OSM)](https://docs.openservicemesh.io/) is a lightweight, extensible, cloud native service mesh that allows you to uniformly manage, secure, and get out-of-the-box observability features for highly dynamic microservice environments.

+OSM runs an Envoy-based control plane on Kubernetes and can be configured with [SMI](https://smi-spec.io/) APIs. OSM works by injecting an Envoy proxy as a sidecar container with each instance of your application. The Envoy proxy contains and executes rules around access control policies, implements routing configuration, and captures metrics. The control plane continually configures the Envoy proxies to ensure policies and routing rules are up to date and proxies are healthy.

+Microsoft started the OSM project, but it's now governed by the [Cloud Native Computing Foundation (CNCF)](https://www.cncf.io/).

+## Enable the OSM add-on

+OSM can be added to your Azure Kubernetes Service (AKS) cluster by enabling the OSM add-on using the [Azure CLI][osm-azure-cli] or a [Bicep template][osm-bicep]. The OSM add-on provides a fully supported installation of OSM that's integrated with AKS.

+> Based on the version of Kubernetes your cluster is running, the OSM add-on installs a different version of OSM.

+>

+> |Kubernetes version | OSM version installed |

+> ||--|

+> | 1.24.0 or greater | 1.2.3 |

+> | Between 1.23.5 and 1.24.0 | 1.1.3 |

+> | Below 1.23.5 | 1.0.0 |

+- Secure service-to-service communication by enabling mutual TLS (mTLS).

+- Define and execute fine-grained access control policies for services.

+- Integrate with external certificate management.

+- Integrate with existing ingress solutions such as [NGINX][nginx], [Contour][contour], and [Web Application Routing][web-app-routing].

+For more information on ingress and OSM, see [Using ingress to manage external access to services within the cluster][osm-ingress] and [Integrate OSM with Contour for ingress][osm-contour]. For an example of how to integrate OSM with ingress controllers using the `networking.k8s.io/v1` API, see [Ingress with Kubernetes Nginx ingress controller][osm-nginx]. For more information on using Web Application Routing, which automatically integrates with OSM, see [Web Application Routing][web-app-routing].

+## Limitations

+- After installation, you must enable Iptables redirection for port IP address and port range exclusion using `kubectl patch`. For more information, see [iptables redirection][ip-tables-redirection].

+- Any pods that need access to IMDS, Azure DNS, or the Kubernetes API server must have their IP addresses added to the global list of excluded outbound IP ranges using [Global outbound IP range exclusions][global-exclusion].

+- OSM doesn't support Windows Server containers.

+- [Deploy a sample application][osm-deploy-sample-app]

+- [Onboard an existing application][osm-onboard-app]

+A service mesh is an infrastructure layer in your application that facilitates communication between services. Service meshes provide capabilities like traffic management, resiliency, policy, security, strong identity, and observability to your workloads. Your application is decoupled from these operational capabilities, while the service mesh moves them out of the application layer and down to the infrastructure layer.

+When you use a service mesh, you can enable scenarios such as:

+- **Encrypting all traffic in cluster**: Enable mutual TLS between specified services in the cluster. This can be extended to ingress and egress at the network perimeter and provides a secure-by-default option with no changes needed for application code and infrastructure.

+- **Canary and phased rollouts**: Specify conditions for a subset of traffic to be routed to a set of new services in the cluster. On successful test of canary release, remove conditional routing and phase gradually increasing % of all traffic to a new service. Eventually, all traffic will be directed to the new service.

+- **Traffic management and manipulation**: Create a policy on a service that rate limits all traffic to a version of a service from a specific origin, or a policy that applies a retry strategy to classes of failures between specified services. Mirror live traffic to new versions of services during a migration or to debug issues. Inject faults between services in a test environment to test resiliency.

+- **Observability**: Gain insight into how your services are connected and the traffic that flows between them. Gather metrics, logs, and traces for all traffic in the cluster, including ingress/egress. Add distributed tracing abilities to applications.

+Before you select a service mesh, make sure you understand your requirements and reasoning for installing a service mesh. Ask the following questions:

+- **Is an ingress controller sufficient for my needs?**: Sometimes having a capability like A/B testing or traffic splitting at the ingress is sufficient to support the required scenario. Don't add complexity to your environment with no upside.

+- **Can my workloads and environment tolerate the additional overheads?**: All the components required to support the service mesh require resources like CPU and memory. All the proxies and their associated policy checks add latency to your traffic. If you have workloads that are very sensitive to latency or can't provide extra resources to cover service mesh components, you should reconsider using a service mesh.

+- **Is this adding unnecessary complexity?**: If you want to install a service mesh to use a capability that isn't critical to the business or operational teams, then consider whether the added complexity of installation, maintenance, and configuration is worth it.

+- **Can this be adopted in an incremental approach?**: Some of the service meshes that provide a lot of capabilities can be adopted in a more incremental approach. Install just the components you need to ensure your success. If you later find that more capabilities are required, explore them at a later time. Resist the urge to install *everything* from the start.

+> [Learn more about OSM][osm-about]

+There are also service meshes provided by open-source projects and third parties that are commonly used with AKS. These service meshes aren't covered by the [AKS support policy][aks-support-policy].

+For more details on service mesh standardization efforts, see:

+| 1.26 | Dec 2022 | Feb 2023 | Apr 2023 | Mar 2024

+## Requirements

+Version 2 of the Python programming model requires the following minimum versions:

+- [Azure Functions Runtime](../functions-versions.md) v4.16+

+- [Azure Functions Core Tools](../functions-run-local.md) v4.0.5095+ (if running locally)

+## Enable v2 programming model

+The following application setting is required to run the v2 programming model while it is in preview:

+- Name: `AzureWebJobsFeatureFlags`

+- Value: `EnableWorkerIndexing`

+If you're running locally using [Azure Functions Core Tools](../functions-run-local.md), you should add this setting to your `local.settings.json` file. If you're running in Azure, follow these steps with the tool of your choice:

+# [Azure CLI](#tab/azure-cli-set-indexing-flag)

+Replace `<FUNCTION_APP_NAME>` and `<RESOURCE_GROUP_NAME>` with the name of your function app and resource group, respectively.

+```azurecli

+az functionapp config appsettings set --name <FUNCTION_APP_NAME> --resource-group <RESOURCE_GROUP_NAME> --settings AzureWebJobsFeatureFlags=EnableWorkerIndexing

+```

+# [Azure PowerShell](#tab/azure-powershell-set-indexing-flag)

+Replace `<FUNCTION_APP_NAME>` and `<RESOURCE_GROUP_NAME>` with the name of your function app and resource group, respectively.

+```azurepowershell

+Update-AzFunctionAppSetting -Name <FUNCTION_APP_NAME> -ResourceGroupName <RESOURCE_GROUP_NAME> -AppSetting @{"AzureWebJobsFeatureFlags" = "EnableWorkerIndexing"}

+```

+# [VS Code](#tab/vs-code-set-indexing-flag)

+1. Make sure you have the [Azure Functions extension for VS Code](https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-azurefunctions) installed

+1. Press <kbd>F1</kbd> to open the command palette. In the command palette, search for and select `Azure Functions: Add New Setting...`.

+1. Choose your subscription and function app when prompted

+1. For the name, type `AzureWebJobsFeatureFlags` and press <kbd>Enter</kbd>.

+1. For the value, type `EnableWorkerIndexing` and press <kbd>Enter</kbd>.

+Each instance of the Functions host in the Consumption plan is limited, typically to 1.5 GB of memory and one CPU. An instance of the host is the entire function app, meaning all functions within a function app share resource within an instance and scale at the same time. Function apps that share the same Consumption plan scale independently. In the Premium plan, the plan size determines the available memory and CPU for all apps in that plan on that instance.

+Azure Functions uses a component called the *scale controller* to monitor the rate of events and determine whether to scale out or scale in. The scale controller uses heuristics for each trigger type. For example, when you're using an Azure Queue storage trigger, it uses [target-based scaling](functions-target-based-scaling.md).

+The unit of scale for Azure Functions is the function app. When the function app is scaled out, more resources are allocated to run multiple instances of the Azure Functions host. Conversely, as compute demand is reduced, the scale controller removes function host instances. The number of instances is eventually "scaled in" when no functions are running within a function app.

+After your function app has been idle for a number of minutes, the platform may scale the number of instances on which your app runs down to zero. The next request has the added latency of scaling from zero to one. This latency is referred to as a _cold start_. The number of dependencies required by your function app can affect the cold start time. Cold start is more of an issue for synchronous operations, such as HTTP triggers that must return a response. If cold starts are impacting your functions, consider running in a [Premium plan](functions-premium-plan.md#eliminate-cold-starts) or in a Dedicated plan with the **Always on** setting enabled.

+Scaling can vary based on several factors, and apps scale differently based on the triggers and language selected. There are a few intricacies of scaling behaviors to be aware of:

+* **Maximum instances:** A single function app only scales out to a [maximum allowed by the plan](functions-scale.md#scale). A single instance may process more than one message or request at a time though, so there isn't a set limit on number of concurrent executions. You can [specify a lower maximum](#limit-scale-out) to throttle scale as required.

+* **Target-based scaling:** Target-based scaling provides a fast and intuitive scaling model for customers and is currently supported for Service Bus Queues and Topics, Storage Queues, Event Hubs, and Cosmos DB extensions. Make sure to review target-based scaling to understand their scaling behavior.

+You may wish to restrict the maximum number of instances an app used to scale out. This is most common for cases where a downstream component like a database has limited throughput. By default, Consumption plan functions scale out to as many as 200 instances, and Premium plan functions will scale out to as many as 100 instances. You can specify a lower maximum for a specific app by modifying the `functionAppScaleLimit` value. The `functionAppScaleLimit` can be set to `0` or `null` for unrestricted, or a valid value between `1` and the app maximum.

+To learn more, see the following articles:

+Cosmos DB scaling decisions for the Consumption and Premium plans are done via target-based scaling. For more information, see [Target-based scaling](functions-target-based-scaling.md).

+|`collection_name` | The name of the Azure Cosmos DB collection being monitored. |

+Service Bus scaling decisions for the Consumption and Premium plans are made based on target-based scaling. For more information, see [Target-based scaling](functions-target-based-scaling.md).

+Azure Queue storage scaling decisions for the Consumption and Premium plans are done via target-based scaling. For more information, see [Target-based scaling](functions-target-based-scaling.md).

+## Testing considerations

+* `https://functions-next.azure.com`

+* `https://functions-staging.azure.com`

+* `https://functions.azure.com`

+* `https://portal.azure.com`

+app = func.FunctionApp()

+ "connection": "STORAGE_CONNECTION_STRING"

+ "STORAGE_CONNECTION_STRING": "<AZURE_STORAGE_CONNECTION_STRING>",

+def main(req: func.HttpRequest, obj: func.InputStream):

+When the function is invoked, the HTTP request is passed to the function as `req`. An entry will be retrieved from the Azure Blob Storage account based on the _ID_ in the route URL and made available as `obj` in the function body. Here, the specified storage account is the connection string that's found in the `CONNECTION_STRING` app setting.

+ "STORAGE_CONNECTION_STRING": "<AZURE_STORAGE_CONNECTION_STRING>",

+@app.read_blob(arg_name="obj", path="samples/{id}",

+ connection="STORAGE_CONNECTION_STRING")

+def main(req: func.HttpRequest, obj: func.InputStream):

+When the function is invoked, the HTTP request is passed to the function as `req`. An entry will be retrieved from the Azure Blob Storage account based on the _ID_ in the route URL and made available as `obj` in the function body. Here, the specified storage account is the connection string that's found in the `STORAGE_CONNECTION_STRING` app setting.

+ "connection": "STORAGE_CONNECTION_STRING"

+app = func.FunctionApp()

+ connection="CONNECTION_STRING")

+ # Get the setting named 'myAppSetting'

+ my_app_setting_value = os.environ["myAppSetting"]

+ logging.info(f'My app setting value:{my_app_setting_value}')

+app = func.FunctionApp()

+ # Get the setting named 'myAppSetting'

+ my_app_setting_value = os.environ["myAppSetting"]

+ logging.info(f'My app setting value:{my_app_setting_value}')

+ logging.info('Executing my_second_function.')

+ initial_value: int = int(req.params.get('value'))

+ doubled_value: int = my_second_helper_function.double(initial_value)

+ return func.HttpResponse(

+ body=f"{initial_value} * 2 = {doubled_value}",

+ status_code=200

+ def test_my_second_function(self):

+ # Construct a mock HTTP request.

+ req = func.HttpRequest(method='GET',

+ body=None,

+ url='/api/my_second_function',

+ params={'value': '21'})

+ # Call the function.

+ resp = main(req)

+ # Check the output.

+ self.assertEqual(resp.get_body(), b'21 * 2 = 42',)

+from function_app import main

+ def test_my_second_function(self):

+ # Construct a mock HTTP request.

+ req = func.HttpRequest(method='GET',

+ body=None,

+ url='/api/my_second_function',

+ params={'value': '21'})

+ # Call the function.

+ func_call = main.build().get_user_function()

+ resp = func_call(req)

+ # Check the output.

+ self.assertEqual(

+ resp.get_body(),

+ b'21 * 2 = 42',

+ )

+ Title: Target-based scaling in Azure Functions

+description: Explains target-based scaling behaviors of Consumption plan and Premium plan function apps.

+# Target-based scaling

+Target-based scaling provides a fast and intuitive scaling model for customers and is currently supported for the following extensions:

+- Service Bus queues and topics

+- Storage Queues

+- Event Hubs

+- Azure Cosmos DB

+Target-based scaling replaces the previous Azure Functions incremental scaling model as the default for these extension types. Incremental scaling added or removed a maximum of one worker at [each new instance rate](event-driven-scaling.md#understanding-scaling-behaviors), with complex decisions for when to scale. In contrast, target-based scaling allows scale up of four instances at a time, and the scaling decision is based on a simple target-based equation:

+

+The default _target executions per instance_ values come from the SDKs used by the Azure Functions extensions. You don't need to make any changes for target-based scaling to work.

+> [!NOTE]

+> In order to achieve the most accurate scaling based on metrics, we recommend one target-based triggered function per function app.

+## Prerequisites

+Target-based scaling is supported for the [Consumption](consumption-plan.md) and [Premium](functions-premium-plan.md) plans. Your function app runtime must be 4.3.0 or higher.

+## Opting out

+Target-based scaling is enabled by default for function apps on the Consumption plan or Premium plans without runtime scale monitoring. If you wish to disable target-based scaling and revert to incremental scaling, add the following app setting to your function app:

+| App Setting | Value |

+| -- | -- |

+|`TARGET_BASED_SCALING_ENABLED` | 0 |

+## Customizing target-based scaling

+You can make the scaling behavior more or less aggressive based on your app's workload by adjusting _target executions per instance_. Each extension has different settings that you can use to set _target executions per instance_.

+This table summarizes the `host.json` values that are used for the _target executions per instance_ values and the defaults:

+| Extension | host.json values | Default Value |

+| -- | -- | - |

+| Service Bus (Extension v5.x+, Single Dispatch) | extensions.serviceBus.maxConcurrentCalls | 16 |

+| Service Bus (Extension v5.x+, Single Dispatch Sessions Based) | extensions.serviceBus.maxConcurrentSessions | 8 |

+| Service Bus (Extension v5.x+, Batch Processing) | extensions.serviceBus.maxMessageBatchSize | 1000 |

+| Service Bus (Functions v2.x+, Single Dispatch) | extensions.serviceBus.messageHandlerOptions.maxConcurrentCalls | 16 |

+| Service Bus (Functions v2.x+, Single Dispatch Sessions Based) | extensions.serviceBus.sessionHandlerOptions.maxConcurrentSessions | 2000 |

+| Service Bus (Functions v2.x+, Batch Processing) | extensions.serviceBus.batchOptions.maxMessageCount | 1000 |

+| Event Hubs (Extension v5.x+) | extensions.eventHubs.maxEventBatchSize | 10 |

+| Event Hubs (Extension v3.x+) | extensions.eventHubs.eventProcessorOptions.maxBatchSize | 10 |

+| Event Hubs (if defined) | extensions.eventHubs.targetUnprocessedEventThreshold | n/a |

+| Storage Queue | extensions.queues.batchSize | 16 |

+For Azure Cosmos DB _target executions per instance_ is set in the function attribute:

+| Extension | Function trigger setting | Default Value |

+| -- | | - |

+| Azure Cosmos DB | maxItemsPerInvocation | 100 |

+To learn more, see the [example configurations for the supported extensions](#supported-extensions).

+## Premium plan with runtime scale monitoring enabled

+In [runtime scale monitoring](functions-networking-options.md?tabs=azure-cli#premium-plan-with-virtual-network-triggers), the extensions handle target-based scaling. Hence, in addition to the function app runtime version requirement, your extension packages must meet the following minimum versions:

+| Extension Name | Minimum Version Needed |

+| -- | - |

+| Storage Queue | 5.1.0 |

+| Event Hubs | 5.2.0 |

+| Service Bus | 5.9.0 |

+| Azure Cosmos DB | 4.1.0 |

+Additionally, target-based scaling is currently an **opt-in** feature with runtime scale monitoring. In order to use target-based scaling with the Premium plan when runtime scale monitoring is enabled, add the following app setting to your function app:

+| App Setting | Value |

+| -- | -- |

+|`TARGET_BASED_SCALING_ENABLED` | 1 |

+## Dynamic concurrency support

+Target-based scaling introduces faster scaling, and uses defaults for _target executions per instance_. When using Service Bus or Storage queues, you can also enable [dynamic concurrency](functions-concurrency.md#dynamic-concurrency). In this configuration, the _target executions per instance_ value is determined automatically by the dynamic concurrency feature. It starts with limited concurrency and identifies the best setting over time.

+## Supported extensions

+The way in which you configure target-based scaling in your host.json file depends on the specific extension type. This section provides the configuration details for the extensions that currently support target-based scaling.

+### Service Bus queues and topics

+The Service Bus extension support three execution models, determined by the `IsBatched` and `IsSessionsEnabled` attributes of your Service Bus trigger. The default value for `IsBatched` and `IsSessionsEnabled` is `false`.

+| Execution Model | IsBatched | IsSessionsEnabled | Setting Used for _target executions per instance_ |

+| | | -- | - |

+| Single dispatch processing | false | false | maxConcurrentCalls |

+| Single dispatch processing (session-based) | false | true | maxConcurrentSessions |

+| Batch processing | true | false | maxMessageBatchSize or maxMessageCount |

+> [!NOTE]

+> **Scale efficiency:** For the Service Bus extension, use _Manage_ rights on resources for the most efficient scaling. With _Listen_ rights scaling reverts to incremental scale because the queue or topic length can't be used to inform scaling decisions. To learn more about setting rights in Service Bus access policies, see [Shared Access Authorization Policy](../service-bus-messaging/service-bus-sas.md#shared-access-authorization-policies).

+#### Single dispatch processing

+In this model, each invocation of your function processes a single message. The `maxConcurrentCalls` setting governs _target executions per instance_. The specific setting depends on the version of the Service Bus extension.

+# [v5.x+](#tab/v5)

+Modify the `host.json` setting `maxConcurrentCalls`, as in the following example:

+```json

+{

+ "version": "2.0",

+ "extensions": {

+ "serviceBus": {

+ "maxConcurrentCalls": 16

+ }

+ }

+}

+```

+# [v2.x+](#tab/v2)

+Modify the `host.json` setting `maxConcurrentCalls` in `messageHandlerOptions`, as in the following example:

+```json

+{

+ "version": "2.0",

+ "extensions": {

+ "serviceBus": {

+ "messageHandlerOptions": {

+ "maxConcurrentCalls": 16

+ }

+ }

+ }

+}

+```

+#### Single dispatch processing (session-based)

+In this model, each invocation of your function processes a single message. However, depending on the number of active sessions for your Service Bus topic or queue, each instance leases one or more sessions. The specific setting depends on the version of the Service Bus extension.

+# [v5.x+](#tab/v5)

+Modify the `host.json` setting `maxConcurrentSessions` to set _target executions per instance_, as in the following example:

+```json

+{

+ "version": "2.0",

+ "extensions": {

+ "serviceBus": {

+ "maxConcurrentSessions": 8

+ }

+ }

+}

+```

+# [v2.x+](#tab/v2)

+Modify the `host.json` setting `maxConcurrentSessions` in `sessionHandlerOptions` to set _target executions per instance_, as in the following example:

+```json

+{

+ "version": "2.0",

+ "extensions": {

+ "serviceBus": {

+ "sessionHandlerOptions": {

+ "maxConcurrentSessions": 2000

+ }

+ }

+ }

+}

+```

+#### Batch processing

+In this model, each invocation of your function processes a batch of messages. The specific setting depends on the version of the Service Bus extension.

+# [v5.x+](#tab/v5)

+Modify the `host.json` setting `maxMessageBatchSize` to set _target executions per instance_, as in the following example:

+```json

+{

+ "version": "2.0",

+ "extensions": {

+ "serviceBus": {

+ "maxMessageBatchSize": 1000

+ }

+ }

+}

+```

+# [v2.x+](#tab/v2)

+Modify the `host.json` setting `maxMessageCount` in `batchOptions` to set _target executions per instance_, as in the following example:

+```json

+{

+ "version": "2.0",

+ "extensions": {

+ "serviceBus": {

+ "batchOptions": {

+ "maxMessageCount": 1000

+ }

+ }

+ }

+}

+```

+### Event Hubs

+For Azure Event Hubs, Azure Functions scales based on the number of unprocessed events distributed across all the partitions in the event hub. By default, the `host.json` attributes used for _target executions per instance_ are `maxEventBatchSize` and `maxBatchSize`. However, if you choose to fine-tune target-based scaling, you can define a separate parameter `targetUnprocessedEventThreshold` that overrides to set _target executions per instance_ without changing the batch settings. If `targetUnprocessedEventThreshold` is set, the total unprocessed event count is divided by this value to determine the number of instances, which is then be rounded up to a worker instance count that creates a balanced partition distribution.

+> [!NOTE]

+> Since Event Hubs is a partitioned workload, the target instance count for Event Hubs is capped by the number of partitions in your event hub.

+The specific setting depends on the version of the Event Hubs extension.

+# [v5.x+](#tab/v5)

+Modify the `host.json` setting `maxEventBatchSize` to set _target executions per instance_, as in the following example:

+```json

+{

+ "version": "2.0",

+ "extensions": {

+ "eventHubs": {

+ "maxEventBatchSize" : 10

+ }

+ }

+}

+```

+When defined in `host.json`, `targetUnprocessedEventThreshold` is used as _target executions per instance_ instead of `maxEventBatchSize`, as in the following example:

+```json

+{

+ "version": "2.0",

+ "extensions": {

+ "eventHubs": {

+ "targetUnprocessedEventThreshold": 23

+ }

+ }

+}

+```

+# [v3.x+](#tab/v2)

+For **v3.x+** of the Event Hubs extension, modify the `host.json` setting `maxBatchSize` under `eventProcessorOptions` to set _target executions per instance_:

+```json

+{

+ "version": "2.0",

+ "extensions": {

+ "eventHubs": {

+ "eventProcessorOptions": {

+ "maxBatchSize": 10

+ }

+ }

+ }

+}

+```

+When defined in `host.json`, `targetUnprocessedEventThreshold` is used as _target executions per instance_ instead of `maxBatchSize`, as in the following example:

+```json

+{

+ "version": "2.0",

+ "extensions": {

+ "eventHubs": {

+ "targetUnprocessedEventThreshold": 23

+ }

+ }

+}

+```

+### Storage Queues

+For **v2.x+** of the Storage extension, modify the `host.json` setting `batchSize` to set _target executions per instance_:

+```json

+{

+ "version": "2.0",

+ "extensions": {

+ "queues": {

+ "batchSize": 16

+ }

+ }

+}

+```

+### Azure Cosmos DB

+Azure Cosmos DB uses a function-level attribute, `MaxItemsPerInvocation`. The way you set this function-level attribute depends on your function language.

+# [C#](#tab/csharp)

+For a compiled C# function, set `MaxItemsPerInvocation` in your trigger definition, as shown in the following examples for an in-process C# function:

+```C#

+namespace CosmosDBSamplesV2

+{

+ public static class CosmosTrigger

+ {

+ [FunctionName("CosmosTrigger")]

+ public static void Run([CosmosDBTrigger(

+ databaseName: "ToDoItems",

+ collectionName: "Items",

+ MaxItemsPerInvocation: 100,

+ ConnectionStringSetting = "CosmosDBConnection",

+ LeaseCollectionName = "leases",

+ CreateLeaseCollectionIfNotExists = true)]IReadOnlyList<Document> documents,

+ ILogger log)

+ {

+ if (documents != null && documents.Count > 0)

+ {

+ log.LogInformation($"Documents modified: {documents.Count}");

+ log.LogInformation($"First document Id: {documents[0].Id}");

+ }

+ }

+ }

+}

+```

+# [Java](#tab/java)

+Java example pending.

+# [JavaScript/PowerShell/Python](#tab/node+powershell+python)

+For Functions languages that use `function.json`, the `MaxItemsPerInvocation` parameter is defined in the specific binding, as in this Azure Cosmos DB trigger example:

+```json

+{

+ "bindings": [

+ {

+ "type": "cosmosDBTrigger",

+ "maxItemsPerInvocation": 100,

+ "connection": "MyCosmosDb",

+ "leaseContainerName": "leases",

+ "containerName": "collectionName",

+ "databaseName": "databaseName",

+ "leaseDatabaseName": "databaseName",

+ "createLeaseContainerIfNotExists": false,

+ "startFromBeginning": false,

+ "name": "input"

+ }

+ ]

+}

+```

+Examples for the Python v2 programming model and the JavaScript v4 programming model aren't yet available.

+> [!NOTE]

+> Since Azure Cosmos DB is a partitioned workload, the target instance count for the database is capped by the number of physical partitions in your container. To learn more about Azure Cosmos DB scaling, see [physical partitions](../cosmos-db/nosql/change-feed-processor.md#dynamic-scaling) and [lease ownership](../cosmos-db/nosql/change-feed-processor.md#dynamic-scaling).

+## Next steps

+To learn more, see the following articles:

+For more information on how to create and add data to the map, see [Create a data source].

+When a user interacts with a feature on the map, events can be used to react to those actions. A common scenario is to display a message made of the metadata properties of a feature the user interacted with. The `OnFeatureClick` event is the main event used to detect when the user tapped a feature on the map. There's also an `OnLongFeatureClick` event. When the `OnFeatureClick` event is added to the map, it can be limited to a single layer by passing in the ID of a layer to limit it to. If no layer ID is passed in, tapping any feature on the map, regardless of which layer it is in, would fire this event. The following code creates a symbol layer to render point data on the map, then adds an `OnFeatureClick` event and limits it to this symbol layer.

+- [Snackbar widget] - `Snackbars` provide lightweight feedback about an operation. They show a brief message at the bottom of the screen on mobile and lower left on larger devices. `Snackbars` appear above all other elements on screen and only one can be displayed at a time.

+- [Dialogs] - A dialog is a small window that prompts the user to make a decision or enter additional information. A dialog doesn't fill the screen and is normally used for modal events that require users to take an action before they can continue.

+- Add a [Fragment] to the current activity.

+> [React to map events]

+> [Create a data source]

+> [Add a symbol layer]

+> [Add a bubble layer]

+> [Add a line layer]

+> [Add a polygon layer]

+[Create a data source]: create-data-source-android-sdk.md

+[Snackbar widget]: https://developer.android.com/training/snackbar/showing.html

+[Dialogs]: https://developer.android.com/guide/topics/ui/dialogs

+[Fragment]: https://developer.android.com/guide/components/fragments

+[React to map events]: android-map-events.md

+[Add a symbol layer]: how-to-add-symbol-to-android-map.md

+[Add a bubble layer]: map-add-bubble-layer-android.md

+[Add a line layer]: android-map-add-line-layer.md

+[Add a polygon layer]: how-to-add-shapes-to-android-map.md

+For more information on how to create and add data to the map, see [Create a data source].

+When a user interacts with a feature on the map, events can be used to react to those actions. A common scenario is to display a message made of the metadata properties of a feature the user interacted with. The `azureMap(_:didTapOn:)` event is the main event used to detect when the user tapped a feature on the map. There's also an `azureMap(_:didLongPressOn:)` event. When a delegate is added to the map, it can be limited to a single layer by passing in the ID of a layer to limit it to. If no layer ID is passed in, tapping any feature on the map, regardless of which layer it is in, would fire this event. The following code creates a symbol layer to render point data on the map, then adds a delegate, limited to this symbol layer, which handles the `azureMap(_:didTapOn:)` event.

+[Create a data source]: create-data-source-ios-sdk.md

+The Azure Maps [Conversion service] lets you convert uploaded drawing packages into map data. Drawing packages must adhere to the [Drawing package requirements]. If one or more requirements aren't met, then the Conversion service returns errors or warnings. This article lists the conversion error and warning codes, with recommendations on how to resolve them. It also provides some examples of drawings that can cause the Conversion service to return these codes.

+The Conversion service succeeds if there are any conversion warnings. However, it's recommended that you review and resolve all warnings. A warning means part of the conversion was ignored or automatically fixed. Failing to resolve the warnings could result in errors in latter processes.

+A **geometryWarning** occurs when the drawing contains an invalid entity. An invalid entity is an entity that doesn't conform to geometric constraints. Examples of an invalid entity are a self-intersecting polygon or an open PolyLine in a layer that only supports closed geometry.

+* The following two images show examples of self-intersecting polygons.

+* The following image shows an open PolyLine. Assume that the layer only supports closed geometry.

+ 

+An **unexpectedGeometryInLayer** warning occurs when the drawing contains geometry that is incompatible with the expected geometry type for a given layer. When the Conversion service returns an **unexpectedGeometryInLayer** warning, it ignores that geometry.

+The following image shows an open PolyLine. Assume that the layer only supports closed geometry.

+

+The following image shows an unsupported entity type as a multi-line text object on a label layer.

+Ensure that your DWG files contain only the supported entity types. Supported types are listed under the [Drawing files requirements] section in the drawing package requirements article.

+* The following image shows the Conversion service snapping the first and last vertex of an open PolyLine to create a closed PolyLine, where the first and last vertex were less than 1 mm apart.

+* The following image shows how, in a layer that supports only closed PolyLines, the Conversion service repaired multiple open PolyLines. To avoid discarding the open PolyLines, the service combined them into a single closed PolyLine.

+ 

+* The following JSON example contains two or more `unitProperties` objects with the same `name`.

+* In the following JSON snippet, two or more `zoneProperties` objects have the same `name`.

+* The following image shows an interior wall, in red, outside the yellow level boundary.

+An **invalidArchiveFormat** error also occurs if the ZIP archive is empty.

+The _manifest.json_file can't be read because of JSON formatting or syntax errors. To learn more about how JSON format and syntax, see [The JavaScript Object Notation (JSON) Data Interchange Format].

+To fix a **missingRequiredField** error, verify that the manifest contains all required properties. For a full list of required manifest object, see the [manifest section in the Drawing package requirements].

+The Conversion service returns a **conflict** error when more than one level is defined with the same level ordinal. The following JSON snippet shows two levels defined with the same ordinal.

+In the following JSON snippet, the latitude is above the upper limit.

+> [!IMPORTANT]

+> In GeoJSON, the coordinates order is longitude and latitude. If you don't use the correct order, you may accidentally refer a latitude or longitude value that is out of range.

+### **wallError**s

+The following image shows a vertical penetration area with no overlapping vertical penetration areas on levels above or below it.

+To fix a **verticalPenetrationError** error, read about how to use a vertical penetration feature in the [Drawing package requirements] article.

+> [How to use Azure Maps Drawing error visualizer]

+> [Drawing Package Guide]

+> [Creator for indoor mapping]

+[Conversion service]: /rest/api/maps/v2/conversion

+[Drawing package requirements]: drawing-requirements.md

+[Drawing files requirements]: drawing-requirements.md#drawing-package-requirements

+[The JavaScript Object Notation (JSON) Data Interchange Format]: https://tools.ietf.org/html/rfc7159

+[manifest section in the Drawing package requirements]: drawing-requirements.md#manifest-file-requirements

+[How to use Azure Maps Drawing error visualizer]: drawing-error-visualizer.md

+[Drawing Package Guide]: drawing-package-guide.md

+[Creator for indoor mapping]: creator-indoor-maps.md

+ Title: Review TrackAvailability() test results

+description: This article explains how to review data logged by TrackAvailability() tests

+# Review TrackAvailability() test results

+This article explains how to review TrackAvailability() test results in the Azure portal and query the data using Log Analytics.

+## Prerequisites

+> [!div class="checklist"]

+> - [Azure subscription](https://azure.microsoft.com/free) and user account with the ability to create and delete resources

+> - [Workspace-based Application Insights resource](create-workspace-resource.md)

+> - Custom [Azure Functions app](../../azure-functions/functions-overview.md#introduction-to-azure-functions) running [TrackAvailability()](/dotnet/api/microsoft.applicationinsights.telemetryclient.trackavailability) with your own business logic

+Start by reviewing the graph on the **Availability** tab of your Application Insights resource.

+* [Standard tests](availability-standard-tests.md)

+* [Availability alerts](availability-alerts.md)

+* [Application Map](./app-map.md)

+* [Transaction diagnostics](./transaction-diagnostics.md)

+## How do the Netlogon protocol changes in the April 2023 Windows Update affect Azure NetApp Files?

+The Windows April 2023 update will include a patch for Netlogon protocol changes, however these changes are not enforced at this time.

+

+You should not modify the `RequireSeal` value to 2 at this time. Azure NetApp Files adds support for setting `RequireSeal` to 2 in May 2023.

+The enforcement of setting `RequireSeal` value to 2 will occur by default with the June 2023 Azure update.

+For more information, see [KB5021130: How to manage the Netlogon protocol changes related to CVE-2022-38023](https://support.microsoft.com/topic/kb5021130-how-to-manage-the-netlogon-protocol-changes-related-to-cve-2022-38023-46ea3067-3989-4d40-963c-680fd9e8ee25#timing5021130).

+- **Support for all resource types and API versions**: Bicep immediately supports all preview and GA versions for Azure services. As soon as a resource provider introduces new resource types and API versions, you can use them in your Bicep file. You don't have to wait for tools to be updated before using the new services.

+### Python

+You lock deployed resources with Python by using the [ManagementLockClient.management_locks.create_or_update_at_resource_group_level](/python/api/azure-mgmt-resource/azure.mgmt.resource.locks.v2016_09_01.operations.managementlocksoperations#azure-mgmt-resource-locks-v2016-09-01-operations-managementlocksoperations-create-or-update-at-resource-group-level) command.

+To lock a resource, provide the name of the resource, its resource type, and its resource group name.

+```python

+import os

+from azure.identity import AzureCliCredential

+from azure.mgmt.resource import ManagementLockClient

+credential = AzureCliCredential()

+subscription_id = os.environ["AZURE_SUBSCRIPTION_ID"]

+lock_client = ManagementLockClient(credential, subscription_id)

+lock_result = lock_client.management_locks.create_or_update_at_resource_level(

+ "exampleGroup",

+ "Microsoft.Web",

+ "",

+ "sites",

+ "examplesite",

+ "lockSite",

+ {

+ "level": "CanNotDelete"

+ }

+)

+```

+To lock a resource group, provide the name of the resource group.

+```python

+import os

+from azure.identity import AzureCliCredential

+from azure.mgmt.resource import ManagementLockClient

+credential = AzureCliCredential()

+subscription_id = os.environ["AZURE_SUBSCRIPTION_ID"]

+lock_client = ManagementLockClient(credential, subscription_id)

+lock_result = lock_client.management_locks.create_or_update_at_resource_group_level(

+ "exampleGroup",

+ "lockGroup",

+ {

+ "level": "CanNotDelete"

+ }

+)

+```

+To get information about all locks in your subscription, use [ManagementLockClient.management_locks.get](/python/api/azure-mgmt-resource/azure.mgmt.resource.locks.v2016_09_01.operations.managementlocksoperations#azure-mgmt-resource-locks-v2016-09-01-operations-managementlocksoperations-list-at-subscription-level). To get all the locks in your subscription, use:

+```python

+import os

+from azure.identity import AzureCliCredential

+from azure.mgmt.resource import ManagementLockClient

+credential = AzureCliCredential()

+subscription_id = os.environ["AZURE_SUBSCRIPTION_ID"]

+lock_client = ManagementLockClient(credential, subscription_id)

+lock_result = lock_client.management_locks.list_at_subscription_level()

+for lock in lock_result:

+ print(f"Lock name: {lock.name}")

+ print(f"Lock level: {lock.level}")

+ print(f"Lock notes: {lock.notes}")

+```

+To get a lock for a resource, use:

+```python

+import os

+from azure.identity import AzureCliCredential

+from azure.mgmt.resource import ManagementLockClient

+credential = AzureCliCredential()

+subscription_id = os.environ["AZURE_SUBSCRIPTION_ID"]

+lock_client = ManagementLockClient(credential, subscription_id)

+lock_result = lock_client.management_locks.get_at_resource_level(

+ "exampleGroup",

+ "Microsoft.Web",

+ "",

+ "sites",

+ "examplesite",

+ "lockSite"

+)

+print(f"Lock ID: {lock_result.id}")

+print(f"Lock Name: {lock_result.name}")

+print(f"Lock Level: {lock_result.level}")

+```

+To get a lock for a resource group, use:

+```python

+import os

+from azure.identity import AzureCliCredential

+from azure.mgmt.resource import ManagementLockClient

+credential = AzureCliCredential()

+subscription_id = os.environ["AZURE_SUBSCRIPTION_ID"]

+lock_client = ManagementLockClient(credential, subscription_id)

+lock_result = lock_client.management_locks.get_at_resource_group_level(

+ "exampleGroup",

+ "lockGroup"

+)

+print(f"Lock ID: {lock_result.id}")

+print(f"Lock Level: {lock_result.level}")

+```

+To delete a lock for a resource, use:

+```python

+import os

+from azure.identity import AzureCliCredential

+from azure.mgmt.resource import ManagementLockClient

+credential = AzureCliCredential()

+subscription_id = os.environ["AZURE_SUBSCRIPTION_ID"]

+lock_client = ManagementLockClient(credential, subscription_id)

+lock_client.management_locks.delete_at_resource_level(

+ "exampleGroup",

+ "Microsoft.Web",

+ "",

+ "sites",

+ "examplesite",

+ "lockSite"

+)

+```

+To delete a lock for a resource group, use:

+```python

+import os

+from azure.identity import AzureCliCredential

+from azure.mgmt.resource import ManagementLockClient

+credential = AzureCliCredential()

+subscription_id = os.environ["AZURE_SUBSCRIPTION_ID"]

+lock_client = ManagementLockClient(credential, subscription_id)

+lock_client.management_locks.delete_at_resource_group_level("exampleGroup", "lockGroup")

+```

+In this article, you'll learn how to enable Azure VMware SolutionΓÇÖs Managed Source NAT (SNAT) to connect to the Internet outbound. A SNAT service translates from RFC1918 space to the public Internet for simple outbound Internet access. Note that ICMP (ping) is disabled by design; you cannot ping an Internet host. The SNAT service won't work when you have a default route from Azure.

+| ```temperature``` | number | Optional | 1 | What sampling temperature to use, between 0 and 2. Higher values means the model will take more risks. Try 0.9 for more creative applications, and 0 (`argmax sampling`) for ones with a well-defined answer. We generally recommend altering this or top_p but not both. |

+You need to be part of the Azure Communication Services TAP program. It's likely that youΓÇÖre already part of this program, and if you aren't, sign-up using https://aka.ms/acs-tap-invite. Bring your own Azure Storage uses Managed Identities, to access to this functionality for Call Recording, submit your Azure Communication Services Resource IDs by filling this - [Registration form](https://forms.office.com/r/njact5SiVJ). You need to fill the form every time you need a new resource ID allow-listed.

+In addition, if you're using the Azure CLI with the Consumption only architecture and the [platformReservedCidr](vnet-custom-internal.md#networking-parameters) range is defined, both subnets must not overlap with the IP range defined in `platformReservedCidr`.

+The name of the resource group created in the Azure subscription where your environment is hosted is prefixed with `ME_` by default, and the resource group name *can* be customized during container app environment creation. For external environments, the resource group contains a public IP address used specifically for inbound connectivity to your external environment and a load balancer. For internal environments, the resource group only contains a Load Balancer.

+> [!NOTE]

+> You can use an existing virtual network, but a dedicated subnet with a CIDR range of `/23` or larger is required for use with Container Apps when using the Consumption only Architecture. When using the Workload Profiles Architecture, a `/27` or larger is required. To learn more about subnet sizing, see the [networking architecture overview](./networking.md#subnet).

+> Network subnet address prefix requires a minimum CIDR range of `/23` for use with Container Apps when using the Consumption only Architecture. When using the Workload Profiles Architecture, a `/27` or larger is required. To learn more about subnet sizing, see the [networking architecture overview](./networking.md#subnet).

+ --address-prefixes 10.0.0.0/23

+ AddressPrefix = '10.0.0.0/23'

+| `platform-reserved-cidr` | The address range used internally for environment infrastructure services. Must have a size between `/23` and `/12` when using the [Consumption only architecture](./networking.md)|

+| `VnetConfigurationPlatformReservedCidr` | The address range used internally for environment infrastructure services. Must have a size between `/23` and `/12` when using the [Consumption only architecture](./networking.md) |

+> You can use an existing virtual network, but a dedicated subnet with a CIDR range of `/23` or larger is required for use with Container Apps when using the Consumption only Architecture. When using the Workload Profiles Architecture, a `/27` or larger is required. To learn more about subnet sizing, see the [networking architecture overview](./networking.md#subnet).

+> Network subnet address prefix requires a minimum CIDR range of `/23` for use with Container Apps when using the Consumption only Architecture. When using the Workload Profiles Architecture, a `/27` or larger is required. To learn more about subnet sizing, see the [networking architecture overview](./networking.md#subnet).

+| `platform-reserved-cidr` | The address range used internally for environment infrastructure services. Must have a size between `/23` and `/12` when using the [Consumption only architecture](./networking.md)|

+| `VnetConfigurationPlatformReservedCidr` | The address range used internally for environment infrastructure services. Must have a size between `/23` and `/12` when using the [Consumption only architecture](./networking.md) |

+> When merge is enabled on an account, only requests from .NET SDK version >= 3.27.0 or Java SDK >= 4.42.0 or Azure Cosmos DB Spark connector >= 4.18.0 will be allowed on the account, regardless of whether merges are ongoing or not. Requests from other SDKs (older .NET SDK, older Java SDK, any JavaScript SDK, any Python SDK, any Go SDK) or unsupported connectors (Azure Data Factory, Azure Search, Azure Functions, Azure Stream Analytics, and others) will be blocked and fail. Ensure you have upgraded to a supported SDK version before enabling the feature. After the feature is enabled or disabled, it may take 15-20 minutes to fully propagate to the account. If you plan to disable the feature after you've completed using it, it may take 15-20 minutes before requests from SDKs and connectors that are not supported for merge are allowed.

+For enhanced workflows and ease of use, you can use the MedTech service to receive messages from devices you create and manage through an IoT hub in [Azure IoT Hub](../../iot-hub/iot-concepts-and-iot-hub.md). This tutorial uses an Azure Resource Manager template (ARM template) and a **Deploy to Azure** button to deploy a MedTech service. The template deploys an IoT hub to create and manage devices, and then routes device messages to an event hub in Azure Event Hubs for the MedTech service to pick up and process.

+> To learn how the MedTech service transforms and persists device message data into the FHIR service as FHIR Observations, see [Overview of the MedTech service device message processing stages](overview-of-device-message-processing-stages.md).

+ - **Region**: The Azure region of the resource group that's used for the deployment. **Region** autofills by using the resource group region.

+> To learn about the MedTech service resolution types **Create** and **Lookup**, see [Destination properties](deploy-new-config.md#destination-properties).

+Now that you have successfully sent a test message to your IoT hub, review your MedTech service metrics. You review metrics to verify that your MedTech service received, grouped, transformed, and persisted the test message to your FHIR service. To learn more, see [How to display the MedTech service monitoring tab metrics](how-to-use-monitoring-tab.md).

+The following video presents an overview of the Mapping debugger:

+The following video presents an overview of the MedTech service:

+* We are going to use Torch as a backend.

+| `resources.shm_size` | string | The size of the docker container's shared memory block. This should be in the format of `<number><unit>` where number has to be greater than 0 and the unit can be one of `b` (bytes), `k` (kilobytes), `m` (megabytes), or `g` (gigabytes). | | `2g` |

+description: Learn how Microsoft builds and operates one of the largest backbone networks in the world, and why it's central to delivering a great cloud experience.

+The [Microsoft global network](https://azure.microsoft.com/global-infrastructure/global-network/) (WAN) is a central part of delivering a great cloud experience. The global network connects our Microsoft [data centers](https://azure.microsoft.com/global-infrastructure/) across 61 Azure regions with a large mesh of edge-nodes strategically placed around the world. The Microsoft global network offers both the availability, capacity, and the flexibility to meet any demand.

+Opting for the [best possible experience](https://www.sdxcentral.com/articles/news/azure-tops-aws-gcp-in-cloud-performance-says-thousandeyes/2018/11/) is easy when you use Microsoft cloud. From the moment when customer traffic enters our global network through our strategically placed edge-nodes, your data travels through optimized routes at near the speed of light. These edge-nodes, all interconnected to more than 4000 unique Internet partners (peers) through thousands of connections in more than 175 locations, provide the foundation of our interconnection strategy.

+Whether connecting from London to Tokyo, or from Washington DC to Los Angeles, latency, jitter, packet loss, and throughput affect network performance. At Microsoft, we choose and utilize direct interconnects instead of transit-links. This approach ensures symmetric response traffic and helps to minimize hops, peering parties, and paths to keep them as short and simple as possible.

+For example, if a user in London accesses a service in Tokyo, the Internet traffic enters one of our edges in London, travels over the Microsoft WAN through France, our Trans-Arabia paths between Europe and India, and then to Japan where the service resides. Response traffic is symmetric. This data travel is referred to as [cold-potato routing](https://en.wikipedia.org/wiki/Hot-potato_and_cold-potato_routing). Traffic stays on Microsoft network as long as possible before it's handed off.

+So, does that mean all traffic when using Microsoft services? Yes, any traffic between data centers, within Microsoft Azure or between Microsoft services such as Virtual Machines, Microsoft 365, XBox, SQL DBs, Storage, and virtual networks routes within our global network and never over the public Internet. This routing ensures optimal performance and integrity.

+Massive investments in fiber capacity and diversity across metro, terrestrial, and submarine paths are crucial for us to keep consistent and high service-level while fueling the extreme growth of our cloud and online services.

+Recent additions to our global network are:

+* [MAREA](https://www.submarinecablemap.com/#/submarine-cable/marea) submarine cable. The industry's first Open Line System (OLS) over subsea, between Bilbao, Spain and Virginia Beach, Virginia, USA.

+* [AEC](https://www.submarinecablemap.com/#/submarine-cable/aeconnect-1) between New York, USA and Dublin, Ireland.

+* [New Cross Pacific (NCP)](https://www.submarinecablemap.com/#/submarine-cable/new-cross-pacific-ncp-cable-system) between Tokyo, Japan, and Portland, Oregon, USA.

+We have put two decades of experience, along with massive investments into the network, to always ensure optimal performance. Businesses can take full advantage of our network assets and build advanced overlay architectures on top.

+Microsoft Azure offers the richest portfolio of services and capabilities, allowing customers to quickly and easily build, expand, and meet networking requirements anywhere. Our family of connectivity services spans virtual network peering between regions, hybrid, and in-cloud point-to-site and site-to-site architectures as well as global IP transit scenarios. Enterprises seeking to connect their datacenter or network to Azure or customers with significant data ingestion or transit needs can choose from options such as [ExpressRoute](../expressroute/expressroute-introduction.md) and [ExpressRoute Direct](../expressroute/expressroute-erdirect-about.md). These options provide bandwidth of up to 100 Gbps directly into Microsoft's global network at peering locations worldwide.

+* [**ExpressRoute Global Reach**](../expressroute/expressroute-global-reach.md) is designed to complement your service provider's WAN implementation and connect your on-premises sites across the world. If you run a global operation, you can use ExpressRoute Global Reach with your preferred and local service providers to connect all your global sites using the Microsoft global network. You can expand your cloud-based WAN to include a significant number of branch-sites using Azure Virtual WAN. This service enables you to connect your branches to Microsoft's global network seamlessly, using SDWAN and VPN devices (Customer Premises Equipment or CPE) with built-in ease of use and automated connectivity and configuration management.

+* [**Global virtual network peering**](../virtual-network/virtual-network-peering-overview.md) enables customers to connect two or more Azure virtual networks across regions seamlessly. Once peered, the virtual networks appear as one. The traffic between virtual machines in the peered virtual networks is routed through the Microsoft backbone infrastructure, much like traffic is routed between virtual machines in the same virtual network - through private IP addresses only.

+As one of the world's top cloud providers, Microsoft has acquired substantial insight and expertise in constructing and managing high-performance global infrastructure.

+- Deploy new features with zero effect to end users.

+- Make use of comprehensive cloud-based monitoring and fully automated fault mitigation.

+- Use unified and software-defined Networking technology to control all hardware elements in the network. To eliminate duplication and reduce failures.

+These principles apply to all layers of the network: from the host network interface, switching platform, network functions in the data center such as load balancers, all the way up to the WAN with our traffic engineering platform and our optical networks.

+The exponential growth of Azure and its network has reached a point where we eventually realized that human intuition could no longer be relied on to manage the global network operations. To fulfill the need to validate long, medium, and short-term changes on the network, we developed a platform to mirror and emulate our production network synthetically. The ability to create mirrored environments and run millions of simulations, allows us to test software and hardware changes and their effect, before committing them to our production platform and network.

+## Data residency

+> [!IMPORTANT]

+Azure public MEC doesn't store or process customer data outside the region you deploy the service instance in.

+> [Quickstart: Deploy a virtual machine in Azure public MEC using an ARM template](quickstart-create-vm-azure-resource-manager-template.md)

+This article discusses how assets are displayed in the Microsoft Purview Data Catalog, and all the features and details available to them. It describes how you can view relevant information or take action on assets in your catalog.

+- *Or* Use the Microsoft Purview Atlas APIs to ingest assets into the catalog.

+## Ratings

+Assets can be rated by all users with read access, or better, to that asset in Microsoft Purview.

+Ratings allow users to give an asset a rating from 1 to 5 stars, and leave a comment about the asset.

+These ratings can be seen by all users with read access, and rating can be [added as a facet](how-to-search-catalog.md#use-the-facets) when [searching the data catalog](how-to-search-catalog.md) so users can find assets with a certain rating.

+### View ratings

+1. [Search](how-to-search-catalog.md) or [browse](how-to-browse-catalog.md) for your asset in Microsoft Purview and select it.

+1. In the header of the asset you can see a rating, which will show an aggregate star rating of the asset, and the number of reviews.

+ :::image type="content" source="media/catalog-asset-details/view-rating-aggregate.png" alt-text="Screenshot of a rating in the header of an asset.":::

+1. To see a percentage breakdown of the ratings, select the rating.

+1. To see specific ratings and their comments, or to add your own rating, select **Open ratings**.

+ :::image type="content" source="media/catalog-asset-details/open-rating-details.png" alt-text="Screenshot of a selected rating in the header of an asset showing the percentage breakdown.":::

+### Add a rating to an asset

+1. [Search](how-to-search-catalog.md) or [browse](how-to-browse-catalog.md) for your asset in Microsoft Purview and select it.

+1. Select the ratings button in the asset's header.

+1. Select the **Open ratings** button.

+ :::image type="content" source="media/catalog-asset-details/open-ratings.png" alt-text="Screenshot that shows the ratings button selected, and the open ratings button highlighted.":::

+1. Choose a star rating, add a comment, and select **Submit**.

+ :::image type="content" source="media/catalog-asset-details/rate-asset.png" alt-text="Screenshot of a rating, showing five start selected and a comment about the quality of the data.":::

+## Edit or delete your rating

+1. Select the ratings button in the asset's header.

+1. Select the **Open ratings** button.

+1. Under **My rating** select the ellipsis button in your rating.

+ :::image type="content" source="media/catalog-asset-details/edit-rating.png" alt-text="Screenshot of the user's rating, shown under the My rating menu, with the ellipsis button selected.":::

+1. To delete your rating, select **Delete rating**.

+1. To edit your rating, select **Edit rating**, then update your score and comment and select **Submit**.

+## Tags

+Asset can be tagged by users with data curator permissions or better, and any users with reader permissions on these assets in Microsoft Purview can see these tags.

+Users can add tags [as a filter](how-to-search-catalog.md#refine-results) when [searching the data catalog](how-to-search-catalog.md), so users can see all assets with certain tags.

+>[!NOTE]

+>Tag limitations:

+>

+> - An asset can only have up to 50 tags

+> - Tags can only be 50 characters

+> - Allowed characters: numbers, letters, -, and _

+### Add a tag to an asset

+If you have [data curator](catalog-permissions.md) permissions Microsoft Purview, you can add a tag to an asset by:

+1. [Search](how-to-search-catalog.md) or [browse](how-to-browse-catalog.md) for your asset in Microsoft Purview and select it.

+1. Select the **+ Add Tag** button under the asset's name.

+ :::image type="content" source="media/catalog-asset-details/add-new-tag.png" alt-text="Screenshot that shows the new tag button highlighted on an asset detail page.":::

+1. Select an existing available tag, or input a new tag.

+### Remove a tag from an asset

+If you have [data curator](catalog-permissions.md) permissions Microsoft Purview, you can remove a tag from an asset by:

+1. [Search](how-to-search-catalog.md) or [browse](how-to-browse-catalog.md) for your asset in Microsoft Purview and select it.

+1. Select the **X** button next to an existing tag under the asset's name.

+ :::image type="content" source="media/catalog-asset-details/remove-tag.png" alt-text="Screenshot that shows the remove tag button highlighted next to an existing page.":::

+1. Confirm the removal of the tag.

+You can also refine the list of assets using facets and filters:

+- [Use the facets](how-to-search-catalog.md#use-the-facets) on the left hand side to narrow results by business metadata like glossary terms or classifications.

+- [Use the filters](how-to-search-catalog.md#use-the-filters) at the top to narrow results by source type, [managed attributes](how-to-managed-attributes.md), or activity.

+ > Certain tiles are groupings of a collection of data sources. For example, the Azure Storage Account tile contains all Azure Blob Storage and Azure Data Lake Storage Gen2 accounts. The Azure SQL Server tile will display the Azure SQL Server assets that contain Azure SQL Database and Azure Dedicated SQL Pool instances ingested into the catalog.

+**Attribute group:** A grouping of managed attributes that allow for easier organization and consumption.

+1. Managed attributes have a name, attribute group, data type, and associated asset types. They also have a required flag that can only be enabled when created as part of creating a new attribute group. Associated asset types are the data asset types you can apply the attribute to. For example, if you select "Azure SQL Table" for an attribute, you can apply it to Azure SQL Table assets, but not Azure Synapse Dedicated Table assets.

+### Required managed attributes

+When you create a managed attribute as part of a managed attribute group, you can add the **required** flag. The required flag means that a value must be provided for this managed attribute. When a data asset is edited the required attribute must be filled out before you can close the editor.

+>[!NOTE]

+> - You can't add the **required** flag to an existing attribute in editing.

+> - You can't add the **required** flag while creating a new attribute outside of an attribute group.

+> You can only add this flag while creating an attribute group.

+1. Open the data map application and navigate to **Managed attributes** in the **Annotation management** section.

+1. Select **New** and select **Attribute group**.

+1. Select **New attribute**.

+1. Fill out your attribute details, and select the **Mark as required** flag.

+ :::image type="content" source="media/how-to-managed-attributes/mark-as-required.png" alt-text="Screenshot of the mark as required flag on a new attribute being created as a part of a new attribute group.":::

+1. Select **Apply** and finish adding other attributes to complete your attribute group.

+- After creating a managed attribute, you can't update the attribute name, attribute group or the field type.

+- A managed attribute can only be marked as required during the creation of an attribute group.

+## Refine results

+For certain annotations, you can select the ellipses to choose between an AND condition or an OR condition.

+#### Available facets

+- **Assigned term** - refines your search to assets with the selected terms applied.

+- **Classification** - refines your search to assets with certain classifications.

+- **Collection** - refines your search by assets in a specific collection.

+- **Contact** - refines your search to assets that have selected users listed as a contact.

+- **Data** - refines your search to specific data types. For example: pipelines, data shares, tables, or reports.

+- **Endorsement** - refines your search to assets with specified endorsements, like **Certified** or **Promoted**.

+- **Label** - refines your search to assets with specific security labels.

+- **Metamodel facets** - if you've created a [metamodel](concept-metamodel.md) in your Microsoft Purview Data Map, you can also refine your search to metamodel assets like Business or Organization.

+- **Rating** - refines your search to only data assets with a specified rating.

+#### Available filters

+- **Activity** - allows you refine your search to attributes created or updated within a certain timeframe.

+- **Managed attributes** - refines your search to assets with specified [managed attributes](how-to-managed-attributes.md). Attributes will be listed under their attribute group, and use operators to help search for specific values. For example: Contains any, or Doesn't contain.

+- **Source type** - refines your search to assets from specified source types. For example: Azure Blob Storage or Power BI.

+- **Tags** - refines your search to assets with selected tags.

+[3108316]:https://launchpad.support.sap.com/#/notes/3108316

+[3108302]:https://launchpad.support.sap.com/#/notes/3108302

+The article describes how to configure basic Pacemaker cluster on Red Hat Enterprise Server(RHEL). The instructions cover RHEL 7, RHEL 8 and RHEL 9.

+* SAP Note [2002167] recommends OS settings for Red Hat Enterprise Linux

+* SAP Note [3108316] recommends OS settings for Red Hat Enterprise Linux 9.x

+* SAP Note [3108302] has SAP HANA Guidelines for Red Hat Enterprise Linux 9.x

+The following items are prefixed with either **[A]** - applicable to all nodes, **[1]** - only applicable to node 1 or **[2]** - only applicable to node 2. Differences in the commands or the configuration between RHEL 7 and RHEL 8/RHEL 9 are marked in the document.

+1. **[A]** Register - optional step. This step isn't required, if using RHEL SAP HA-enabled images.

+ For example, if deploying on RHEL 7, register your virtual machine and attach it to a pool that contains repositories for RHEL 7.

+1. **[A]** Enable RHEL for SAP repos - optional step. This step isn't required, if using RHEL SAP HA-enabled images.

+ ```sudo yum install -y pcs pacemaker fence-agents-azure-arm nmap-ncat

+ ```

+

+ > [!IMPORTANT]

+ > On RHEL 9, we recommend the following package versions (or later) to avoid issues with Azure Fence agent:

+ > fence-agents-4.10.0-20.el9_0.7

+ > fence-agents-common-4.10.0-20.el9_0.6

+ > ha-cloud-support-4.10.0-20.el9_0.6.x86_64.rpm

+ Check the version of the Azure fence agent. If necessary, update it to the minimum required version or later.

+1. If deploying on RHEL 9, install also the resource agents for cloud deployment:

+

+ ```

+ sudo yum install -y resource-agents-cloud

+ ```

+ > If using host names in the cluster configuration, it's vital to have reliable host name resolution. The cluster communication will fail, if the names are not available and that can lead to cluster failover delays.

+ If building a cluster on **RHEL 8.x/RHEL 9.x**, use the following commands:

+To create a managed identity (MSI), [create a system-assigned](../../active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm.md#system-assigned-managed-identity) managed identity for each VM in the cluster. Should a system-assigned managed identity already exist, it will be used. User assigned managed identities should not be used with Pacemaker at this time. Fence device, based on managed identity is supported on RHEL 7.9 and RHEL 8.x/RHEL 9.x.

+ The sign-on URL isn't used and can be any valid URL

+1. Select Overview. Make a note the Application ID. It's used as the username (**login ID** in the steps below) of the service principal

+Neither managed identity nor service principal has permissions to access your Azure resources by default. You need to give the managed identity or service principal permissions to start and stop (power-off) all virtual machines of the cluster. If you didn't already create the custom role, you can create it using [PowerShell](../../role-based-access-control/custom-roles-powershell.md) or [Azure CLI](../../role-based-access-control/custom-roles-cli.md)

+Assign the custom role "Linux Fence Agent Role" that was created in the last chapter to the service principal. Don't use the Owner role anymore! For detailed steps, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).

+For RHEL **7.x**, use the following command to configure the fence device:

+For RHEL **8.x/9.x**, use the following command to configure the fence device:

+For RHEL **8.x/9.x**, use the following command to configure the fence device:

+If you're using fencing device, based on service principal configuration, read [Change from SPN to MSI for Pacemaker clusters using Azure fencing](https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-on-azure-high-availability-change-from-spn-to-msi-for/ba-p/3609278) and learn how to convert to managed identity configuration.

+> The monitoring and fencing operations are deserialized. As a result, if there is a longer running monitoring operation and simultaneous fencing event, there is no delay to the cluster failover, due to the already running monitoring operation.

+If there is a need to collect diagnostic information within the VM, it may be useful to configure additional fencing device, based on fence agent `fence_kdump`. The `fence_kdump` agent can detect that a node entered kdump crash recovery and can allow the crash recovery service to complete, before other fencing methods are invoked. Note that `fence_kdump` isn't a replacement for traditional fence mechanisms, like Azure Fence Agent when using Azure VMs.

+* [fence_kdump fails with "timeout after X seconds" in a RHEL 6 or 7 HA cluster with kexec-tools older than 2.0.14](https://access.redhat.com/solutions/2388711)

+* For information how to change the default timeout see [How do I configure kdump for use with the RHEL 6,7,8 HA Add-On](https://access.redhat.com/articles/67570)

+## Azure Center for SAP Solutions

+Just as with Azure Monitoring for SAP, SAP RISE/ECS doesn't support any integration with [Azure Center for SAP Solutions](../center-sap-solutions/overview.md) in any capability. All SAP RISE workloads are deployed by SAP and running in SAP's Azure tenant and subscription, without any access by customer to the Azure resources.

+[3108302]:https://launchpad.support.sap.com/#/notes/3108302

+- SAP Note [3108302](https://launchpad.support.sap.com/#/notes/3108302) has SAP HANA Guidelines for Red Hat Enterprise Linux 9.x.

+[3108302]:https://launchpad.support.sap.com/#/notes/3108302

+* SAP Note [3108302] has SAP HANA Guidelines for Red Hat Enterprise Linux 9.x

+[3108302]:https://launchpad.support.sap.com/#/notes/3108302

+* SAP Note [3108302] has SAP HANA Guidelines for Red Hat Enterprise Linux 9.x.

+[3108302]:https://launchpad.support.sap.com/#/notes/3108302

+* SAP Note [3108302] has SAP HANA Guidelines for Red Hat Enterprise Linux 9.x

+# Tutorial: Forward syslog data to a Log Analytics workspace by using the Azure Monitor agent

+In this tutorial, you'll configure a Linux virtual machine (VM) to forward syslog data to your workspace by using the Azure Monitor agent. These steps allow you to collect and monitor data from Linux-based devices where you can't install an agent like a firewall network device.

+In this tutorial, you learn how to:

+To complete the steps in this tutorial, you must have the following resources and roles.

+ Title: Quickstart - Deploy your first web application to Azure Spring Apps

+description: Describes how to deploy a web application to Azure Spring Apps.

+# Quickstart: Deploy your first web application to Azure Spring Apps

+> [!NOTE]

+> The first 50 vCPU hours and 100 GB hours of memory are free each month. For more information, see [Price Reduction - Azure Spring Apps does more, costs less!](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/price-reduction-azure-spring-apps-does-more-costs-less/ba-p/3614058) on the [Apps on Azure Blog](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/bg-p/AppsonAzureBlog).

+> [!NOTE]

+> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams.

+**This article applies to:** ✔️ Basic/Standard tier ❌ Enterprise tier

+This quickstart shows how to deploy a Spring Boot web application to Azure Spring Apps. The sample project is a simple ToDo application to add tasks, mark when they're complete, and then delete them. The following screenshot shows the application:

+This application is a typical three-layers web application with the following layers:

+- A frontend bounded [React](https://reactjs.org/) application.

+- A backend Spring web application that uses Spring Data JPA to access a relational database.

+- A relational database. For localhost, the application uses [H2 Database Engine](https://www.h2database.com/html/main.html). For Azure Spring Apps, the application uses Azure Database for PostgreSQL. For more information about Azure Database for PostgreSQL, see [Flexible Server documentation](../postgresql/flexible-server/overview.md).

+The following diagram shows the architecture of the system:

+## Prerequisites

+- An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.

+- [Azure CLI](/cli/azure/install-azure-cli). Version 2.45.0 or greater.

+- [Git](https://git-scm.com/downloads).

+- [Java Development Kit (JDK)](/java/azure/jdk/), version 17.

+## Clone and run the sample project locally

+Use the following steps to clone and run the app locally.

+1. The sample project is available on GitHub. Use the following command to clone the sample project:

+ ```bash

+ git clone https://github.com/Azure-Samples/ASA-Samples-Web-Application.git

+ ```

+1. Use the following command to build the sample project:

+ ```bash

+ cd ASA-Samples-Web-Application

+ ./mvnw clean package -DskipTests

+ ```

+1. Use the following command to run the sample application by Maven:

+ ```bash

+ java -jar web/target/simple-todo-web-0.0.1-SNAPSHOT.jar

+ ```

+1. Go to `http://localhost:8080` in your browser to access the application.

+## Prepare the cloud environment

+The main resources required to run this sample are an Azure Spring Apps instance and an Azure Database for PostgreSQL instance. This section provides the steps to create these resources.

+### Provide names for each resource

+Create variables to hold the resource names. Be sure to replace the placeholders with your own values.

+```azurecli

+RESOURCE_GROUP=<resource-group-name>

+LOCATION=<location>

+POSTGRESQL_SERVER=<server-name>

+POSTGRESQL_DB=<database-name>

+AZURE_SPRING_APPS_NAME=<Azure-Spring-Apps-service-instance-name>

+APP_NAME=<web-app-name>

+CONNECTION=<connection-name>

+```

+### Create a new resource group

+Use the following steps to create a new resource group.

+1. Use the following command to sign in to Azure CLI.

+ ```azurecli

+ az login

+ ```

+1. Use the following command to set the default location.

+ ```azurecli

+ az configure --defaults location=${LOCATION}

+ ```

+1. Set the default subscription. Use the following command to first list all available subscriptions:

+ ```azurecli

+ az account list --output table

+ ```

+1. Choose a subscription and set it as the default subscription with the following command:

+ ```azurecli

+ az account set --subscription <subscription-ID>

+ ```

+1. Use the following command to create a resource group.

+ ```azurecli

+ az group create --resource-group ${RESOURCE_GROUP}

+ ```

+1. Use the following command to set the newly created resource group as the default resource group.

+ ```azurecli

+ az configure --defaults group=${RESOURCE_GROUP}

+ ```

+### Create an Azure Spring Apps instance

+Azure Spring Apps is used to host the Spring web app. Create an Azure Spring Apps instance and an application inside it.

+1. Use the following command to create an Azure Spring Apps service instance.

+ ```azurecli

+ az spring create --name ${AZURE_SPRING_APPS_NAME}

+ ```

+1. Use the following command to create an application in the Azure Spring Apps instance.

+ ```azurecli

+ az spring app create \

+ --service ${AZURE_SPRING_APPS_NAME} \

+ --name ${APP_NAME} \

+ --runtime-version Java_17 \

+ --assign-endpoint true

+ ```

+### Prepare the PostgreSQL instance

+The Spring web app uses H2 for the database in localhost, and Azure Database for PostgreSQL for the database in Azure.

+Use the following command to create a PostgreSQL instance:

+```azurecli

+az postgres flexible-server create \

+ --name ${POSTGRESQL_SERVER} \

+ --database-name ${POSTGRESQL_DB} \

+ --active-directory-auth Enabled

+```

+To ensure that the application is accessible only by PostgreSQL in Azure Spring Apps, enter `n` to the prompts to enable access to a specific IP address and to enable access for all IP addresses.

+```output

+Do you want to enable access to client xxx.xxx.xxx.xxx (y/n) (y/n): n

+Do you want to enable access for all IPs (y/n): n

+```

+### Connect app instance to PostgreSQL instance

+After the application instance and the PostgreSQL instance are created, the application instance can't access the PostgreSQL instance directly. The following steps use Service Connector to configure the needed network settings and connection information. For more information about Service Connector, see [What is Service Connector?](../service-connector/overview.md).

+1. If you're using Service Connector for the first time, use the following command to register the Service Connector resource provider.

+ ```azurecli

+ az provider register --namespace Microsoft.ServiceLinker

+ ```

+1. Use the following command to achieve a passwordless connection:

+ ```azurecli

+ az extension add --name serviceconnector-passwordless --upgrade

+ ```

+1. Use the following command to create a service connection between the application and the PostgreSQL database:

+ ```azurecli

+ az spring connection create postgres-flexible \

+ --resource-group ${RESOURCE_GROUP} \

+ --service ${AZURE_SPRING_APPS_NAME} \

+ --app ${APP_NAME} \

+ --client-type springBoot \

+ --target-resource-group ${RESOURCE_GROUP} \

+ --server ${POSTGRESQL_SERVER} \

+ --database ${POSTGRESQL_DB} \

+ --system-identity \

+ --connection ${CONNECTION}

+ ```

+ The `--system-identity` parameter is required for the passwordless connection. For more information, see [Bind an Azure Database for PostgreSQL to your application in Azure Spring Apps](how-to-bind-postgres.md).

+1. After the connection is created, use the following command to validate the connection:

+ ```azurecli

+ az spring connection validate \

+ --resource-group ${RESOURCE_GROUP} \

+ --service ${AZURE_SPRING_APPS_NAME} \

+ --app ${APP_NAME} \

+ --connection ${CONNECTION}

+ ```

+ The output should appear similar to the following JSON code:

+ ```json

+ [

+ {

+ "additionalProperties": {},

+ "description": null,

+ "errorCode": null,

+ "errorMessage": null,

+ "name": "The target existence is validated",

+ "result": "success"

+ },

+ {

+ "additionalProperties": {},

+ "description": null,

+ "errorCode": null,

+ "errorMessage": null,

+ "name": "The target service firewall is validated",

+ "result": "success"

+ },

+ {

+ "additionalProperties": {},

+ "description": null,

+ "errorCode": null,

+ "errorMessage": null,

+ "name": "The configured values (except username/password) is validated",

+ "result": "success"

+ },

+ {

+ "additionalProperties": {},

+ "description": null,

+ "errorCode": null,

+ "errorMessage": null,

+ "name": "The identity existence is validated",

+ "result": "success"

+ }

+ ]

+ ```

+## Deploy the app to Azure Spring Apps

+Now that the cloud environment is prepared, the application is ready to deploy.

+1. Use the following command to deploy the app:

+ ```azurecli

+ az spring app deploy \

+ --service ${AZURE_SPRING_APPS_NAME} \

+ --name ${APP_NAME} \

+ --artifact-path web/target/simple-todo-web-0.0.1-SNAPSHOT.jar

+ ```

+1. After the deployment has completed, you can access the app with this URL: `https://${AZURE_SPRING_APPS_NAME}-${APP_NAME}.azuremicroservices.io/`. The page should appear as you saw in localhost.

+1. If there's a problem when you deploy the app, check the app's log to investigate by using the following command:

+ ```azurecli

+ az spring app logs \

+ --service ${AZURE_SPRING_APPS_NAME} \

+ --name ${APP_NAME}

+ ```

+## Clean up resources

+If you plan to continue working with subsequent quickstarts and tutorials, you might want to leave these resources in place. When you no longer need the resources, delete them by deleting the resource group. Use the following command to delete the resource group:

+```azurecli

+az group delete --name ${RESOURCE_GROUP}

+```

+## Next steps

+> [!div class="nextstepaction"]

+> [Create a service connection in Azure Spring Apps with the Azure CLI](../service-connector/quickstart-cli-spring-cloud-connection.md)

+For more information, see the following articles:

+- [Azure Spring Apps Samples](https://github.com/Azure-Samples/Azure-Spring-Cloud-Samples).

+- [Spring on Azure](/azure/developer/java/spring/)

+- [Spring Cloud Azure](/azure/developer/java/spring-framework/)

+CONTENT: final (85/100)

+STATUS: GA-ready

+Initial doc score: 83

+Current doc score: 96 (100, 783, 0)

+In a migration to Azure, there are several components involved that can affect your bill:

+All current features of the Azure Storage Mover service are provided free of charge. However, service enhancements and other features may be included in future releases. It's possible that the use of these features may incur a charge.

+As you begin your migration into Azure, the service copies your files and folders into your target Azure Storage locations. Depending on the configuration of these storage targets, usage charges may apply.

+Any storage usage charges incurred are the result of the following factors:

+The billing model for each Azure Storage target determines how these charges apply. There are two different billing models in Azure Storage:

+* Storage transactions caused by the Storage Mover service are billed. Review your specific storage product's pricing pages for details on transaction charges. The [estimating storage transaction charges](#estimating-storage-transaction-charges) section of this article explains why it can be difficult to estimate a migrationΓÇÖs effect on your storage transaction charges.

+* One advantage of the consumption-based model is that capacity charges are progressively applied. Charges are incurred only as files are migrated and increasingly more storage capacity is consumed. This model helps prevent storage preprovisioning or over-provisioning ahead of a migration.

+* The capacity of your Azure target storage is preprovisioned and is billed regardless of utilization. The progress of your cloud migration doesn't affect your bill.

+- It's not possible to estimate the number of transactions based on the utilized storage capacity of the source. The number of transactions scales with the number of namespace items (files and folder) and their properties that are migrated, not their size. For example, more transactions are required to migrate 1 GiB of small files than 1 GiB of larger files.

+- An empty Azure target requires fewer resources than a target that already contains items. To comply with your migration's settings, the Storage Mover agent often needs to enumerate a target's existing namespace. This enumeration increases the number of transactions.

+Upload bandwidth is another factor that could affect overall cost. The bandwidth utilized by your migration carries the same charge as any other Azure-bound traffic. There's no Storage Mover-specific premium. Your specific network connection and provider agreements determine whether upload charges are incurred.

+After understanding the billing implications of your cloud migration, it's a good idea to get more familiar with the Storage Mover service. Select an article to learn more.

+1. In the **Basics** tab, under **Project details**, make sure the correct subscription and resource group are selected. Under **Instance details**, type *myVM* for the **Virtual machine name**, and select the same region as your storage account. Choose your Linux distribution for your **Image**. Leave the other defaults. The default size and pricing is only shown as an example. Size availability and pricing are dependent on your region and subscription.

+1. Select your Linux distribution.

+> [Learn about using NFS Azure file shares](files-nfs-protocol.md)

+# [Ubuntu](#tab/Ubuntu)

+On Ubuntu and Debian, use the `apt` package

+```bash

+sudo apt update

+sudo apt install cifs-utils

+```

+# [RHEL](#tab/RHEL)

+Same applies for CentOS or Oracle Linux

+On Red Hat Enterprise Linux 8+ use the `dnf` package

+```bash

+sudo dnf install cifs-utils

+```

+On older versions of Red Hat Enterprise Linux use the `yum` package

+```bash

+sudo yum install cifs-utils

+```

+# [SLES](#tab/SLES)

+On SUSE Linux Enterprise Server, use the `zypper` package

+```bash

+sudo zypper install cifs-utils

+```

+On other distributions, use the appropriate package manager or [compile from source](https://wiki.samba.org/index.php/LinuxCIFS_utils#Download).

+# [Ubuntu](#tab/Ubuntu)

+On Ubuntu and Debian distributions, use the `apt` package

+# [RHEL](#tab/RHEL)

+Same applies for CentOS or Oracle Linux

+On Red Hat Enterprise Linux 8+, use the `dnf` package

+On older versions of Red Hat Enterprise Linux, use the `yum` package

+# [SLES](#tab/SLES)

+

+On SUSE Linux Enterprise Server, use the `zypper` package

+### Unable to create new database as the request will use the old/expired key

+This error is caused by changing workspace customer managed key used for enryption. You can choose to re-encrypt all the data in the workspace with the latest version of the active key. To-re-encrypt, change the key in the Azure portal to a temporary key and then switch back to the key you wish to use for encryption. Learn here how to [manage the workspace keys](../security/workspaces-encryption.md#manage-the-workspace-customer-managed-key).

+Start VM On Connect lets you reduce costs by enabling end users to turn on their session host virtual machines (VMs) only when they need them. You can then turn off VMs when they're not needed.

+Workload migration to the public cloud requires careful planning and coordination. One of the key considerations can be the ability to retain your IP addresses. Which can be important especially if your applications have IP address dependency or you have compliance requirements to use specific IP addresses. Azure Virtual Network solves this problem for you by allowing you to create virtual networks and subnets using an IP address range of your choice.

+Migrations can get a bit challenging when the above requirement is coupled with an extra requirement to keep some applications on-premises. In such as a situation, you have to split the applications between Azure and on-premises, without renumbering the IP addresses on either side. Additionally, you have to allow the applications to communicate as if they are in the same network.

+While extending your network isn't a good practice in general, the following use cases can make it necessary.

+ You can extend your on-premises subnets to Azure using a layer-3 overlay network based solution. Most solutions use an overlay technology such as VXLAN to extend the layer-2 network using an layer-3 overlay network. The following diagram shows a generalized solution. In this solution, the same subnet exists on both sides that is, Azure and on-premises.

+* For a given set of destination route-prefixes, if the ExpressRoute routes are preferred and the ExpressRoute connection subsequently goes down, then routes from S2S VPN or SD-WAN NVA connections will be preferred for traffic destined to the same route-prefixes. When the ExpressRoute connection is restored, traffic destined for these route-prefixes will continue to prefer the S2S VPN or SD-WAN NVA connections.

+There are several limitations with the virtual hub router upgrade

+* If you have already configured BGP peering between your Virtual WAN hub and an NVA in a spoke VNet, then you will have to [delete and then recreate the BGP peer](create-bgp-peering-hub-portal.md). Since the virtual hub router's IP addresses change after the upgrade, you will also have to reconfigure your NVA to peer with the virtual hub router's new IP addresses. These IP addresses are represented as the "virtualRouterIps" field in the Virtual Hub's Resource JSON.

+* If your Virtual WAN hub is connected to a combination of spoke virtual networks in the same region as the hub and a separate region than the hub, then you may experience a lack of connectivity to these respective spoke virtual networks. To resolve this and restore connectivity to these virtual networks, you can modify any of the virtual network connection properties (For example, you can modify the connection to propagate to a dummy label). We are actively working on removing this requirement.

+* Your Virtual WAN hub router can not currently be upgraded if you have a network virtual appliance in the virtual hub. We are actively working on removing this limitation.

+* If your Virtual WAN hub is connected to more than 100 spoke virtual networks, then the upgrade may fail.

+|1|Virtual hub upgrade to VMSS-based infrastructure: Compatibility with NVA in a hub.|For deployments with an NVA provisioned in the hub, the virtual hub router can't be upgraded to Virtual Machine Scale Sets.| July 2022|The Virtual WAN team is working on a fix that will allow Virtual hub routers to be upgraded to Virtual Machine Scale Sets, even if an NVA is provisioned in the hub. After upgrading, users will have to re-peer the NVA with the hub routerΓÇÖs new IP addresses (instead of having to delete the NVA).|

+|2|Virtual hub upgrade to VMSS-based infrastructure: Compatibility with NVA in a spoke VNet.|For deployments with an NVA provisioned in a spoke VNet, the customer will have to delete and recreate the BGP peering with the spoke NVA.|March 2022|The Virtual WAN team is working on a fix to remove the need for users to delete and recreate the BGP peering with a spoke NVA after upgrading.|

+|3|Virtual hub upgrade to VMSS-based infrastructure: Compatibility with spoke VNets in different regions |If your Virtual WAN hub is connected to a combination of spoke virtual networks in the same region as the hub and a separate region than the hub, then you may experience a lack of connectivity to these respective spoke virtual networks after upgrading your hub router to VMSS-based infrastructure.|March 2023|To resolve this and restore connectivity to these virtual networks, you can modify any of the virtual network connection properties (For example, you can modify the connection to propagate to a dummy label). We are actively working on removing this requirement. |

+|4|Virtual hub upgrade to VMSS-based infrastructure: Compatibility with more than 100 spoke VNets |If your Virtual WAN hub is connected to more than 100 spoke VNets, then the upgrade may time out, causing your virtual hub to remain on Cloud Services-based infrastructure.|March 2023|The Virtual WAN team is working on a fix to support upgrades when there are more than 100 spoke VNets connected.|

+ * Address spaces: If BGP is enabled, no address space is required.

+ * BGP peer IP address: The address of the on-premise VPN Device. Example: 10.51.255.254

+For more information about BGP, see [About BGP and VPN Gateway](vpn-gateway-bgp-overview.md).

+Front Door's WAF enables you to build custom rules that apply a length or size constraint on a part of an incoming request. This size constraint is measured in bytes.