-[Download the zip file](https://github.com/Azure-Samples/ms-identity-python-webapp/archive/master.zip), or clone the sample web application from GitHub.

-| [ms-identity-python-webapp](https://github.com/Azure-Samples/ms-identity-python-webapp/blob/master/README_B2C.md) | Demonstrate how to Integrate B2C of Microsoft identity platform with a Python web application. |

-> [!IMPORTANT]

-> [Cross-tenant synchronization](../multi-tenant-organizations/cross-tenant-synchronization-overview.md) is currently in PREVIEW.

-> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-2. Select **Cross-tenant synchronization (Preview)** > **Configurations** and then select your configuration.

-> [!IMPORTANT]

-> [Cross-tenant synchronization](../multi-tenant-organizations/cross-tenant-synchronization-overview.md) is currently in PREVIEW.

-> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-> [!IMPORTANT]

-> [Cross-tenant synchronization](../multi-tenant-organizations/cross-tenant-synchronization-overview.md) is currently in PREVIEW.

-> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-### Provisioning users

-> [!IMPORTANT]

-> [Cross-tenant synchronization](../multi-tenant-organizations/cross-tenant-synchronization-overview.md) is currently in PREVIEW.

-> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-This section describes steps required to enable pronoun data in Workday. We recommend engaging your Workday administrator to complete the steps listed below.

-1. Ensure that pronoun display and sharing preferences are enabled as per Workday guidelines. Refer Workday documents:

-

- [Steps: Set Up Gender Pronouns to Display on a Worker Profile * Human Capital Management * Reader * Administrator Guide (workday.com)](https://doc.workday.com/r/gJQvxHUyQOZv_31Vknf~3w/7gZPvVfbRhLiPissprv6lQ)

-

- [Steps: Set Up Public Profile Preferences * Human Capital Management * Reader * Administrator Guide (workday.com)](https://doc.workday.com/r/gJQvxHUyQOZv_31Vknf~3w/FuENV1VTRTHWo_h93KIjJA)

-1. Use Workday Studio or Postman to invoke [Get_Workers API version 38.1](https://community.workday.com/sites/default/files/file-hosting/productionapi/Human_Resources/v38.1/Get_Workers.html) for the test user using the Workday Azure AD integration system user. In the SOAP request header specify the option Include_Reference_Descriptors_In_Response.

-1. In the Get_Workers response, you will now see pronoun information.

-To retrieve pronouns from Workday, you'll need to update your Azure AD provisioning app to query Workday using v38.1 of the Workday Web Services. We recommend testing this configuration first in your test/sandbox environment before implementing the change in production.

-1. In the **Admin Credentials** section, update the **Tenant URL** to include the Workday Web Service version v38.1 as shown below.

-1. If you want to incorporate pronoun information as part of display name, you can update the attribute mapping for displayName attribute to use the below expression.

-1. If worker *Aaron Hall* has set his pronoun information in Workday as `HE/HIM`, then the above expression will set the display name in Azure AD as: *Aaron Hall (HE/HIM)*

-# Conditional Access authentication strength (preview)

-1. In the Azure portal, browse to **Azure Active Directory** > **Security** > **Authentication methods** > **Authentication strengths (Preview)**.

-## Known issues

->A user is considered capable for MFA when the user is in scope for **Certificate-based authentication** in the Authentication methods policy. This policy requirement means a user can't use proof up as part of their authentication to register other available methods. For more information, see [Azure AD MFA](concept-mfa-howitworks.md).

-# Troubleshoot Azure AD authentication strength (Preview)

-Users can sign in only by using authentication methods that they registered and are enabled by the Authentication methods policy. For more information, see [How Conditional Access Authentication strengths policies are used in combination with Authentication methods policy](concept-authentication-strengths.md#how-authentication-strength-works-with-the-authentication-methods-policy).

-If the user is registered for an enabled method that meets the authentication strength, they might need to use another method that isn't available after primary authentication, such as Windows Hello for Business or certificate-based authentication. For more information, see [How each authentication method works](concept-authentication-methods.md#how-each-authentication-method-works). The user will need to restart the session and choose **Sign-in options** and select a method required by the authentication strength.

-Use the **Sign-ins** log to find additional information about the sign-in:

-## My users can't use their FIDO2 security key to sign in

-An admin can restrict access to specific security keys. When a user tries to sign in by using a key they can't use, this **You can't get there from here** message appears. The user has to restart the session, and sign-in with a different FIDO2 security key.

-### Require authentication strength (preview)

-Administrators can choose to require [specific authentication strengths](../authentication/concept-authentication-strengths.md) in their Conditional Access policies. These authentication strengths are defined in the **Azure portal** > **Azure Active Directory** > **Security** > **Authentication methods** > **Authentication strengths (Preview)**. Administrators can choose to create their own or use the built-in versions.

-> [!NOTE]

-> Require authentication strength is currently in public preview. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-1. Browse to **Azure Active Directory** > **Security** > **Authentication methods** > **Authentication strengths (Preview)**.

-| User revokes their refresh tokens by using [PowerShell](/powershell/module/azuread/revoke-azureadsignedinuserallrefreshtoken) | Revoked | Revoked | Revoked | Revoked | Revoked |

-| Admin revokes all refresh tokens for a user by using [PowerShell](/powershell/module/azuread/revoke-azureaduserallrefreshtoken) | Revoked | Revoked |Revoked | Revoked | Revoked |

-`https://login.microsoftonline.com/469fdeb4-d4fd-4fde-991e-308a78e4bea4`

-The following shows how to sign a user into a specific tenant:

- NSURL *authorityURL = [NSURL URLWithString:@"https://login.microsoftonline.com/469fdeb4-d4fd-4fde-991e-308a78e4bea4"];

- guard let authorityURL = URL(string: "https://login.microsoftonline.com/469fdeb4-d4fd-4fde-991e-308a78e4bea4") else {

-*Microsoft.Identity.Web* adds extension methods that provide convenience services for calling Microsoft Graph or a downstream web API. These methods are explained in detail in [A web API that calls web APIs: Call an API](scenario-web-api-call-api-call-api.md). With these helper methods, you don't need to manually acquire a token.

-If, however, you do want to manually acquire a token, the following code shows an example of using *Microsoft.Identity.Web* to do so in an API controller. It calls a downstream API named *todolist*.

-To get a token to call the downstream API, you inject the `ITokenAcquisition` service by dependency injection in your controller's constructor (or your page constructor if you use Blazor), and you use it in your controller actions, getting a token for the user (`GetAccessTokenForUserAsync`) or for the application itself (`GetAccessTokenForAppAsync`) in the case of a daemon scenario.

- private readonly ITokenAcquisition _tokenAcquisition;

- public MyApiController(ITokenAcquisition tokenAcquisition)

- _tokenAcquisition = tokenAcquisition;

- HttpContext.VerifyUserHasAnyAcceptedScope(scopeRequiredByApi);

- string accessToken = _tokenAcquisition.GetAccessTokenForUserAsync(scopesToAccessDownstreamApi);

- return await callTodoListService(accessToken);

-# [ASP.NET Core](#tab/aspnetcore)

-## Client secrets or client certificates

-Given that the web API now calls a downstream web API, a client secret or client certificate in *appsettings.json* can be used for authentication. A section can be added to specify:

-In the following example, the `GraphBeta` section specifies these settings.

-```json

-{

- "AzureAd": {

- "Instance": "https://login.microsoftonline.com/",

- "ClientId": "Enter_the_Application_(client)_ID_here",

- "TenantId": "common",

- "ClientSecret": "Enter_the_Application_Client_Secret_Value_here",

- "ClientCertificates": []

- },

- "GraphBeta": {

- "BaseUrl": "https://graph.microsoft.com/beta",

- "Scopes": "user.read"

- }

-}

-```

-Instead of a client secret, a client certificate can be provided. The following code snippet demonstrates a certificate stored in Azure Key Vault.

-```json

-{

- "AzureAd": {

- "Instance": "https://login.microsoftonline.com/",

- "ClientId": "Enter_the_Application_(client)_ID_here",

- "TenantId": "common",

-

- "ClientCertificates": [

- {

- "SourceType": "KeyVault",

- "KeyVaultUrl": "https://msidentitywebsamples.vault.azure.net",

- "KeyVaultCertificateName": "MicrosoftIdentitySamplesCert"

- }

- ]

- },

- "GraphBeta": {

- "BaseUrl": "https://graph.microsoft.com/beta",

- "Scopes": "user.read"

- }

-}

-*Microsoft.Identity.Web* provides several ways to describe certificates, both by configuration or by code. For details, see [Microsoft.Identity.Web wiki - Using certificates](https://github.com/AzureAD/microsoft-identity-web/wiki/Using-certificates).

-## Program.cs

-A web API will need to acquire a token for the downstream API. Specify it by adding the `.EnableTokenAcquisitionToCallDownstreamApi()` line after `.AddMicrosoftIdentityWebApi(Configuration)`. This line exposes the `ITokenAcquisition` service that can be used in the controller/pages actions.

-However, an alternative method is to implement a token cache. For example, adding `.AddInMemoryTokenCaches()`, to *Program.cs* will allow the token to be cached in memory.

-To call Microsoft Graph, *Microsoft.Identity.Web* enables you to directly use the `GraphServiceClient` (exposed by the Microsoft Graph SDK) in the API actions. To expose Microsoft Graph:

-To call a downstream API other than Microsoft Graph, *Microsoft.Identity.Web* provides `.AddDownstreamWebApi()`, which requests tokens for the downstream API on behalf of the user.

- .AddDownstreamWebApi("MyApi", Configuration.GetSection("MyApiScope"))

-If the web app needs to call another API resource, repeat the `.AddDownstreamWebApi()` method with the relevant scope as shown in the following snippet:

- .AddDownstreamWebApi("MyApi", Configuration.GetSection("MyApiScope"))

- .AddDownstreamWebApi("MyApi2", Configuration.GetSection("MyApi2Scope"))

-Note that `.EnableTokenAcquisitionToCallDownstreamApi` is called without any parameter, which means that the access token will be acquired just in time as the controller requests the token by specifying the scope.

-A Python web API will need to use some middleware to validate the bearer token received from the client. The web API can then obtain the access token for downstream API using MSAL Python library by calling the [`acquire_token_on_behalf_of`](https://msal-python.readthedocs.io/en/latest/?badge=latest#msal.ConfidentialClientApplication.acquire_token_on_behalf_of) method. For an example of using this API, see the [test code for the microsoft-authentication-library-for-python on GitHub](https://github.com/AzureAD/microsoft-authentication-library-for-python/blob/1.2.0/tests/test_e2e.py#L429-L472). Also see the discussion of [issue 53](https://github.com/AzureAD/microsoft-authentication-library-for-python/issues/53) in that same repository for an approach that bypasses the need for a middle-tier application.

- var value = await _downstreamWebApi.CallWebApiForUserAsync(

-The `CallWebApiForUserAsync` method also has strongly typed generic overrides that enable you to directly receive an object. For example, the following method received a `Todo` instance, which is a strongly typed representation of the JSON returned by the web API.

- var value = await _downstreamWebApi.CallWebApiForUserAsync<object, Todo>(

-If you've decided to acquire a token manually by using the `ITokenAcquisition` service, you now need to use the token. In that case, the following code continues the example code shown in [A web API that calls web APIs: Acquire a token for the app](scenario-web-api-call-api-acquire-token.md). The code is called in the actions of the API controllers. It calls a downstream API named *todolist*.

- _httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);

-You've built your client application object. Now, you'll use it to acquire a token to call a web API. In ASP.NET or ASP.NET Core, calling a web API is done in the controller:

-If, however, you do want to manually acquire a token, the following code shows an example of using *Microsoft.Identity.Web* to do so in a home controller. It calls Microsoft Graph using the REST API (instead of the Microsoft Graph SDK). To get a token to call the downstream API, you inject the `ITokenAcquisition` service by dependency injection in your controller's constructor (or your page constructor if you use Blazor), and you use it in your controller actions, getting a token for the user (`GetAccessTokenForUserAsync`) or for the application itself (`GetAccessTokenForAppAsync`) in a daemon scenario.

- readonly ITokenAcquisition tokenAcquisition;

- public HomeController(ITokenAcquisition tokenAcquisition)

- this.tokenAcquisition = tokenAcquisition;

-The `ITokenAcquisition` service is injected by ASP.NET by using dependency injection.

- string accessToken = await tokenAcquisition.GetAccessTokenForUserAsync(scopes);

- client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);

->[!NOTE]

->The scope should be the fully qualified scope name. For example,`({api_uri}/scope)`.

-The following code snippet is extracted from [HomeController.cs#L157-L192](https://github.com/Azure-Samples/ms-identity-aspnet-webapp-openidconnect/blob/257c8f96ec3ff875c351d1377b36403eed942a18/WebApp/Controllers/HomeController.cs#L157-L192) in the [ms-identity-aspnet-webapp-openidconnect](https://github.com/Azure-Samples/ms-identity-aspnet-webapp-openidconnect) ASP.NET MVC code sample:

-```C#

-public async Task<ActionResult> ReadMail()

-{

- IConfidentialClientApplication app = MsalAppBuilder.BuildConfidentialClientApplication();

- AuthenticationResult result = null;

- var account = await app.GetAccountAsync(ClaimsPrincipal.Current.GetMsalAccountId());

- string[] scopes = { "Mail.Read" };

- try

- {

- // try to get token silently

- result = await app.AcquireTokenSilent(scopes, account).ExecuteAsync().ConfigureAwait(false);

- }

- catch (MsalUiRequiredException)

- {

- ViewBag.Relogin = "true";

- return View();

- }

- // More code here

- return View();

-For details see the code for [GetMsalAccountId](https://github.com/Azure-Samples/ms-identity-aspnet-webapp-openidconnect/blob/257c8f96ec3ff875c351d1377b36403eed942a18/WebApp/Utils/ClaimPrincipalExtension.cs#L38) in the code sample.

-In the Python sample, the code that calls the API is in [app.py#L60-71](https://github.com/Azure-Samples/ms-identity-python-webapp/blob/0.5.0/app.py#L60-71).

-Given that your web app now calls a downstream web API, provide a client secret or client certificate in the *appsettings.json* file. You can also add a section that specifies:

-In the following example, the `GraphBeta` section specifies these settings.

-```JSON

-{

- "AzureAd": {

- "Instance": "https://login.microsoftonline.com/",

- "ClientId": "[Client_id-of-web-app-eg-2ec40e65-ba09-4853-bcde-bcb60029e596]",

- "TenantId": "common",

- // To call an API

- "ClientSecret": "[Copy the client secret added to the app from the Azure portal]",

- "ClientCertificates": [

- ]

- },

- "GraphBeta": {

- "BaseUrl": "https://graph.microsoft.com/beta",

- "Scopes": "user.read"

- }

-}

-```

-Instead of a client secret, you can provide a client certificate. The following code snippet shows using a certificate stored in Azure Key Vault.

-```JSON

-{

- "AzureAd": {

- "Instance": "https://login.microsoftonline.com/",

- "ClientId": "[Client_id-of-web-app-eg-2ec40e65-ba09-4853-bcde-bcb60029e596]",

- "TenantId": "common",

- // To call an API

- "ClientCertificates": [

- {

- "SourceType": "KeyVault",

- "KeyVaultUrl": "https://msidentitywebsamples.vault.azure.net",

- "KeyVaultCertificateName": "MicrosoftIdentitySamplesCert"

- }

- ]

- },

- "GraphBeta": {

- "BaseUrl": "https://graph.microsoft.com/beta",

- "Scopes": "user.read"

- }

-}

-```

-*Microsoft.Identity.Web* provides several ways to describe certificates, both by configuration or by code. For details, see [Microsoft.Identity.Web - Using certificates](https://github.com/AzureAD/microsoft-identity-web/wiki/Using-certificates) on GitHub.

-Your web app needs to acquire a token for the downstream API. You specify it by adding the `.EnableTokenAcquisitionToCallDownstreamApi()` line after `.AddMicrosoftIdentityWebApp(Configuration)`. This line exposes the `ITokenAcquisition` service that you can use in your controller and page actions. However, as you'll see in the following two options, it can be done more simply. You'll also need to choose a token cache implementation, for example `.AddInMemoryTokenCaches()`, in *Startup.cs*:

-If you don't want to acquire the token yourself, *Microsoft.Identity.Web* provides two mechanisms for calling a web API from a web app. The option you choose depends on whether you want to call Microsoft Graph or another API.

-To call a web API other than Microsoft Graph, *Microsoft.Identity.Web* provides `.AddDownstreamWebApi()`, which requests tokens and calls the downstream web API.

- .AddDownstreamWebApi("MyApi", Configuration.GetSection("GraphBeta"))

-Because user sign-in is delegated to the OpenID Connect (OIDC) middleware, you must interact with the OIDC process. How you interact depends on the framework you use.

-For ASP.NET, you'll subscribe to middleware OIDC events:

-ASP.NET handles things similarly to ASP.NET Core, except that the configuration of OpenID Connect and the subscription to the `OnAuthorizationCodeReceived` event happen in the [App_Start\Startup.Auth.cs](https://github.com/Azure-Samples/ms-identity-aspnet-webapp-openidconnect/blob/a2da310539aa613b77da1f9e1c17585311ab22b7/WebApp/App_Start/Startup.Auth.cs) file. The concepts are also similar to those in ASP.NET Core, except that in ASP.NET you must specify the `RedirectUri` in [Web.config#L15](https://github.com/Azure-Samples/ms-identity-aspnet-webapp-openidconnect/blob/master/WebApp/Web.config#L15). This configuration is a bit less robust than the one in ASP.NET Core, because you need to change it when you deploy your application.

-Here's the code for Startup.Auth.cs:

-```csharp

-public partial class Startup

-{

- public void ConfigureAuth(IAppBuilder app)

- {

- app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

- app.UseCookieAuthentication(new CookieAuthenticationOptions());

- // Custom middleware initialization. This is activated when the code obtained from a code_grant is present in the query string (&code=<code>).

- app.UseOAuth2CodeRedeemer(

- new OAuth2CodeRedeemerOptions

- {

- ClientId = AuthenticationConfig.ClientId,

- ClientSecret = AuthenticationConfig.ClientSecret,

- RedirectUri = AuthenticationConfig.RedirectUri

- }

- );

- app.UseOpenIdConnectAuthentication(

- new OpenIdConnectAuthenticationOptions

- {

- // The `Authority` represents the v2.0 endpoint - https://login.microsoftonline.com/common/v2.0.

- Authority = AuthenticationConfig.Authority,

- ClientId = AuthenticationConfig.ClientId,

- RedirectUri = AuthenticationConfig.RedirectUri,

- PostLogoutRedirectUri = AuthenticationConfig.RedirectUri,

- Scope = AuthenticationConfig.BasicSignInScopes + " Mail.Read", // A basic set of permissions for user sign-in and profile access "openid profile offline_access"

- TokenValidationParameters = new TokenValidationParameters

- {

- ValidateIssuer = false,

- // In a real application, you would use IssuerValidator for additional checks, such as making sure the user's organization has signed up for your app.

- // IssuerValidator = (issuer, token, tvp) =>

- // {

- // //if(MyCustomTenantValidation(issuer))

- // return issuer;

- // //else

- // // throw new SecurityTokenInvalidIssuerException("Invalid issuer");

- // },

- //NameClaimType = "name",

- },

- Notifications = new OpenIdConnectAuthenticationNotifications()

- {

- AuthorizationCodeReceived = OnAuthorizationCodeReceived,

- AuthenticationFailed = OnAuthenticationFailed,

- }

- });

- }

- private async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedNotification context)

- {

- // Upon successful sign-in, get the access token and cache it by using MSAL.

- IConfidentialClientApplication clientApp = MsalAppBuilder.BuildConfidentialClientApplication(new ClaimsPrincipal(context.AuthenticationTicket.Identity));

- AuthenticationResult result = await clientApp.AcquireTokenByAuthorizationCode(new[] { "Mail.Read" }, context.Code).ExecuteAsync();

- }

- private Task OnAuthenticationFailed(AuthenticationFailedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)

- {

- notification.HandleResponse();

- notification.Response.Redirect("/Error?message=" + notification.Exception.Message);

- return Task.FromResult(0);

- }

-}

-```

-See [app.py](https://github.com/Azure-Samples/ms-identity-python-webapp/blob/0.5.0/app.py#L36-41) for the full context of that code.

-The token-cache implementation for web apps or web APIs is different from the implementation for desktop applications, which is often [file based](msal-net-token-cache-serialization.md).

-The web-app implementation can use the ASP.NET session or the server memory. For example, see how the cache implementation is hooked after the creation of the MSAL.NET application in [MsalAppBuilder.cs#L39-L51](https://github.com/Azure-Samples/ms-identity-aspnet-webapp-openidconnect/blob/79e3e1f084cd78f9170a8ca4077869f217735a1a/WebApp/Utils/MsalAppBuilder.cs#L57-L58):

-First, to use these implementations:

- ```csharp

- #using Microsoft.Identity.Web

- ```

-```csharp

-public static class MsalAppBuilder

- private static IConfidentialClientApplication clientapp;

- public static IConfidentialClientApplication BuildConfidentialClientApplication()

- {

- if (clientapp == null)

- {

- clientapp = ConfidentialClientApplicationBuilder.Create(AuthenticationConfig.ClientId)

- .WithClientSecret(AuthenticationConfig.ClientSecret)

- .WithRedirectUri(AuthenticationConfig.RedirectUri)

- .WithAuthority(new Uri(AuthenticationConfig.Authority))

- .Build();

- // After the ConfidentialClientApplication is created, we overwrite its default UserTokenCache serialization with our implementation

- clientapp.AddInMemoryTokenCache();

- }

- return clientapp;

- }

-Instead of `clientapp.AddInMemoryTokenCache()`, you can also use more advanced cache serialization implementations like Redis, SQL, Cosmos DB, or distributed memory. Here's an example for Redis:

-```csharp

- clientapp.AddDistributedTokenCache(services =>

- {

- services.AddStackExchangeRedisCache(options =>

- {

- options.Configuration = "localhost";

- options.InstanceName = "SampleInstance";

- });

- });

-```

-You want to call a web API other than Microsoft Graph. In that case, you've added `AddDownstreamWebApi` in *Startup.cs* as specified in [Code configuration](scenario-web-app-call-api-app-configuration.md#option-2-call-a-downstream-web-api-other-than-microsoft-graph), and you can directly inject an `IDownstreamWebApi` service in your controller or page constructor and use it in the actions:

- private IDownstreamWebApi _downstreamWebApi;

- public TodoListController(IDownstreamWebApi downstreamWebApi)

- _downstreamWebApi = downstreamWebApi;

- var value = await _downstreamWebApi.CallWebApiForUserAsync(

- var value = await _downstreamWebApi.CallWebApiForUserAsync<object, Todo>(

-You've decided to acquire a token manually using the `ITokenAcquisition` service, and you now need to use the token. In that case, the following code continues the example code shown in [A web app that calls web APIs: Acquire a token for the app](scenario-web-app-call-api-acquire-token.md). The code is called in the actions of the web app controllers.

- string accessToken = await tokenAcquisition.GetAccessTokenForUserAsync(scopes);

- httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);

-[ASP.NET Core web app tutorial](https://github.com/Azure-Samples/ms-identity-aspnetcore-webapp-tutorial#scope-of-this-tutorial)

-In ASP.NET, the application is configured through the [Web.config](https://github.com/Azure-Samples/ms-identity-aspnet-webapp-openidconnect/blob/a2da310539aa613b77da1f9e1c17585311ab22b7/WebApp/Web.config#L12-L15) file, lines 12 to 15.

-```xml

-<?xml version="1.0" encoding="utf-8"?>

-<!--

- For more information on how to configure your ASP.NET application, visit

- https://go.microsoft.com/fwlink/?LinkId=301880

- -->

-<configuration>

- <appSettings>

- <add key="webpages:Version" value="3.0.0.0" />

- <add key="webpages:Enabled" value="false" />

- <add key="ClientValidationEnabled" value="true" />

- <add key="UnobtrusiveJavaScriptEnabled" value="true" />

- <add key="ida:ClientId" value="[Enter your client ID, as obtained from the app registration portal]" />

- <add key="ida:ClientSecret" value="[Enter your client secret, as obtained from the app registration portal]" />

- <add key="ida:AADInstance" value="https://login.microsoftonline.com/{0}{1}" />

- <add key="ida:RedirectUri" value="https://localhost:44326/" />

- <add key="vs:EnableBrowserLink" value="false" />

- </appSettings>

-```bash

-CLIENT_ID=<client id>

-CLIENT_SECRET=<client secret>

-TENANT_ID=<tenant id>

-```

-2. Update the code in `ConfigureServices` so that it uses the `AddMicrosoftIdentityWebAppAuthentication` and `AddMicrosoftIdentityUI` methods.

- services.AddMicrosoftIdentityWebAppAuthentication(Configuration, "AzureAd");

- - Adds the authentication service.

-The code related to authentication in an ASP.NET web app and web APIs is located in the [App_Start/Startup.Auth.cs](https://github.com/Azure-Samples/ms-identity-aspnet-webapp-openidconnect/blob/a2da310539aa613b77da1f9e1c17585311ab22b7/WebApp/App_Start/Startup.Auth.cs#L17-L61) file.

-```csharp

- app.UseOpenIdConnectAuthentication(

- new OpenIdConnectAuthenticationOptions

- {

- // Authority` represents the identity platform endpoint - https://login.microsoftonline.com/common/v2.0.

- // `Scope` describes the initial permissions that your app will need.

- // See https://azure.microsoft.com/documentation/articles/active-directory-v2-scopes/.

- ClientId = clientId,

- Authority = String.Format(CultureInfo.InvariantCulture, aadInstance, "common", "/v2.0"),

- RedirectUri = redirectUri,

- Scope = "openid profile",

- PostLogoutRedirectUri = redirectUri,

- });

-> [!IMPORTANT]

-> Automatic redemption is currently in preview.

-> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-> [!IMPORTANT]

-> [Cross-tenant synchronization](../multi-tenant-organizations/cross-tenant-synchronization-overview.md) is currently in preview.

-> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-If you select **Inbound access** of the added organization, you'll see the **Cross-tenant sync (Preview)** tab and the **Allow users sync into this tenant** check box. Cross-tenant synchronization is a one-way synchronization service in Azure AD that automates creating, updating, and deleting B2B collaboration users across tenants in an organization. For more information, see [Configure cross-tenant synchronization](../../active-directory/multi-tenant-organizations/cross-tenant-synchronization-configure.md) and the [Multi-tenant organizations documentation](../multi-tenant-organizations/index.yml).

-> When configuring settings for an organization, you'll notice a **Cross-tenant sync (Preview)** tab. This tab doesn't apply to your B2B direct connect configuration. Instead, this feature is used by multi-tenant organizations to enable B2B collaboration across their tenants. For more information, see the [multi-tenant organization documentation](../multi-tenant-organizations/index.yml).

-For details about the resources, files, and applications, that are available to the B2B direct connect user via the Teams shared channel, refer to [Chat, teams, channels, & apps in Microsoft Teams](/microsoftteams/deploy-chat-teams-channels-microsoft-teams-landing-page).

-Based on your organizationΓÇÖs requirements you might use cross-tenant synchronization (preview) in multi-tenant organizations. For more information about this new feature, see the [multi-tenant organization documentation](../multi-tenant-organizations/index.yml) and the [feature comparison](../multi-tenant-organizations/overview.md#compare-multi-tenant-capabilities).

-Cross-tenant access settings let you manage B2B collaboration and B2B direct connect with other Azure AD organizations. You can determine how other Azure AD organizations collaborate with you (inbound access), and how your users collaborate with other Azure AD organizations (outbound access). Granular controls let you determine the people, groups, and apps, both in your organization and in external Azure AD organizations, that can participate in B2B collaboration and B2B direct connect. You can also trust multi-factor authentication (MFA) and device claims (compliant claims and hybrid Azure AD joined claims) from other Azure AD organizations.

-Azure AD has a new feature for multi-tenant organizations called cross-tenant synchronization (preview), which allows for a seamless collaboration experience across Azure AD tenants. Cross-tenant synchronization settings are configured under the **Organization-specific access settings**. To learn more about multi-tenant organizations and cross-tenant synchronization see the [Multi-tenant organizations documentation](../multi-tenant-organizations/index.yml).

-A multi-tenant organization is an organization that has more than one instance of Azure AD. There are various reasons for [multi-tenancy](../../active-directory/multi-tenant-organizations/overview.md#what-is-a-multi-tenant-organization), like using multiple clouds or having multiple geographical boundaries. Multi-tenant organizations use a one-way synchronization service in Azure AD, called [cross-tenant synchronization](../../active-directory/multi-tenant-organizations/overview.md#cross-tenant-synchronization-preview). Cross-tenant synchronization enables seamless collaboration for a multi-tenant organization. It improves user experience and ensures that users can access resources, without receiving an invitation email and having to accept a consent prompt in each tenant. Cross-tenant synchronization is currently in preview.

-> [!IMPORTANT]

-> Automatic redemption is currently in PREVIEW.

-> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-For example, within a Microsoft Commercial Cloud instance, a multi-national conglomeration has multiple subsidiaries with the following requirements.

- where conditionalAccessStatus == "success"

-| where conditionalAccessStatus == "success"

-### How many licenses must you have?

-Your directory needs at least as many Azure AD Premium P2 licenses as the number of employees who will be performing the following tasks:

-For guest users, licensing needs will depend on the licensing model youΓÇÖre using. However, the below guest usersΓÇÖ activities are considered Azure AD Premium P2 usage:

-Azure AD Premium P2 licenses are **not** required for users with the Global Administrator or User Administrator roles who set up access reviews, configure settings, or apply the decisions from the reviews.

-Azure AD guest user access is based on a monthly active users (MAU) billing model, which replaces the 1:5 ratio billing model. For more information, see [Azure AD External Identities pricing](../external-identities/external-identities-pricing.md).

-For more information about licenses, see [Assign or remove licenses using the Azure portal](../fundamentals/license-users-groups.md).

-### Example license scenarios

-Here are some example license scenarios to help you determine the number of licenses you must have.

-| Scenario | Calculation | Number of licenses |

-| | | |

-| An administrator creates an access review of Group A with 75 users and 1 group owner, and assigns the group owner as the reviewer. | 1 license for the group owner as reviewer | 1 |

-| An administrator creates an access review of Group B with 500 users and 3 group owners, and assigns the 3 group owners as reviewers. | 3 licenses for each group owner as reviewers | 3 |

-| An administrator creates an access review of Group B with 500 users. Makes it a self-review. | 500 licenses for each user as self-reviewers | 500 |

-| An administrator creates an access review of Group C with 50 member users and 25 guest users. Makes it a self-review. | 50 licenses for each user as self-reviewers.* | 50 |

-| An administrator creates an access review of Group D with 6 member users and 108 guest users. Makes it a self-review. | 6 licenses for each user as self-reviewers. Guest users are billed on a monthly active user (MAU) basis. No additional licenses are required. * | 6 |

-\* Azure AD External Identities (guest user) pricing is based on monthly active users (MAU), which is the count of unique users with authentication activity within a calendar month. This model replaces the 1:5 ratio billing model, which allowed up to five guest users for each Azure AD Premium license in your tenant. When your tenant is linked to a subscription and you use External Identities features to collaborate with guest users, you'll be automatically billed using the MAU-based billing model. For more information, see [Billing model for Azure AD External Identities](../external-identities/external-identities-pricing.md).

-> [!NOTE]

-> Access Reviews for Service Principals requires an Entra Workload Identities Premium plan in addition to Azure AD Premium P2 license. You can view and acquire licenses on the [Workload Identities blade](https://portal.azure.com/#view/Microsoft_Azure_ManagedServiceIdentity/WorkloadIdentitiesBlade) in the Azure portal.

-# Configure cross-tenant synchronization using Microsoft Graph API (preview)

-> [!IMPORTANT]

-> Cross-tenant synchronization is currently in PREVIEW.

-> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-# Configure cross-tenant synchronization (preview)

-> [!IMPORTANT]

-> Cross-tenant synchronization is currently in PREVIEW.

-> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-1. Select the **Cross-tenant sync (Preview)** tab.

-1. In the source tenant, select **Azure Active Directory** > **Cross-tenant synchronization (Preview)**.

-1. In the source tenant, select **Azure Active Directory** > **Cross-tenant synchronization (Preview)**.

-1. In the source tenant, select **Azure Active Directory** > **Cross-tenant synchronization (Preview)**.

-1. In the source tenant, select **Azure Active Directory** > **Cross-tenant synchronization (Preview)**.

-# What is cross-tenant synchronization? (preview)

-> [!IMPORTANT]

-> Cross-tenant synchronization is currently in PREVIEW.

-> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-Users created by cross-tenant synchronization will have the same experience when accessing Microsoft Teams and other Microsoft 365 services as B2B collaboration users created through a manual invitation. The [userType](../external-identities/user-properties.md) property on the B2B user, whether guest or member, does not change the end user experience. Over time, the member userType will be used by the various Microsoft 365 services to provide differentiated end user experiences for users in a multi-tenant organization.

-# Topologies for cross-tenant synchronization (preview)

-> [!IMPORTANT]

-> Cross-tenant synchronization is currently in PREVIEW.

-> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-## Cross-tenant synchronization (preview)

-> [!IMPORTANT]

-> Cross-tenant synchronization is currently in PREVIEW.

-> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-* **Service code** - a three- or four-digit value in the magnetic stripe that follows the expiration date of the payment card on the track data. It defines service attributes, differentiating between international and national interchange, or identifying usage restrictions.

- * Microsoft Sentinel workbooks help visualize Azure AD data sources. See sign-ins by country, region, or applications.

-|**6.3.1** Security vulnerabilities are identified and managed as follows: </br> New security vulnerabilities are identified using industry-recognized sources for security vulnerability information, including alerts from international and national computer emergency response teams (CERTs). </br> Vulnerabilities are assigned a risk ranking based on industry best practices and consideration of potential impact. </br> Risk rankings identify, at a minimum, all vulnerabilities considered to be a high-risk or critical to the environment. </br> Vulnerabilities for bespoke and custom, and third-party software (for example operating systems and databases) are covered.|Learn about vulnerabilities. [MSRC | Security Updates, Security Update Guide](https://msrc.microsoft.com/update-guide)|

-# LinkedIn employment verification

-If your organization wants its employees to get verified on LinkedIn, you need to follow these few steps:

-1. Configure the LinkedIn company page with your organization DID (decentralized identity) and URL of the custom Webapp.

-As part of operating an AKS cluster, you may need to review logs to troubleshoot a problem. Built-in to the Azure portal is the ability to view logs for the [AKS master components][aks-master-logs] or [containers in an AKS cluster][azure-container-logs]. Occasionally, you may need to get *kubelet* logs from an AKS node for troubleshooting purposes.

-This article shows you how you can use `journalctl` to view the *kubelet* logs on an AKS node.

-This article assumes that you have an existing AKS cluster. If you need an AKS cluster, see the AKS quickstart [using the Azure CLI][aks-quickstart-cli], [using Azure PowerShell][aks-quickstart-powershell], or [using the Azure portal][aks-quickstart-portal].

-First, create an SSH connection with the node on which you need to view *kubelet* logs. This operation is detailed in the [SSH into Azure Kubernetes Service (AKS) cluster nodes][aks-ssh] document.

-Once you have connected to the node via `kubectl debug`, run the following command to pull the *kubelet* logs:

-> [!NOTE]

-> You don't need to use `sudo journalctl` since you are already `root` on the node.

-> ```

-The following sample output shows the *kubelet* log data:

-```

-If you need additional troubleshooting information from the Kubernetes master, see [view Kubernetes master node logs in AKS][aks-master-logs].

-[aks-master-logs]: monitor-aks-reference.md#resource-logs

-[aks-master-logs]: monitor-aks-reference.md#resource-logs

-[Helm][helm] is an open-source packaging tool that helps you install and manage the lifecycle of Kubernetes applications. Similar to Linux package managers such as *APT* and *Yum*, Helm is used to manage Kubernetes charts, which are packages of preconfigured Kubernetes resources.

-This article shows you how to configure and use Helm in a Kubernetes cluster on AKS.

-This article assumes that you have an existing AKS cluster. If you need an AKS cluster, see the AKS quickstart [using the Azure CLI][aks-quickstart-cli], [using Azure PowerShell][aks-quickstart-powershell], or [using the Azure portal][aks-quickstart-portal].

-In addition, this article assumes you have an existing AKS cluster with an integrated ACR. For more details on creating an AKS cluster with an integrated ACR, see [Authenticate with Azure Container Registry from Azure Kubernetes Service][aks-integrated-acr].

-You also need the Helm CLI installed, which is the client that runs on your development system. It allows you to start, stop, and manage applications with Helm. If you use the Azure Cloud Shell, the Helm CLI is already installed. For installation instructions on your local platform, see [Installing Helm][helm-install].

-Use the `helm version` command to verify you have Helm 3 installed:

-```console

-helm version

-```

-The following example shows Helm version 3.0.0 installed:

-```console

-$ helm version

-version.BuildInfo{Version:"v3.0.0", GitCommit:"e29ce2a54e96cd02ccfce88bee4f58bb6e2a28b6", GitTreeState:"clean", GoVersion:"go1.13.4"}

-```

-Use the [helm repo][helm-repo-add] command to add the *ingress-nginx* repository.

-```console

-helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx

-```

-Helm charts are used to deploy applications into a Kubernetes cluster. To search for pre-created Helm charts, use the [helm search][helm-search] command:

-```console

-helm search repo ingress-nginx

-```

-The following condensed example output shows some of the Helm charts available for use:

-```console

-$ helm search repo ingress-nginx

-NAME CHART VERSION APP VERSION DESCRIPTION

-ingress-nginx/ingress-nginx 2.12.0 0.34.1 Ingress controller for Kubernetes using NGINX a...

-```

-To update the list of charts, use the [helm repo update][helm-repo-update] command.

-```console

-helm repo update

-```

-The following example shows a successful repo update:

-```console

-$ helm repo update

-Hang tight while we grab the latest from your chart repositories...

-...Successfully got an update from the "ingress-nginx" chart repository

-Update Complete. ΓÄê Happy Helming!ΓÄê

-```

-## Import the images used by the Helm chart into your ACR

-This article uses the [NGINX ingress controller Helm chart][ingress-nginx-helm-chart], which relies on three container images. Use `az acr import` to import those images into your ACR.

-```azurecli

-REGISTRY_NAME=<REGISTRY_NAME>

-CONTROLLER_REGISTRY=k8s.gcr.io

-CONTROLLER_IMAGE=ingress-nginx/controller

-CONTROLLER_TAG=v0.48.1

-PATCH_REGISTRY=docker.io

-PATCH_IMAGE=jettech/kube-webhook-certgen

-PATCH_TAG=v1.5.1

-DEFAULTBACKEND_REGISTRY=k8s.gcr.io

-DEFAULTBACKEND_IMAGE=defaultbackend-amd64

-DEFAULTBACKEND_TAG=1.5

-az acr import --name $REGISTRY_NAME --source $CONTROLLER_REGISTRY/$CONTROLLER_IMAGE:$CONTROLLER_TAG --image $CONTROLLER_IMAGE:$CONTROLLER_TAG

-az acr import --name $REGISTRY_NAME --source $PATCH_REGISTRY/$PATCH_IMAGE:$PATCH_TAG --image $PATCH_IMAGE:$PATCH_TAG

-az acr import --name $REGISTRY_NAME --source $DEFAULTBACKEND_REGISTRY/$DEFAULTBACKEND_IMAGE:$DEFAULTBACKEND_TAG --image $DEFAULTBACKEND_IMAGE:$DEFAULTBACKEND_TAG

-```

-> [!NOTE]

-> In addition to importing container images into your ACR, you can also import Helm charts into your ACR. For more information, see [Push and pull Helm charts to an Azure container registry][acr-helm].

-To install charts with Helm, use the [helm install][helm-install-command] command and specify a release name and the name of the chart to install. To see installing a Helm chart in action, let's install a basic nginx deployment using a Helm chart.

-> [!TIP]

-> The following example creates a Kubernetes namespace for the ingress resources named *ingress-basic* and is intended to work within that namespace. Specify a namespace for your own environment as needed.

-```console

-ACR_URL=<REGISTRY_URL>

-# Create a namespace for your ingress resources

-kubectl create namespace ingress-basic

-# Use Helm to deploy an NGINX ingress controller

-helm install nginx-ingress ingress-nginx/ingress-nginx \

- --version 4.0.13 \

- --namespace ingress-basic \

- --set controller.replicaCount=2 \

- --set controller.nodeSelector."kubernetes\.io/os"=linux \

- --set controller.image.registry=$ACR_URL \

- --set controller.image.image=$CONTROLLER_IMAGE \

- --set controller.image.tag=$CONTROLLER_TAG \

- --set controller.image.digest="" \

- --set controller.admissionWebhooks.patch.nodeSelector."kubernetes\.io/os"=linux \

- --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-load-balancer-health-probe-request-path"=/healthz \

- --set controller.admissionWebhooks.patch.image.registry=$ACR_URL \

- --set controller.admissionWebhooks.patch.image.image=$PATCH_IMAGE \

- --set controller.admissionWebhooks.patch.image.tag=$PATCH_TAG \

- --set defaultBackend.nodeSelector."kubernetes\.io/os"=linux \

- --set defaultBackend.image.registry=$ACR_URL \

- --set defaultBackend.image.image=$DEFAULTBACKEND_IMAGE \

- --set defaultBackend.image.tag=$DEFAULTBACKEND_TAG \

- --set defaultBackend.image.digest=""

-```

-The following condensed example output shows the deployment status of the Kubernetes resources created by the Helm chart:

-```console

-NAME: nginx-ingress

-LAST DEPLOYED: Wed Jul 28 11:35:29 2021

-NAMESPACE: ingress-basic

-STATUS: deployed

-REVISION: 1

-TEST SUITE: None

-NOTES:

-The ingress-nginx controller has been installed.

-It may take a few minutes for the LoadBalancer IP to be available.

-You can watch the status by running 'kubectl --namespace ingress-basic get services -o wide -w nginx-ingress-ingress-nginx-controller'

-...

-```

-Use the `kubectl get services` command to get the *EXTERNAL-IP* of your service.

-```console

-kubectl --namespace ingress-basic get services -o wide -w nginx-ingress-ingress-nginx-controller

-```

-For example, the below command shows the *EXTERNAL-IP* for the *nginx-ingress-ingress-nginx-controller* service:

-```console

-$ kubectl --namespace ingress-basic get services -o wide -w nginx-ingress-ingress-nginx-controller

-NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR

-nginx-ingress-ingress-nginx-controller LoadBalancer 10.0.254.93 <EXTERNAL_IP> 80:30004/TCP,443:30348/TCP 61s app.kubernetes.io/component=controller,app.kubernetes.io/instance=nginx-ingress,app.kubernetes.io/name=ingress-nginx

-```

-To see a list of releases installed on your cluster, use the `helm list` command.

-```console

-helm list --namespace ingress-basic

-```

-The following example shows the *my-nginx-ingress* release deployed in the previous step:

-```console

-$ helm list --namespace ingress-basic

-NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION

-nginx-ingress ingress-basic 1 2021-07-28 11:35:29.9623734 -0500 CDT deployed ingress-nginx-3.34.0 0.47.0

-```

-When you deploy a Helm chart, a number of Kubernetes resources are created. These resources include pods, deployments, and services. To clean up these resources, use the [helm uninstall][helm-cleanup] command and specify your release name, as found in the previous `helm list` command.

-```console

-helm uninstall --namespace ingress-basic nginx-ingress

-```

-The following example shows the release named *my-nginx-ingress* has been uninstalled:

-```console

-$ helm uninstall --namespace ingress-basic nginx-ingress

-release "nginx-ingress" uninstalled

-```

-To delete the entire sample namespace, use the `kubectl delete` command and specify your namespace name. All the resources in the namespace are deleted.

-```console

-kubectl delete namespace ingress-basic

-```

-

-[taints]: operator-best-practices-advanced-scheduler.md

- az aks update -g MyResourceGroup -n myManagedCluster --enable-aad --aad-admin-group-object-ids <id-1> [--aad-tenant-id <id>]

-You can use the generally available [confidential VM sizes (DCav5/ECav5)][cvm-announce] to add a node pool to your AKS cluster with CVM. Confidential VMs with AMD SEV-SNP support bring a new set of security features to protect data-in-use with full VM memory encryption. These features enable node pools with CVM to target the migration of highly sensitive container workloads to AKS without any code refactoring while benefiting from the features of AKS. The nodes in a node pool created with CVM use a customized Ubuntu 20.04 image specially configured for CVM. For more details on CVM, see [Confidential VM node pools support on AKS with AMD SEV-SNP confidential VMs][cvm].

-To add a node pool with the CVM to AKS, use `az aks nodepool add` and set `node-vm-size` to `Standard_DCa4_v5`. For example:

-```azurecli-interactive

-az aks nodepool add \

- --resource-group myResourceGroup \

- --cluster-name myAKSCluster \

- --name cvmnodepool \

- --node-count 3 \

- --node-vm-size Standard_DC4as_v5

-```

-To verify a node pool uses CVM, use `az aks nodepool show` and verify the `vmSize` is `Standard_DCa4_v5`. For example:

-```azurecli-interactive

-az aks nodepool show \

- --resource-group myResourceGroup \

- --cluster-name myAKSCluster \

- --name cvmnodepool \

- --query 'vmSize'

-```

-The following example command and output shows the node pool uses CVM:

-```output

-az aks nodepool show \

- --resource-group myResourceGroup \

- --cluster-name myAKSCluster \

- --name cvmnodepool \

- --query 'vmSize'

-"Standard_DC4as_v5"

-```

-To remove a node pool with CVM from an AKS cluster, use `az aks nodepool delete`. For example:

-```azurecli-interactive

-az aks nodepool delete \

- --resource-group myResourceGroup \

- --cluster-name myAKSCluster \

- --name cvmnodepool

-```

-If you have multiple node pools, you may want to add a label during node pool creation. [These labels][kubernetes-labels] are visible in Kubernetes for handling scheduling rules for nodes. You can add labels to a node pool anytime, and they'll be set on all nodes in the node pool.

-In this how-to guide, you'll learn how to use labels in an AKS cluster.

-To create an AKS cluster with a label, use [az aks create][az-aks-create]. Specify the `--node-labels` parameter to set your labels. Labels must be a key/value pair and have a [valid syntax][kubernetes-label-syntax].

-```azurecli-interactive

-az aks create \

- --resource-group myResourceGroup \

- --name myAKSCluster \

- --node-count 2 \

- --nodepool-labels dept=IT costcenter=9000

-```

-Verify the labels were set by running `kubectl get nodes --show-labels`.

-```bash

-kubectl get nodes --show-labels | grep -e "costcenter=9000" -e "dept=IT"

-```

-To create a node pool with a label, use [az aks nodepool add][az-aks-nodepool-add]. Specify the name *labelnp* and use the `--labels` parameter to specify *dept=HR* and *costcenter=5000* for labels. Labels must be a key/value pair and have a [valid syntax][kubernetes-label-syntax]

-```azurecli-interactive

-az aks nodepool add \

- --resource-group myResourceGroup \

- --cluster-name myAKSCluster \

- --name labelnp \

- --node-count 1 \

- --labels dept=HR costcenter=5000 \

- --no-wait

-```

-The following example output from the [az aks nodepool list][az-aks-nodepool-list] command shows that *labelnp* is *Creating* nodes with the specified *nodeLabels*:

-```azurecli

-az aks nodepool list -g myResourceGroup --cluster-name myAKSCluster

-```output

-[

- {

- ...

- "count": 1,

- ...

- "name": "labelnp",

- "orchestratorVersion": "1.15.7",

- ...

- "provisioningState": "Creating",

- ...

- "nodeLabels": {

- "costcenter": "5000",

- "dept": "HR"

- },

- ...

- },

- ...

-]

-```

-Verify the labels were set by running `kubectl get nodes --show-labels`.

-```bash

-kubectl get nodes --show-labels | grep -e "costcenter=5000" -e "dept=HR"

-```

-To update a label on existing node pools, use [az aks nodepool update][az-aks-nodepool-update]. Updating labels on existing node pools will overwrite the old labels with the new labels. Labels must be a key/value pair and have a [valid syntax][kubernetes-label-syntax].

-```azurecli-interactive

-az aks nodepool update \

- --resource-group myResourceGroup \

- --cluster-name myAKSCluster \

- --name labelnp \

- --labels dept=ACCT costcenter=6000 \

- --no-wait

-```

-Verify the labels were set by running `kubectl get nodes --show-labels`.

-```bash

-kubectl get nodes --show-labels | grep -e "costcenter=6000" -e "dept=ACCT"

-```

-Since the [2021-08-19 AKS release][aks-release-2021-gh], Azure Kubernetes Service (AKS) has stopped the ability to make changes to AKS reserved labels. Attempting to change these labels will result in an error message.

-The following labels are reserved for use by AKS. *Virtual node usage* specifies if these labels could be a supported system feature on virtual nodes.

-Some properties that these system features change aren't available on the virtual nodes, because they require modifying the host.

-The following list of prefixes are reserved for usage by AKS and can't be used for any node.

-For additional reserved prefixes, see [Kubernetes well-known labels, annotations, and taints][kubernetes-well-known-labels].

-The following labels are planned for deprecation with the release of [Kubernetes v1.24][aks-release-calendar]. Customers should change any label references to the recommended substitute.

-*Newly deprecated. For more information, see [Release Notes][aks-release-notes-gh] on when these labels will no longer be maintained.

-Learn more about Kubernetes labels at the [Kubernetes labels documentation][kubernetes-labels].

-[install-azure-cli]: /cli/azure/install-azure-cli

-| Control plane | AKS Cluster Name | Used by AKS control plane components to manage cluster resources including ingress load balancers and AKS-managed public IPs, Cluster Autoscaler, Azure Disk & File CSI drivers. | Contributor role for Node resource group | Supported

- - powershell.exe

-This article shows you how to use the Azure portal to create and configure the virtual network resources and an AKS cluster with virtual nodes enabled.

-> [This article](virtual-nodes.md) gives you an overview of the region availability and limitations using virtual nodes.

-Virtual nodes enable network communication between pods that run in Azure Container Instances (ACI) and the AKS cluster. To provide this communication, a virtual network subnet is created and delegated permissions are assigned. Virtual nodes only work with AKS clusters created using *advanced* networking (Azure CNI). By default, AKS clusters are created with *basic* networking (kubenet). This article shows you how to create a virtual network and subnets, then deploy an AKS cluster that uses advanced networking.

-If you have not previously used ACI, register the service provider with your subscription. You can check the status of the ACI provider registration using the [az provider list][az-provider-list] command, as shown in the following example:

-```azurecli-interactive

-az provider list --query "[?contains(namespace,'Microsoft.ContainerInstance')]" -o table

-```

-The *Microsoft.ContainerInstance* provider should report as *Registered*, as shown in the following example output:

-```output

-Namespace RegistrationState RegistrationPolicy

- - --

-Microsoft.ContainerInstance Registered RegistrationRequired

-```

-If the provider shows as *NotRegistered*, register the provider using the [az provider register][az-provider-register] as shown in the following example:

-```azurecli-interactive

-az provider register --namespace Microsoft.ContainerInstance

-```

-## Sign in to Azure

-Sign in to the Azure portal at https://portal.azure.com.

-In the top left-hand corner of the Azure portal, select **Create a resource** > **Kubernetes Service**.

-On the **Basics** page, configure the following options:

- - Select the number of nodes to deploy into the cluster. For this article, set **Node count** to *1*. Node count **can** be adjusted after the cluster has been deployed.

-Click **Next: Node Pools**.

-On the **Node Pools** page, select *Enable virtual nodes*.

-By default, a cluster identity is created. This cluster identity is used for cluster communication and integration with other Azure services. By default, this cluster identity is a managed identity. For more information, see [Use managed identities](use-managed-identity.md). You can also use a service principal as your cluster identity.

-The cluster is also configured for advanced networking. The virtual nodes are configured to use their own Azure virtual network subnet. This subnet has delegated permissions to connect Azure resources between the AKS cluster. If you don't already have delegated subnet, the Azure portal creates and configures the Azure virtual network and subnet for use with the virtual nodes.

-Select **Review + create**. After the validation is complete, select **Create**.

-It takes a few minutes to create the AKS cluster and to be ready for use.

-The Azure Cloud Shell is a free interactive shell that you can use to run the steps in this article. It has common Azure tools preinstalled and configured to use with your account. To manage a Kubernetes cluster, use [kubectl][kubectl], the Kubernetes command-line client. The `kubectl` client is pre-installed in the Azure Cloud Shell.

-To open the Cloud Shell, select **Try it** from the upper right corner of a code block. You can also launch Cloud Shell in a separate browser tab by going to [https://shell.azure.com/bash](https://shell.azure.com/bash). Select **Copy** to copy the blocks of code, paste it into the Cloud Shell, and press enter to run it.

-Use the [az aks get-credentials][az-aks-get-credentials] command to configure `kubectl` to connect to your Kubernetes cluster. The following example gets credentials for the cluster name *myAKSCluster* in the resource group named *myResourceGroup*:

-```azurecli-interactive

-az aks get-credentials --resource-group myResourceGroup --name myAKSCluster

-```

-To verify the connection to your cluster, use the [kubectl get][kubectl-get] command to return a list of the cluster nodes.

-```console

-kubectl get nodes

-```

-The following example output shows the single VM node created and then the virtual node for Linux, *virtual-node-aci-linux*:

-```output

-NAME STATUS ROLES AGE VERSION

-virtual-node-aci-linux Ready agent 28m v1.11.2

-aks-agentpool-14693408-0 Ready agent 32m v1.11.2

-```

-In the Azure Cloud Shell, create a file named `virtual-node.yaml` and copy in the following YAML. To schedule the container on the node, a [nodeSelector][node-selector] and [toleration][toleration] are defined. These settings allow the pod to be scheduled on the virtual node and confirm that the feature is successfully enabled.

-```yaml

-apiVersion: apps/v1

-kind: Deployment

-metadata:

- name: aci-helloworld

-spec:

- replicas: 1

- selector:

- matchLabels:

- app: aci-helloworld

- template:

- labels:

- app: aci-helloworld

- containers:

- - name: aci-helloworld

- image: mcr.microsoft.com/azuredocs/aci-helloworld

- ports:

- - containerPort: 80

- nodeSelector:

- kubernetes.io/role: agent

- beta.kubernetes.io/os: linux

- type: virtual-kubelet

- tolerations:

- - key: virtual-kubelet.io/provider

- operator: Exists

-```

-Run the application with the [kubectl apply][kubectl-apply] command.

-```azurecli-interactive

-kubectl apply -f virtual-node.yaml

-```

-Use the [kubectl get pods][kubectl-get] command with the `-o wide` argument to output a list of pods and the scheduled node. Notice that the `virtual-node-helloworld` pod has been scheduled on the `virtual-node-linux` node.

-```console

-kubectl get pods -o wide

-```

-```output

-NAME READY STATUS RESTARTS AGE IP NODE

-virtual-node-helloworld-9b55975f-bnmfl 1/1 Running 0 4m 10.241.0.4 virtual-node-aci-linux

-```

-The pod is assigned an internal IP address from the Azure virtual network subnet delegated for use with virtual nodes.

-> If you use images stored in Azure Container Registry, [configure and use a Kubernetes secret][acr-aks-secrets]. A current limitation of virtual nodes is that you can't use integrated Azure AD service principal authentication. If you don't use a secret, pods scheduled on virtual nodes fail to start and report the error `HTTP response status code 400 error code "InaccessibleImage"`.

-To test the pod running on the virtual node, browse to the demo application with a web client. As the pod is assigned an internal IP address, you can quickly test this connectivity from another pod on the AKS cluster. Create a test pod and attach a terminal session to it:

-```console

-kubectl run -it --rm virtual-node-test --image=mcr.microsoft.com/dotnet/runtime-deps:6.0

-```

-Install `curl` in the pod using `apt-get`:

-```console

-apt-get update && apt-get install -y curl

-```

-Now access the address of your pod using `curl`, such as *http://10.241.0.4*. Provide your own internal IP address shown in the previous `kubectl get pods` command:

-```console

-curl -L http://10.241.0.4

-```

-The demo application is displayed, as shown in the following condensed example output:

-```output

-<html>

-<head>

- <title>Welcome to Azure Container Instances!</title>

-</head>

-[...]

-```

-Close the terminal session to your test pod with `exit`. When your session is ended, the pod is the deleted.

-In this article, a pod was scheduled on the virtual node and assigned a private, internal IP address. You could instead create a service deployment and route traffic to your pod through a load balancer or ingress controller. For more information, see [Create a basic ingress controller in AKS][aks-basic-ingress].

-[azure-cni]: https://github.com/Azure/azure-container-networking/blob/master/docs/cni.md

-[aks-github]: https://github.com/azure/aks/issues]

-[aks-network]: ./configure-azure-cni.md

-Use the API Management [Get By Name](/rest/api/apimanagement/current-ga/deleted-services/get-by-name) operation, substituting `{subscriptionId}`, `{location}`, and `{serviceName}` with your Azure subscription, resource location, and API Management instance name:

-### Flight Recorder

-All Java runtimes on App Service using the Azul JVMs come with the Zulu Flight Recorder. You can use this to record JVM, system, and application events and troubleshoot problems in your Java applications.

-#### Timed Recording

-To take a timed recording, you'll need the PID (Process ID) of the Java application. To find the PID, open a browser to your web app's SCM site at `https://<your-site-name>.scm.azurewebsites.net/ProcessExplorer/`. This page shows the running processes in your web app. Find the process named "java" in the table and copy the corresponding PID (Process ID).

-Next, open the **Debug Console** in the top toolbar of the SCM site and run the following command. Replace `<pid>` with the process ID you copied earlier. This command will start a 30-second profiler recording of your Java application and generate a file named `timed_recording_example.jfr` in the `D:\home` directory.

-```

-jcmd <pid> JFR.start name=TimedRecording settings=profile duration=30s filename="D:\home\timed_recording_example.JFR"

-```

-SSH into your App Service and run the `jcmd` command to see a list of all the Java processes running. In addition to jcmd itself, you should see your Java application running with a process ID number (pid).

-```shell

-078990bbcd11:/home# jcmd

-Picked up JAVA_TOOL_OPTIONS: -Djava.net.preferIPv4Stack=true

-147 sun.tools.jcmd.JCmd

-116 /home/site/wwwroot/app.jar

-```

-Execute the command below to start a 30-second recording of the JVM. This will profile the JVM and create a JFR file named *jfr_example.jfr* in the home directory. (Replace 116 with the pid of your Java app.)

-```shell

-jcmd 116 JFR.start name=MyRecording settings=profile duration=30s filename="/home/jfr_example.jfr"

-```

-During the 30-second interval, you can validate the recording is taking place by running `jcmd 116 JFR.check`. This will show all recordings for the given Java process.

-#### Continuous Recording

-You can use Zulu Flight Recorder to continuously profile your Java application with minimal impact on runtime performance. To do so, run the following Azure CLI command to create an App Setting named JAVA_OPTS with the necessary configuration. The contents of the JAVA_OPTS App Setting are passed to the `java` command when your app is started.

-```azurecli

-az webapp config appsettings set -g <your_resource_group> -n <your_app_name> --settings JAVA_OPTS=-XX:StartFlightRecording=disk=true,name=continuous_recording,dumponexit=true,maxsize=1024m,maxage=1d

-```

-Once the recording has started, you can dump the current recording data at any time using the `JFR.dump` command.

-```shell

-jcmd <pid> JFR.dump name=continuous_recording filename="/home/recording1.jfr"

-```

-#### Analyze `.jfr` files

-Use [FTPS](deploy-ftp.md) to download your JFR file to your local machine. To analyze the JFR file, download and install [Zulu Mission Control](https://www.azul.com/products/zulu-mission-control/). For instructions on Zulu Mission Control, see the [Azul documentation](https://docs.azul.com/zmc/) and the [installation instructions](/java/azure/jdk/java-jdk-flight-recorder-and-mission-control).

- <value>-Xms512m -Xmx1204m</value>

-| Java 8 | 1.8.0_312 (Zulu) * | 1.8.0_312 (Adoptium) |

-| Java 11 | 11.0.13 (MSFT) | 11.0.13 (MSFT) |

-| Java 17 | 17.0.1 (MSFT) | 17.0.1 (MSFT) |

-If you are [pinned](#choosing-a-java-runtime-version) to an older minor version of Java your site may be using the [Zulu for Azure](https://www.azul.com/downloads/#zulu) binaries provided through [Azul Systems](https://www.azul.com/). You can continue to use these binaries for your site, but any security patches or improvements will only be available in new versions of the OpenJDK, so we recommend that you periodically update your Web Apps to a later version of Java.

-Developers can download the Production Edition of Azul Zulu Enterprise JDK for local development from [Azul's download site](https://www.azul.com/downloads/#zulu).

-description: Learn how to configure a PHP app in the native Windows instances, or in a pre-built PHP container, in Azure App Service. This article shows the most common configuration tasks.

-5. From the **Review + create** tab, check that your configuration is correct, and select **Create**. Your App Service Environment can more than one hour to create.

-When you scale up or down in size, the required address space is doubled for a short period of time. The scale operation affects the real, available supported instances for a given subnet size. Platform upgrades need free IP addresses to ensure upgrade can happen without interruptions to outbound traffic. Finally, after scale up, down or in operations complete, there might be a short period of time before IP addresses are released.

-| `PHP_ZENDEXTENSIONS` | For Windows native apps, set to the path of the XDebug extension, such as `D:\devtools\xdebug\2.6.0\php_7.2\php_xdebug-2.6.0-7.2-vc15-nts.dll`. For Linux apps, set to `xdebug` to use the XDebug version of the PHP container. ||

-| `PORT` | Read-only. Port that Apache server listens to in the container. ||

-| `WEBSITE_ENABLE_PHP_ACCESS_LOGS` | Set to `TRUE` to log requests to the server (`CustomLog \dev\stderr combined` is added to `/etc/apache2/apache2.conf`). ||

-| `APACHE_SERVER_LIMIT` | Apache specific variable. The default is `1000`. ||

-| `APACHE_MAX_REQ_WORKERS` | Apache specific variable. The default is `256`. ||

-* "LogAnalytics/Behavior": false

-Specify your existing workspace in the `LogAnalytics/Workspace` line. Set the `LogAnalytics/Behavior` setting to true if you would like this log analytics workspace to be used in all cases. This means that any machine with this custom profile will use this workspace, even it is already connected to one. By default, the `LogAnalytics/Behavior` is set to false. If your machine is already connected to a workspace, then that workspace will continue to be used. If it's not connected to a workspace, then the workspace specified in `LogAnalytics\Workspace` will be used.

- #write-warning (Test-Json -Json $WebhookData)

- $Payload = $WebhookData | ConvertFrom-Json

- write-output $Payload.WebhookName

- write-output $Payload.RequestBody

- write-output $Payload.RequestHeader

- if ($Payload.RequestBody) {

- $names = (ConvertFrom-Json -InputObject $Payload.RequestBody)

-Change Tracking and Inventory is supported on all operating systems that meet Log Analytics agent requirements. See [supported operating systems](../../azure-monitor/agents/agents-overview.md#supported-operating-systems) for a list of the Windows and Linux operating system versions that are currently supported by the Log Analytics agent.

-You can import a Python 3.8 package and its dependencies by importing the following Python script into a Python 3.8 runbook, and then running it.

- - certificateName: arcdata-msft-elasticsearch-exporter-internal

- certificateName: arcdata-msft-elasticsearch-exporter-internal

- name: arcdata/msft/internal

- - elasticsearch/arcdata/msft/internal

- elasticsearch:

-> [Note]

-You can configure server configuration settings for Azure Arc-enabled SQL managed instance after creation time. This article describes how to configure settings like enabling or disabling mssql Agent, enable specific trace flags for troubleshooting scenarios.

-### Enable SQL Server agent

-SQL Server agent is disabled by default. It can be enabled by running the following command:

-### Enable Trace flags

-Enabling service-managed transparent data encryption will require the managed instance to use a service-managed database master key as well as the service-managed server certificate. These credentials will be automatically created when service-managed transparent data encryption is enabled. For more info on TDE, please refer to [Transparent data encryption](/sql/relational-databases/security/encryption/transparent-data-encryption).

-The following limitations must be considered when deploying Service-Managed TDE:

-### Prerequisites

-Turning on TDE on the managed instance will result in the following operations taking place:

-1. Adding the service-managed database master key in the `master` database.

-2. Adding the service-managed certificate protector.

-3. Adding the associated Database Encryption Keys (DEK) on all databases on the managed instance.

-4. Enabling encryption on all databases on the managed instance.

-Run kubectl patch to enable service-managed TDE

-kubectl patch sqlmi contososqlmi --namespace arc --type merge --patch '{ "spec": { "security": { "transparentDataEncryption": { "mode": "ServiceManaged" } } } }'

-Turning off TDE on the managed instance will result in the following operations taking place:

-1. Disabling encryption on all databases on the managed instance.

-2. Dropping the associated DEKs on all databases on the managed instance.

-3. Dropping the service-managed certificate protector.

-4. Dropping the service-managed database master key in the `master` database.

-Run kubectl patch to disable service-managed TDE

-kubectl patch sqlmi <sqlmi-name> --namespace <namespace> --type merge --patch '{ "spec": { "security": { "transparentDataEncryption": { "mode": null } } } }'

-kubectl patch sqlmi contososqlmi --namespace arc --type merge --patch '{ "spec": { "security": { "transparentDataEncryption": { "mode": null } } } }'

- certificates:

- - certificateName: arcdata-msft-elasticsearch-exporter-internal

- - certificateName: cluster-ca-certificate

- elasticsearch:

- - caCertificateName: cluster-ca-certificate

- certificateName: arcdata-msft-elasticsearch-exporter-internal

- endpoint: https://logsdb-svc:9200

- index: logstash-otel

- name: arcdata/msft/internal

- logs:

- exporters:

- - elasticsearch/arcdata/msft/internal

-For the public preview, the pipeline and exporter have a default pre-configuration to Microsoft's deployment of Elasticsearch. This default deployment gives you an example of how the parameters for credentials, exporters, and pipelines are set up within the spec. You can follow this example to export to your own monitoring solutions. See [adding exporters and pipelines](adding-exporters-and-pipelines.md) for more examples. This example deployment will be removed at the conclusion of the public preview.

-After the TelemetryRouter is deployed, both TelemetryCollector custom resources should be in a *Ready* state. These resources are system managed and editing them isn't supported. If you look at the pods, you should see the following types of pods:

-arctc-collector-outbound-0 2/2 Running 0 15h

-metricsdc-qgl26 2/2 Running 0 15h

-metricsdc-sndjv 2/2 Running 0 15h

-metricsdc-xh78q 2/2 Running 0 15h

-```

-```

-The ```--retention-period``` can be changed for a SQL Managed Instance-Azure Arc as follows. The below command applies to both ```direct``` and ```indirect``` connected modes.

-The operational data stored locally requires built-in administrative privileges to view it in Grafana/Kibana.

-Updated ElasticSearch to latest version `7.9.1-36fefbab37-205465`. Also Grafana, Kibana, Telegraf, Fluent Bit, Go.

-This article describes how to rotate service-managed credentials for Azure Arc-enabled SQL Managed Instance. Arc data services generates various service-managed credentials like certificates and SQL logins used for Monitoring, Backup/Restore, High Availability etc. These credentials are considered custom resource credentials managed by Azure Arc data services.

-During a SQL Managed Instance service-managed credential rotation, the managed instance Kubernetes pod is terminated and reprovisioned when new credentials are generated. This process causes a short amount of downtime as the new managed instance pod is created. To handle the interruption, build resiliency into your application such as connection retry logic, to ensure minimal disruption. Read [Overview of the reliability pillar](/azure/architecture/framework/resiliency/overview) for more information on how to architect resiliency and [retry guidance for Azure Services](/azure/architecture/best-practices/retry-service-specific#sql-database-using-adonet).

-Run the following commands to get current service-managed credentials generation from spec and generate the new generation of service-managed credentials. This action triggers a service-managed credential rotation.

-rotateCredentialGeneration=$(($(kubectl get sqlmi <sqlmi-name> -o jsonpath='{.spec.update.managedCredentialsGeneration}' -n <namespace>) + 1)) 

-kubectl patch sqlmi <sqlmi-name> --namespace <namespace> --type merge --patch '{ "spec": { "update": { "managedCredentialsGeneration": '$rotateCredentialGeneration'} } }' 

-The `managedCredentialsGeneration` identifies the target generation for the service-managed credentials. The rest of the features like configuration and the kubernetes topology remain the same.

-> Rollback is required when credential rotation failed for any reasons. Rollback to previous credentials generation is supported only once to n-1 where n is current generation.

-rotateCredentialGeneration=$(($(kubectl get sqlmi <sqlmi-name> -o jsonpath='{.spec.update.managedCredentialsGeneration}' -n <namespace>) - 1)) 

-kubectl patch sqlmi <sqlmi-name> --namespace <namespace> --type merge --patch '{ "spec": { "update": { "managedCredentialsGeneration": '$rotateCredentialGeneration'} } }' 

-|**ElasticSearch**|`<namespace>/logs-logsdb-0`, `<namespace>/data-logsdb-0`|

-Γöé Γöé ΓööΓöÇΓöÇΓöÇelasticsearch

-Γöé Γöé Γö£ΓöÇΓöÇΓöÇelasticsearch

-## Version 1.26 - January 2023

-Download for [Linux](manage-agent.md#installing-a-specific-version-of-the-agent)

-> [!NOTE]

-> Version 1.26 is only available for Linux operating systems.

-### Fixed

-## Version 1.25 - January 2023

-Download for [Windows](https://download.microsoft.com/download/2/#installing-a-specific-version-of-the-agent)

-### New features

-### Fixed

-* Windows Server 2008 R2 SP1, 2012 R2, 2016, 2019, and 2022

-* Windows PowerShell 4.0 or later (already included with Windows Server 2012 R2 and later). For Windows Server 2008 R2 SP1, [Download Windows Management Framework 5.1.](https://www.microsoft.com/download/details.aspx?id=54616).

-* [Create a function app with an Azure Cosmos DB connection](#create-a-function-app-with-an-azure-cosmos-db-connection)

-## Leverage New Types

-This article describes general strategies for error handling and the available retry strategies.

-There are two kinds of retries available for your functions:

-| Trigger/binding | Retry source | Configuration |

-| - | - | -- |

-| Azure Event Grid | [Binding extension](../event-grid/delivery-and-retry.md) | Event subscription |

-| Azure Event Hubs | [Retry policies](#retry-policies) | Function-level |

-| Azure Queue Storage | [Binding extension](functions-bindings-storage-queue-trigger.md#poison-messages) | [host.json](functions-bindings-storage-queue.md#host-json) |

-| RabbitMQ | [Binding extension](functions-bindings-rabbitmq-trigger.md#dead-letter-queues) | [Dead letter queue](https://www.rabbitmq.com/dlx.html) |

-| Azure Service Bus | [Binding extension](../service-bus-messaging/service-bus-dead-letter-queues.md) | [Dead letter queue](../service-bus-messaging/service-bus-dead-letter-queues.md#maximum-delivery-count) |

-Starting with version 3.x of the Azure Functions runtime, you can define retry policies for Timer, Kafka, and Event Hubs triggers that are enforced by the Functions runtime.

-The retry policy tells the runtime to rerun a failed execution until either successful completion occurs or the maximum number of retries is reached.

-A retry policy is evaluated when a Timer, Kafka, or Event Hubs-triggered function raises an uncaught exception. As a best practice, you should catch all exceptions in your code and rethrow any errors that you want to result in a retry.

-A specified amount of time is allowed to elapse between each retry.

-# [Exponential backoff](#tab/exponential-backoff)

-The first retry waits for the minimum delay. On subsequent retries, time is added exponentially to the initial duration for each retry, until the maximum delay is reached. Exponential back-off adds some small randomization to delays to stagger retries in high-throughput scenarios.

-You can configure the maximum number of times that a function execution is retried before eventual failure. The current retry count is stored in memory of the instance.

-It's possible for an instance to have a failure between retry attempts. When an instance fails during a retry policy, the retry count is lost. When there are instance failures, the Event Hubs trigger is able to resume processing and retry the batch on a new instance, with the retry count reset to zero. The timer trigger doesn't resume on a new instance.

-||-|

-```csharp

-[Function("EventHubsFunction")]

-[FixedDelayRetry(5, "00:00:10")]

-[EventHubOutput("dest", Connection = "EventHubConnectionAppSetting")]

-public static string Run([EventHubTrigger("src", Connection = "EventHubConnectionAppSetting")] string[] input,

- FunctionContext context)

-{

-// ...

-}

- ```

-||-|

-||-|

-||-|

-|MaximumInterval|The maximum retry delay. Specify it as a string with the format `HH:mm:ss`.|

-Retry policies aren't yet supported when they're running in an isolated worker process.

-||-|

-|maximumInterval|The maximum retry delay. Specify it as a string with the format `HH:mm:ss`.|

-# [Exponential backoff](#tab/exponential-backoff)

-||-|

-|maximumInterval|The maximum retry delay when you're using `exponentialBackoff` strategy. Specify it as a string with the format `HH:mm:ss`.|

-

-

-# [Exponential backoff](#tab/exponential-backoff)

-||-|

-| <ul><li>[Java function using Visual Studio Code](./create-first-function-vs-code-java.md)</li><li>[Jav)</li></ul> | <ul><li>[Java samples with different triggers](/samples/azure-samples/azure-functions-samples-java/azure-functions-java/)</li><li>[Event Hubs trigger and Azure Cosmos DB output binding](/samples/azure-samples/java-functions-eventhub-cosmosdb/sample/)</li></ul> |

-|US Gov Arizona </br> US Gov Texas </br> US Gov Virginia|FedRAMP High, DoD IL4, DoD IL5|145|

-source.add(new atlas.data.Polygon([[[/* Coordinates for polygon */]]]));

- color: 'orange',

- width: 2

-6. Select the **Send** button. The response includes results from multiple countries. To geobias results to the relevant area for your users, always add as many location details as possible to the request.

-The example in this section uses `Fuzzy Search` to search the entire world for *pizza*, then searches over the scope of a specific country. Finally, it demonstrates how to use a coordinate location and radius to scope a search over a specific area, and limit the number of returned results.

-| [Elevation][java elevation readme] ([deprecated](https://azure.microsoft.com/updates/azure-maps-elevation-apis-and-render-v2-dem-tiles-will-be-retired-on-5-may-2023)) | [azure-maps-elevation][java elevation package] | [elevation samples][java elevation sample] |

-[java elevation package]: https://repo1.maven.org/maven2/com/azure/azure-maps-elevation

-[java elevation readme]: https://github.com/Azure/azure-sdk-for-jav

-[java elevation sample]: https://github.com/Azure/azure-sdk-for-java/tree/main/sdk/maps/azure-maps-elevation/src/samples/java/com/azure/maps/elevation/samples

-description: Tutorial on how to use Microsoft Azure Maps Creator to create indoor maps

-# Tutorial: Use Creator to create indoor maps

-> * Upload your indoor map drawing package.

-> [!TIP]

-> You can also create a dataset from a GeoJSON package. For more information, see [Create a dataset using a GeoJson package (Preview)].

-* Download the [Sample drawing package]

-> * This article uses the `us.atlas.microsoft.com` geographical URL. If your Creator service wasn't created in the United States, you must use a different geographical URL. For more information, see [Access to Creator services].

-> * Replace `{Your-Azure-Maps-Subscription-key}` with your Azure Maps subscription key in the URL examples.

-Use the [Data Upload API] to upload the drawing package to Azure Maps resources.

-The Data Upload API is a long running transaction that implements the pattern defined in [Creator Long-Running Operation API V2].

-3. Enter a **Request name** for the request, such as *POST Data Upload*.

-5. Enter the following URL to the [Data Upload API] The request should look like the following URL:

-7. In the **KEY** field, select `Content-Type`.

-8. In the **VALUE** field, select `application/octet-stream`.

- :::image type="content" source="./media/tutorial-creator-indoor-maps/data-upload-header.png"alt-text="A screenshot of Postman showing the header tab information for data upload that highlights the Content Type key with the value of application forward slash octet dash stream.":::

-10. Select the **binary** radio button.

-11. Select **Select File**, and then select a drawing package.

- :::image type="content" source="./media/tutorial-creator-indoor-maps/data-upload-body.png" alt-text="A screenshot of Postman showing the body tab in the POST window, with Select File highlighted, it's used to select the drawing package to import into Creator.":::

-14. Copy the value of the **Operation-Location** key. The Operation-Location key is also known as the `status URL` and is required to check the status of the drawing package upload, which is explained in the next section.

- :::image type="content" source="./media/tutorial-creator-indoor-maps/data-upload-response-header.png" alt-text="A screenshot of Postman showing the header tab in the response window, with the Operation Location key highlighted.":::

-### Check the drawing package upload status

-3. Enter a **Request name** for the request, such as *GET Data Upload Status*.

-5. Enter the `status URL` you copied as the last step in the previous section. The request should look like the following URL:

-8. Copy the value of the **Resource-Location** key, which is the `resource location URL`. The `resource location URL` contains the unique identifier (`udid`) of the drawing package resource.

- :::image type="content" source="./media/tutorial-creator-indoor-maps/resource-location-url.png" alt-text="A screenshot of Postman showing the resource location URL in the responses header.":::

-### (Optional) Retrieve drawing package metadata

-3. Enter a **Request name** for the request, such as *GET Data Upload Metadata*.

-4. . Select the **GET** HTTP method.

-5. Enter the `resource Location URL` you copied as the last step in the previous section:

-7. In the response window, select the **Body** tab. The metadata should like the following JSON fragment:

-Now that the drawing package is uploaded, you use the `udid` for the uploaded package to convert the package into map data. The [Conversion API] uses a long-running transaction that implements the pattern defined in the [Creator Long-Running Operation] article.

-3. Enter a **Request name** for the request, such as *POST Convert Drawing Package*.

-5. Enter the following URL to the [Conversion service] (replace `{Your-Azure-Maps-Subscription-key}` with your Azure Maps subscription key and `udid` with the `udid` of the uploaded package):

-8. Copy the value of the **Operation-Location** key, it contains the `status URL` that you use to check the status of the conversion.

- :::image type="content" source="./media/tutorial-creator-indoor-maps/data-convert-location-url.png" border="true" alt-text="A screenshot of Postman showing the URL value of the operation location key in the responses header.":::

-### Check the drawing package conversion status

-After the conversion operation completes, it returns a `conversionId`. We can access the `conversionId` by checking the status of the drawing package conversion process. The `conversionId` can then be used to access the converted data.

-To check the status of the conversion process and retrieve the `conversionId`:

-3. Enter a **Request name** for the request, such as *GET Conversion Status*.

-4. Select the **GET** HTTP method:

-5. Enter the `status URL` you copied in [Convert a drawing package](#convert-a-drawing-package). The request should look like the following URL:

-8. Copy the value of the **Resource-Location** key, which is the `resource location URL`. The `resource location URL` contains the unique identifier (`conversionId`), which is used by other APIs to access the converted map data.

- :::image type="content" source="./media/tutorial-creator-indoor-maps/data-conversion-id.png" alt-text="A screenshot of Postman highlighting the conversion ID value that appears in the resource location key in the responses header.":::

-The sample drawing package should be converted without errors or warnings. However, if you receive errors or warnings from your own drawing package, the JSON response includes a link to the [Drawing error visualizer]. You can use the Drawing Error visualizer to inspect the details of errors and warnings. To receive recommendations to resolve conversion errors and warnings, see [Drawing conversion errors and warnings].

-A dataset is a collection of map features, such as buildings, levels, and rooms. To create a dataset, use the [Dataset Create API]. The Dataset Create API takes the `conversionId` for the converted drawing package and returns a `datasetId` of the created dataset.

-3. Enter a **Request name** for the request, such as *POST Dataset Create*.

-5. Enter the following URL to the [Dataset service]. The request should look like the following URL (replace `{conversionId`} with the `conversionId` obtained in [Check drawing package conversion status](#check-the-drawing-package-conversion-status)):

-8. Copy the value of the **Operation-Location** key, it contains the `status URL` that you use to check the status of the dataset.

- :::image type="content" source="./media/tutorial-creator-indoor-maps/data-dataset-location-url.png" border="true" alt-text="A screenshot of Postman showing the value of the operation location key for dataset in the responses header.":::

-To check the status of the dataset creation process and retrieve the `datasetId`:

-3. Enter a **Request name** for the request, such as *GET Dataset Status*.

-5. Enter the `status URL` you copied in [Create a dataset](#create-a-dataset). The request should look like the following URL:

-7. In the response window, select the **Headers** tab. The value of the **Resource-Location** key is the `resource location URL`. The `resource location URL` contains the unique identifier (`datasetId`) of the dataset.

- :::image type="content" source="./media/tutorial-creator-indoor-maps/dataset-id.png" alt-text="A screenshot of Postman highlighting the dataset ID value of the resource location key in the responses header.":::

-A tileset is a set of vector tiles that render on the map. Tilesets are created from existing datasets. However, a tileset is independent from the dataset from which it was sourced. If the dataset is deleted, the tileset continues to exist.

-3. Enter a **Request name** for the request, such as *POST Tileset Create*.

-5. Enter the following URL to the [Tileset service]. The request should look like the following URL (replace `{datasetId`} with the `datasetId` obtained in the [Check the dataset creation status](#check-the-dataset-creation-status) section:

-8. Copy the value of the **Operation-Location** key, it contains the `status URL`, which you use to check the status of the tileset.

- :::image type="content" source="./media/tutorial-creator-indoor-maps/data-tileset-location-url.png" border="true" alt-text="A screenshot of Postman highlighting the status URL that is the value of the operation location key in the responses header.":::

-### Check the tileset creation status

-To check the status of the tileset creation process and retrieve the `tilesetId`:

-3. Enter a **Request name** for the request, such as *GET Tileset Status*.

-5. Enter the `status URL` you copied in [Create a tileset](#create-a-tileset). The request should look like the following URL:

-7. In the response window, select the **Headers** tab. The value of the **Resource-Location** key is the `resource location URL`. The `resource location URL` contains the unique identifier (`tilesetId`) of the dataset.

- :::image type="content" source="./media/tutorial-creator-indoor-maps/tileset-id.png" alt-text="A screenshot of Postman highlighting the tileset ID that is part of the value of the resource location URL in the responses header.":::

-## The map configuration (preview)

-Once your tileset creation completes, you can get the `mapConfigurationId` using the [tileset get] HTTP request:

-3. Enter a **Request name** for the request, such as *GET mapConfigurationId from Tileset*.

-5. Enter the following URL to the [Tileset service], passing in the tileset ID you obtained in the previous step.

-7. The tileset JSON appears in the body of the response, scroll down to see the `mapConfigurationId`:

-For more information, see [Map configuration] in the indoor maps concepts article.

-[Create a dataset using a GeoJson package (Preview)]: how-to-dataset-geojson.md

-| [Elevation (DEM)](/rest/api/maps/elevation)([deprecated](https://azure.microsoft.com/updates/azure-maps-elevation-apis-and-render-v2-dem-tiles-will-be-retired-on-5-may-2023))| Yes| One request = 2 transactions<br> <ul><li>If requesting elevation for a single point then one request = 1 transaction| <ul><li>Location Insights Elevation (Gen2 pricing)</li><li>Standard S1 Elevation Service Transactions (Gen1 S1 pricing)</li></ul>|

-| [Render v1](/rest/api/maps/render)<br>[Render v2](/rest/api/maps/render-v2) | Yes, except for Terra maps (MapTile.GetTerraTile and layer=terra) which are non-billable.|<ul><li>15 tiles = 1 transaction, except microsoft.dem ([deprecated](https://azure.microsoft.com/updates/azure-maps-elevation-apis-and-render-v2-dem-tiles-will-be-retired-on-5-may-2023)) is one tile = 50 transactions</li><li>One request for Get Copyright = 1 transaction</li><li>One request for Get Map Attribution = 1 transaction</li><li>One request for Get Static Map = 1 transaction</li><li>One request for Get Map Tileset = 1 transaction</li></ul> <br> For Creator related usage, see the [Creator table](#azure-maps-creator). |<ul><li>Maps Base Map Tiles (Gen2 pricing)</li><li>Maps Imagery Tiles (Gen2 pricing)</li><li>Maps Static Map Images (Gen2 pricing)</li><li>Maps Traffic Tiles (Gen2 pricing)</li><li>Maps Weather Tiles (Gen2 pricing)</li><li>Standard Hybrid Aerial Imagery Transactions (Gen1 S0 pricing)</li><li>Standard Aerial Imagery Transactions (Gen1 S0 pricing)</li><li>Standard S1 Aerial Imagery Transactions (Gen1 S1 pricing)</li><li>Standard S1 Hybrid Aerial Imagery Transactions (Gen1 S1 pricing)</li><li>Standard S1 Rendering Transactions (Gen1 S1 pricing)</li><li>Standard S1 Tile Transactions (Gen1 S1 pricing)</li><li>Standard S1 Weather Tile Transactions (Gen1 S1 pricing)</li><li>Standard Tile Transactions (Gen1 S0 pricing)</li><li>Standard Weather Tile Transactions (Gen1 S0 pricing)</li><li>Maps Copyright (Gen2 pricing, Gen1 S0 pricing and Gen1 S1 pricing)</li></ul>|

-> Alerts generated by [VM insights](../vm/vminsights-overview.md) do not support the common schema.

- > [!NOTE]

- > Custom properties are currently only supported by metric alerts. For all other alert types, the **custom properties** field is null.

-|customProperties ||

-If you've configured action groups for a metric alert rule, you can add more information to the alert payload by adding custom properties.

-The custom properties section contains ΓÇ£key: valueΓÇ¥ objects that are added to webhook notifications.

-> [!NOTE]

-> Custom properties are currently only supported by metric alerts. For all other alert types, the **custom properties** field is null.

-> [!NOTE]

-> Smart detection alerts support the common schema by default. You don't have to enable the common schema for smart detection alerts.

- 1. (Optional) If you've configured action groups for this alert rule, you can add custom properties to the alert payload to add more information to the payload. In the **Custom properties** section, add the property **Name** and **Value** for the custom property you want included in the payload.

- :::image type="content" source="media/alerts-create-new-alert-rule/alerts-metric-rule-details-tab.png" alt-text="Screenshot that shows the Details tab when creating a new alert rule.":::

- 1. (Optional) If you've configured action groups for this alert rule, you can add custom properties to the alert payload to add more information to the payload. In the **Custom properties** section, add the property **Name** and **Value** for the custom property you want included in the payload.

- > [!NOTE]

- > The [common schema](alerts-common-schema.md) overwrites custom configurations. Therefore, you can't use both custom properties and the common schema for log alerts.

- :::image type="content" source="media/alerts-create-new-alert-rule/alerts-log-rule-details-tab.png" alt-text="Screenshot that shows the Details tab when creating a new log alert rule.":::

- 1. (Optional) In the **Advanced options** section, select **Enable upon creation** for the alert rule to start running as soon as you're done creating it.

- 1. (Optional) If you've configured action groups for this alert rule, you can add custom properties to the alert payload to add more information to the payload. In the **Custom properties** section, add the property **Name** and **Value** for the custom property you want included in the payload.

- > [!NOTE]

- > The [common schema](alerts-common-schema.md) overwrites custom configurations. Therefore, you can't use both custom properties and the common schema for activity log alerts.

- :::image type="content" source="media/alerts-create-new-alert-rule/alerts-activity-log-rule-details-tab.png" alt-text="Screenshot that shows the Actions tab when creating a new activity log alert rule.":::

- 1. (Optional) In the **Advanced options** section, select **Enable upon creation** for the alert rule to start running as soon as you're done creating it.

- 1. (Optional) If you've configured action groups for this alert rule, you can add custom properties to the alert payload to add more information to the payload. In the **Custom properties** section, add the property **Name** and **Value** for the custom property you want included in the payload.

- > [!NOTE]

- > The [common schema](alerts-common-schema.md) overwrites custom configurations. Therefore, you can't use both custom properties and the common schema for resource health alerts.

- :::image type="content" source="media/alerts-create-new-alert-rule/alerts-activity-log-rule-details-tab.png" alt-text="Screenshot that shows the Actions tab when creating a new activity log alert rule.":::

- 1. (Optional) In the **Advanced options** section, select **Enable upon creation** for the alert rule to start running as soon as you're done creating it.

- 1. (Optional) If you've configured action groups for this alert rule, you can add custom properties to the alert payload to add more information to the payload. In the **Custom properties** section, add the property **Name** and **Value** for the custom property you want included in the payload.

- > [!NOTE]

- > The [common schema](alerts-common-schema.md) overwrites custom configurations. Therefore, you can't use both custom properties and the common schema for service health alerts.

- :::image type="content" source="media/alerts-create-new-alert-rule/alerts-activity-log-rule-details-tab.png" alt-text="Screenshot that shows the Actions tab when creating a new activity log alert rule.":::

-1. **Option 1**: On the function app **Overview** pane, go to **Application Insights**. Under **Collection Level**, select **Recommended**.

- > [!div class="mx-imgBorder"]

- > :::image type="content" source="./media//functions/collection-level.jpg" lightbox="./media//functions/collection-level.jpg" alt-text="Screenshot that shows the how to enable the AppInsights Java Agent.":::

-2. **Option 2**: On the function app **Overview** pane, go to **Configuration**. Under **Application settings**, select **New application setting**.

- > [!div class="mx-imgBorder"]

- > :::image type="content" source="./media//functions/create-new-setting.png" lightbox="./media//functions/create-new-setting.png" alt-text="Screenshot that shows the New application setting option.":::

- Add an application setting with the following values and select **Save**.

- ```

- APPLICATIONINSIGHTS_ENABLE_AGENT: true

- ```

-Your Java functions might have slow startup times if you adopted this feature before February 2023. Follow the steps to fix the issue.

-1. Enable the latest version by adding this setting:

-1. Enable the latest version by adding this setting:

-Currently unavailable.

-Currently unavailable.

-

-Currently unavailable.

-Currently unavailable.

-1. Install the [OpenTelemetry Collector Exporter](https://www.npmjs.com/package/@opentelemetry/exporter-otlp-http) package in your project.

- npm install @opentelemetry/exporter-otlp-http

- const { SimpleSpanProcessor } = require('@opentelemetry/sdk-trace-base');

- const { OTLPTraceExporter } = require('@opentelemetry/exporter-otlp-http');

- appInsights.getTraceHandler().getTracerProvider().addSpanProcessor(new SimpleSpanProcessor(otlpExporter));

-Currently unavailable.

-using System.Diagnostics;

-using Azure.Monitor.OpenTelemetry.Exporter;

-using OpenTelemetry;

-using OpenTelemetry.Trace;

-using Azure.Monitor.OpenTelemetry.Exporter;

-using OpenTelemetry.Logs;

-using System.Diagnostics.Metrics;

-using Azure.Monitor.OpenTelemetry.Exporter;

-using OpenTelemetry;

-using OpenTelemetry.Metrics;

-using System.Diagnostics.Metrics;

-using Azure.Monitor.OpenTelemetry.Exporter;

-using OpenTelemetry;

-using OpenTelemetry.Metrics;

-using System.Diagnostics.Metrics;

-using Azure.Monitor.OpenTelemetry.Exporter;

-using OpenTelemetry;

-using OpenTelemetry.Metrics;

-using System.Diagnostics;

-using OpenTelemetry;

-using OpenTelemetry.Trace;

- using System.Diagnostics;

- using OpenTelemetry;

- using OpenTelemetry.Trace;

-

-using Azure.Monitor.OpenTelemetry.AspNetCore;

-using Microsoft.AspNetCore.Builder;

-using Microsoft.Extensions.DependencyInjection;

-builder.Services.AddOpenTelemetry().UseAzureMonitor(

-//Uncomment the line below when setting the Application Insights Connection String via code

-//options => options.ConnectionString = "<Your Connection String>"

-);

-//Uncomment the line below when setting the Application Insights Connection String via code

-//config.azureMonitorExporterConfig.connectionString = "<Your Connection String>";

- Uncomment the code line with `<Your Connection String>`, and replace the placeholder with *your* unique connection string.

-| &nbsp;&nbsp;&nbsp;OpenTelemetry API | | | Yes | Yes | | Yes | |

-```csharp

-using System.Diagnostics.Metrics;

-using Azure.Monitor.OpenTelemetry.Exporter;

-using OpenTelemetry;

-using OpenTelemetry.Metrics;

-public class Program

-{

- internal static readonly Meter meter = new("OTel.AzureMonitor.Demo");

- public static void Main()

- {

- using var meterProvider = Sdk.CreateMeterProviderBuilder()

- .AddMeter("OTel.AzureMonitor.Demo")

- .AddAzureMonitorMetricExporter(o =>

- {

- o.ConnectionString = "<Your Connection String>";

- })

- .Build();

- var process = Process.GetCurrentProcess();

-

- ObservableGauge<int> myObservableGauge = meter.CreateObservableGauge("Thread.State", () => GetThreadState(process));

- System.Console.WriteLine("Press Enter key to exit.");

- System.Console.ReadLine();

- }

-

- private static IEnumerable<Measurement<int>> GetThreadState(Process process)

- {

- foreach (ProcessThread thread in process.Threads)

- {

- yield return new((int)thread.ThreadState, new("ProcessId", process.Id), new("ThreadId", thread.Id));

- }

- }

-}

-```

-> The advantage of using options provided by instrumentation libraries, when they're available, is that the entire context is available. As a result, users can select to add or filter more attributes. For example, the enrich option in the HttpClient instrumentation library gives users access to the httpRequestMessage itself. They can select anything from it and store it as an attribute.

- - [HttpClient and HttpWebRequest](https://github.com/open-telemetry/opentelemetry-dotnet/blob/1.0.0-rc9.14/src/OpenTelemetry.Instrumentation.Http/README.md#enrich)

-using System.Diagnostics;

-using OpenTelemetry;

-using OpenTelemetry.Trace;

- span.attributes[SemanticAttributes.HTTP_CLIENT_IP] = "<IP Address>";

-Currently unavailable.

- using System.Diagnostics;

- using OpenTelemetry;

- using OpenTelemetry.Trace;

-

-Data collection endpoints only support Log Analytics workspaces as a destination for collected data. [Custom metrics (preview)](../essentials/metrics-custom-overview.md) collected and uploaded via Azure Monitor Agent aren't currently controlled by DCEs. They also can't be configured over private links.

- | `<CONTAINER-IMAGE-VERSION>` | `mcr.microsoft.com/azuremonitor/prometheus/promdev/prom-remotewrite:prom-remotewrite-20230323.1`<br>This is the remote write container image version. |

- | `<CONTAINER-IMAGE-VERSION>` | `mcr.microsoft.com/azuremonitor/prometheus/promdev/prom-remotewrite:prom-remotewrite-20230323.1`<br>This is the remote write container image version. |

-> The table creation for a log ingestion API custom log below can't be used to create a [agent custom log table](..agents/data-collection-text-log.md). You must use the CLI or custom template process to create the table. If you do not have sufficent rights to run CLI or custom tempate you must ask your adminitrator to add the table for you.

-| Network | WriteBytesPerSecond | Network Write Bytes Per Second | BytesPerSecond | NetworkDeviceId - Id of the device<br>bytes - Total sent bytes |

-| Network | ReadBytesPerSecond | Network Read Bytes Per Second | BytesPerSecond | networkDeviceId - Id of the device<br>bytes - Total received bytes |

-* Learn about [writing search queries](../logs/get-started-queries.md).

-### AzAcSnap 8 (Build: 1AC073A)

-This article describes the Bicep operators. Operators are used to calculate values, compare values, or evaluate conditions. There are five types of Bicep operators:

-## Azure Files and Azure File Sync

-To learn more about the limits for Azure Files and File Sync, see [Azure Files scalability and performance targets](../../storage/files/storage-files-scale-targets.md).

-## Storage limits

-<!--like # storage accts -->

-For more information on limits for standard storage accounts, see [Scalability targets for standard storage accounts](../../storage/common/scalability-targets-standard-account.md).

-### Storage resource provider limits

-### Azure Blob storage limits

-### Azure Queue storage limits

-### Azure Table storage limits

- | API key| This is your personal API key, which is available under **Profile** in the [developer portal](https://api-portal.videoindexer.ai/profile)|

- **SSRS Configuration with SQL 2017**

- When you're using your own instance of SQL 2017, you need to manually configure SSRS. After SSRS configuration, ensure that *IsInitialized* property of SSRS is set to *True*. When this is set to True, MABS assumes that SSRS is already configured and will skip the SSRS configuration.

-description: Use a PowerShell script to silently install Azure Backup Server V2. This kind of installation is also called an unattended installation.

-These steps don't apply if you're installing Azure Backup Server V1.

-1. On the server that hosts Azure Backup Server V2 or later, create a text file. (You can create the file in Notepad or in another text editor.) Save the file as MABSSetup.ini.

-2. Paste the following code in the MABSSetup.ini file. Replace the text inside the brackets (\< \>) with values from your environment. The following text is an example:

- ReportingInstanceName=<reporting instance name>

- VaultCredentialFilePath=<vault credential full path and complete name>

- PassphraseSaveLocation=<passphrase save location>

-3. Save the file. Then, at an elevated command prompt on the installation server, enter this command:

- sku='16-04-lts',

- node_agent_sku_id='batch.node.ubuntu 16.04'),

- sku: "16-04-lts",

- nodeAgentSkuId: "batch.node.ubuntu 16.04");

- sku='16-04-lts',

- node_agent_sku_id='batch.node.ubuntu 16.04'),

- sku: "16-04-lts",

- nodeAgentSkuId: "batch.node.ubuntu 16.04");

- sku='16-04-lts',

- node_agent_sku_id='batch.node.ubuntu 16.04'),

- nodeAgentSkuId: "batch.node.ubuntu 16.04");

- nodeAgentSkuId: "batch.node.ubuntu 16.04");

-| Asia | Hong Kong SAR<br />Jakarta, Indonesia<br />Osaka, Japan<br />Tokyo, Japan<br />Singapore<br />Kaohsiung, Taiwan<br />Taipei, Taiwan <br />Manila, Philippines | Hong Kong SAR<br />Indonesia<br />Israel<br />Japan<br />Macao<br />Malaysia<br />Philippines<br />Singapore<br />South Korea<br />Taiwan<br />Thailand<br />T├╝rkiye<br />Vietnam |

- // Note that 'Captions' is only supported in Azure GPU regions (East US, France Central, Korea Central,

- // North Europe, Southeast Asia, West Europe, West US)

- | ImageAnalysisFeature.Captions

-# Note that 'Captions' is only supported in Azure GPU regions (East US, France Central, Korea Central,

- visionsdk.ImageAnalysisFeature.CAPTIONS |

-|`features`|`DenseCaption` | generates detailed captions for individual regions in the image. |

-* See the [API reference](https://aka.ms/vision-4-0-ref) to learn more about the API functionality.

-description: An overview of the capabilities of the Speech SDK audio input stream API.

- - PCM format (int-16)

-Make sure that your code provides the RAW audio data according to these specifications. Also, make sure that 16-bit samples arrive in little-endian format. Signed samples are also supported. If your audio source data doesn't match the supported formats, the audio must be transcoded into the required format.

-public class ContosoAudioStream : PullAudioInputStreamCallback {

- ContosoConfig config;

- public ContosoAudioStream(const ContosoConfig& config) {

- this.config = config;

- }

- public int Read(byte[] buffer, uint size) {

- // Returns audio data to the caller.

- // E.g., return read(config.YYY, buffer, size);

- }

- public void Close() {

- // Close and clean up resources.

- }

-};

-Create an audio configuration based on your audio format and input stream. Pass in both your regular speech configuration and the audio input configuration when you create your recognizer. For example:

-var audioConfig = AudioConfig.FromStreamInput(new ContosoAudioStream(config), audioFormat);

-var speechConfig = SpeechConfig.FromSubscription(...);

-var recognizer = new SpeechRecognizer(speechConfig, audioConfig);

-// Run stream through recognizer.

-var result = await recognizer.RecognizeOnceAsync();

-var text = result.GetText();

-| `telephone` | None | The text is spoken as a telephone number. The `format` attribute can contain digits that represent a country code. Examples are "1" for the United States or "39" for Italy. The speech synthesis engine can use this information to guide its pronunciation of a phone number. The phone number might also include the country code, and if so, takes precedence over the country code in the `format` attribute. The speech synthesis engine pronounces:<br /><br />`The number is <say-as interpret-as="telephone" format="1">(888) 555-1212</say-as>`<br /><br />As "My number is area code eight eight eight five five five one two one two." |

-1. The **Allowed IP addresses** field is optional and specifies an IP address or a range of IP addresses from which to accept requests. If the request IP address doesn't match the IP address or address range specified on the SAS token, authorization fails.

-> [!div class="nextstepaction"]

-> <a href="https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=REST API&Pillar=Language&Product=Key-phrase-extraction&Page=quickstart&Section=Clean-up-resources" target="_target">I ran into an issue</a>

-> [!div class="nextstepaction"]

-> <a href="https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=REST API&Pillar=Language&Product=Language-detection&Page=quickstart&Section=Clean-up-resources" target="_target" target="_target">I ran into an issue</a>

-> [!div class="nextstepaction"]

-> <a href="https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=JAVA&Pillar=Language&Product=Named-entity-recognition&Page=quickstart&Section=Clean-up-resources" target="_target">I ran into an issue</a>

-> [!div class="nextstepaction"]

-> [Call NER using the REST API or client library](../quickstart.md)

-> [!div class="nextstepaction"]

-> <a href="https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=PYTHON&Pillar=Language&Product=Personally-identifying-info&Page=quickstart&Section=Clean-up-resources" target="_target">I ran into an issue</a>

-> [!div class="nextstepaction"]

-> [Edit a project](../How-to/manage-knowledge-base.md)

-> [!div class="nextstepaction"]

-> [Best practices](./best-practices.md)

-> [!div class="nextstepaction"]

-> [Active learning suggestions](../tutorials/active-learning.md)

-> [!div class="nextstepaction"]

-> [Choose capactiy](../../../qnamaker/how-to/improve-knowledge-base.md)

-> [!div class="nextstepaction"]

-> [Get started with Question Answering](../quickstart/sdk.md)

-> [!div class="nextstepaction"]

-> [Import a project](./migrate-knowledge-base.md)

-> [!div class="nextstepaction"]

-> [Add questions with metadata](../../../qnamaker/quickstarts/add-question-metadata-portal.md)

-> [!div class="nextstepaction"]

-> [Edit a project](../../../qnamaker/How-To/edit-knowledge-base.md)

-> [!div class="nextstepaction"]

-> [Language selection](../index.yml)

-> [!div class="nextstepaction"]

-> [Review the latest changes](../whats-new.md)

-> [!div class="nextstepaction"]

-> <a href="https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=PYTHON&Pillar=Language&Product=Question-answering&Page=quickstart&Section=Clean-up-resources" target="_target">I ran into an issue</a>

-> [!div class="nextstepaction"]

-> [Improve the quality of responses with synonyms](adding-synonyms.md)

-> [!div class="nextstepaction"]

-> [Create projects in multiple languages](multiple-languages.md)

-> [!div class="nextstepaction"]

-> [Multi-turn prompts](guided-conversations.md)

-> [!div class="nextstepaction"]

-> [Enrich your knowlege base with active learning](active-learning.md)

-> [!div class="nextstepaction"]

-> <a href="https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=REST API&Pillar=Language&Product=Summarization&Page=quickstart&Section=Document-summarization" target="_target">I ran into an issue</a>

-> [!div class="nextstepaction"]

-> <a href="https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=REST API&Pillar=Language&Product=Summarization&Page=quickstart&Section=Clean-up-resources" target="_target" target="_target">I ran into an issue</a>

-* [How to call the Text Analytics for health](../how-to/call-api.md)

-By default, Text Analytics for health will use the latest available AI model on your text. You can also configure your API requests to use a specific model version. The model you specify will be used to perform operations provided by the Text Analytics for health. Extraction of social determinants of health entities is supported with the new preview model version "2023-01-01-preview".

-| Supported Versions | latest version |

-| `2023-01-01-preview` | `2023-01-01-preview` |

-| `2022-08-15-preview` | `2022-08-15-preview` |

-| `2022-03-01` | `2022-03-01` |

-> [!div class="nextstepaction"]

-> <a href="https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=CSHARP&Pillar=Language&Product=Text-analytics-for-health&Page=quickstart&Section=Clean-up-resources" target="_target">I ran into an issue</a>

-One method of identifying similar documents is to count the number of common words between documents. Unfortunately, this approach doesn't scale since an expansion in document size is likely to lead to a greater number of common words detected even among completely disparate topics. For this reason, cosine similarity can offer a more effective alternative.

-From a mathematic perspective, cosine similarity measures the cosine of the angle between two vectors projected in a multi-dimensional space. This is beneficial because if two documents are far apart by Euclidean distance because of size, they could still have a smaller angle between them and therefore higher cosine similarity. For more information on cosine similarity and the [underlying formula](https://en.wikipedia.org/wiki/Cosine_similarity).

-Azure OpenAI embeddings rely on cosine similarity to compute similarity between documents and a query.

-# Tutorial: Enable inline interoperability features in your Chat app

-The Chat SDK for JavaScript provides `previewUrl` and `url` for each inline images. Please note that some GIF images fetched from `previewUrl` might not be animated and a static preview image would be returned instead. Developers are expected to use the `url` if the intention is to fetch animated images only.

-Computing is an essential part of our daily lives, powering everything from our smartphones to critical infrastructure. However, increasing regulatory environments, prevalence of cyberattacks, and growing sophistication of attackers have made it difficult to trust the authenticity and integrity of the computing technologies we depend on. Attestation, a technique to verify the software and hardware components of a system, is a critical process for establishing trust and ensuring that computing technologies we rely on are trustworthy.

-1. A Citizen wants a passport to travel to a Foreign Country. The Citizen submits evidence requirements to their Host Country.

-2. Host country receives the evidence of policy compliance from the individual and verifies whether the supplied evidence proves that the individual complies with the policies for being issued a passport.

-3. If the Host Country decides the evidence meets their policies, the Host Country will issue a passport for a Citizen.

-4. The Citizen travels to a foreign nation, but first must present their passport to the Foreign Country Border Patrol Agent for evaluation.

-5. The Foreign Country Border Patrol Agent checks a series of rules on the passport before trusting it

- - Passport was produced by a trusted country.

-6. The Foreign Country Border Patrol Agent approves of the Passport and the Citizen can enter the Foreign Country.

-[az-acr-run]: /cli/azure/acr#az_acr_run

-REST endpoint: `.azurecr.io`

-Data endpoint(s): `..data.azurecr.io`

-Azure Cosmos DB allows you to isolate and restrict the restore permissions for continuous backup account to a specific role or a principal. The owner of the account can trigger a restore and assign a role to other principals to perform the restore operation. To learn more, see the [Permissions](continuous-backup-restore-permissions.md) article.

-|`ConnectionString`| Your .NET SDK endpoint, which you'll find in the **Overview** section of your Azure Cosmos DB for Gremlin database account. It's formatted as `https://your-graph-database-account.documents.azure.com:443/`.

-`DatabaseName`, `ContainerName`|The names of the target database and container.|

-In the API for MongoDB, compound indexes are **required** if your query needs the ability to sort on multiple fields at once. For queries with multiple filters that don't need to sort, create multiple single field indexes instead of a compound index to save on indexing costs.

-A compound index or single field indexes for each field in the compound index will result in the same performance for filtering in queries.

-Compounded indexes on nested fields are not supported by default due to limiations with arrays. If your nested field does not contain an array, the index will work as intended. If your nested field contains an array (anywhere on the path), that value will be ignored in the index.

-For example a compound index containing people.tom.age will work in this case since there's no array on the path:

-```javascript

-{ "people": { "tom": { "age": "25" }, "mark": { "age": "30" } } }

-but won't won't work in this case since there's an array in the path:

-```javascript

-{ "people": { "tom": [ { "age": "25" } ], "mark": [ { "age": "30" } ] } }

-This project supports multiple Spring Boot Versions. Visit [spring boot support policy](https://github.com/Azure/azure-sdk-for-java/tree/main/sdk/cosmos/azure-spring-data-cosmos#spring-boot-support-policy) for more information. Maven users can inherit from the `spring-boot-starter-parent` project to obtain a dependency management section to let Spring manage the versions for dependencies. Visit [spring boot version support](https://github.com/Azure/azure-sdk-for-java/tree/main/sdk/cosmos/azure-spring-data-cosmos#spring-boot-version-support) for more information.

-This project supports different spring-data-commons versions. Visit [spring data version support](https://github.com/Azure/azure-sdk-for-java/tree/main/sdk/cosmos/azure-spring-data-cosmos#spring-data-version-support) for more information.

-Azure Spring Data Azure Cosmos DB library supports multiple versions of Spring Boot / Spring Cloud. Refer to [azure Spring Data Azure Cosmos DB version mapping](https://github.com/Azure/azure-sdk-for-jav#which-version-of-azure-spring-data-cosmos-should-i-use) for detailed information on which version of Azure Spring Data Azure Cosmos DB to use with Spring Boot / Spring Cloud version.

-| **Release notes** | [Release notes for Spring Data Azure Cosmos DB SDK v3](https://github.com/Azure/azure-sdk-for-jav) |

-| **SDK Documentation** | [Azure Spring Data Azure Cosmos DB SDK v3 documentation](https://github.com/Azure/azure-sdk-for-jav) |

-| **Contribute to SDK** | [Azure SDK for Java Central Repo on GitHub](https://github.com/Azure/azure-sdk-for-java/tree/master/sdk/cosmos/azure-spring-data-cosmos) |

-Release history is maintained in the azure-sdk-for-java repo, for detailed list of releases, see the [changelog file](https://github.com/Azure/azure-sdk-for-jav).

-* [Django](https://docs.citusdata.com/en/stable/develop/migration_mt_django.html),

-* [Django instructions](https://docs.citusdata.com/en/stable/develop/migration_mt_django.html)

->- When you delete a service instance, the associated managed identity will be deleted along.

-See [Limitations](../active-directory/managed-identities-azure-resources/managed-identities-faq.md#limitations) of managed identities, which also apply to managed identities in Azure Data Factory.

-What permissions do I need for discovery? | Storage account: Subscription Owner or Microsoft.Storage/storageaccounts/{read/write} and Microsoft.Authorization/roleAssignments/{read/write/delete}<br/><br/> Amazon S3 buckets: AWS account permission to run Cloud Formation (to create a role).

-You can drill down into API collection to review security findings for onboarded API endpoints.

-## Detecting runtime threats

-Defender for APIs monitors runtime traffic and threat intelligence feeds, and issues threat detection alerts. API alerts detect the top 10 OWASP threats, data exfiltration, volumetric attacks, anomalous and suspicious API parameters, traffic and IP access anomalies, and usage patterns.

-Act on recommendations and alerts to mitigate threats and risk. Defender for Cloud alerts and recommendations can be exported into SIEM systems such as Microsoft Sentinel, for investigation within existing threat response workflows for fast and efficient remediation. [Learn more](export-to-siem.md).

-[Review support and prerequisites](defender-for-apis-prepare.md) for Defender for APIs deployment.

- :::image type="content" source="media/defender-for-apis-posture/view-resource.png" alt-text="Screenshot that shows an API endpoint details." lightbox="media/defender-for-apis-posture/view-resource.png":::

-1. In the **Alerts** tab review security alerts for the endpoint. Defender for Endpoint monitors API traffic to and from endpoints, to provide runtime protection against suspicious behavior and malicious attacks.

-When the Defender CSPM plan is enabled together with Defender for APIs, you can use Cloud Security Explorer to query Cloud Security Graph, to identify, review and analyze API security risks across your organization.

-1. You can build your own query, or select the API query template.

- 1. To build your own query, in **What would you like to search?** select the **APIs** category. You can query:

- - API collections that contain one or more API endpoints.

- - API endpoints for Azure API Management operations.

- :::image type="content" source="media/defender-for-apis-posture/api-insights.png" alt-text="Screenshot that shows the predefined API query." lightbox="media/defender-for-apis-posture/api-insights.png":::

-

- The search resultS display each API resource with its associated insights, so that you can review, prioritize, and fix any issues.

- Alternatively, you can select the predefined query **Unauthenticated API endpoints containing sensitive data are outside the virtual network** > **Open query**. The query returns all unauthenticated API endpoints that contain sensitive data and aren't part of the Azure API management network.

-

- :::image type="content" source="media/defender-for-apis-posture/predefined-query.png" alt-text="Screenshot that shows a predefined API query.":::

-

-When a scan is triggered, findings are available as Defender for Cloud recommendations from 2 minutes up to 15 minutes after the scan is complete.

- 1. From the scope list, subscriptions with active rules show as **Rule applied**.

- :::image type="content" source="./media/remediate-vulnerability-findings-vm/modify-rule.png" alt-text="Modify or delete an existing rule.":::

-|Clouds:|:::image type="icon" source="./media/icons/yes-icon.png"::: Commercial clouds<br>:::image type="icon" source="./media/icons/yes-icon.png"::: Azure Government<br>:::image type="icon" source="./media/icons/no-icon.png"::: Azure China 21Vianet|

-Defender for Cloud already supports different agent-based vulnerability scans, including [Microsoft Defender Vulnerability Management](deploy-vulnerability-assessment-defender-vulnerability-management.md), [BYOL](deploy-vulnerability-assessment-byol-vm.md) and [Qualys](deploy-vulnerability-assessment-vm.md). Agentless scanning extends the visibility of Defender for Cloud to reach more devices.

- If you want to change the default behavior so that Defender for Cloud always displays results from Defender Vulnerability Management (regardless of a third-party agent solution), select the [Defender Vulnerability Management](auto-deploy-vulnerability-assessment.md#automatically-enable-a-vulnerability-assessment-solution) setting in the vulnerability assessment solution.

- The agentless scanning setting is shared by both Defender Cloud Security Posture Management (CSPM) or Defender for Servers P2. When you enable agentless scanning on either plan, the setting is enabled for both plans.

-After you enable agentless scanning, software inventory and vulnerability information is updated automatically in Defender for Cloud.

- - The location of the default workspace depends on your Azure Arc machine region. [Learn more](https://learn.microsoft.com/azure/defender-for-cloud/faq-data-collection-agents#where-is-the-default-log-analytics-workspace-created-).

- - The location of the custom-created workspace is set by your organization. [Learn more](https://learn.microsoft.com/azure/defender-for-cloud/faq-data-collection-agents#how-can-i-use-my-existing-log-analytics-workspace-) about using a custom workspace.

-To view compliance data, you need to have at least **Reader** access to the policy compliance data as well; so Security Reader alone wonΓÇÖt suffice. If you're a global reader on the subscription, that will be enough too.

- You may have tweak `Update-AzSqlServerVulnerabilityAssessmentSetting` according to [Store Vulnerability Assessment scan results in a storage account accessible behind firewalls and VNets](/azure/azure-sql/database/sql-database-vulnerability-assessment-storage?toc=%2Fazure%2Fdefender-for-cloud%2Ftoc.json&view=azuresql).