+When you set up an identity provider for sign-up and sign-in in your Azure Active Directory B2C (Azure AD B2C) applications, you need to specify the endpoints of the Azure AD B2C identity provider. You should no longer reference *login.microsoftonline.com* in your applications and APIs for authenticating users with Azure AD B2C. Instead, use *b2clogin.com* or a [custom domain](./custom-domain.md) for all applications.

+The transition to b2clogin.com only applies to authentication endpoints that use Azure AD B2C policies (user flows or custom policies) to authenticate users. These endpoints have a `<policy-name>` parameter, which specifies the policy Azure AD B2C should use. [Learn more about Azure AD B2C policies](technical-overview.md#identity-experiences-user-flows-or-custom-policies).

+Old endpoints may look like:

+- <code>https://<b>login.microsoft.com</b>/\<tenant-name\>.onmicrosoft.com/<b>\<policy-name\></b>/oauth2/v2.0/authorize</code>

+- <code>https://<b>login.microsoft.com</b>/\<tenant-name\>.onmicrosoft.com/oauth2/v2.0/authorize<b>?p=\<policy-name\></b></code>

+A corresponding updated endpoint would look like:

+- <code>https://<b>\<tenant-name\>.b2clogin.com</b>/\<tenant-name\>.onmicrosoft.com/<b>\<policy-name\></b>/oauth2/v2.0/authorize</code>

+- <code>https://<b>\<tenant-name\>.b2clogin.com</b>/\<tenant-name\>.onmicrosoft.com/oauth2/v2.0/authorize?<b>p=\<policy-name\></b></code>

+With Azure AD B2C [custom domain](./custom-domain.md) the corresponding updated endpoint would look like:

+- <code>https://<b>login.contoso.com</b>/\<tenant-name\>.onmicrosoft.com/<b>\<policy-name\></b>/oauth2/v2.0/authorize</code>

+- <code>https://<b>login.contoso.com</b>/\<tenant-name\>.onmicrosoft.com/oauth2/v2.0/authorize?<b>p=\<policy-name\></b></code>

+## Endpoints that are not affected

+Some customers use the shared capabilities of Azure AD enterprise tenants. For example, acquiring an access token to call the [MS Graph API](microsoft-graph-operations.md#code-discussion) of the Azure AD B2C tenant.

+All endpoints, which don't contain a policy parameter aren't affected by the change. They're accessed only with the Azure AD's login.microsoftonline.com endpoints, and can't be used with the *b2clogin.com*, or custom domains. The following example shows a valid token endpoint of the Azure AD platform:

+```http

+https://login.microsoftonline.com/<tenant-name>.onmicrosoft.com/oauth2/v2.0/token

+```

+There are several modifications you might need to make to migrate your applications from *login.microsoftonline.com* using Azure AD B2C endpoints:

+* Change the redirect URL in your identity provider's applications to reference *b2clogin.com*, or custom domain. For more information, follow the [change identity provider redirect URLs](#change-identity-provider-redirect-urls) guidance.

+* Update your Azure AD B2C applications to use *b2clogin.com*, or custom domain in their user flow and token endpoint references. The change may include updating your use of an authentication library like Microsoft Authentication Library (MSAL).

+On each identity provider's website in which you've created an application, change all trusted URLs to redirect to `your-tenant-name.b2clogin.com`, or a custom domain instead of *login.microsoftonline.com*.

+There are two formats you can use for your b2clogin.com redirect URLs. The first provides the benefit of not having "Microsoft" appear anywhere in the URL by using the Tenant ID (a GUID) in place of your tenant domain name. Note, the `authresp` endpoint may not contain a policy name.

+If you're using [MSAL.NET][msal-dotnet] v2 or earlier, set the **ValidateAuthority** property to `false` on client instantiation to allow redirects to *b2clogin.com*. Setting this value to `false` isn't required for MSAL.NET v3 and above.

+| Step | Description |

+| : | :- |

+| 1. | User opens Azure AD B2C's sign-in page and then signs in or signs up by entering their username. |

+| 2. | Azure AD B2C redirects the user to xID authorize API endpoint using an OpenID Connect (OIDC) request. An OIDC endpoint is available containing information about the endpoints. xID Identity provider (IdP) redirects the user to the xID authorization sign-in page allowing the user to fill in or select their email address. |

+| 3. | xID IdP sends the push notification to the user's mobile device. |

+| 4. | The user opens the xID app, checks the request, then enters the PIN or authenticates with their biometrics. If PIN or biometrics is successfully verified, xID app activates the private key and creates an electronic signature. |

+| 5. | xID app sends the signature to xID IdP for verification. |

+| 6. | xID IdP shows a consent screen to the user, requesting authorization to give their personal information to the service they're signing in. |

+| 7. | xID IdP returns the OAuth authorization code to Azure AD B2C. |

+| 8. | Azure AD B2C sends a token request using the authorization code. |

+| 9. | xID IdP checks the token request and, if still valid, returns the OAuth access token and the ID token containing the requested user's identifier and email address. |

+| 10. | In addition, if the user's customer content is needed, Azure AD B2C calls the xID userdata API. |

+| 11. | The xID userdata API returns the user's encrypted customer content. Users can decrypt it with their private key, which they create when requesting the xID client information. |

+| 12. | User is either granted or denied access to the customer application based on the verification results. |

+Supply redirect URI. This is the URI in your site to which the user is returned after a successful authentication. The URI that should be provided to xID for your Azure AD B2C follows the pattern - `https://<your-b2c-domain>.b2clogin.com/<your-b2c-domain>.onmicrosoft.com/oauth2/authresp`.

+## Step 1: Register a web application in Azure AD B2C

+Before your [applications](application-types.md) can interact with Azure AD B2C, they must be registered in a tenant that you manage.

+For testing purposes like this tutorial, you're registering `https://jwt.ms`, a Microsoft-owned web application that displays the decoded contents of a token (the contents of the token never leave your browser).

+Follow the steps mentioned in [this tutorial](tutorial-register-applications.md?tabs=app-reg-ga) to **register a web application** and **enable ID token implicit grant** for testing a user flow or custom policy. There's no need to create a Client Secret at this time.

+## Step 2: Create a xID policy key

+## Step 3: Configure xID as an Identity provider

+1. Get the custom policy starter packs from GitHub, then update the XML files in the SocialAccounts starter pack with your Azure AD B2C tenant name:

+ ii. In all of the files in the **SocialAccounts** directory, replace the string `yourtenant` with the name of your Azure AD B2C tenant. For example, if the name of your B2C tenant is `contoso`, all instances of `yourtenant.onmicrosoft.com` become `contoso.onmicrosoft.com`.

+2. Open the `SocialAccounts/TrustFrameworkExtensions.xml`.

+ <Item Key="ValidTokenIssuerPrefixes">https://oidc-uat.x-id.io/</Item>

+ <Key Id="client_secret" StorageReferenceId="B2C_1A_XIDSecAppSecret" />

+ <OutputClaim ClaimTypeReferenceId="XID_verified" />

+## Step 4: Add a user journey

+At this point, you've set up the identity provider, but it's not yet available on any of the sign-in pages. If you have a custom user journey, continue to [step 5](#step-5-add-the-identity-provider-to-a-user-journey). Otherwise, create a duplicate of an existing template user journey as follows:

+## Step 5: Add the identity provider to a user journey

+2. In the next orchestration step, add a **ClaimsExchange** element. Set the **Id** to the value of the target claims exchange ID to link the xID button to `X-IDExchange` action. Next, update the value of **TechnicalProfileReferenceId** to the ID of the technical profile you created earlier `X-ID-Oauth2`.

+3. Add a new Orchestration step to call xID UserInfo endpoint to return claims about the authenticated user `X-ID-Userdata`.

+ The following XML demonstrates the orchestration steps of a user journey with xID identity provider:

+ <UserJourney Id="CombinedSignInAndSignUp">

+There are additional identity claims that xID supports and are referenced as part of the policy. Claims schema is the place where you declare these claims. ClaimsSchema element contains list of ClaimType elements. The ClaimType element contains the Id attribute, which is the claim name.

+1. Open the `TrustFrameworksExtension.xml`

+2. Find the `BuildingBlocks` element.

+3. Add the following ClaimType element in the **ClaimsSchema** element of your `TrustFrameworksExtension.xml` policy

+```xml

+ <BuildingBlocks>

+ <ClaimsSchema>

+ <!-- xID -->

+ <ClaimType Id="sid">

+ <DisplayName>sid</DisplayName>

+ <DataType>string</DataType>

+ </ClaimType>

+ <ClaimType Id="userdataid">

+ <DisplayName>userdataid</DisplayName>

+ <DataType>string</DataType>

+ </ClaimType>

+ <ClaimType Id="xid_verified">

+ <DisplayName>xid_verified</DisplayName>

+ <DataType>boolean</DataType>

+ </ClaimType>

+ <ClaimType Id="email_verified">

+ <DisplayName>email_verified</DisplayName>

+ <DataType>boolean</DataType>

+ </ClaimType>

+ <ClaimType Id="identityProviderAccessToken">

+ <DisplayName>Identity Provider Access Token</DisplayName>

+ <DataType>string</DataType>

+ <AdminHelpText>Stores the access token of the identity provider.</AdminHelpText>

+ </ClaimType>

+ <ClaimType Id="last_name">

+ <DisplayName>last_name</DisplayName>

+ <DataType>string</DataType>

+ </ClaimType>

+ <ClaimType Id="first_name">

+ <DisplayName>first_name</DisplayName>

+ <DataType>string</DataType>

+ </ClaimType>

+ <ClaimType Id="previous_name">

+ <DisplayName>previous_name</DisplayName>

+ <DataType>string</DataType>

+ </ClaimType>

+ <ClaimType Id="year">

+ <DisplayName>year</DisplayName>

+ <DataType>string</DataType>

+ </ClaimType>

+ <ClaimType Id="month">

+ <DisplayName>month</DisplayName>

+ <DataType>string</DataType>

+ </ClaimType>

+ <ClaimType Id="date">

+ <DisplayName>date</DisplayName>

+ <DataType>string</DataType>

+ </ClaimType>

+ <ClaimType Id="prefecture">

+ <DisplayName>prefecture</DisplayName>

+ <DataType>string</DataType>

+ </ClaimType>

+ <ClaimType Id="city">

+ <DisplayName>city</DisplayName>

+ <DataType>string</DataType>

+ </ClaimType>

+ <ClaimType Id="address">

+ <DisplayName>address</DisplayName>

+ <DataType>string</DataType>

+ </ClaimType>

+ <ClaimType Id="sub_char_common_name">

+ <DisplayName>sub_char_common_name</DisplayName>

+ <DataType>string</DataType>

+ </ClaimType>

+ <ClaimType Id="sub_char_previous_name">

+ <DisplayName>sub_char_previous_name</DisplayName>

+ <DataType>string</DataType>

+ </ClaimType>

+ <ClaimType Id="sub_char_address">

+ <DisplayName>sub_char_address</DisplayName>

+ <DataType>string</DataType>

+ </ClaimType>

+ <ClaimType Id="verified_at">

+ <DisplayName>verified_at</DisplayName>

+ <DataType>int</DataType>

+ </ClaimType>

+ <ClaimType Id="gender">

+ <DisplayName>Gender</DisplayName>

+ <DataType>string</DataType>

+ <DefaultPartnerClaimTypes>

+ <Protocol Name="OpenIdConnect" PartnerClaimType="gender" />

+ </DefaultPartnerClaimTypes>

+ <AdminHelpText>The user's gender.</AdminHelpText>

+ <UserHelpText>Your gender.</UserHelpText>

+ <UserInputType>TextBox</UserInputType>

+ </ClaimType>

+ <ClaimType Id="correlationId">

+ <DisplayName>correlation ID</DisplayName>

+ <DataType>string</DataType>

+ </ClaimType>

+ <!-- xID -->

+ </ClaimsSchema>

+ </BuildingBlocks>

+```

+In the following example, for the xID user journey, the **ReferenceId** is set to `CombinedSignInAndSignUp`:

+ <DefaultUserJourney ReferenceId="CombinedSignInAndSignUp" />

+## Step 7: Upload the custom policy

+1. Sign in to the [Azure portal](https://portal.azure.com/#home).

+2. Make sure you're using the directory that contains your Azure AD B2C tenant:

+ a. Select the **Directories + subscriptions** icon in the portal toolbar.

+ b. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and select **Switch**.

+3. In the [Azure portal](https://portal.azure.com/#home), search for and select **Azure AD B2C**.

+4. Under Policies, select **Identity Experience Framework**.

+5. Select **Upload Custom Policy**, and then upload the files in the following order:

+ 1. `TrustFrameworkBase.xml`, the base policy file

+ 2. `TrustFrameworkExtensions.xml`, the extension policy

+ 3. `SignUpSignIn.xml`, then the relying party policy

+## Step 8: Test your custom policy

+## April 2022

+### New articles

+- [Tutorial: Configure Azure Web Application Firewall with Azure Active Directory B2C](partner-azure-web-application-firewall.md)

+- [Configure Asignio with Azure Active Directory B2C for multi-factor authentication](partner-asignio.md)

+- [Set up sign-up and sign-in with Mobile ID using Azure Active Directory B2C](identity-provider-mobile-id.md)

+- [Find help and open a support ticket for Azure Active Directory B2C](find-help-open-support-ticket.md)

+### Updated articles

+- [Configure authentication in a sample single-page application by using Azure AD B2C](configure-authentication-sample-spa-app.md)

+- [Configure xID with Azure Active Directory B2C for passwordless authentication](partner-xid.md)

+- [Azure Active Directory B2C service limits and restrictions](service-limits.md)

+- [Localization string IDs](localization-string-ids.md)

+- [Manage your Azure Active Directory B2C tenant](tenant-management.md)

+- [Page layout versions](page-layout.md)

+- [Secure your API used an API connector in Azure AD B2C](secure-rest-api.md)

+- [Azure Active Directory B2C: What's new](whats-new-docs.md)

+- [Application types that can be used in Active Directory B2C](application-types.md)

+- [Publish your Azure Active Directory B2C app to the Azure Active Directory app gallery](publish-app-to-azure-ad-app-gallery.md)

+- [Quickstart: Set up sign in for a desktop app using Azure Active Directory B2C](quickstart-native-app-desktop.md)

+- [Register a single-page application (SPA) in Azure Active Directory B2C](tutorial-register-spa.md)

+| Pre-authentication | RD Web- Windows 7/10/11 using Internet Explorer* or [Edge Chromium IE mode](/deployedge/edge-ie-mode) + RDS ActiveX add-on |

+>[!NOTE]

+>Virtual phone numbers are not supported for Voice calls or SMS messages.

+| **macOS** | ![Chrome supports USB on macOS for Azure AD accounts.][y] | ![Chrome supports NFC on macOS for Azure AD accounts.][n] | ![Chrome supports BLE on macOS for Azure AD accounts.][n] | ![Edge supports USB on macOS for Azure AD accounts.][y] | ![Edge supports NFC on macOS for Azure AD accounts.][n] | ![Edge supports BLE on macOS for Azure AD accounts.][n] | ![Firefox supports USB on macOS for Azure AD accounts.][n] | ![Firefox supports NFC on macOS for Azure AD accounts.][n] | ![Firefox supports BLE on macOS for Azure AD accounts.][n] | ![Safari supports USB on macOS for Azure AD accounts.][n] | ![Safari supports NFC on macOS for Azure AD accounts.][n] | ![Safari supports BLE on macOS for Azure AD accounts.][n] |

+[Learn more about passwordless authentication](concept-authentication-passwordless.md)

+1. Navigate to the **Azure portal** > **Azure Active Directory** > **Sign-in logs**.

+- Microsoft Lists (iOS)

+The sign-in frequency setting works with apps that have implemented OAuth2 or OIDC protocols according to the standards. Most Microsoft native apps for Windows, Mac, and Mobile including the following web applications comply with the setting.

+The sign-in frequency setting works with 3rd party SAML applications and apps that have implemented OAuth2 or OIDC protocols, as long as they don't drop their own cookies and are redirected back to Azure AD for authentication on regular basis.

+ "netbios_domain_and_sam_account_name",

+ "netbios_domain_and_sam_account_name",

+# The {issuer} value in the path of the request can be used to control who can sign into the application.

+# The allowed values are **common** for both Microsoft accounts and work or school accounts,

+# **organizations** for work or school accounts only, **consumers** for Microsoft accounts only,

+# and **tenant identifiers** such as the tenant ID or domain name.

+ Title: Overview of permissions and consent in the Microsoft identity platform

+description: Learn about the foundational concepts and scenarios around consent and permissions in the Microsoft identity platform

+#Customer intent: As and a developer or admin in the Microsoft identity platform, I want to understand the basic concept about managing how applications access resources through the permissions and consent framework.

+# Introduction to permissions and consent

+To _access_ a protected resource like email or calendar data, your application needs the resource owner's _authorization_. The resource owner can _consent_ to or deny your app's request. Understanding these foundational concepts will help you build more secure and trustworthy applications that request only the access they need, when they need it, from its users and administrators.

+## Access scenarios

+As an application developer, you must identify how your application will access data. The application can use delegated access, acting on behalf of a signed-in user, or direct access, acting only as the application's own identity.

+

+### Delegated access (access on behalf of a user)

+In this access scenario, a user has signed into a client application. The client application accesses the resource on behalf of the user. Delegated access requires delegated permissions. Both the client and the user must be authorized separately to make the request.

+For the client app, the correct delegated permissions must be granted. Delegated permissions can also be referred to as scopes. Scopes are permissions of a given resource that the client application exercises on behalf of a user. They're strings that represent what the application wants to do on behalf of the user. For more information about scopes, see [scopes and permissions](v2-permissions-and-consent.md#scopes-and-permissions).

+For the user, the authorization relies on the privileges that the user has been granted for them to access the resource. For example, the user could be authorized to access directory resources by [Azure Active Directory (Azure AD) role-based access control (RBAC)](../roles/custom-overview.md) or to access mail and calendar resources by [Exchange Online RBAC](/exchange/permissions-exo/permissions-exo).

+### Direct access (App-only access)

+In this access scenario, the application acts on its own with no user signed in. Application access is used in scenarios such as automation, and backup. This scenario includes apps that run as background services or daemons. It's appropriate when it's undesirable to have a specific user signed in, or when the data required can't be scoped to a single user.

+Direct access may require application permissions but this isn't the only way for granting an application direct access. Application permissions can be referred to as app roles. When app roles are granted to other applications, they can be called applications permissions. The appropriate application permissions or app roles must be granted to the application for it to access the resource. For more information about assigning app roles to applications, see [App roles for applications](howto-add-app-roles-in-azure-ad-apps.md).

+## Types of permissions

+**Delegated permissions** are used in the delegated access scenario. They're permissions that allow the application to act on a user's behalf. The application will never be able to access anything users themselves couldn't access.

+For example, imagine an application that has been granted the Files.Read.All delegated permission on behalf of Tom, the user. The application will only be able to read files that Tom can personally access.

+**Application permissions** are used in the direct access scenario, without a signed-in user present. The application will be able to access any data that the permission is associated with. For example, an application granted the Files.Read.All application permission will be able to read any file in the tenant. Only an administrator or owner of the service principal can consent to application permissions.

+There are other ways in which applications can be granted authorization for direct access. For example, an application can be assigned an Azure AD RBAC role.

+## Consent

+One way that applications are granted permissions is through consent. Consent is a process where users or admins authorize an application to access a protected resource. For example, when a user attempts to sign into an application for the first time, the application can request permission to see the user's profile and read the contents of the user's mailbox. The user sees the list of permissions the app is requesting through a consent prompt.

+The key details of a consent prompt are the list of permissions the application requires and the publisher information. For more information about the consent prompt and the consent experience for both admins and end-users, see [application consent experience](application-consent-experience.md).

+### User consent

+User consent happens when a user attempts to sign into an application. The user provides their sign-in credentials. These credentials are checked to determine whether consent has already been granted. If no previous record of user or admin consent for the required permissions exists, the user is shown a consent prompt and asked to grant the application the requested permissions. In many cases, an admin may be required to grant consent on behalf of the user.

+### Administrator consent

+Depending on the permissions they require, some applications might require an administrator to be the one who grants consent. For example, application permissions can only be consented to by an administrator. Administrators can grant consent for themselves or for the entire organization. For more information about user and admin consent, see [user and admin consent overview](../manage-apps/consent-and-permissions-overview.md)

+### Preauthorization

+Preauthorization allows a resource application owner to grant permissions without requiring users to see a consent prompt for the same set of permissions that have been preauthorized. This way, an application that has been preauthorized won't ask users to consent to permissions. Resource owners can preauthorize client apps in the Azure portal or by using PowerShell and APIs, like Microsoft Graph.

+## Next steps

+- [User and admin consent overview](../manage-apps/consent-and-permissions-overview.md)

+- [Scopes and permissions](v2-permissions-and-consent.md)

+### acceptMappedClaims attribute

+| Key | Value type |

+| : | : |

+| acceptMappedClaims | Nullable Boolean |

+As documented on the [apiApplication resource type](/graph/api/resources/apiapplication#properties), this allows an application to use [claims mapping](active-directory-claims-mapping.md) without specifying a custom signing key. Applications that receive tokens rely on the fact that the claim values are authoritatively issued by Azure AD and cannot be tampered with. However, when you modify the token contents through claims-mapping policies, these assumptions may no longer be correct. Applications must explicitly acknowledge that tokens have been modified by the creator of the claims-mapping policy to protect themselves from claims-mapping policies created by malicious actors.

+> [!WARNING]

+> Do not set `acceptMappedClaims` property to `true` for multi-tenant apps, which can allow malicious actors to create claims-mapping policies for your app.

+Example:

+```json

+ "acceptMappedClaims": true,

+```

+>[!NOTE]

+> While it is safe to remove the identifierUris for app registrations within the current tenant, removing the identifierUris may cause clients to fail for other app registrations.

+> | Node.js | [Call Microsoft Graph with secret](https://github.com/Azure-Samples/ms-identity-javascript-nodejs-console) | MSAL Node | Client credentials grant |

+ASP.NET Core 3.1 uses the Microsoft.AspNetCore.Authentication.JwtBearer library. The middleware is initialized in the Startup.cs file.

+

+ :::code language="js" source="~/ms-identity-javascript-v2/server.js":::

+- If you have a free trial or pay-as-you-go subscription, you don't have to wait 90 days for the subscription to automatically delete. You can delete your subscription three days after you cancel it. The Delete subscription option isn't available until three days after you cancel your subscription. For more details please read through [Delete free trial or pay-as-you-go subscriptions](../../cost-management-billing/manage/cancel-azure-subscription.md#delete-subscriptions).

+[Azure Active Directory documentation](../index.yml)

+For licensing and pricing information related to B2B direct connect users, refer to [Azure Active Directory External Identities pricing](https://azure.microsoft.com/pricing/details/active-directory/external-identities/).

+Microsoft Azure [national clouds](../develop/authentication-national-cloud.md) are physically isolated instances of Azure. B2B collaboration isn't enabled by default across national cloud boundaries, but you can use Microsoft cloud settings (preview) to establish mutual B2B collaboration between the following Microsoft Azure clouds:

+- Microsoft Azure global cloud and Microsoft Azure Government

+- Microsoft Azure global cloud and Microsoft Azure China 21Vianet

+## B2B collaboration across Microsoft clouds

+To set up B2B collaboration between tenants in different clouds, both tenants need to configure their Microsoft cloud settings to enable collaboration with the other cloud. Then each tenant must configure inbound and outbound cross-tenant access with the tenant in the other cloud. For details, see [Microsoft cloud settings (preview)](cross-cloud-settings.md).

+## B2B collaboration within the Microsoft Azure Government cloud

+Within the Azure US Government cloud, B2B collaboration is enabled between tenants that are both within Azure US Government cloud and that both support B2B collaboration. Azure US Government tenants that support B2B collaboration can also collaborate with social users using Microsoft, Google accounts, or email one-time passcode accounts. If you invite a user outside of these groups (for example, if the user is in a tenant that isn't part of the Azure US Government cloud or doesn't yet support B2B collaboration), the invitation will fail or the user won't be able to redeem the invitation. For Microsoft accounts (MSAs), there are known limitations with accessing the Azure portal: newly invited MSA guests are unable to redeem direct link invitations to the Azure portal, and existing MSA guests are unable to sign in to the Azure portal. For details about other limitations, see [Azure Active Directory Premium P1 and P2 Variations](../../azure-government/compare-azure-government-global-azure.md#azure-active-directory-premium-p1-and-p2).

+ Title: Configure B2B collaboration Microsoft cloud settings - Azure AD

+description: Use Microsoft cloud settings to enable cross-cloud B2B collaboration between sovereign (national) Microsoft Azure clouds.

+# Configure Microsoft cloud settings for B2B collaboration (Preview)

+> [!NOTE]

+> Microsoft cloud settings are preview features of Azure Active Directory. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+When Azure AD organizations in separate Microsoft Azure clouds need to collaborate, they can use Microsoft cloud settings to enable Azure AD B2B collaboration. B2B collaboration is available between the following global and sovereign Microsoft Azure clouds:

+- Microsoft Azure global cloud and Microsoft Azure Government

+- Microsoft Azure global cloud and Microsoft Azure China 21Vianet

+To set up B2B collaboration between partner organizations in different Microsoft Azure clouds, each partner mutually agrees to configure B2B collaboration with each other. In each organization, an admin completes the following steps:

+1. Configures their Microsoft cloud settings to enable collaboration with the partner's cloud.

+1. Uses the partner's tenant ID to find and add the partner to their organizational settings.

+1. Configures their inbound and outbound settings for the partner organization. The admin can either apply the default settings or configure specific settings for the partner.

+After each organization has completed these steps, Azure AD B2B collaboration between the organizations is enabled.

+## Before you begin

+- **Obtain the partner's tenant ID.** To enable B2B collaboration with a partner's Azure AD organization in another Microsoft Azure cloud, you'll need the partner's tenant ID. Using an organization's domain name for lookup isn't available in cross-cloud scenarios.

+- **Decide on inbound and outbound access settings for the partner.** Selecting a cloud in your Microsoft cloud settings doesn't automatically enable B2B collaboration. Once you enable another Microsoft Azure cloud, all B2B collaboration is blocked by default for organizations in that cloud. You'll need to add the tenant you want to collaborate with to your Organizational settings. At that point, your default settings go into effect for that tenant only. You can allow the default settings to remain in effect. Or, you can modify the inbound and outbound settings for the organization.

+- **Obtain any required object IDs or app IDs.** If you want to apply access settings to specific users, groups, or applications in the partner organization, you'll need to contact the organization for information before configuring your settings. Obtain their user object IDs, group object IDs, or application IDs (*client app IDs* or *resource app IDs*) so you can target your settings correctly.

+## Enable the cloud in your Microsoft cloud settings

+In your Microsoft cloud settings, enable the Microsoft Azure cloud you want to collaborate with.

+1. Sign in to the [Azure portal](https://portal.azure.com) using a Global administrator or Security administrator account. Then open the **Azure Active Directory** service.

+1. Select **External Identities**, and then select **Cross-tenant access settings (Preview)**.

+1. Select **Cross cloud settings**.

+1. Select the checkboxes next to the external Microsoft Azure clouds you want to enable.

+ 

+> [!NOTE]

+> Selecting a cloud doesn't automatically enable B2B collaboration with organizations in that cloud. You'll need to add the organization you want to collaborate with, as described in the next section.

+## Add the tenant to your organizational settings

+Follow these steps to add the tenant you want to collaborate with to your Organizational settings.

+1. Sign in to the [Azure portal](https://portal.azure.com) using a Global administrator or Security administrator account. Then open the **Azure Active Directory** service.

+1. Select **External Identities**, and then select **Cross-tenant access settings (Preview)**.

+1. Select **Organizational settings**.

+1. Select **Add organization**.

+1. On the **Add organization** pane, type the tenant ID for the organization (cross-cloud lookup by domain name isn't currently available).

+ 

+1. Select the organization in the search results, and then select **Add**.

+1. The organization appears in the **Organizational settings** list. At this point, all access settings for this organization are inherited from your default settings.

+ 

+1. If you want to change the cross-tenant access settings for this organization, select the **Inherited from default** link under the **Inbound access** or **Outbound access** column. Then follow the detailed steps in these sections:

+ - [Modify inbound access settings](cross-tenant-access-settings-b2b-collaboration.md#modify-inbound-access-settings)

+ - [Modify outbound access settings](cross-tenant-access-settings-b2b-collaboration.md#modify-outbound-access-settings)

+## Next steps

+See [Configure external collaboration settings](external-collaboration-settings-configure.md) for B2B collaboration with non-Azure AD identities, social identities, and non-IT managed external accounts.

+Azure AD organizations can use External Identities cross-tenant access settings to manage how they collaborate with other Azure AD organizations and other Microsoft Azure clouds through B2B collaboration and [B2B direct connect](cross-tenant-access-settings-b2b-direct-connect.md). [Cross-tenant access settings](cross-tenant-access-settings-b2b-collaboration.md) give you granular control over how external Azure AD organizations collaborate with you (inbound access) and how your users collaborate with external Azure AD organizations (outbound access). These settings also let you trust multi-factor authentication (MFA) and device claims ([compliant claims and hybrid Azure AD joined claims](../conditional-access/howto-conditional-access-policy-compliant-device.md)) from other Azure AD organizations.

+This article describes cross-tenant access settings, which are used to manage B2B collaboration and B2B direct connect with external Azure AD organizations, including across Microsoft clouds. Additional settings are available for B2B collaboration with non-Azure AD identities (for example, social identities or non-IT managed external accounts). These [external collaboration settings](external-collaboration-settings-configure.md) include options for restricting guest user access, specifying who can invite guests, and allowing or blocking domains.

+

+The behaviors described above apply to B2B collaboration with other Azure AD tenants in your same Microsoft Azure cloud. In cross-cloud scenarios, default settings work a little differently. See [Microsoft cloud settings](#microsoft-cloud-settings) later in this article.

+## Microsoft cloud settings

+Microsoft cloud settings let you collaborate with organizations from different Microsoft Azure clouds. With Microsoft cloud settings, you can establish mutual B2B collaboration between the following clouds:

+- Microsoft Azure global cloud and Microsoft Azure Government

+- Microsoft Azure global cloud and Microsoft Azure China 21Vianet

+To set up B2B collaboration, both organizations configure their Microsoft cloud settings to enable the partner's cloud. Then each organization uses the partner's tenant ID to find and add the partner to their organizational settings. From there, each organization can allow their default cross-tenant access settings apply to the partner, or they can configure partner-specific inbound and outbound settings. After you establish B2B collaboration with a partner in another cloud, you'll be able to:

+- Use B2B collaboration to invite a user in the partner tenant to access resources in your organization, including web line-of-business apps, SaaS apps, and SharePoint Online sites, documents, and files.

+- Apply Conditional Access policies to the B2B collaboration user and opt to trust device claims (compliant claims and hybrid Azure AD joined claims) from the userΓÇÖs home tenant.

+For configuration steps, see [Configure Microsoft cloud settings for B2B collaboration (Preview)](cross-cloud-settings.md).

+### Default settings in cross-cloud scenarios

+To collaborate with a partner tenant in a different Microsoft Azure cloud, both organizations need to mutually enable B2B collaboration with each other. The first step is to enable the partner's cloud in your cross-tenant settings. When you first enable another cloud, B2B collaboration is blocked for all tenants in that cloud. You need to add the tenant you want to collaborate with to your Organizational settings, and at that point your default settings go into effect for that tenant only. You can allow the default settings to remain in effect, or you can modify the organizational settings for the tenant.

+> [!NOTE]

+> During the preview of Microsoft cloud settings, sign-in events for cross-cloud scenarios will be reported in the resource tenant, but not in the home tenant.

+

+- If you want to set up B2B collaboration with a partner organization in an external Microsoft Azure cloud, follow the steps in [Configure Microsoft cloud settings](cross-cloud-settings.md). An admin in the partner organization will need to do the same for your tenant.

+ Default cross-tenant access settings apply to all external tenants for which you haven't created organization-specific customized settings. If you want to modify the Azure AD-provided default settings, follow these steps.

+ 

+ 

+1. Select **External Identities**, and then select **Cross-tenant access settings (Preview)**.

+ 

+ 

+1. Select **External Identities** > **Cross-tenant access settings (Preview)**.

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+

+You can use [cross-tenant access settings](cross-tenant-access-overview.md) to manage B2B collaboration with other Azure AD organizations and across Microsoft Azure clouds. For B2B collaboration with non-Azure AD external users and organizations, use [external collaboration settings](external-collaboration-settings-configure.md).

+B2B direct connect is a new way to collaborate with other Azure AD organizations. This feature currently works with Microsoft Teams shared channels. With B2B direct connect, you create two-way trust relationships with other Azure AD organizations to allow users to seamlessly sign in to your shared resources and vice versa. B2B direct connect users aren't added as guests to your Azure AD directory. When two organizations mutually enable B2B direct connect, users authenticate in their home organization and receive a token from the resource organization for access. Learn more about [B2B direct connect in Azure AD](b2b-direct-connect-overview.md).

+### Microsoft cloud settings for B2B collaboration (preview)

+Microsoft Azure cloud services are available in separate national clouds, which are physically isolated instances of Azure. Increasingly, organizations are finding the need to collaborate with organizations and users across global cloud and national cloud boundaries. With Microsoft cloud settings, you can establish mutual B2B collaboration between the following Microsoft Azure clouds:

+- Microsoft Azure global cloud and Microsoft Azure Government

+- Microsoft Azure global cloud and Microsoft Azure China 21Vianet

+To set up B2B collaboration between tenants in different clouds, both tenants need to configure their Microsoft cloud settings to enable collaboration with the other cloud. Then each tenant must configure inbound and outbound cross-tenant access with the tenant in the other cloud. See [Microsoft cloud settings](cross-cloud-settings.md) for details.

+- **Cross-tenant access settings API**: The [Microsoft Graph cross-tenant access API](/graph/api/resources/crosstenantaccesspolicy-overview?view=graph-rest-beta&preserve-view=true) lets you programmatically create the same B2B collaboration and B2B direct connect policies that are configurable in the Azure portal. Using the API, you can set up policies for inbound and outbound collaboration to allow or block features for everyone by default and limit access to specific organizations, groups, users, and applications. The API also allows you to accept MFA and device claims (compliant claims and hybrid Azure AD joined claims) from other Azure AD organizations.

+

+

+Within the Azure US Government cloud, B2B collaboration is enabled between tenants that are both within Azure US Government cloud and that both support B2B collaboration. If you invite a user in a tenant that doesn't yet support B2B collaboration, you'll get an error. For details and limitations, see [Azure Active Directory Premium P1 and P2 Variations](../../azure-government/compare-azure-government-global-azure.md#azure-active-directory-premium-p1-and-p2).

+If you need to collaborate with an Azure AD organization that's outside of the Azure US Government cloud, you can use [Microsoft cloud settings (preview)](cross-cloud-settings.md) to enable B2B collaboration.

+## Invitation is blocked due to cross-tenant access policies

+When you try to invite a B2B collaboration user in another Microsoft Azure cloud, this error message will appear if B2B collaboration is supported between the two clouds but is blocked by cross-tenant access settings. The settings that are blocking collaboration could be either in the B2B collaboration userΓÇÖs home tenant or in your tenant. Check your cross-tenant access settings to make sure youΓÇÖve added the B2B collaboration userΓÇÖs home tenant to your Organizational settings and that your settings allow B2B collaboration with the user. Then make sure an admin in the userΓÇÖs tenant does the same.

+## Invitation is blocked due to disabled Microsoft B2B Cross Cloud Worker application

+Rarely, you might see this message: ΓÇ£This action can't be completed because the Microsoft B2B Cross Cloud Worker application has been disabled in the invited userΓÇÖs tenant. Please ask the invited userΓÇÖs admin to re-enable it, then try again.ΓÇ¥ This error means that the Microsoft B2B Cross Cloud Worker application has been disabled in the B2B collaboration userΓÇÖs home tenant. This app is typically enabled, but it might have been disabled by an admin in the userΓÇÖs home tenant, either through PowerShell or the portal (see [Disable how a user signs in](../manage-apps/disable-user-sign-in-portal.md)). An admin in the userΓÇÖs home tenant can re-enable the app through PowerShell or the Azure portal. In the portal, search for ΓÇ£Microsoft B2B Cross Cloud WorkerΓÇ¥ to find the app, select it, and then choose to re-enable it.

+## Redemption is blocked due to cross-tenant access settings

+A B2B collaboration user could see this message when they try to redeem a B2B collaboration invitation: ΓÇ£This invitation is blocked by cross-tenant access settings. Admins in both your organization and the inviterΓÇÖs organization must configure cross-tenant access settings to allow the invitation.ΓÇ¥ This error can occur when cross-tenant policies are changed between the time the invitation was sent to the user and the time the user redeems it. Check your cross-tenant access settings to make sure B2B collaboration is properly configured, and make sure an admin in the userΓÇÖs tenant does the same.

+

+## Manage collaboration with other organizations and clouds

+B2B collaboration is enabled by default, but comprehensive admin settings let you control your inbound and outbound B2B collaboration with external partners and organizations:

+- For B2B collaboration with other Azure AD organizations, use [cross-tenant access settings (preview)](cross-tenant-access-overview.md). Manage inbound and outbound B2B collaboration, and scope access to specific users, groups, and applications. Set a default configuration that applies to all external organizations, and then create individual, organization-specific settings as needed. Using cross-tenant access settings, you can also trust multi-factor (MFA) and device claims (compliant claims and hybrid Azure AD joined claims) from other Azure AD organizations.

+- Use [external collaboration settings](external-collaboration-settings-configure.md) to define who can invite external users, allow or block B2B specific domains, and set restrictions on guest user access to your directory.

+- Use [Microsoft cloud settings (preview)](cross-cloud-settings.md) to establish mutual B2B collaboration between the Microsoft Azure global cloud and Microsoft Azure Government or Microsoft Azure China 21Vianet.

+

+

+

+

+

+

+You can [enable integration with SharePoint and OneDrive](/sharepoint/sharepoint-azureb2b-integration) to share files, folders, list items, document libraries, and sites with people outside your organization, while using Azure B2B for authentication and management. The users you share resources with are typically added to your directory as guests, and permissions and groups work the same for these guests as they do for internal users. When enabling integration with SharePoint and OneDrive, you'll also enable the [email one-time passcode](one-time-passcode.md) feature in Azure AD B2B to serve as a fallback authentication method.

+- [Understand the invitation redemption process](redemption-experience.md)

+>We don't currently support:<ul><li>Adding groups to a group synced with on-premises Active Directory.</li><li>Adding Security groups to Microsoft 365 groups.</li><li>Adding Microsoft 365 groups to Security groups or other Microsoft 365 groups.</li><li>Assigning apps to nested groups.</li><li>Applying licenses to nested groups.</li><li>Adding distribution groups in nesting scenarios.</li><li>Adding security groups as members of mail-enabled security groups</li><li> Adding groups as members of a role-assignable group.</li></ul>

+ >

+ >When adding a custom domain, the Password Policy values will be inherited from the initial domain.

+- If you have on-premises versions of Windows Server that you want to use alongside Azure Active Directory, see [Integrate your on-premises directories with Azure Active Directory](../hybrid/whatis-hybrid-identity.md).

+1. Navigate to the **Azure portal** > **Azure Active Directory** > **Sign-in logs**.

+description: Learn how to configure your systems to help protect your Microsoft 365 cloud environment from on-premises compromise.

+ - it-pro

+ - seodec18

+ - kr2b-contr-experiment

+Many customers connect their private corporate networks to Microsoft 365 to benefit their users, devices, and applications. However, these private networks can be compromised in many well-documented ways. Microsoft 365 acts as a sort of nervous system for many organizations. It's critical to protect it from compromised on-premises infrastructure.

+This article shows you how to configure your systems to help protect your Microsoft 365 cloud environment from on-premises compromise, including the following elements:

+- Azure Active Directory (Azure AD) tenant configuration settings

+- How Azure AD tenants can be safely connected to on-premises systems

+- The tradeoffs required to operate your systems in ways that protect your cloud systems from on-premises compromise

+Microsoft strongly recommends that you implement this guidance.

+## Threat sources in on-premises environments

+Your Microsoft 365 cloud environment benefits from an extensive monitoring and security infrastructure. Microsoft 365 uses machine learning and human intelligence to look across worldwide traffic. It can rapidly detect attacks and allow you to reconfigure nearly in real time.

+Hybrid deployments can connect on-premises infrastructure to Microsoft 365. In such deployments, many organizations delegate trust to on-premises components for critical authentication and directory object state management decisions. If the on-premises environment is compromised, these trust relationships become an attacker's opportunities to compromise your Microsoft 365 environment.

+- **Federated trust relationships**, such as Security Assertions Markup Language (SAML) authentication, are used to authenticate to Microsoft 365 through your on-premises identity infrastructure. If a SAML token-signing certificate is compromised, federation allows anyone who has that certificate to impersonate any user in your cloud.

+ We recommend that you disable federation trust relationships for authentication to Microsoft 365 when possible.

+- **Account synchronization** can be used to modify privileged users, including their credentials, or groups that have administrative privileges in Microsoft 365.

+ We recommend that you ensure that synchronized objects hold no privileges beyond a user in Microsoft 365. You can control privileges either directly or through inclusion in trusted roles or groups. Ensure these objects have no direct or nested assignment in trusted cloud roles or groups.

+## Protecting Microsoft 365 from on-premises compromise

+To address the threats described above, we recommend you adhere to the principles illustrated in the following diagram:

+

+1. **Fully isolate your Microsoft 365 administrator accounts.** They should be:

+ - Mastered in Azure AD.

+ - Authenticated by using multifactor authentication.

+ - Secured by Azure AD Conditional Access.

+ - Accessed only by using Azure-managed workstations.

+ These administrator accounts are restricted-use accounts. No on-premises accounts should have administrative privileges in Microsoft 365.

+ For more information, see [About admin roles](/microsoft-365/admin/add-users/about-admin-roles). Also, see [Roles for Microsoft 365 in Azure AD](../roles/m365-workload-docs.md).

+1. **Use Azure AD cloud authentication to eliminate dependencies on your on-premises credentials.** Always use strong authentication, such as Windows Hello, FIDO, Microsoft Authenticator, or Azure AD multifactor authentication.

+The following sections provide guidance about how to implement the principles described above.

+- Use cloud-only accounts for Azure AD and Microsoft 365 privileged roles.

+- Deploy privileged access devices for privileged access to manage Microsoft 365 and Azure AD. See [Device roles and profiles](/security/compass/privileged-access-devices#device-roles-and-profiles).

+ Deploy Azure AD Privileged Identity Management (PIM) for just-in-time access to all human accounts that have privileged roles. Require strong authentication to activate roles. See [What is Azure AD Privileged Identity Management](../privileged-identity-management/pim-configure.md).

+- Provide administrative roles that allow the least privilege necessary to do required tasks. See [Least privileged roles by task in Azure Active Directory](../roles/delegate-by-task.md).

+- To enable a rich role assignment experience that includes delegation and multiple roles at the same time, consider using Azure AD security groups or Microsoft 365 Groups. These groups are collectively called *cloud groups*.

+ Also, enable role-based access control. See [Assign Azure AD roles to groups](../roles/groups-assign-role.md). You can use administrative units to restrict the scope of roles to a portion of the organization. See [Administrative units in Azure Active Directory](../roles/administrative-units.md).

+- Deploy emergency access accounts. Do *not* use on-premises password vaults to store credentials. See [Manage emergency access accounts in Azure AD](../roles/security-emergency-access.md).

+For more information, see [Securing privileged access](/security/compass/overview). Also, see [Secure access practices for administrators in Azure AD](../roles/security-planning.md).

+### Use cloud authentication

+- **Deploy passwordless authentication**. Reduce the use of passwords as much as possible by deploying passwordless credentials. These credentials are managed and validated natively in the cloud. For more information, see [Plan a passwordless authentication deployment in Azure Active Directory](../authentication/howto-authentication-passwordless-deployment.md).

+ Choose from these authentication methods:

+ - [Windows Hello for business](/windows/security/identity-protection/hello-for-business/passwordless-strategy)

+ - [The Microsoft Authenticator app](../authentication/howto-authentication-passwordless-phone.md)

+ - [FIDO2 security keys](../authentication/howto-authentication-passwordless-security-key-windows.md)

+- **Deploy multifactor authentication**. For more information, see [Plan an Azure Active Directory Multi-Factor Authentication deployment](../authentication/howto-mfa-getstarted.md).

+ Provision multiple strong credentials by using Azure AD multifactor authentication. That way, access to cloud resources requires an Azure AD managed credential in addition to an on-premises password. For more information, see [Build resilience with credential management](../fundamentals/resilience-in-credentials.md) and [Create a resilient access control management strategy by using Azure AD](./resilience-overview.md).

+Hybrid account password management requires hybrid components such as password protection agents and password writeback agents. If your on-premises infrastructure is compromised, attackers can control the machines on which these agents reside. This vulnerability won't compromise your cloud infrastructure. But your cloud accounts won't protect these components from on-premises compromise.

+On-premises accounts synced from Active Directory are marked to never expire in Azure AD. This setting is usually mitigated by on-premises Active Directory password settings. If your instance of Active Directory is compromised and synchronization is disabled, set the [EnforceCloudPasswordPolicyForPasswordSyncedUsers](../hybrid/how-to-connect-password-hash-synchronization.md) option to force password changes.

+

+- **Provision from cloud HR apps to Azure AD.** This provisioning enables an on-premises compromise to be isolated. This isolation doesn't disrupt your joiner-mover-leaver cycle from your cloud HR apps to Azure AD.

+- **Cloud applications.** Where possible, deploy Azure AD app provisioning as opposed to on-premises provisioning solutions. This method protects some of your software as a service (SaaS) apps from malicious hacker profiles in on-premises breaches. For more information, see [What is app provisioning in Azure Active Directory](../app-provisioning/user-provisioning.md).

+- **External identities.** Use Azure AD B2B collaboration to reduce the dependency on on-premises accounts for external collaboration with partners, customers, and suppliers. Carefully evaluate any direct federation with other identity providers. For more information, see [B2B collaboration overview](../external-identities/what-is-b2b.md).

+ We recommend limiting B2B guest accounts in the following ways:

+ - Limit guest access to browsing groups and other properties in the directory. Use the external collaboration settings to restrict guests' ability to read groups they're not members of.

+ - Block access to the Azure portal. You can make rare necessary exceptions. Create a Conditional Access policy that includes all guests and external users. Then implement a policy to block access. See [Conditional Access](../conditional-access/concept-conditional-access-cloud-apps.md).

+- **Disconnected forests.** Use Azure AD cloud provisioning to connect to disconnected forests. This approach eliminates the need to establish cross-forest connectivity or trusts, which can broaden the effect of an on-premises breach. For more information, see [What is Azure AD Connect cloud sync](../cloud-sync/what-is-cloud-sync.md).

+- **Collaboration**. Use Microsoft 365 Groups and Microsoft Teams for modern collaboration. Decommission on-premises distribution lists, and [upgrade distribution lists to Microsoft 365 Groups in Outlook](/office365/admin/manage/upgrade-distribution-lists).

+- **Access**. Use Azure AD security groups or Microsoft 365 Groups to authorize access to applications in Azure AD.

+- **Office 365 licensing**. Use group-based licensing to provision to Office 365 by using cloud-only groups. This method decouples control of group membership from on-premises infrastructure.

+Deploy Azure AD joined Windows 10 workstations with mobile device management policies. Enable Windows Autopilot for a fully automated provisioning experience. See [Plan your Azure AD join implementation](../devices/azureadjoin-plan.md) and [Windows Autopilot](/mem/autopilot/windows-autopilot).

+- **Use Windows 10 workstations**.

+ - Deprecate machines that run Windows 8.1 and earlier.

+ - Don't deploy computers that have server operating systems as workstations.

+- **Use Microsoft Endpoint Manager as the authority for all device management workloads.** See [Microsoft Endpoint Manager](https://www.microsoft.com/security/business/microsoft-endpoint-manager).

+- **Deploy privileged access devices.** For more information, see [Device roles and profiles](/security/compass/privileged-access-devices#device-roles-and-profiles).

+### Workloads, applications, and resources

+- **On-premises single-sign-on (SSO) systems**

+ Deprecate any on-premises federation and web access management infrastructure. Configure applications to use Azure AD.

+- **SaaS and line-of-business (LOB) applications that support modern authentication protocols**

+ Use Azure AD for SSO. The more apps you configure to use Azure AD for authentication, the less risk in an on-premises compromise. For more information, see [What is single sign-on in Azure Active Directory](../manage-apps/what-is-single-sign-on.md).

+- **Legacy applications**

+ You can enable authentication, authorization, and remote access to legacy applications that don't support modern authentication. Use [Azure AD Application Proxy](../app-proxy/application-proxy.md). Or, enable them through a network or application delivery controller solution by using secure hybrid access partner integrations. See [Secure legacy apps with Azure Active Directory](../manage-apps/secure-hybrid-access.md).

+ Choose a VPN vendor that supports modern authentication. Integrate its authentication with Azure AD. In an on-premises compromise, you can use Azure AD to disable or block access by disabling the VPN.

+- **Application and workload servers**

+ Applications or resources that required servers can be migrated to Azure infrastructure as a service (IaaS). Use Azure AD Domain Services (Azure AD DS) to decouple trust and dependency on on-premises instances of Active Directory. To achieve this decoupling, make sure virtual networks used for Azure AD DS don't have a connection to corporate networks. See [Azure AD Domain Services](../../active-directory-domain-services/overview.md).

+ Use credential tiering. Application servers are typically considered tier-1 assets. For more information, see [Enterprise access model](/security/compass/privileged-access-access-model#ADATM_BM).

+- Use Conditional Access to block legacy authentication protocols whenever possible. Additionally, disable legacy authentication protocols at the application level by using an application-specific configuration. See [Block legacy authentication](../conditional-access/howto-conditional-access-policy-block-legacy.md).

+ For more information, see [Legacy authentication protocols](../fundamentals/auth-sync-overview.md#legacy-authentication-protocols). Or see specific details for [Exchange Online](/exchange/clients-and-mobile-in-exchange-online/disable-basic-authentication-in-exchange-online#how-basic-authentication-works-in-exchange-online) and [SharePoint Online](/powershell/module/sharepoint-online/set-spotenant).

+- Implement the recommended identity and device access configurations. See [Common Zero Trust identity and device access policies](/microsoft-365/security/office-365-security/identity-access-policies).

+- If you're using a version of Azure AD that doesn't include Conditional Access, use [Security defaults in Azure AD](../fundamentals/concept-fundamentals-security-defaults.md).

+ For more information about Azure AD feature licensing, see the [Azure AD pricing guide](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing).

+## Monitor

+After you configure your environment to protect your Microsoft 365 from an on-premises compromise, proactively monitor the environment. For more information, see [What is Azure Active Directory monitoring](../reports-monitoring/overview-monitoring.md).

+- **Suspicious activity**

+ Monitor all Azure AD risk events for suspicious activity. See [Risk detection and remediation](../identity-protection/overview-identity-protection.md#risk-detection-and-remediation). Azure AD Identity Protection is natively integrated with Microsoft Defender for Cloud. See [What is Identity Protection](../identity-protection/overview-identity-protection.md).

+ Define the network named locations to avoid noisy detections on location-based signals. See [Using the location condition in a Conditional Access policy](../conditional-access/location-condition.md).

+- **User and Entity Behavioral Analytics (UEBA) alerts**

+ Use UEBA to get insights on anomaly detection. Microsoft Defender for Cloud Apps provides UEBA in the cloud. See [Investigate risky users](/cloud-app-security/tutorial-ueba).

+ You can integrate on-premises UEBA from Azure Advanced Threat Protection (ATP). Microsoft Defender for Cloud Apps reads signals from Azure AD Identity Protection. See [Connect to your Active Directory Forest](/defender-for-identity/install-step2).

+- **Emergency access accounts activity**

+ Monitor any access that uses emergency access accounts. See [Manage emergency access accounts in Azure AD](../roles/security-emergency-access.md). Create alerts for investigations. This monitoring must include the following actions:

+ - Sign-ins

+ - Credential management

+ - Any updates on group memberships

+ - Application assignments

+- **Privileged role activity**

+ Configure and review security alerts generated by Azure AD Privileged Identity Management (PIM). Monitor direct assignment of privileged roles outside PIM by generating alerts whenever a user is assigned directly. See [Security alerts](../privileged-identity-management/pim-how-to-configure-security-alerts.md?tabs=new#security-alerts).

+- **Azure AD tenant-wide configurations**

+ Any change to tenant-wide configurations should generate alerts in the system. These changes include but aren't limited to the following changes:

+ - Updated custom domains

+ - Azure AD B2B changes to allowlists and blocklists

+ - Azure AD B2B changes to allowed identity providers, such as SAML identity providers through direct federation or social sign-ins

+ - Conditional Access or Risk policy changes

+- **Application and service principal objects**

+ - New applications or service principals that might require Conditional Access policies

+ - Credentials added to service principals

+ - Application consent activity

+- **Custom roles**

+ - Updates to the custom role definitions

+ - Newly created custom roles

+- **Azure AD logs**. Ingest generated logs and signals by consistently following best practices for settings such as diagnostics, log retention, and SIEM ingestion.

+ The log strategy must include the following Azure AD logs:

+ - Sign-in activity

+ - Audit logs

+ - Risk events

+ Azure AD provides Azure Monitor integration for the sign-in activity log and audit logs. See [Azure AD activity logs in Azure Monitor](../reports-monitoring/concept-activity-logs-azure-monitor.md).

+ Use the Microsoft Graph API to ingest risk events. See [Use the Microsoft Graph identity protection APIs](/graph/api/resources/identityprotection-root).

+ You can stream Azure AD logs to Azure Monitor logs. See [Integrate Azure AD logs with Azure Monitor logs](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md).

+- **Hybrid infrastructure operating system security logs**. All hybrid identity infrastructure operating system logs should be archived and carefully monitored as a tier-0 system, because of the surface-area implications. Include the following elements:

+ - Application Proxy agents

+ - Password writeback agents

+ - Password Protection Gateway machines

+ - Network policy servers (NPSs) that have the Azure AD multifactor authentication RADIUS extension

+ - Azure AD Connect

+ You must deploy Azure AD Connect Health to monitor identity synchronization. See [What is Azure AD Connect](../hybrid/whatis-azure-ad-connect.md).

+- [Build resilience into identity and access management by using Azure AD](resilience-overview.md)

+- [Secure external access to resources](secure-external-access-resources.md)

+- [Integrate all your apps with Azure AD](five-steps-to-full-application-integration-with-azure-ad.md)

+ Title: Resilience in identity and access management with Azure Active Directory

+description: Learn how to build resilience into identity and access management. Resilience helps endure disruption to system components and recover with minimal effort.

+ - it-pro

+ - seodec18

+ - kr2b-contr-experiment

+Identity and access management (IAM) is a framework of processes, policies, and technologies. IAM facilitates the management of identities and what they access. It includes the many components supporting the authentication and authorization of user and other accounts in your system.

+IAM resilience is the ability to endure disruption to system components and recover with minimal impact to your business, users, customers, and operations. Reducing dependencies, complexity, and single-points-of-failure, while ensuring comprehensive error handling, increases your resilience.

+Disruption can come from any component of your IAM systems. To build a resilient IAM system, assume disruptions will occur and plan for them.

+When planning the resilience of your IAM solution, consider the following elements:

+* Your applications that rely on your IAM system

+* The public infrastructures your authentication calls use, including telecom companies, Internet service providers, and public key providers

+* Your cloud and on-premises identity providers

+* Other services that rely on your IAM, and the APIs that connect them

+* Any other on-premises components in your system

+Whatever the source, recognizing and planning for the contingencies is important. However, adding other identity systems, and their resultant dependencies and complexity, may reduce your resilience rather than increase it.

+description: Learn to monitor, identify, and alert on security issues with accounts, applications, devices, and infrastructure in Azure Active Directory.

+ - it-pro

+ - seodec18

+ - kr2b-contr-experiment

+Microsoft has a successful and proven approach to [Zero Trust security](https://aka.ms/Zero-Trust) using [Defense in Depth](https://us-cert.cisa.gov/bsi/articles/knowledge/principles/defense-in-depth) principles that use identity as a control plane. Organizations continue to embrace a hybrid workload world for scale, cost savings, and security. Azure Active Directory (Azure AD) plays a pivotal role in your strategy for identity management. Recently, news surrounding identity and security compromise has increasingly prompted enterprise IT to consider their identity security posture as a measurement of defensive security success.

+## Hybrid identity

+Azure Active Directory creates a common user identity for authentication and authorization to all resources, regardless of location. We call this *hybrid identity*.

+### Audience

+### Scope

+This introduction provides the suggested prereading and password audit and strategy recommendations. This article also provides an overview of the tools available for hybrid Azure environments and fully cloud-based Azure environments. Finally, we provide a list of data sources you can use for monitoring and alerting and configuring your security information and event management (SIEM) strategy and environment. The rest of the guidance presents monitoring and alerting strategies in the following areas:

+* [User accounts](security-operations-user-accounts.md). Guidance specific to non-privileged user accounts without administrative privilege, including anomalous account creation and usage, and unusual sign-ins.

+* [Privileged accounts](security-operations-privileged-accounts.md). Guidance specific to privileged user accounts that have elevated permissions to perform administrative tasks. Tasks include Azure AD role assignments, Azure resource role assignments, and access management for Azure resources and subscriptions.

+* [Privileged Identity Management (PIM)](security-operations-privileged-identity-management.md). Guidance specific to using PIM to manage, control, and monitor access to resources.

+* [Applications](security-operations-applications.md). Guidance specific to accounts used to provide authentication for applications.

+* [Devices](security-operations-devices.md). Guidance specific to monitoring and alerting for devices registered or joined outside of policies, non-compliant usage, managing device administration roles, and sign-ins to virtual machines.

+* [Infrastructure](security-operations-infrastructure.md). Guidance specific to monitoring and alerting on threats to your hybrid and purely cloud-based environments.

+Microsoft has many products and services that enable you to customize your IT environment to fit your needs. We recommend that you review the following guidance for your operating environment:

+ * [Windows 10 and Windows Server 2016 security auditing and monitoring reference](https://www.microsoft.com/download/details.aspx?id=52630)

+ * [Security baseline (FINAL) for Windows 10 v1909 and Windows Server v1909](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1909-and-windows-server/ba-p/1023093)

+ * [Security baseline for Windows 11](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-11-security-baseline/ba-p/2810772)

+ * [Security baseline for Windows Server 2022](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-server-2022-security-baseline/ba-p/2724685)

+ * [Microsoft Defender for Identity architecture](/defender-for-identity/architecture)

+ * [Connect Microsoft Defender for Identity to Active Directory quickstart](/defender-for-identity/install-step2)

+ * [Azure security baseline for Microsoft Defender for Identity](/defender-for-identity/security-baseline)

+ * [Monitoring Active Directory for Signs of Compromise](/windows-server/identity/ad-ds/plan/security-best-practices/monitoring-active-directory-for-signs-of-compromise)

+ * [Monitor sign-ins with the Azure AD sign-in log](../reports-monitoring/concept-all-sign-ins.md)

+ * [Audit activity reports in the Azure Active Directory portal](../reports-monitoring/concept-audit-logs.md)

+ * [Investigate risk with Azure Active Directory Identity Protection](../identity-protection/howto-identity-protection-investigate-risk.md)

+ * [Connect Azure AD Identity Protection data to Microsoft Sentinel](../../sentinel/data-connectors-reference.md#azure-active-directory-identity-protection)

+ * [Audit Policy Recommendations](/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations)

+ * [AD FS Troubleshooting - Auditing Events and Logging](/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-logging)

+## Data sources

+From the Azure portal, you can view the Azure AD Audit logs. Download logs as comma separated value (CSV) or JavaScript Object Notation (JSON) files. The Azure portal has several ways to integrate Azure AD logs with other tools that allow for greater automation of monitoring and alerting:

+* **[Microsoft Sentinel](../../sentinel/overview.md)**. Enables intelligent security analytics at the enterprise level by providing security information and event management (SIEM) capabilities.

+* **[Azure Monitor](../../azure-monitor/overview.md)**. Enables automated monitoring and alerting of various conditions. Can create or use workbooks to combine data from different sources.

+* **[Azure Event Hubs](../../event-hubs/event-hubs-about.md)** integrated with a SIEM. Azure AD logs can be integrated to other SIEMs such as Splunk, ArcSight, QRadar and Sumo Logic via the Azure Event Hubs integration. For more information, see [Stream Azure Active Directory logs to an Azure event hub](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md).

+* **[Microsoft Defender for Cloud Apps](/cloud-app-security/what-is-cloud-app-security)**. Enables you to discover and manage apps, govern across apps and resources, and check the compliance of your cloud apps.

+* **[Securing workload identities with Identity Protection Preview](../identity-protection/concept-workload-identity-risk.md)**. Used to detect risk on workload identities across sign-in behavior and offline indicators of compromise.

+Much of what you will monitor and alert on are the effects of your Conditional Access policies. You can use the Conditional Access insights and reporting workbook to examine the effects of one or more Conditional Access policies on your sign-ins and the results of policies, including device state. This workbook enables you to view an impact summary, and identify the impact over a specific time period. You can also use the workbook to investigate the sign-ins of a specific user. For more information, see [Conditional Access insights and reporting](../conditional-access/howto-conditional-access-insights-reporting.md).

+The remainder of this article describes what to monitor and alert on. Where there are specific pre-built solutions we link to them or provide samples following the table. Otherwise, you can build alerts using the preceding tools.

+* **[Identity Protection](../identity-protection/overview-identity-protection.md)** generates three key reports that you can use to help with your investigation:

+* **Risky users** contains information about which users are at risk, details about detections, history of all risky sign-ins, and risk history.

+* **Risky sign-ins** contains information surrounding the circumstance of a sign-in that might indicate suspicious circumstances. For more information on investigating information from this report, see [How To: Investigate risk](../identity-protection/howto-identity-protection-investigate-risk.md).

+* **Risk detections** contains information on risk signals detected by Azure AD Identity Protection that informs sign-in and user risk. For more information, see the [Azure AD security operations guide for user accounts](security-operations-user-accounts.md).

+For more information, see [What is Identity Protection](../identity-protection/overview-identity-protection.md).

+For the best results, we recommend that you monitor your domain controllers using Microsoft Defender for Identity. This approach enables the best detection and automation capabilities. Follow the guidance from these resources:

+If you don't plan to use Microsoft Defender for Identity, monitor your domain controllers by one of these approaches:

+* Event log messages. See [Monitoring Active Directory for Signs of Compromise](/windows-server/identity/ad-ds/plan/security-best-practices/monitoring-active-directory-for-signs-of-compromise).

+* PowerShell cmdlets. See [Troubleshooting Domain Controller Deployment](/windows-server/identity/ad-ds/deploy/troubleshooting-domain-controller-deployment).

+As part of an Azure hybrid environment, the following items should be baselined and included in your monitoring and alerting strategy.

+* **PTA Agent**. The pass-through authentication agent is used to enable pass-through authentication and is installed on-premises. See [Azure AD Pass-through Authentication agent: Version release history](../hybrid/reference-connect-pta-version-history.md) for information on verifying your agent version and next steps.

+* **AD FS/WAP**. Azure Active Directory Federation Services (Azure AD FS) and Web Application Proxy (WAP) enable secure sharing of digital identity and entitlement rights across your security and enterprise boundaries. For information on security best practices, see [Best practices for securing Active Directory Federation Services](/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs).

+* **Azure AD Connect Health Agent**. The agent used to provide a communications link for Azure AD Connect Health. For information on installing the agent, see [Azure AD Connect Health agent installation](../hybrid/how-to-connect-health-agent-install.md).

+* **Azure AD Connect Sync Engine**. The on-premises component, also called the sync engine. For information on the feature, see [Azure AD Connect sync service features](../hybrid/how-to-connect-syncservice-features.md).

+* **Password Protection DC agent**. Azure password protection DC agent is used to help with monitoring and reporting event log messages. For information, see [Enforce on-premises Azure AD Password Protection for Active Directory Domain Services](../authentication/concept-password-ban-bad-on-premises.md).

+* **Password Filter DLL**. The password filter DLL of the DC Agent receives user password-validation requests from the operating system. The filter forwards them to the DC Agent service that's running locally on the DC. For information on using the DLL, see [Enforce on-premises Azure AD Password Protection for Active Directory Domain Services](../authentication/concept-password-ban-bad-on-premises.md).

+* **Password writeback Agent**. Password writeback is a feature enabled with [Azure AD Connect](../hybrid/whatis-hybrid-identity.md) that allows password changes in the cloud to be written back to an existing on-premises directory in real time. For more information on this feature, see [How does self-service password reset writeback work in Azure Active Directory](../authentication/concept-sspr-writeback.md).

+* **Azure AD Application Proxy Connector**. Lightweight agents that sit on-premises and facilitate the outbound connection to the Application Proxy service. For more information, see [Understand Azure ADF Application Proxy connectors](../app-proxy/application-proxy-connectors.md).

+As part of an Azure cloud-based environment, the following items should be baselined and included in your monitoring and alerting strategy.

+* **Azure AD Application Proxy**. This cloud service provides secure remote access to on-premises web applications. For more information, see [Remote access to on-premises applications through Azure AD Application Proxy](../app-proxy/application-proxy-connectors.md).

+* **Azure AD Connect**. Services used for an Azure AD Connect solution. For more information, see [What is Azure AD Connect](../hybrid/whatis-azure-ad-connect.md).

+* **Azure AD Connect Health**. Service Health provides you with a customizable dashboard that tracks the health of your Azure services in the regions where you use them. For more information, see [Azure AD Connect Health](../hybrid/whatis-azure-ad-connect.md).

+* **Azure AD multifactor authentication**. Multifactor authentication requires a user to provide more than one form of proof for authentication. This approach can provide a proactive first step to securing your environment. For more information, see [Azure AD multi-factor authentication](../authentication/concept-mfa-howitworks.md).

+* **Dynamic groups**. Dynamic configuration of security group membership for Azure AD Administrators can set rules to populate groups that are created in Azure AD based on user attributes. For more information, see [Dynamic groups and Azure Active Directory B2B collaboration](../external-identities/use-dynamic-groups.md).

+* **Conditional Access**. Conditional Access is the tool used by Azure Active Directory to bring signals together, to make decisions, and enforce organizational policies. Conditional Access is at the heart of the new identity driven control plane. For more information, see [What is Conditional Access](../conditional-access/overview.md).

+* **Identity Protection**. A tool that enables organizations to automate the detection and remediation of identity-based risks, investigate risks using data in the portal, and export risk detection data to your SIEM. For more information, see [What is Identity Protection](../identity-protection/overview-identity-protection.md).

+* **Group-based licensing**. Licenses can be assigned to groups rather than directly to users. Azure AD stores information about license assignment states for users.

+* **Provisioning Service**. Provisioning refers to creating user identities and roles in the cloud applications that users need access to. In addition to creating user identities, automatic provisioning includes the maintenance and removal of user identities as status or roles change. For more information, see [How Application Provisioning works in Azure Active Directory](../app-provisioning/how-provisioning-works.md).

+* **Graph API**. The Microsoft Graph API is a RESTful web API that enables you to access Microsoft Cloud service resources. After you register your app and get authentication tokens for a user or service, you can make requests to the Microsoft Graph API. For more information, see [Overview of Microsoft Graph](/graph/overview).

+* **Domain Service**. Azure Active Directory Domain Services (AD DS) provides managed domain services such as domain join, group policy. For more information, see [What is Azure Active Directory Domain Services](../../active-directory-domain-services/overview.md).

+* **Azure Resource Manager**. Azure Resource Manager is the deployment and management service for Azure. It provides a management layer that enables you to create, update, and delete resources in your Azure account. For more information, see [What is Azure Resource Manager](../../azure-resource-manager/management/overview.md).

+* **Managed identity**. Managed identities eliminate the need for developers to manage credentials. Managed identities provide an identity for applications to use when connecting to resources that support Azure AD authentication. For more information, see [What are managed identities for Azure resources](../managed-identities-azure-resources/overview.md).

+* **Privileged Identity Management**. PIM is a service in Azure AD that enables you to manage, control, and monitor access to important resources in your organization. For more information, see [What is Azure AD Privileged Identity Management](../privileged-identity-management/pim-configure.md).

+* **Access reviews**. Azure AD access reviews enable organizations to efficiently manage group memberships, access to enterprise applications, and role assignments. User's access can be reviewed regularly to make sure only the right people have continued access. For more information, see [What are Azure AD access reviews](../governance/access-reviews-overview.md).

+* **Entitlement management**. Azure AD entitlement management is an [identity governance](../governance/identity-governance-overview.md) feature. Organizations can manage identity and access lifecycle at scale, by automating access request workflows, access assignments, reviews, and expiration. For more information, see [What is Azure AD entitlement management](../governance/entitlement-management-overview.md).

+* **Activity logs**. The Activity log is an Azure [platform log](../../azure-monitor/essentials/platform-logs-overview.md) that provides insight into subscription-level events. This log includes such information as when a resource is modified or when a virtual machine is started. For more information, see [Azure Activity log](../../azure-monitor/essentials/activity-log.md).

+* **Self-service password reset service**. Azure AD self-service password reset (SSPR) gives users the ability to change or reset their password. The administrator or help desk isn't required. For more information, see [How it works: Azure AD self-service password reset](../authentication/concept-sspr-howitworks.md).

+* **Device services**. Device identity management is the foundation for [device-based Conditional Access](../conditional-access/require-managed-devices.md). With device-based Conditional Access policies, you can ensure that access to resources in your environment is only possible with managed devices. For more information, see [What is a device identity](../devices/overview.md).

+* **Self-service group management**. You can enable users to create and manage their own security groups or Microsoft 365 groups in Azure AD. The owner of the group can approve or deny membership requests and can delegate control of group membership. Self-service group management features aren't available for mail-enabled security groups or distribution lists. For more information, see [Set up self-service group management in Azure Active Directory](../enterprise-users/groups-self-service-management.md).

+* **Risk detections**. Contains information about other risks triggered when a risk is detected and other pertinent information such as sign-in location and any details from Microsoft Defender for Cloud Apps.

+* [Azure AD security operations overview](security-operations-introduction.md)

+* [Security operations for user accounts](security-operations-user-accounts.md)

+* [Security operations for privileged accounts](security-operations-privileged-accounts.md)

+* [Security operations for Privileged Identity Management](security-operations-privileged-identity-management.md)

+* [Security operations for applications](security-operations-applications.md)

+* [Security operations for devices](security-operations-devices.md)

+* [Security operations for infrastructure](security-operations-infrastructure.md)

+ Title: Security operations for privileged accounts in Azure Active Directory

+description: Learn about baselines, and how to monitor and alert on potential security issues with privileged accounts in Azure Active Directory.

+# Security operations for privileged accounts in Azure Active Directory

+## Log files to monitor

+* **[Microsoft Sentinel](../../sentinel/overview.md)**. Enables intelligent security analytics at the enterprise level by providing security information and event management (SIEM) capabilities.

+* **[Azure Monitor](../../azure-monitor/overview.md)**. Enables automated monitoring and alerting of various conditions. Can create or use workbooks to combine data from different sources.

+* **[Azure Event Hubs](../../event-hubs/event-hubs-about.md)** integrated with a SIEM. Enables Azure AD logs to be pushed to other SIEMs such as Splunk, ArcSight, QRadar, and Sumo Logic via the Azure Event Hubs integration. For more information, see [Stream Azure Active Directory logs to an Azure event hub](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md).

+* **[Microsoft Defender for Cloud Apps](/cloud-app-security/what-is-cloud-app-security)**. Enables you to discover and manage apps, govern across apps and resources, and check your cloud apps' compliance.

+* **Microsoft Graph**. Enables you to export data and use Microsoft Graph to do more analysis. For more information, see [Microsoft Graph PowerShell SDK and Azure Active Directory Identity Protection](../identity-protection/howto-identity-protection-graph-api.md).

+* **[Identity Protection](../identity-protection/overview-identity-protection.md)**. Generates three key reports you can use to help with your investigation:

+ * **Risky users**. Contains information about which users are at risk, details about detections, history of all risky sign-ins, and risk history.

+ * **Risky sign-ins**. Contains information about a sign-in that might indicate suspicious circumstances. For more information on investigating information from this report, see [Investigate risk](../identity-protection/howto-identity-protection-investigate-risk.md).

+ * **Risk detections**. Contains information about other risks triggered when a risk is detected and other pertinent information such as sign-in location and any details from Microsoft Defender for Cloud Apps.

+* **[Securing workload identities with Identity Protection Preview](..//identity-protection/concept-workload-identity-risk.md)**. Use to detect risk on workload identities across sign-in behavior and offline indicators of compromise.

+* Are protected with multifactor authentication at a minimum.

+The rest of this article describes what we recommend you monitor and alert on. The article is organized by the type of threat. Where there are specific prebuilt solutions, we link to them following the table. Otherwise, you can build alerts by using the tools described above.

+This article provides details on setting baselines and auditing sign-in and usage of privileged accounts. It also discusses tools and resources you can use to help maintain the integrity of your privileged accounts. The content is organized into the following subjects:

+It's important that you prevent being accidentally locked out of your Azure AD tenant. You can mitigate the effect of an accidental lockout by creating emergency access accounts in your organization. Emergency access accounts are also known as *break-glass accounts*, as in "break glass in case of emergency" messages found on physical security equipment like fire alarms.

+* Sign-in.

+* Account password change.

+* Account permission or roles changed.

+* Credential or auth method added or changed.

+| Privileged accounts that don't follow naming policy| | Azure subscription | [List Azure role assignments using the Azure portal](../../role-based-access-control/role-assignments-list-portal.md)| List role assignments for subscriptions and alert where the sign-in name doesn't match your organization's format. An example is the use of ADM_ as a prefix. |

+| Interrupt | High, medium | Azure AD Sign-ins | Status = Interrupted<br>-and-<br>error code = 50074<br>-and-<br>Failure reason = Strong auth required<br>Status = Interrupted<br>-and-<br>Error code = 500121<br>Failure reason = Authentication failed during strong authentication request | This event can be an indication an attacker has the password for the account but can't pass the multifactor authentication challenge.<br>[Azure Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AADPrivilegedAccountsFailedMFA.yaml) |

+| Discover privileged accounts not registered for multifactor authentication | High | Microsoft Graph API| Query for IsMFARegistered eq false for admin accounts. [List credentialUserRegistrationDetails - Microsoft Graph beta](/graph/api/reportroot-list-credentialuserregistrationdetails?view=graph-rest-beta&preserve-view=true&tabs=http) | Audit and investigate to determine if the event is intentional or an oversight. |

+| MFA fraud alert or block | High | Azure AD Sign-ins log/Azure Log Analytics | Sign-ins>Authentication details Result details = MFA denied, fraud code entered | Privileged user has indicated they haven't instigated the multi-factor authentication prompt, which could indicate an attacker has the password for the account.<br>[Azure Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/MFARejectedbyUser.yaml) |

+| MFA fraud alert or block | High | Azure AD Audit log log/Azure Log Analytics | Activity type = Fraud reported - User is blocked for MFA or fraud reported - No action taken (based on tenant-level settings for fraud report) | Privileged user has indicated they haven't instigated the multi-factor authentication prompt, which could indicate an attacker has the password for the account.<br>[Azure Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/MFARejectedbyUser.yaml) |

+| Administrators authenticating to other Azure AD tenants| Medium| Azure AD Sign-ins log| Status = success<br><br>Resource tenantID != Home Tenant ID| When scoped to Privileged Users, this monitor detects when an administrator has successfully authenticated to another Azure AD tenant with an identity in your organization's tenant. <br><br>Alert if Resource TenantID isn't equal to Home Tenant ID |

+|Admin User state changed from Guest to Member|Medium|Azure AD Audit logs|Activity: Update user<br><br>Category: UserManagement<br><br>UserType changed from Guest to Member|Monitor and alert on change of user type from Guest to Member.<br><br> Was this change expected?

+Privileged accounts that have been assigned permissions in Azure AD Domain Services can perform tasks for Azure AD Domain Services that affect the security posture of your Azure-hosted virtual machines that use Azure AD Domain Services. Enable security audits on virtual machines and monitor the logs. For more information on enabling Azure AD Domain Services audits and for a list of sensitive privileges, see the following resources:

+| What to monitor | Risk level | Where | Filter/subfilter | Notes |

+||||-|-|

+| Attempted and completed changes | High | Azure AD Audit logs | Date and time<br>-and-<br>Service<br>-and-<br>Category and name of the activity (what)<br>-and-<br>Status = Success or failure<br>-and-<br>Target<br>-and-<br>Initiator or actor (who) | Any unplanned changes should be alerted on immediately. These logs should be retained to help with any investigation. Any tenant-level changes should be investigated immediately (link out to Infra doc) that would lower the security posture of your tenant. An example is excluding accounts from multifactor authentication or Conditional Access. Alert on any additions or changes to applications. See [Azure Active Directory security operations guide for Applications](security-operations-applications.md). |

+| **EXAMPLE**<br>Attempted or completed change to high-value apps or services | High | Audit log | Service<br>-and-<br>Category and name of the activity | <li>Date and time <li>Service <li>Category and name of the activity <li>Status = Success or failure <li>Target <li>Initiator or actor (who) |

+| Privileged changes in Azure AD Domain Services | High | Azure AD Domain Services | Look for event [4673](/windows/security/threat-protection/auditing/event-4673) | [Enable security audits for Azure Active Directory Domain Services](../../active-directory-domain-services/security-audit-events.md)<br>For a list of all privileged events, see [Audit Sensitive Privilege use](/windows/security/threat-protection/auditing/audit-sensitive-privilege-use). |

+| Accounts exempt from Conditional Access| High| Azure Monitor Logs<br>-or-<br>Access Reviews| Conditional Access = Insights and reporting| Any account exempt from Conditional Access is most likely bypassing security controls and is more vulnerable to compromise. Break-glass accounts are exempt. See information on how to monitor break-glass accounts later in this article.|

+| Addition of a Temporary Access Pass to a privileged account| High| Azure AD Audit logs| Activity: Admin registered security info<br><br>Status Reason: Admin registered temporary access pass method for user<br><br>Category: UserManagement<br><br>Initiated by (actor): User Principal Name<br><br>Target: User Principal Name|Monitor and alert on a Temporary Access Pass being created for a privileged user.

+To monitor for exceptions, you must first create a baseline. Determine the following information for these elements

+* **Admin accounts**

+ * Your privileged account strategy

+ * Use of on-premises accounts to administer on-premises resources

+ * Use of cloud-based accounts to administer cloud-based resources

+ * Approach to separating and monitoring administrative permissions for on-premises and cloud-based resources

+* **Privileged role protection**

+ * Protection strategy for roles that have administrative privileges

+ * Organizational policy for using privileged accounts

+ * Strategy and principles for maintaining permanent privilege versus providing time-bound and approved access

+The following concepts and information help determine policies:

+* **Just-in-time admin principles**. Use the Azure AD logs to capture information for performing administrative tasks that are common in your environment. Determine the typical amount of time needed to complete the tasks.

+* **Just-enough admin principles**. Determine the least-privileged role, which might be a custom role, that's needed for administrative tasks. For more information, see [Least privileged roles by task in Azure Active Directory](../roles/delegate-by-task.md).

+* **Establish an elevation policy**. After you have insight into the type of elevated privilege needed and how long is needed for each task, create policies that reflect elevated privileged usage for your environment. As an example, define a policy to limit Global admin access to one hour.

+After you establish your baseline and set policy, you can configure monitoring to detect and alert usage outside of policy.

+You can monitor privileged account changes by using Azure AD Audit logs and Azure Monitor logs. Include the following changes in your monitoring process.

+## Next steps

+In Azure AD entitlement management, an administrator can define that an access package is incompatible with another access package or with a group. Users who have the incompatible memberships will be then unable to request more access. [Learn more](../governance/entitlement-management-access-package-request-policy.md#prevent-requests-from-users-with-incompatible-access).

+When you [create an access package](entitlement-management-access-package-create.md), you can create one or more access package policies that set conditions for which users can request an access package, what the approval process looks like, and how often a person would have to re-request access or have their access reviewed. Access reviews are configured while you create or edit those access package policies.

+As an access package manager, you can change the approval and requestor information settings for an access package at any time by editing an existing policy or adding a new policy for requesting access.

+This article describes how to change the approval and requestor information settings for an existing access package, through an access package's policy.

+After you have configured requestor information in your access package's policy, can view the requestor's responses to the questions. For guidance on seeing requestor information, see [View requestor's answers to questions](entitlement-management-request-approve.md#view-requestors-answers-to-questions).

+You can remove an assignment that a user or an administrator had previously requested.

+1. [Create an accessPackageAssignmentPolicy](/graph/api/entitlementmanagement-post-accesspackageassignmentpolicies?tabs=http&view=graph-rest-beta&preserve-view=true) for each policy needed in the access package.

+As an access package manager, you can change the lifecycle settings for assignments in an access package at any time by editing an existing policy. If you change the expiration date for assignments on a policy, the expiration date for requests that are already in a pending approval or approved state will not change.

+When you create an access package, you specify the request, approval and lifecycle settings, which are stored on the first policy of the access package. Most access packages will have a single policy, but a single access package can have multiple policies. You would create multiple policies for an access package if you want to allow different sets of users to be granted assignments with different request and approval settings.

+ > All users from the selected connected organizations can request this access package. For a connected organization that has an Azure AD directory, users from all verified domains associated with the Azure AD directory can request, unless those domains are blocked by the Azure B2B allow or deny list. For more information, see [Allow or block invitations to B2B users from specific organizations](../external-identities/allow-deny-list.md).

+## Prevent requests from users with incompatible access

+In Azure AD entitlement management, you can see who has requested access packages, the policy for their request, and the status of their request. This article describes how to view requests for an access package, and remove requests that are no longer needed.

+description: Learn how to set up an access review in a policy for entitlement management access packages in Azure Active Directory.

+#Customer intent: As an administrator, I want to create an access review for my access packages so I can review the active assignments of my users to ensure everyone has the appropriate access.

+description: Learn how to review user access of entitlement management access packages in Azure Active Directory access reviews.

+Typically, when a request is approved, entitlement management will provision the user with the necessary access. If the user isn't already in your directory, entitlement management will first invite the user. When the user is invited, Azure AD will automatically create a B2B guest account for them but won't send the user an email. Note that an administrator may have previously limited which organizations are allowed for collaboration, by setting a [B2B allow or deny list](../external-identities/allow-deny-list.md) to allow or block invites to other organization's domains. If the user's domain isn't allowed by those lists, then they won't be invited and can't be assigned access until the lists are updated.

+1. If the policy settings include an expiration date, then later when the access package assignment for the external user expires, the external user's access rights from that access package are removed.

+- If you have been previously using the B2B allow list, you must either remove that list, or make sure all the domains of all the organizations you want to partner with using entitlement management are added to the list. Alternatively, if you are using the B2B deny list, you must make sure no domain of any organization you want to partner with is present on that list.

+- If you create an entitlement management policy for **All users** (All connected organizations + any new external users), and a user doesnΓÇÖt belong to a connected organization in your directory, a connected organization will automatically be created for them when they request the package. However, any B2B [allow or deny list](../external-identities/allow-deny-list.md) settings you have will take precedence. Therefore, you will want to remove the allow list, if you were using one, so that **All users** can request access, and exclude all authorized domains from your deny list if you are using a deny list.

+

+ > [!NOTE]

+ > If you create a connected organization for an Azure AD tenant from a different Microsoft cloud, you also need to configure cross-tenant access settings appropriately. For more information on how to configure these settings, see [Configure cross-tenant access settings](../external-identities/cross-cloud-settings.md).

+## Add custom extension to a policy in an access package

+1. Select the access package you want to add a custom extension (Logic App) to from the list of access packages that have already been created.

+ > Select **New access package** if you want to create a new access package.

+1. Change to the policy tab, select the policy and select **Edit**.

+1. In the policy settings, go to the **Custom Extensions (Preview)** tab.

+1. In the menu below **Stage**, select the access package event you wish to use as trigger for this custom extension (Logic App). For example, if you only want to trigger the custom extension Logic App workflow when a user requests the access package, select **Request is created**.

+1. In the menu below **Custom Extension**, select the custom extension (Logic App) you want to add to the access package. The do action you select will execute when the event selected in the when field occurs.

+1. Select **Update** to add it to an existing access package's policy.

+* users in another Azure AD directory (from any Microsoft cloud),

+In addition, you can have a connected organization for users with a Microsoft Account, such as from the domain *live.com*.

+In this case, you can configure two connected organizations. You create one connected organization for Graphic Design Institute and one for Contoso. If you then add the two connected organizations to a policy, users from each organization with a user principal name that matches the policy can request access packages. Users with a user principal name that has a domain of contoso.com would match the Contoso-connected organization and would also be allowed to request packages. Users with a user principal name that has a domain of *graphicdesigninstitute.com* would match the Graphic Design Institute-connected organization and be allowed to submit requests. And, because Graphic Design Institute uses Azure AD, any users with a principal name that matches a [verified domain](../fundamentals/add-custom-domain.md#verify-your-custom-domain-name) that's added to their tenant, such as *graphicdesigninstitute.example*, would also be able to request access packages by using the same policy. If you have [email one-time passcode (OTP) authentication](../external-identities/one-time-passcode.md) turned on, that includes users from those domains that aren't yet part of Azure AD directories who'll authenticate using email OTP when accessing your resources.

+1. Confirm that the organization name and authentication type are correct. User sign in, prior to being able to access the myaccess portal, depends on the authentication type for their organization. If the authentication type for a connected organization is Azure AD, then all users with an account in any verified domain of that Azure AD directory will sign into their directory, and then can request access to access packages that allow that connected organization. If the authentication type is One-time passcode, this allows users with email addresses from just that domain to visit the myaccess portal. Then, after they authenticate with the passcode, the user can make a request.

+ > Access from some domains could be blocked by the Azure AD business to business (B2B) allow or deny list. For more information, see [Allow or block invitations to B2B users from specific organizations](../external-identities/allow-deny-list.md).

+1. Select **Add** to add the Azure AD directory or domain. Currently, you can add only one Azure AD directory or domain per connected organization.

+ Here are the types of resources you can manage user's access to, with entitlement management:

+Access packages also include one or more *policies*. A policy defines the rules or guardrails for assignment to access package. Each policy can be used to ensure that only the appropriate users are able to have access assignments, and the access is time-limited and will expire if not renewed.

+You can have policies for users to request access. In these kinds of policies, an administrator or access package manager defines

+You can also have policies for users to be assigned access, either by an administrator or automatically.

+ "additionalProperties": ["netbios_domain_and_sam_account_name", "emit_as_roles"]

+ "additionalProperties": ["netbios_domain_and_sam_account_name", "emit_as_roles"]

+- [Configure role claims](../../active-directory/develop/active-directory-enterprise-app-role-management.md)

+The export.csv file contains all changes that are about to be exported. Each row corresponds to a change for an object in the connector space and the object is identified by the DN attribute. The DN attribute is a unique identifier assigned to an object in the connector space. When you have many rows/changes in the export.csv to analyze, it may be difficult for you to figure out which objects the changes are for based on the DN attribute alone. To simplify the process of analyzing the changes, use the `csanalyzer.ps1` PowerShell script. The script retrieves common identifiers (for example, displayName, userPrincipalName) of the objects. To use the script:

+```powershell

+if($result)

+ do 

+ #create the object placeholder

+ #adding them up here means we can enforce consistency

+ $objOutputUser=New-Object psobject

+ Add-Member -InputObject $objOutputUser -MemberType NoteProperty -Name ID -Value ""

+ Add-Member -InputObject $objOutputUser -MemberType NoteProperty -Name Type -Value ""

+ Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name DN -Value ""

+ Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name operation -Value ""

+ Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name UPN -Value ""

+ Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name displayName -Value ""

+ Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name sourceAnchor -Value ""

+ Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name alias -Value ""

+ Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name primarySMTP -Value ""

+ Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name onPremisesSamAccountName -Value ""

+ Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name mail -Value ""

+ $user = [System.Xml.Linq.XElement]::ReadFrom($reader)

+ if ($showOutput) {Write-Host Found an exported object... -ForegroundColor Green}

+ #object id

+ $outID=$user.Attribute('id').Value

+ if ($showOutput) {Write-Host ID: $outID}

+ $objOutputUser.ID=$outID

+ #object type

+ $outType=$user.Attribute('object-type').Value

+ if ($showOutput) {Write-Host Type: $outType}

+ $objOutputUser.Type=$outType

+ #dn

+ $outDN= $user.Element('unapplied-export').Element('delta').Attribute('dn').Value

+ if ($showOutput) {Write-Host DN: $outDN}

+ $objOutputUser.DN=$outDN

+ #operation

+ $outOperation= $user.Element('unapplied-export').Element('delta').Attribute('operation').Value

+ if ($showOutput) {Write-Host Operation: $outOperation}

+ $objOutputUser.operation=$outOperation

+ #now that we have the basics, go get the details

+ foreach ($attr in $user.Element('unapplied-export-hologram').Element('entry').Elements("attr"))

+ $attrvalue=$attr.Attribute('name').Value

+ $internalvalue= $attr.Element('value').Value

+ switch ($attrvalue)

+ "userPrincipalName"

+ {

+ if ($showOutput) {Write-Host UPN: $internalvalue}

+ $objOutputUser.UPN=$internalvalue

+ }

+ "displayName"

+ {

+ if ($showOutput) {Write-Host displayName: $internalvalue}

+ $objOutputUser.displayName=$internalvalue

+ }

+ "sourceAnchor"

+ {

+ if ($showOutput) {Write-Host sourceAnchor: $internalvalue}

+ $objOutputUser.sourceAnchor=$internalvalue

+ }

+ "alias"

+ {

+ if ($showOutput) {Write-Host alias: $internalvalue}

+ $objOutputUser.alias=$internalvalue

+ }

+ "proxyAddresses"

+ {

+ if ($showOutput) {Write-Host primarySMTP: ($internalvalue -replace "SMTP:","")}

+ $objOutputUser.primarySMTP=$internalvalue -replace "SMTP:",""

+ }

+ $objOutputUsers += $objOutputUser

+ Write-Progress -activity "Processing ${xmltoimport} in batches of ${batchsize}" -status "Batch ${outputfilecount}: " -percentComplete (($objOutputUsers.Count / $batchsize) * 100)

+ #every so often, dump the processed users in case we blow up somewhere

+ if ($count % $batchsize -eq 0)

+ {

+ Write-Host Hit the maximum users processed without completion... -ForegroundColor Yellow

+ #export the collection of users as a CSV

+ Write-Host Writing processedusers${outputfilecount}.csv -ForegroundColor Yellow

+ $objOutputUsers | Export-Csv -path processedusers${outputfilecount}.csv -NoTypeInformation

+ #increment the output file counter

+ $outputfilecount+=1

+ #reset the collection and the user counter

+ $objOutputUsers = $null

+ $count=0

+ }

+ $count+=1

+ #need to bail out of the loop if no more users to process

+ if ($reader.NodeType -eq [System.Xml.XmlNodeType]::EndElement)

+ {

+ break

+ }

+ } while ($reader.Read)

+ #need to write out any users that didn't get picked up in a batch of 1000

+ #export the collection of users as CSV

+ Write-Host Writing processedusers${outputfilecount}.csv -ForegroundColor Yellow

+ $objOutputUsers | Export-Csv -path processedusers${outputfilecount}.csv -NoTypeInformation

+}

+else

+{

+ Write-Host "Imported XML file is empty. No work to do." -ForegroundColor Red

+}

+>Azure AD Connect v1.6.xx.x uses the ADAL library. The ADAL library is being deprecated and support will end in June 2022. Microsoft recommends that you upgrade to the latest version of [Azure AD Connect v2](whatis-azure-ad-connect-v2.md).

+If password reset is not an option for you from the Azure AD portal, you can choose to manually dismiss user risk. Dismissing user risk does not have any impact on the user's existing password, but this process will change the user's Risk State from At Risk to Dismissed. It is important that you change the user's password using whatever means are available to you in order to bring the identity back to a safe state.

+- [What is Azure AD B2B collaboration?](../external-identities/what-is-b2b.md)

+- [F5-BIG-IP Easy Button for SSO to Oracle EBS (Enterprise Business Suite)](f5-big-ip-oracle-enterprise-business-suite-easy-button.md)

+- [F5-BIG-IP Easy Button for SSO to Oracle JD Edwards](f5-big-ip-oracle-jde-easy-button.md)

+- [F5-BIG-IP Easy Button for SSO to SAP ERP](f5-big-ip-sap-erp-easy-button.md)

+This script uses the [Client_Credential Oauth Flow](../../develop/v2-oauth2-client-creds-grant-flow.md)

+| [Invoke-WebRequest](/powershell/module/microsoft.powershell.utility/invoke-webrequest) | Sends HTTP and HTTPS requests to a web page or web service. It parses the response and returns collections of links, images, and other significant HTML elements. |

+Azure Active Directory (Azure AD) lets you assign a cloud Azure AD security group to an Azure AD role. A Global Administrator or Privileged Role Administrator must create a new security group and make the group role-assignable at creation time. Only the Global Administrator, Privileged Role Administrator, or the group Owner role assignments can change the membership of the group. Also, no other users can reset the password of the users who are members of the group. This feature helps prevent an admin from elevating to a higher privileged role without going through a request and approval procedure.

+## When to use a role-assignable group

+If you want to assign a group to an Azure AD or Azure Resource role and require elevation through a PIM process, there's only one way to do it:

+- **Assign the group persistently to a role**. Then, in PIM, you can grant users eligible role assignments to the group. Each eligible user must activate their role assignment to become members of the group, and activation is subject to approval policies. This path requires a role-assignable group to be enabled in PIM as a privileged access group for the Azure AD role.

+This method allows maximum granularity of permissions. Use this method to:

+- Maintain different activation policies for different sets of users to access an Azure AD or Azure resource role. For example, if you want some users to be approved before becoming a Global Administrator while allowing other users to be auto-approved, you could set up two privileged access groups, assign them both persistently (a "permanent" assignment in Privileged Identity Management) to the Global Administrator role and then use a different activation policy for the Member role for each group.

+If your organization uses a ticketing system to track help desk items or change requests for your environment, you can select the **Require ticket information on activation** box to require the elevation request to contain the name of the ticketing system (optional, if your organization uses multiple systems) and the ticket number that prompted the need for role activation.

+## Manage role settings through Microsoft Graph

+To manage settings for Azure AD roles through Microsoft Graph, use the [unifiedRoleManagementPolicy resource type and related methods](/graph/api/resources/unifiedrolemanagementpolicy).

+In Microsoft Graph, role settings are referred to as rules and they're assigned to Azure AD roles through container policies. Each Azure AD role is assigned a specific policy object. You can retrieve all policies that are scoped to Azure AD roles and for each policy, retrieve the associated collection of rules through an `$expand` query parameter. The syntax for the request is as follows:

+```http

+GET https://graph.microsoft.com/v1.0/policies/roleManagementPolicies?$filter=scopeId eq '/' and scopeType eq 'DirectoryRole'&$expand=rules

+```

+Rules are grouped into containers. The containers are further broken down into rule definitions that are identified by unique IDs for easier management. For example, a **unifiedRoleManagementPolicyEnablementRule** container exposes three rule definitions identified by the following unique IDs.

+To update these rule definitions, use the [update rules API](/graph/api/unifiedrolemanagementpolicyrule-update). For example, the following request specifies an empty **enabledRules** collection, therefore deactivating the enabled rules for a policy, such as multifactor authentication, ticketing information and justification.

+```http

+PATCH https://graph.microsoft.com/v1.0/policies/roleManagementPolicies/DirectoryRole_cab01047-8ad9-4792-8e42-569340767f1b_70c808b5-0d35-4863-a0ba-07888e99d448/rules/Enablement_EndUser_Assignment

+{

+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule",

+ "id": "Enablement_EndUser_Assignment",

+ "enabledRules": [],

+ "target": {

+ "caller": "EndUser",

+ "operations": [

+ "all"

+ ],

+ "level": "Assignment",

+ "inheritableSettings": [],

+ "enforcedSettings": []

+ }

+}

+```

+You can retrieve the collection of rules that are applied to all Azure AD roles or a specific Azure AD role through the [unifiedroleManagementPolicyAssignment resource type and related methods](/graph/api/resources/unifiedrolemanagementpolicyassignment). For example, the following request uses the `$expand` query parameter to retrieve the rules that are applied to an Azure AD role identified by **roleDefinitionId** or **templateId** `62e90394-69f5-4237-9190-012177145e10`.

+```http

+GET https://graph.microsoft.com/v1.0/policies/roleManagementPolicyAssignments?$filter=scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '62e90394-69f5-4237-9190-012177145e10'&$expand=policy($expand=rules)

+```

+For more information about managing role settings through PIM, see [Role settings and PIM](/graph/api/resources/privilegedidentitymanagementv3-overview#role-settings-and-pim).

+Alert | Severity | Trigger | Recommendation

+ | | |

+**Too many owners assigned to a resource** |Medium |Too many users have the owner role. |Review the users in the list and reassign some to less privileged roles.

+**Too many permanent owners assigned to a resource** |Medium |Too many users are permanently assigned to a role. |Review the users in the list and re-assign some to require activation for role use.

+**Duplicate role created** |Medium |Multiple roles have the same criteria. |Use only one of these roles.

+**Roles are being assigned outside of Privileged Identity Management (Preview)** | High | A role is managed directly through the Azure IAM resource blade or the Azure Resource Manager API | Review the users in the list and remove them from privileged roles assigned outside of Privilege Identity Management.

+> [!Note]

+> During the public preview of the **Roles are being assigned outside of Privileged Identity Management (Preview)** alert, Microsoft supports only permissions that are assigned at the subscription level.

+| Create or delete administrative units | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |

+| Add or remove members individually | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |

+| Add or remove members in bulk | :x: | :heavy_check_mark: | :heavy_check_mark: |

+| Assign administrative unit-scoped administrators | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |

+| Administrative unit-scoped creation and deletion of groups | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |

+| Administrative unit-scoped management of group properties and membership | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |

+ Title: Group management permissions for Azure AD custom roles - Azure Active Directory

+description: Group management permissions for Azure AD custom roles in the Azure portal, PowerShell, or Microsoft Graph API.

+# Group management permissions for Azure AD custom roles

+## License requirements

+My Staff is based on administrative units, which are a container of resources which can be used to restrict the scope of a role assignment's administrative control. For more information, see [Administrative units management in Azure Active Directory](administrative-units.md). In My Staff, administrative units can be used to contain a group of users in a store or department. A team manager can then be assigned to an administrative role at a scope of one or more units.

+1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com) as a Global Administrator, User Administrator, or Group Administrator.

+> | microsoft.directory/crossTenantAccessPolicies/allProperties/allTasks | Manage all aspects of cross-tenant access policies |

+> | microsoft.directory/lifecycleManagement/workflows/allProperties/allTasks | Manage all aspects of lifecycle management workflows and tasks in Azure AD |

+> | microsoft.directory/crossTenantAccessPolicies/allProperties/read | Read all properties of cross-tenant access policies |

+> | microsoft.directory/lifecycleManagement/workflows/allProperties/read | Read all properties of lifecycle management workflows and tasks in Azure AD |

+> | microsoft.directory/crossTenantAccessPolicies/create | Create cross-tenant access policies |

+> | microsoft.directory/crossTenantAccessPolicies/delete | Delete cross-tenant access policies |

+> | microsoft.directory/crossTenantAccessPolicies/standard/read | Read basic properties of cross-tenant access policies |

+> | microsoft.directory/crossTenantAccessPolicies/owners/read | Read owners of cross-tenant access policies |

+> | microsoft.directory/crossTenantAccessPolicies/policyAppliedTo/read | Read the policyAppliedTo property of cross-tenant access policies |

+> | microsoft.directory/crossTenantAccessPolicies/basic/update | Update basic properties of cross-tenant access policies |

+> | microsoft.directory/crossTenantAccessPolicies/owners/update | Update owners of cross-tenant access policies |

+> | microsoft.directory/crossTenantAccessPolicies/tenantDefault/update | Update the default tenant for cross-tenant access policies |

+ Title: 'Tutorial: Configure Alinto Protect for automatic user provisioning with Azure Active Directory | Microsoft Docs'

+description: Learn how to automatically provision and de-provision user accounts from Azure AD to Alinto Protect.

+writer: twimmers

+ms.assetid: cc47804c-2d00-402f-8aa5-b6155a81d78d

+# Tutorial: Configure Alinto Protect for automatic user provisioning

+This tutorial describes the steps you need to do in both Alinto Protect and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Alinto Protect](https://www.alinto.com/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).

+## Capabilities supported

+> [!div class="checklist"]

+> * Create users in Alinto Protect

+> * Remove users in Alinto Protect when they do not require access anymore

+> * Keep user attributes synchronized between Azure AD and Alinto Protect

+> * [Single sign-on](../manage-apps/add-application-portal-setup-oidc-sso.md) to Alinto Protect (recommended).

+## Prerequisites

+The scenario outlined in this tutorial assumes that you already have the following prerequisites:

+* [An Azure AD tenant](../develop/quickstart-create-new-tenant.md)

+* A user account in Azure AD with [permission](../roles/permissions-reference.md) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).

+* A user account in Alinto Protect with Admin permission

+## Step 1. Plan your provisioning deployment

+1. Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md).

+1. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+1. Determine what data to [map between Azure AD and Alinto Protect](../app-provisioning/customize-application-attributes.md).

+## Step 2. Configure Alinto Protect to support provisioning with Azure AD

+Contact [Alinto Protect Support](https://www.alinto.com/contact-email-provider/) to configure Alinto to support provisioning with Azure AD.

+## Step 3. Add Alinto Protect from the Azure AD application gallery

+Add Alinto Protect from the Azure AD application gallery to start managing provisioning to Alinto Protect. If you have previously setup Alinto Protect for SSO, you can use the same application. However it's recommended you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md).

+## Step 4. Define who will be in scope for provisioning

+The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user and group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+* If you need additional roles, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add new roles.

+## Step 5. Configure automatic user provisioning to Alinto Protect

+This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users and groups in Alinto Protect based on user and group assignments in Azure AD.

+### To configure automatic user provisioning for Alinto Protect in Azure AD:

+1. Sign in to the [Azure portal](https://portal.azure.com). Select **Enterprise Applications**, then select **All applications**.

+ 

+1. In the applications list, select **Alinto Protect**.

+ 

+1. Select the **Provisioning** tab.

+ 

+1. Set the **Provisioning Mode** to **Automatic**.

+ 

+1. In the **Admin Credentials** section, input your Alinto Protect Tenant URL and Secret Token. Click **Test Connection** to ensure Azure AD can connect to Alinto Protect. If the connection fails, ensure your Alinto Protect account has Admin permissions and try again.

+ 

+1. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box.

+ 

+1. Select **Save**.

+1. In the **Mappings** section, select **Synchronize Azure Active Directory Users to Alinto Protect**.

+1. Review the user attributes that are synchronized from Azure AD to Alinto Protect in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Alinto Protect for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you'll need to ensure that the Alinto Protect API supports filtering users based on that attribute. Select the **Save** button to commit any changes.

+ |Attribute|Type|Supported for filtering|Required by Alinto Protect|

+ |||||

+ |userName|String|&check;|&check;

+ |active|Boolean||&check;

+ |name.givenName|String||

+ |name.familyName|String||

+ |externalId|String||

+1. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+1. To enable the Azure AD provisioning service for Alinto Protect, change the **Provisioning Status** to **On** in the **Settings** section.

+ 

+1. Define the users and groups that you would like to provision to Alinto Protect by choosing the desired values in **Scope** in the **Settings** section.

+ 

+1. When you're ready to provision, click **Save**.

+ 

+This operation starts the initial synchronization cycle of all users and groups defined in **Scope** in the **Settings** section. The initial cycle takes longer to complete than next cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running.

+## Step 6. Monitor your deployment

+Once you've configured provisioning, use the following resources to monitor your deployment:

+* Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully

+* Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it's to completion

+* If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).

+## More resources

+* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)

+* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

+## Next steps

+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)

+ Title: 'Tutorial: Configure Cerby for automatic user provisioning with Azure Active Directory | Microsoft Docs'

+description: Learn how to automatically provision and de-provision user accounts from Azure AD to Cerby.

+writer: twimmers

+ms.assetid: 465492d5-4f75-4201-bed4-f45b3be18702

+# Tutorial: Configure Cerby for automatic user provisioning

+This tutorial describes the steps you need to do in both Cerby and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Cerby](https://app.cerby.com/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).

+## Capabilities supported

+> [!div class="checklist"]

+> * Create users in Cerby

+> * Remove users in Cerby when they do not require access anymore

+> * Keep user attributes synchronized between Azure AD and Cerby

+> * [Single sign-on](cerby-tutorial.md) to Cerby (recommended).

+## Prerequisites

+The scenario outlined in this tutorial assumes that you already have the following prerequisites:

+* [An Azure AD tenant](../develop/quickstart-create-new-tenant.md)

+* A user account in Azure AD with [permission](../roles/permissions-reference.md) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).

+* A user account in Cerby with the Workspace Owner role.

+* The Cerby SAML2-based integration must be set up. Follow the instructions in the [How to Configure the Cerby App Gallery SAML App with Your Azure AD Tenant](https://help.cerby.com/en/articles/5457563-how-to-configure-the-cerby-app-gallery-saml-app-with-your-azure-ad-tenant) article to set up the integration.

+## Step 1. Plan your provisioning deployment

+1. Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md).

+1. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+1. Determine what data to [map between Azure AD and Cerby](../app-provisioning/customize-application-attributes.md).

+## Step 2. Configure Cerby to support provisioning with Azure AD

+Cerby has enabled by default the provisioning support for Azure AD. You must only retrieve the SCIM API authentication token by completing the following steps:

+1. Log in to your corresponding [Cerby workspace](https://app.cerby.com/).

+1. Click the **Hi there < user >!** button located at the bottom of the left side navigation menu. A drop-down menu is displayed.

+1. Select the **Workspace Configuration** option related to your account from the drop-down menu. The **Workspace Configuration** page is displayed.

+1. Activate the **IDP Settings** tab.

+1. Click the **View Token** button located in the **Directory Sync** section of the **IDP Settings** tab. A pop-up window is displayed waiting to confirm your identity, and a push notification is sent to your Cerby mobile application.

+**IMPORTANT:** To confirm your identity, you must have installed and logged in to the Cerby mobile application to receive push notifications.

+1. Click the **It's me!** button in the **Confirmation Request** screen of your Cerby mobile application to confirm your identity. The pop-up window in your Cerby workspace is closed, and the **Show Token** pop-up window is displayed.

+1. Click the **Copy** button to copy the SCIM token to the clipboard.

+ >[!TIP]

+ >Keep the **Show Token** pop-up window open to copy the token at any time. You need the token to configure provisioning with Azure AD.

+## Step 3. Add Cerby from the Azure AD application gallery

+Add Cerby from the Azure AD application gallery to start managing provisioning to Cerby. If you have previously setup Cerby for SSO, you can use the same application. However it's recommended you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md).

+## Step 4. Define who will be in scope for provisioning

+The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user and group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+* If you need additional roles, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add new roles.

+## Step 5. Configure automatic user provisioning to Cerby

+This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users and groups in Cerby based on user and group assignments in Azure AD.

+### To configure automatic user provisioning for Cerby in Azure AD:

+1. Sign in to the [Azure portal](https://portal.azure.com). Select **Enterprise Applications**, then select **All applications**.

+ 

+1. In the applications list, select **Cerby**.

+ 

+1. Select the **Provisioning** tab.

+ 

+1. Set the **Provisioning Mode** to **Automatic**.

+ 

+1. In the **Admin Credentials** section, input `https://api.cerby.com/v1/scim/v2` as your Cerby Tenant URL and the SCIM API authentication token that you have previously retrieved.

+1. Click **Test Connection** to ensure Azure AD can connect to Cerby. If the connection fails, ensure your Cerby account has Admin permissions and try again.

+ 

+1. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box.

+ 

+1. Select **Save**.

+1. In the **Mappings** section, select **Synchronize Azure Active Directory Users to Cerby**.

+1. Review the user attributes that are synchronized from Azure AD to Cerby in the **Attribute Mappings** section. The attributes selected as **Matching** properties are used to match the user accounts in Cerby for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you'll need to ensure that the Cerby API supports filtering users based on that attribute. Select the **Save** button to commit any changes.

+ |Attribute|Type|Supported for filtering|Required by Cerby|

+ |||||

+ |userName|String|&check;|&check;

+ |emails[type eq "work"].value|String|&check;|&check;

+ |active|Boolean||&check;

+ |name.givenName|String||&check;

+ |name.familyName|String||&check;

+ |externalId|String||

+1. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+1. To enable the Azure AD provisioning service for Cerby, change the **Provisioning Status** to **On** in the **Settings** section.

+ 

+1. Define the users and groups that you would like to provision to Cerby by choosing the desired values in **Scope** in the **Settings** section.

+ 

+1. When you're ready to provision, click **Save**.

+ 

+This operation starts the initial synchronization cycle of all users and groups defined in **Scope** in the **Settings** section. The initial cycle takes longer to complete than next cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running.

+## Step 6. Monitor your deployment

+Once you've configured provisioning, use the following resources to monitor your deployment:

+* Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully

+* Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it's to completion

+* If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).

+## More resources

+* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)

+* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

+## Next steps

+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)

+ Title: 'Tutorial: Azure AD SSO integration with Chronus SAML'

+description: Learn how to configure single sign-on between Azure Active Directory and Chronus SAML.

+# Tutorial: Azure AD SSO integration with Chronus SAML

+In this tutorial, you'll learn how to integrate Chronus SAML with Azure Active Directory (Azure AD). When you integrate Chronus SAML with Azure AD, you can:

+* Control in Azure AD who has access to Chronus SAML.

+* Enable your users to be automatically signed-in to Chronus SAML with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+## Prerequisites

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Chronus SAML single sign-on (SSO) enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+## Scenario description

+In this tutorial, you configure and test Azure AD SSO in a test environment.

+* Chronus SAML supports **SP and IDP** initiated SSO.

+* Chronus SAML supports **Just In Time** user provisioning.

+## Add Chronus SAML from the gallery

+To configure the integration of Chronus SAML into Azure AD, you need to add Chronus SAML from the gallery to your list of managed SaaS apps.

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **Chronus SAML** in the search box.

+1. Select **Chronus SAML** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for Chronus SAML

+Configure and test Azure AD SSO with Chronus SAML using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Chronus SAML.

+To configure and test Azure AD SSO with Chronus SAML, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure Chronus SAML SSO](#configure-chronus-saml-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create Chronus SAML test user](#create-chronus-saml-test-user)** - to have a counterpart of B.Simon in Chronus SAML that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **Chronus SAML** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** textbox, type a value using the following pattern:

+ `<CustomerName>.domain.extension`

+ b. In the **Reply URL** textbox, type a URL using the following pattern:

+ `https://<CustomerName>.domain.extension/session`

+1. Click **Set additional URLs** and perform the following steps if you wish to configure the application in **SP** initiated mode:

+

+ In the **Sign-on URL** text box, type a URL using the following pattern:

+ `https://<CustomerName>.domain.extension/session`

+ > [!NOTE]

+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [Chronus SAML Client support team](mailto:support@chronus.com) to get these values. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.

+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up Chronus SAML** section, copy the appropriate URL(s) based on your requirement.

+ 

+### Create an Azure AD test user

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+### Assign the Azure AD test user

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Chronus SAML.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **Chronus SAML**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure Chronus SAML SSO

+To configure single sign-on on Chronus SAML side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Chronus SAML support team](mailto:support@chronus.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create Chronus SAML test user

+In this section, a user called B.Simon is created in Chronus SAML. Chronus SAML supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Chronus SAML, a new one is created after authentication.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+#### SP initiated:

+* Click on **Test this application** in Azure portal. This will redirect to Chronus SAML Sign on URL where you can initiate the login flow.

+* Go to Chronus SAML Sign-on URL directly and initiate the login flow from there.

+#### IDP initiated:

+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Chronus SAML for which you set up the SSO.

+You can also use Microsoft My Apps to test the application in any mode. When you click the Chronus SAML tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Chronus SAML for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

+## Next steps

+Once you configure Chronus SAML you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-aad).

+ Title: 'Tutorial: Azure AD SSO integration with Clebex'

+# Tutorial: Azure AD SSO integration with Clebex

+1. To automate the configuration within Clebex, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**.

+ 

+2. After adding extension to the browser, click on **Set up Clebex** will direct you to the Clebex application. From there, provide the admin credentials to sign into Clebex. The browser extension will automatically configure the application for you and automate steps 3-10.

+ 

+3. If you want to setup Clebex manually, in a different web browser window, sign in to your Clebex company site as an administrator.

+ Title: 'Tutorial: Azure AD SSO integration with FortiGate SSL VPN'

+# Tutorial: Azure AD SSO integration with FortiGate SSL VPN

+* A FortiGate SSL VPN with single sign-on (SSO) enabled.

+You'll configure and test Azure AD SSO with FortiGate SSL VPN by using a test user named B.Simon. For SSO to work, you need to establish a link relationship between an Azure AD user and the corresponding SAML SSO user group in FortiGate SSL VPN.

+ 1. **Create a FortiGate SAML SSO user group** as a counterpart to the Azure AD representation of the user.

+1. On the **Set up Single Sign-On with SAML** page, select the **Edit** button for **Basic SAML Configuration** to edit the settings:

+ 

+ a. In the **Identifier** box, enter a URL in the pattern

+ `https://<FortiGate IP or FQDN address>:<Custom SSL VPN port>/remote/saml/metadata`.

+ b. In the **Reply URL** box, enter a URL in the pattern

+ `https://<FortiGate IP or FQDN address>:<Custom SSL VPN port>/remote/saml/login`.

+ c. In the **Sign on URL** box, enter a URL in the pattern

+ `https://<FortiGate IP or FQDN address>:<Custom SSL VPN port>/remote/login`.

+ `https://<FortiGate IP or FQDN address>:<Custom SSL VPN port><FQDN>/remote/saml/logout`.

+ > These values are just patterns. You need to use the actual **Sign on URL**, **Identifier**, **Reply URL**, and **Logout URL** that is configured on the FortiGate.

+ 

+1. The claims required by FortiGate SSL VPN are shown in the following table. The names of these claims must match the names used in the **Perform FortiGate command-line configuration** section of this tutorial. Names are case-sensitive.

+ h. Under **Advanced options**, select the **Customize the name of the group claim** check box.

+Although you can configure SSO from the GUI since FortiOS 7.0, the CLI configurations apply to all versions and are therefore shown here.

+| FortiGate SAML CLI setting | Equivalent Azure configuration |

+ | | |

+ | SP entity ID (`entity-id`) | Identifier (Entity ID) |

+| SP Single Sign-On URL (`single-sign-on-url`) | Reply URL (Assertion Consumer Service URL) |

+| SP Single Logout URL (`single-logout-url`) | Logout URL |

+| IdP Entity ID (`idp-entity-id`) | Azure Login URL |

+| IdP Single Sign-On URL (`idp-single-sign-on-url`) | Azure AD Identifier |

+| IdP Single Logout URL (`idp-single-logout-url`) | Azure Logout URL |

+| IdP certificate (`idp-cert`) | Base64 SAML certificate name (REMOTE_Cert_N) |

+| Username attribute (`user-name`) | username |

+| Group name attribute (`group-name`) | group |

+> [!NOTE]

+ > The Sign on URL under Basic SAML Configuration is not used in the FortiGate configurations. It is used to trigger SP-initiated single sign on to redirect the user to the SSL VPN portal page.

+1. Run these commands and substitute the `<values>` with the information that you collected previously:

+ edit azure

+ set cert <FortiGate VPN Server Certificate Name>

+ set entity-id < Identifier (Entity ID)Entity ID>

+ set single-sign-on-url < Reply URL Reply URL>

+ set single-logout-url <Logout URL>

+ set idp-entity-id <Azure AD Identifier>

+ set idp-single-logout-url <Azure Logout URL>

+ set idp-cert <Base64 SAML Certificate Name>

+ set user-name username

+ set group-name group

+ next

+ ```console

+ edit FortiGateAccess

+ set member azure

+ config match

+ edit 1

+ set server-name azure

+ set group-name <Object Id>

+ next

+ end

+ next

+ ```

+

+Refer to [Configuring SAML SSO login for SSL VPN with Azure AD acting as SAML IdP for instructions](https://docs.fortinet.com/document/fortigate-public-cloud/7.0.0/azure-administration-guide/584456/configuring-saml-sso-login-for-ssl-vpn-web-mode-with-azure-ad-acting-as-saml-idp).

+* In Step 5) of the Azure SSO configuration, **Test single sign-on with your App*, click the **Test** button in the Azure portal. This will redirect to FortiGate VPN Sign-on URL where you can initiate the login flow.

+ Title: 'Tutorial: Azure AD SSO integration with Fresh Relevance'

+# Tutorial: Azure AD SSO integration with Fresh Relevance

+1. To automate the configuration within Fresh Relevance, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**.

+ 

+2. After adding extension to the browser, click on **Set up Fresh Relevance** will direct you to the Fresh Relevance application. From there, provide the admin credentials to sign into Fresh Relevance. The browser extension will automatically configure the application for you and automate steps 3-10.

+ 

+3. If you want to setup Fresh Relevance manually, in a different web browser window, sign in to your Fresh Relevance company site as an administrator.

+ Title: 'Tutorial: Azure AD SSO integration with IDrive360'

+# Tutorial: Azure AD SSO integration with IDrive360

+1. To automate the configuration within IDrive360, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**.

+ 

+2. After adding extension to the browser, click on **Set up IDrive360** will direct you to the IDrive360 application. From there, provide the admin credentials to sign into IDrive360. The browser extension will automatically configure the application for you and automate steps 3-10.

+ 

+3. If you want to setup IDrive360 manually, in a different web browser window, sign in to your IDrive360 company site as an administrator.

+ Title: 'Tutorial: Azure AD SSO integration with i-Sight'

+description: Learn how to configure single sign-on between Azure Active Directory and i-Sight.

+# Tutorial: Azure AD SSO integration with i-Sight

+In this tutorial, you'll learn how to integrate i-Sight with Azure Active Directory (Azure AD). When you integrate i-Sight with Azure AD, you can:

+* Control in Azure AD who has access to i-Sight.

+* Enable your users to be automatically signed-in to i-Sight with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+## Prerequisites

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* i-Sight single sign-on (SSO) enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+## Scenario description

+In this tutorial, you configure and test Azure AD SSO in a test environment.

+* i-Sight supports **IDP** initiated SSO.

+## Add i-Sight from the gallery

+To configure the integration of i-Sight into Azure AD, you need to add i-Sight from the gallery to your list of managed SaaS apps.

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **i-Sight** in the search box.

+1. Select **i-Sight** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for i-Sight

+Configure and test Azure AD SSO with i-Sight using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in i-Sight.

+To configure and test Azure AD SSO with i-Sight, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure i-Sight SSO](#configure-i-sight-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create i-Sight test user](#create-i-sight-test-user)** - to have a counterpart of B.Simon in i-Sight that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **i-Sight** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** text box, type a URL using one of the following patterns:

+ | **Identifier** |

+ |--|

+ | `https://<CustomerName>.i-sight.com` |

+ | `https://<CustomerName>.i-sightuat.com` |

+ b. In the **Reply URL** text box, type a URL using one of the following patterns:

+ | **Reply URL** |

+ |--|

+ | `https://<CustomerName>.i-sight.com/auth/wsfed` |

+ | `https://<CustomerName>.i-sightuat.com/auth/wsfed` |

+ > [!Note]

+ > These values are not real. Update these values with the actual Identifier and Reply URL. Contact [i-Sight Client support team](mailto:it@i-sight.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. On the **Set-up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up i-Sight** section, copy the appropriate URL(s) based on your requirement.

+ 

+### Create an Azure AD test user

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+### Assign the Azure AD test user

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to i-Sight.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **i-Sight**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure i-Sight SSO

+To configure single sign-on on **i-Sight** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [i-Sight support team](mailto:it@i-sight.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create i-Sight test user

+In this section, you create a user called Britta Simon in i-Sight. Work with [i-Sight support team](mailto:it@i-sight.com) to add the users in the i-Sight platform. Users must be created and activated before you use single sign-on.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on Test this application in Azure portal and you should be automatically signed in to the i-Sight for which you set up the SSO.

+* You can use Microsoft My Apps. When you click the i-Sight tile in the My Apps, you should be automatically signed in to the i-Sight for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure i-Sight you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: 'Tutorial: Azure AD SSO integration with MongoDB Cloud'

+# Tutorial: Azure AD SSO integration with MongoDB Cloud

+* Control in Azure AD who has access to MongoDB Atlas, the MongoDB community, MongoDB University, and MongoDB Support.

+* Assign MongoDB Atlas roles to users based on their Azure AD group memberships.

+ 1. [Create an Azure AD test user and test group](#create-an-azure-ad-test-user-and-test-group) to test Azure AD single sign-on with B.Simon.

+ 1. [Assign the Azure AD test user or test group](#assign-the-azure-ad-test-user-or-test-group) to enable B.Simon to use Azure AD single sign-on.

+1. [Configure MongoDB Atlas SSO](#configure-mongodb-atlas-sso) to configure the single sign-on settings on the application side.

+1. In the Azure portal, on the **MongoDB Cloud** application integration page, find the **Manage** section. Select **single sign-on**.

+1. If you would like to authorize users using MongoDB Atlas [role mappings](https://docs.atlas.mongodb.com/security/manage-role-mapping/), add the below group claim to send user's group information within SAML assertion.

+ | Name | Source attribute|

+ | | |

+ | memberOf | Group ID |

+

+### Create an Azure AD test user and test group

+If you are using MongoDB Atlas role mappings feature in order to assign roles to users based on their Azure AD groups, create a test group and B.Simon as a member:

+1. From the left pane in Azure portal, select **Azure Active Directory** > **Groups**.

+1. Select **New group** at the top of the screen.

+1. In the **Group** properties, follow these steps:

+ 1. Select 'Security' in **Group type** dropdown.

+ 1. In the **Group name** field, enter 'Group 1'.

+ 1. Select **Create**.

+

+### Assign the Azure AD test user or test group

+In this section, you'll enable B.Simon or Group 1 to use Azure single sign-on by granting access to MongoDB Cloud.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list or if you are using MongoDB Atla role mappings, select **Group 1** from the Groups list; then click the **Select** button at the bottom of the screen.

+## Configure MongoDB Atlas SSO

+To configure single sign-on on the MongoDB Atlas side, you need the appropriate URLs copied from the Azure portal. You also need to configure the Federation Application for your MongoDB Atlas Organization. Follow the instructions in the [MongoDB Atlas documentation](https://docs.atlas.mongodb.com/security/federated-auth-azure-ad/). If you have a problem, contact the [MongoDB support team](https://support.mongodb.com/).

+### Configure MongoDB Atlas Role Mapping

+To authorize users in MongoDB Atlas based on their Azure AD group membership, you can map the Azure AD group's Object-IDs to MongoDB Atlas Organization/Project roles with the help of MongoDB Atlas role mappings. Follow the instructions in the [MongoDB Atlas documentation](https://docs.atlas.mongodb.com/security/manage-role-mapping/#add-role-mappings-in-your-organization-and-its-projects). If you have a problem, contact the [MongoDB support team](https://support.mongodb.com/).

+MongoDB Atlas supports just-in-time user provisioning, which is enabled by default. There is no additional action for you to take. If a user doesn't already exist in MongoDB Atlas, a new one is created after authentication.

+* Click on **Test this application** in Azure portal. This will redirect to MongoDB Atlas Sign-on URL where you can initiate the login flow.

+* Go to MongoDB Atlas Sign on URL directly and initiate the login flow from there.

+* Click on **Test this application** in Azure portal and you should be automatically signed in to the MongoDB Atlas for which you set up the SSO.

+You can also use Microsoft My Apps to test the application in any mode. When you click the MongoDB Cloud tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the MongoDB Cloud for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

+ Title: 'Tutorial: Azure AD SSO integration with SharingCloud |'

+# Tutorial: Azure AD SSO integration with SharingCloud

+* SharingCloud supports **SP and IDP** initiated SSO.

+* SharingCloud supports **Just In Time** user provisioning.

+1. On the **Set up single sign-on with SAML** page, perform the following steps:

+ a. In the **Identifier** text box, type a URL using the following pattern:

+ `https://auth.sharingcloud.net/auth/realms/<COMPANY_NAME>`

+ b. In the **Reply URL** text box, type a URL using the following pattern:

+ `https://auth.sharingcloud.net/auth/realms/<COMPANY_NAME>/broker/saml/endpoint`

+1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:

+ In the **Sign-on URL** text box, type a URL using the following pattern:

+ `https://<SUBDOMAIN>.factset.com/services/saml2/`

+ > [!NOTE]

+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact the [SharingCloud support team](mailto:support@sharingcloud.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+* A Skills Base license that supports single sign-on (SSO).

+>[!NOTE]

+> Skills Base does not support **IdP** initiated SSO.

+ 2. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+2. **[Configure Skills Base SSO](#configure-skills-base-sso)** - to configure the single sign-on settings on application side.

+3. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+

+1. In the Azure portal, on the **Skills Base** Enterprise Application Overview page, under **Getting Started** section select **Get started** under **2. Set up single sign on**.

+2. On the **Select a single sign-on method** page, select **SAML**.

+3. On the **Set up Single Sign-On with SAML** page, click the **Upload metadata file** button at the top of the page.

+4. Click the **Select a file** icon and select the metadata file that you downloaded from Skills Base.

+5. Click **Add**

+ 

+6. On the **Basic SAML Configuration** page, in the **Sign on URL** text box, enter your Skills Base shortcut link, which should be in the format:

+ > You can get the Sign on URL from the Skills Base application. Please log in as an Administrator and to go to \[Administration > Settings > Instance details > Shortcut link\]. Copy the shortcut link and paste it into the **Sign on URL** textbox in Azure AD.

+5. Click **Save**

+6. Close the **Basic SAML Configuration** dialog.

+5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, next to **Federation Metadata XML**, click **Download** to download the Federation Metadata XML and save it on your computer.

+ 

+## Configure Skills Base SSO

+1. Log in to Skills Base as an Administrator.

+1. From the left side of menu, select **Administration -> Authentication**.

+ 

+1. On the **Authentication** page in the **Identity Providers** section, select **Add identity provider**.

+ 

+1. Click **Add** to use the default settings.

+ 

+1. In the **Application Details** panel, next to **SAML SP Metadata**, select **Download XML File** and save the resulting file on your computer.

+ 

+1. In the **Identity Providers** section, select the **edit** button (denoted by a pencil icon) for the Identity Provider record you added.

+ 

+1. In the **Edit identity provider** panel, for **SAML IdP Metadata** select **Upload an XML file**

+1. Click **Browse** to choose a file. Select the Federation Metadata XML file that you downloaded from Azure AD and click **Save**.

+ 

+

+1. In the **Authentication** panel, for **Single Sign-On** select the Identity Provider you added.

+ 

+1. Make sure the option to bypass the Skills Base login screen is **deselected** for now. You can enable this option later, once the integration is proved to be working.

+1. If you would like to enable **Just In Time** user provisioning, enable the **Automatic user account provisioning** option.

+1. click **Save changes**.

+ 

+> [!Note]

+> The Identity Provider you added in the **Identity Providers** panel should now have a green **Enabled** badge in the **Status** column.

+### Create an Azure AD test user

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+2. Select **New user** at the top of the screen.

+3. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 2. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 3. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 4. Click **Create**.

+### Assign the Azure AD test user

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Skills Base.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+2. In the applications list, select **Skills Base**.

+3. In the app's overview page, find the **Manage** section and select **Users and groups**.

+4. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+5. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+6. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+7. In the **Add Assignment** dialog, click the **Assign** button.

+Skills Base supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Skills Base, a new one is created after authentication.

+> If you need to create a user manually, follow the instructions [here](https://support.skills-base.com/kb/articles/11000024831-adding-people-and-enabling-them-to-log-in).

+ Title: 'Tutorial: Azure AD SSO integration with UserZoom'

+description: Learn how to configure single sign-on between Azure Active Directory and UserZoom.

+# Tutorial: Azure AD SSO integration with UserZoom

+In this tutorial, you'll learn how to integrate UserZoom with Azure Active Directory (Azure AD). When you integrate UserZoom with Azure AD, you can:

+* Control in Azure AD who has access to UserZoom.

+* Enable your users to be automatically signed-in to UserZoom with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+## Prerequisites

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* UserZoom single sign-on (SSO) enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+## Scenario description

+In this tutorial, you configure and test Azure AD SSO in a test environment.

+* UserZoom supports **SP** and **IDP** initiated SSO.

+> [!NOTE]

+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.

+## Add UserZoom from the gallery

+To configure the integration of UserZoom into Azure AD, you need to add UserZoom from the gallery to your list of managed SaaS apps.

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **UserZoom** in the search box.

+1. Select **UserZoom** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for UserZoom

+Configure and test Azure AD SSO with UserZoom using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in UserZoom.

+To configure and test Azure AD SSO with UserZoom, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure UserZoom SSO](#configure-userzoom-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create UserZoom test user](#create-userzoom-test-user)** - to have a counterpart of B.Simon in UserZoom that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **UserZoom** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, the user does not have to perform any step as the app is already pre-integrated with Azure.

+1. On the **Basic SAML Configuration** section, if you wish to configure the application in **SP** initiated mode then perform the following steps :

+ a. In the **Identifier** text box, type the value:

+ `urn:auth0:auth-userzoom:microsoft`

+ b. In the **Reply URL** text box, type the URL:

+ `https://auth.userzoom.com/login/callback?connection=microsoft`

+ c. In the **Sign-on URL** text box, type the URL:

+ `https://www.manager.userzoom.com/microsoft`

+1. UserZoom application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.

+ 

+1. In addition to above, UserZoom application expects few more attributes to be passed back in SAML response, which are shown below. These attributes are also pre populated but you can review them as per your requirement.

+ | Name | Source Attribute |

+ |-| |

+ | email | user.mail |

+ | given_name | user.givenname |

+ | family_name | user.surname |

+1. On the **Set-up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up UserZoom** section, copy the appropriate URL(s) based on your requirement.

+ 

+### Create an Azure AD test user

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+### Assign the Azure AD test user

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to UserZoom.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **UserZoom**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure UserZoom SSO

+To configure single sign-on on **UserZoom** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [UserZoom support team](mailto:support@userzoom.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create UserZoom test user

+In this section, you create a user called Britta Simon in UserZoom. Work with [UserZoom support team](mailto:support@userzoom.com) to add the users in the UserZoom platform. Users must be created and activated before you use single sign-on.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+#### SP initiated:

+* Click on **Test this application** in Azure portal. This will redirect to UserZoom Sign on URL where you can initiate the login flow.

+* Go to UserZoom Sign-on URL directly and initiate the login flow from there.

+#### IDP initiated:

+* Click on **Test this application** in Azure portal and you should be automatically signed in to the UserZoom for which you set up the SSO.

+You can also use Microsoft My Apps to test the application in any mode. When you click the UserZoom tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the UserZoom for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure UserZoom you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: 'Tutorial: Azure Active Directory integration with Workgrid'

+ 

+ a. In the **Sign on URL** text box, type a URL using the following pattern:

+ `https://<COMPANYCODE>.workgrid.com/console`

+ b. In the **Identifier (Entity ID)** text box, type a value using the following pattern:

+ `urn:amazon:cognito:sp:us-east-1_<poolid>`

+ > [!NOTE]

+ > These values are not real. Update these values with the actual Sign on URL and Identifier. Your Sign On URL is the same URL you use to sign in to the Workgrid console. You can find the Entity ID in the Security Section of your Workgrid console.

+ 

+ 

+ 

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+To configure single sign-on on **Workgrid** side, you need to add the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to your Workgrid console in the **Security section**.

+ 

+ > [!NOTE]

+ > You will need to use the full schema URI for the Email, Name and Family Name claims when mapping the attributes in Workgrid:

+ >

+ > 

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on **Test this application** in Azure portal. This will redirect to Workgrid Sign-on URL where you can initiate the login flow.

+## Change Logs

+* 05/16/2022 - **Schema Discovery** feature enabled on this app.

+ Title: Cluster extensions for Azure Kubernetes Service (AKS)

+# Deploy and manage cluster extensions for Azure Kubernetes Service (AKS)

+[azure-ml-overview]: ../machine-learning/how-to-attach-kubernetes-anywhere.md

+[arc-k8s-regions]: https://azure.microsoft.com/global-infrastructure/services/?products=azure-arc&regions=all

+ Title: Custom certificate authority (CA) in Azure Kubernetes Service (AKS) (preview)

+description: Learn how to use a custom certificate authority (CA) in an Azure Kubernetes Service (AKS) cluster.

+# Custom certificate authority (CA) in Azure Kubernetes Service (AKS) (preview)

+Custom certificate authorities (CAs) allow you to establish trust between your Azure Kubernetes Service (AKS) cluster and your workloads, such as private registries, proxies, and firewalls. A Kubernetes secret is used to store the certificate authority's information, then it's passed to all nodes in the cluster.

+This feature is applied per nodepool, so new and existing nodepools must be configured to enable this feature.

+## Prerequisites

+* An Azure subscription. If you don't have an Azure subscription, you can create a [free account](https://azure.microsoft.com/free).

+* [Azure CLI installed][azure-cli-install].

+* A base64 encoded certificate string.

+### Limitations

+This feature isn't currently supported for Windows nodepools.

+### Install the `aks-preview` extension

+You also need the *aks-preview* Azure CLI extensions version 0.5.72 or later. Install the *aks-preview* extension by using the [az extension add][az-extension-add] command, or install any available updates by using the [az extension update][az-extension-update] command.

+```azurecli

+# Install the aks-preview extension

+az extension add --name aks-preview

+# Update the extension to make sure you have the latest version installed

+az extension update --name aks-preview

+```

+### Register the `CustomCATrustPreview` preview feature

+Register the `CustomCATrustPreview` feature flag by using the [az feature register][az-feature-register] command:

+```azurecli

+az feature register --namespace "Microsoft.ContainerService" --name "CustomCATrustPreview"

+```

+It takes a few minutes for the status to show *Registered*. Verify the registration status by using the [az feature list][az-feature-list] command:

+```azurecli

+az feature list --query "[?contains(name, 'Microsoft.ContainerService/CustomCATrustPreview')].{Name:name,State:properties.state}" -o table

+```

+Refresh the registration of the *Microsoft.ContainerService* resource provider by using the [az provider register][az-provider-register] command:

+```azurecli

+az provider register --namespace Microsoft.ContainerService

+```

+## Configure a new AKS cluster to use a custom CA

+To configure a new AKS cluster to use a custom CA, run the [az aks create][az-aks-create] command with the `--enable-custom-ca-trust` parameter.

+```azurecli

+az aks create \

+ --resource-group myResourceGroup \

+ --name myAKSCluster \

+ --node-count 2 \

+ --enable-custom-ca-trust

+```

+## Configure a new nodepool to use a custom CA

+To configure a new nodepool to use a custom CA, run the [az aks nodepool add][az-aks-nodepool-add] command with the `--enable-custom-ca-trust` parameter.

+```azurecli

+az aks nodepool add \

+ --cluster-name myAKSCluster \

+ --resource-group myResourceGroup \

+ --name myNodepool \

+ --enable-custom-ca-trust

+```

+## Configure an existing nodepool to use a custom CA

+To configure an existing nodepool to use a custom CA, run the [az aks nodepool update][az-aks-nodepool-update] command with the `--enable-custom-trust-ca` parameter.

+```azurecli

+az aks nodepool update \

+ --resource-group myResourceGroup \

+ --cluster-name myAKSCluster \

+ --name myNodepool \

+ --enable-custom-ca-trust

+```

+## Create a Kubernetes secret with your CA information

+Create a [Kubernetes secret][kubernetes-secrets] YAML manifest with your base64 encoded certificate string in the `data` field. Data from this secret is used to update CAs on all nodes.

+You must ensure that:

+* The secret is named `custom-ca-trust-secret`.

+* The secret is created in the `kube-system` namespace.

+```yaml

+apiVerison: v1

+kind: Secret

+metadata:

+ name: custom-ca-trust-secret

+ namespace: kube-system

+type: Opaque

+data:

+ ca1.crt: |

+ {base64EncodedCertStringHere}

+ ca2.crt: |

+ {anotherBase64EncodedCertStringHere}

+```

+To update or remove a CA, edit and apply the YAML manifest. The cluster will poll for changes and update the nodes accordingly. This process may take a couple of minutes before changes are applied.

+## Next steps

+For more information on AKS security best practices, see [Best practices for cluster security and upgrades in Azure Kubernetes Service (AKS)][aks-best-practices-security-upgrades].

+<!-- LINKS EXTERNAL -->

+[kubernetes-secrets]:https://kubernetes.io/docs/concepts/configuration/secret/

+<!-- LINKS INTERNAL -->

+[aks-best-practices-security-upgrades]: operator-best-practices-cluster-security.md

+[azure-cli-install]: /cli/azure/install-azure-cli

+[az-aks-create]: /cli/azure/aks#az-aks-create

+[az-aks-update]: /cli/azure/aks#az-aks-update

+[az-aks-nodepool-add]: /cli/azure/aks#az-aks-nodepool-add

+[az-aks-nodepool-update]: /cli/azure/aks#az-aks-update

+[az-extension-add]: /cli/azure/extension#az-extension-add

+[az-extension-update]: /cli/azure/extension#az-extension-update

+[az-feature-list]: /cli/azure/feature#az-feature-list

+[az-feature-register]: /cli/azure/feature#az-feature-register

+[az-provider-register]: /cli/azure/provider#az-provider-register

+## Confirm settings have been applied

+After you have applied custom node configuration, you can confirm the settings have been applied to the nodes by [connecting to the host][node-access] and verifying `sysctl` or configuration changes have been made on the filesystem.

+[node-access]: node-access.md

+ Title: Dapr extension for Azure Kubernetes Service (AKS) overview

+Lastly, the Dapr extension is an extension of AKS, therefore you can expect the same support policy as other AKS features.

+[dapr-secrets-block]: https://docs.dapr.io/developing-applications/building-blocks/secrets/secrets-overview/

+ Title: Dapr extension for Azure Kubernetes Service (AKS) and Arc-enabled Kubernetes

+description: Install and configure Dapr on your Azure Kubernetes Service (AKS) and Arc-enabled Kubernetes clusters using the Dapr cluster extension.

+# Dapr extension for Azure Kubernetes Service (AKS) and Arc-enabled Kubernetes

+By using the Dapr extension to provision Dapr on your AKS or Arc-enabled Kubernetes cluster, you eliminate the overhead of downloading Dapr tooling and manually installing and managing the runtime on your AKS cluster. Additionally, the extension offers support for all [native Dapr configuration capabilities][dapr-configuration-options] through simple command-line arguments.

+The Dapr extension uses the Azure CLI to provision the Dapr control plane on your AKS or Arc-enabled Kubernetes cluster. This will create:

+Once Dapr is installed on your cluster, you can begin to develop using the Dapr building block APIs by [adding a few annotations][dapr-deployment-annotations] to your deployments. For a more in-depth overview of the building block APIs and how to best use them, please see the [Dapr building blocks overview][building-blocks-concepts].

+> If you install Dapr through the AKS or Arc-enabled Kubernetes extension, our recommendation is to continue using the extension for future management of Dapr instead of the Dapr CLI. Combining the two tools can cause conflicts and result in undesired behavior.

+## Currently supported

+### Dapr versions

+The Dapr extension support varies depending on how you manage the runtime.

+**Self-managed**

+For self-managed runtime, the Dapr extension supports:

+- [The latest version of Dapr and 1 previous version (N-1)][dapr-supported-version]

+- Upgrading minor version incrementally (for example, 1.5 -> 1.6 -> 1.7)

+Self-managed runtime requires manual upgrade to remain in the support window. To upgrade Dapr via the extension, follow the [Update extension instance instructions][update-extension].

+**Auto-upgrade**

+Enabling auto-upgrade keeps your Dapr extension updated to the latest minor version. You may experience breaking changes between updates.

+### Components

+Azure + open source components are supported. Alpha and beta components are supported via best effort.

+### Clouds/regions

+Global Azure cloud is supported with Arc support on the regions listed by [Azure Products by Region][supported-cloud-regions].

+## Prerequisites

+- If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+- Install the latest version of the [Azure CLI](/cli/azure/install-azure-cli-windows).

+- If you don't have one already, you need to create an [AKS cluster][deploy-cluster] or connect an [Arc-enabled Kubernetes cluster][arc-k8s-cluster].

+You will need the `k8s-extension` Azure CLI extension. Install this by running the following commands:

+## Create the extension and install Dapr on your AKS or Arc-enabled Kubernetes cluster

+When installing the Dapr extension, use the flag value that corresponds to your cluster type:

+- **AKS cluster**: `--cluster-type managedClusters`.

+- **Arc-enabled Kubernetes cluster**: `--cluster-type connectedClusters`.

+Create the Dapr extension, which installs Dapr on your AKS or Arc-enabled Kubernetes cluster. For example, for an AKS cluster:

+### Troubleshooting Dapr

+Troubleshoot Dapr errors via the [common Dapr issues and solutions guide][dapr-troubleshooting].

+[arc-k8s-cluster]: /azure-arc/kubernetes/quickstart-connect-cluster.md

+[update-extension]: ./cluster-extensions.md#update-extension-instance

+[dapr-oss-support]: https://docs.dapr.io/operations/support/support-release-policy/

+[dapr-supported-version]: https://docs.dapr.io/operations/support/support-release-policy/#supported-versions

+[dapr-troubleshooting]: https://docs.dapr.io/operations/troubleshooting/common_issues/

+[supported-cloud-regions]: https://azure.microsoft.com/global-infrastructure/services/?products=azure-arc

+1. Select the instance of your app for the namespace you deployed to. If you stuck to the defaults we mentioned above, then it will be the **myapp** app in the **default** namespace.

+ Title: Draft extension for Azure Kubernetes Service (AKS) (preview)

+description: Install and use Draft on your Azure Kubernetes Service (AKS) cluster using the Draft extension.

+# Draft for Azure Kubernetes Service (AKS) (preview)

+[Draft](https://github.com/Azure/draft) is an open-source project that streamlines Kubernetes development by taking a non-containerized application and generating the Dockerfiles, Kubernetes manifests, Helm charts, Kustomize configurations, and other artifacts associated with a containerized application. Draft can also create a GitHub Action workflow file to quickly build and deploy applications onto any Kubernetes cluster.

+## How it works

+Draft has the following commands to help ease your development on Kubernetes:

+- **draft create**: Creates the Dockerfile and the proper manifest files.

+- **draft setup-gh**: Sets up your GitHub OIDC.

+- **draft generate-workflow**: Generates the GitHub Action workflow file for deployment onto your cluster.

+- **draft up**: Sets up your GitHub OIDC and generates a GitHub Action workflow file, combining the previous two commands.

+## Prerequisites

+- If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+- Install the latest version of the [Azure CLI](/cli/azure/install-azure-cli-windows) and the *aks-preview* extension.

+- If you don't have one already, you need to create an [AKS cluster][deploy-cluster].

+### Install the `aks-preview` Azure CLI extension

+```azurecli-interactive

+# Install the aks-preview extension

+az extension add --name aks-preview

+# Update the extension to make sure you have the latest version installed

+az extension update --name aks-preview

+```

+## Create artifacts using `draft create`

+To create a Dockerfile, Helm chart, Kubernetes manifest, or Kustomize files needed to deploy your application onto an AKS cluster, use the `draft create` command:

+```azure-cli-interactive

+az aks draft create

+```

+You can also run the command on a specific directory using the `--destination` flag:

+```azure-cli-interactive

+az aks draft create --destination /Workspaces/ContosoAir

+```

+## Set up GitHub OIDC using `draft setup-gh`

+To use Draft, you have to register your application with GitHub using `draft setup-gh`. This step only needs to be done once per repository.

+```azure-cli-interactive

+az aks draft setup-gh

+```

+## Generate a GitHub Action workflow file for deployment using `draft generate-workflow`

+After you create your artifacts and set up GitHub OIDC, you can generate a GitHub Action workflow file, creating an action that deploys your application onto your AKS cluster. Once your workflow file is generated, you must commit it into your repository in order to initiate the GitHub Action.

+```azure-cli-interactive

+az aks draft generate-workflow

+```

+You can also run the command on a specific directory using the `--destination` flag:

+```azure-cli-interactive

+az aks draft generate-workflow --destination /Workspaces/ContosoAir

+```

+## Set up GitHub OpenID Connect (OIDC) and generate a GitHub Action workflow file using `draft up`

+`draft up` is a single command to accomplish GitHub OIDC setup and generate a GitHub Action workflow file for deployment. It effectively combines the `draft setup-gh` and `draft generate-workflow` commands, meaning it's most commonly used when getting started in a new repository for the first time, and only needs to be run once. Subsequent updates to the GitHub Action workflow file can be made using `draft generate-workflow`.

+```azure-cli-interactive

+az aks draft up

+```

+You can also run the command on a specific directory using the `--destination` flag:

+```azure-cli-interactive

+az aks draft up --destination /Workspaces/ContosoAir

+```

+<!-- LINKS INTERNAL -->

+[deploy-cluster]: ./tutorial-kubernetes-deploy-cluster.md

+[az-feature-register]: /cli/azure/feature#az-feature-register

+[az-feature-list]: /cli/azure/feature#az-feature-list

+[az-provider-register]: /cli/azure/provider#az-provider-register

+[sample-application]: ./quickstart-dapr.md

+[k8s-version-support-policy]: ./supported-kubernetes-versions.md?tabs=azure-cli#kubernetes-version-support-policy

+[web-app-routing]: web-app-routing.md

+[az-extension-add]: /cli/azure/extension#az-extension-add

+[az-extension-update]: /cli/azure/extension#az-extension-update

+[azureml-aks]: ../machine-learning/v1/how-to-deploy-azure-kubernetes-service.md

+export DB_USER=<Server admin login>@<Server name>

+export NAMESPACE=default

+# HTTP proxy support in Azure Kubernetes Service

+* Latest version of [Azure CLI installed](/cli/azure/install-azure-cli).

+| [Apache Spark][apache-spark] | An open source, fast engine for large-scale data processing. | Running Apache Spark jobs requires a minimum node size of *Standard_D3_v2*. See [running Spark on Kubernetes][spark-kubernetes] for more details on running Spark jobs on Kubernetes. |

+[azure-ml-overview]: ../machine-learning/how-to-attach-kubernetes-anywhere.md

+[spark-kubernetes]: https://spark.apache.org/docs/latest/running-on-kubernetes.html

+ Title: KEDA add-on on Azure Kubernetes Service (AKS) (Preview)

+description: Use the KEDA add-on to deploy a managed KEDA instance on Azure Kubernetes Service (AKS).

+# Simplified application autoscaling with Kubernetes Event-driven Autoscaling (KEDA) add-on (Preview)

+Kubernetes Event-driven Autoscaling (KEDA) is a single-purpose and lightweight component that strives to make application autoscaling simple and is a CNCF Incubation project.

+The KEDA add-on makes it even easier by deploying a managed KEDA installation, providing you with [a rich catalog of 40+ KEDA scalers](https://keda.sh/docs/latest/scalers/) that you can scale your applications with on your Azure Kubernetes Services (AKS) cluster.

+## KEDA add-on overview

+[KEDA][keda] provides two main components:

+- **KEDA operator** allows end-users to scale workloads in/out from 0 to N instances with support for Kubernetes Deployments, Jobs, StatefulSets or any custom resource that defines `/scale` subresource.

+- **Metrics server** exposes external metrics to HPA in Kubernetes for autoscaling purposes such as messages in a Kafka topic, or number of events in an Azure event hub. Due to upstream limitations, this must be the only installed metric adapter.

+## Prerequisites

+> [!NOTE]

+> KEDA is currently only available in the `westcentralus` region.

+- An Azure subscription. If you don't have an Azure subscription, you can create a [free account](https://azure.microsoft.com/free).

+- [Azure CLI installed](/cli/azure/install-azure-cli).

+### Register the `AKS-KedaPreview` feature flag

+To use the KEDA, you must enable the `AKS-KedaPreview` feature flag on your subscription.

+```azurecli

+az feature register --name AKS-KedaPreview --namespace Microsoft.ContainerService

+```

+You can check on the registration status by using the `az feature list` command:

+```azurecli-interactive

+az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/AKS-KedaPreview')].{Name:name,State:properties.state}"

+```

+When ready, refresh the registration of the *Microsoft.ContainerService* resource provider by using the `az provider register` command:

+```azurecli-interactive

+az provider register --namespace Microsoft.ContainerService

+```

+## Deploy the KEDA add-on with Azure Resource Manager (ARM) templates

+The KEDA add-on can be enabled by deploying an AKS cluster with an Azure Resource Manager template and specifying the `workloadAutoScalerProfile` field:

+```json

+ "workloadAutoScalerProfile": {

+ "keda": {

+ "enabled": true

+ }

+ }

+```

+## Connect to your AKS cluster

+To connect to the Kubernetes cluster from your local computer, you use [kubectl][kubectl], the Kubernetes command-line client.

+If you use the Azure Cloud Shell, `kubectl` is already installed. You can also install it locally using the [az aks install-cli][az aks install-cli] command:

+```azurecli

+az aks install-cli

+```

+To configure `kubectl` to connect to your Kubernetes cluster, use the [az aks get-credentials][az aks get-credentials] command. The following example gets credentials for the AKS cluster named *MyAKSCluster* in the *MyResourceGroup*:

+```azurecli

+az aks get-credentials --resource-group MyResourceGroup --name MyAKSCluster

+```

+## Example deployment

+The following snippet is a sample deployment that creates a cluster with KEDA enabled with a single node pool comprised of three `DS2_v5` nodes.

+```json

+{

+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",

+ "contentVersion": "1.0.0.0",

+ "resources": [

+ {

+ "apiVersion": "2022-05-02-preview",

+ "dependsOn": [],

+ "type": "Microsoft.ContainerService/managedClusters",

+ "location": "westcentralus",

+ "name": "myAKSCluster",

+ "properties": {

+ "kubernetesVersion": "1.23.5",

+ "enableRBAC": true,

+ "dnsPrefix": "myAKSCluster",

+ "agentPoolProfiles": [

+ {

+ "name": "agentpool",

+ "osDiskSizeGB": 200,

+ "count": 3,

+ "enableAutoScaling": false,

+ "vmSize": "Standard_D2S_v5",

+ "osType": "Linux",

+ "storageProfile": "ManagedDisks",

+ "type": "VirtualMachineScaleSets",

+ "mode": "System",

+ "maxPods": 110,

+ "availabilityZones": [],

+ "nodeTaints": [],

+ "enableNodePublicIP": false

+ }

+ ],

+ "networkProfile": {

+ "loadBalancerSku": "standard",

+ "networkPlugin": "kubenet"

+ },

+ "workloadAutoScalerProfile": {

+ "keda": {

+ "enabled": true

+ }

+ }

+ },

+ "identity": {

+ "type": "SystemAssigned"

+ }

+ }

+ ]

+}

+```

+## Use KEDA

+KEDA scaling will only work once a custom resource definition has been defined (CRD). To learn more about KEDA CRDs, follow the official [KEDA documentation][keda-scalers] to define your scaler.

+## Clean Up

+To remove the resource group, and all related resources, use the [az group delete][az-group-delete] command:

+```azurecli

+az group delete --name MyResourceGroup

+```

+<!-- LINKS - internal -->

+[az-aks-create]: /cli/azure/aks#az-aks-create

+[az aks install-cli]: /cli/azure/aks#az-aks-install-cli

+[az aks get-credentials]: /cli/azure/aks#az-aks-get-credentials

+[az aks update]: /cli/azure/aks#az-aks-update

+[az-group-delete]: /cli/azure/group#az-group-delete

+<!-- LINKS - external -->

+[kubectl]: https://kubernetes.io/docs/user-guide/kubectl

+[keda]: https://keda.sh/

+[keda-scalers]: https://keda.sh/docs/scalers/

+|**Authentication** | Generate deployment credentials. |

+# [Service principal](#tab/userlevel)

+# [Open ID Connect](#tab/openid)

+Open ID Connect is an authentication method that uses short-lived tokens. Setting up [Open ID Connect with GitHub Actions](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect) is more complex process that offers hardened security.

+1. If you do not have an existing application, register a [new Active Directory application and service principal that can access resources](../active-directory/develop/howto-create-service-principal-portal.md). Create the Active Directory application.

+ ```azurecli-interactive

+ az ad app create --display-name myApp

+ ```

+ This command will output JSON with an `appId` that is your `client-id`. Save the value to use as the `AZURE_CLIENT_ID` GitHub secret later.

+ You'll use the `objectId` value when creating federated credentials with Graph API and reference it as the `APPLICATION-OBJECT-ID`.

+1. Create a service principal. Replace the `$appID` with the appId from your JSON output.

+ This command generates JSON output with a different `objectId` and will be used in the next step. The new `objectId` is the `assignee-object-id`.

+

+ Copy the `appOwnerTenantId` to use as a GitHub secret for `AZURE_TENANT_ID` later.

+ ```azurecli-interactive

+ az ad sp create --id $appId

+ ```

+1. Create a new role assignment by subscription and object. By default, the role assignment will be tied to your default subscription. Replace `$subscriptionId` with your subscription ID, `$resourceGroupName` with your resource group name, and `$assigneeObjectId` with the generated `assignee-object-id`. Learn [how to manage Azure subscriptions with the Azure CLI](/cli/azure/manage-azure-subscriptions-azure-cli).

+ ```azurecli-interactive

+ az role assignment create --role contributor --subscription $subscriptionId --assignee-object-id $assigneeObjectId --scopes /subscriptions/$subscriptionId/resourceGroups/$resourceGroupName/providers/Microsoft.Web/sites/--assignee-principal-type ServicePrincipal

+ ```

+1. Run the following command to [create a new federated identity credential](/graph/api/application-post-federatedidentitycredentials?view=graph-rest-beta&preserve-view=true) for your active directory application.

+ * Replace `APPLICATION-OBJECT-ID` with the **objectId (generated while creating app)** for your Active Directory application.

+ * Set a value for `CREDENTIAL-NAME` to reference later.

+ * Set the `subject`. The value of this is defined by GitHub depending on your workflow:

+ * Jobs in your GitHub Actions environment: `repo:< Organization/Repository >:environment:< Name >`

+ * For Jobs not tied to an environment, include the ref path for branch/tag based on the ref path used for triggering the workflow: `repo:< Organization/Repository >:ref:< ref path>`. For example, `repo:n-username/ node_express:ref:refs/heads/my-branch` or `repo:n-username/ node_express:ref:refs/tags/my-tag`.

+ * For workflows triggered by a pull request event: `repo:< Organization/Repository >:pull_request`.

+

+ ```azurecli

+ az rest --method POST --uri 'https://graph.microsoft.com/beta/applications/<APPLICATION-OBJECT-ID>/federatedIdentityCredentials' --body '{"name":"<CREDENTIAL-NAME>","issuer":"https://token.actions.githubusercontent.com","subject":"repo:organization/repository:ref:refs/heads/main","description":"Testing","audiences":["api://AzureADTokenExchange"]}'

+ ```

+

+To learn how to create a Create an active directory application, service principal, and federated credentials in Azure portal, see [Connect GitHub and Azure](/azure/developer/github/connect-from-azure#use-the-azure-login-action-with-openid-connect).

+# [Service principal](#tab/userlevel)

+# [OpenID Connect](#tab/openid)

+You need to provide your application's **Client ID**, **Tenant ID**, and **Subscription ID** to the login action. These values can either be provided directly in the workflow or can be stored in GitHub secrets and referenced in your workflow. Saving the values as GitHub secrets is the more secure option.

+1. Open your GitHub repository and go to **Settings**.

+1. Select **Settings > Secrets > New secret**.

+1. Create secrets for `AZURE_CLIENT_ID`, `AZURE_TENANT_ID`, and `AZURE_SUBSCRIPTION_ID`. Use these values from your Active Directory application for your GitHub secrets:

+ |GitHub Secret | Active Directory Application |

+ |||

+ |AZURE_CLIENT_ID | Application (client) ID |

+ |AZURE_TENANT_ID | Directory (tenant) ID |

+ |AZURE_SUBSCRIPTION_ID | Subscription ID |

+1. Similarly, define the following additional secrets for the container registry credentials and set them in Docker login action.

+ - REGISTRY_USERNAME

+ - REGISTRY_PASSWORD

+# [Service principal](#tab/userlevel)

+# [Open ID Connect](#tab/openid)

+The Azure Kubernetes Service set context action ([azure/aks-set-context](https://github.com/Azure/aks-set-context)) can be used to set cluster context before other actions like [k8s-deploy](https://github.com/Azure/k8s-deploy). For Open ID Connect, you'll use the Azure Login action before set context.

+```yaml

+on: [push]

+# Environment variables available to all jobs and steps in this workflow

+env:

+ REGISTRY_NAME: {registry-name}

+ CLUSTER_NAME: {cluster-name}

+ CLUSTER_RESOURCE_GROUP: {resource-group-name}

+ NAMESPACE: {namespace-name}

+ SECRET: {secret-name}

+ APP_NAME: {app-name}

+

+jobs:

+ build:

+ runs-on: ubuntu-latest

+ steps:

+ - uses: actions/checkout@main

+

+ # Connect to Azure Container Registry (ACR)

+ - uses: azure/docker-login@v1

+ with:

+ login-server: ${{ env.REGISTRY_NAME }}.azurecr.io

+ username: ${{ secrets.REGISTRY_USERNAME }}

+ password: ${{ secrets.REGISTRY_PASSWORD }}

+

+ # Container build and push to a Azure Container Registry (ACR)

+ - run: |

+ docker build . -t ${{ env.REGISTRY_NAME }}.azurecr.io/${{ env.APP_NAME }}:${{ github.sha }}

+ docker push ${{ env.REGISTRY_NAME }}.azurecr.io/${{ env.APP_NAME }}:${{ github.sha }}

+ working-directory: ./<path-to-Dockerfile-directory>

+

+ - uses: azure/login@v1

+ with:

+ client-id: ${{ secrets.AZURE_CLIENT_ID }}

+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}

+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

+ # Set the target Azure Kubernetes Service (AKS) cluster.

+ - uses: azure/aks-set-context@v2.0

+ with:

+ cluster-name: ${{ env.CLUSTER_NAME }}

+ resource-group: ${{ env.CLUSTER_RESOURCE_GROUP }}

+

+ # Create namespace if doesn't exist

+ - run: |

+ kubectl create namespace ${{ env.NAMESPACE }} --dry-run=client -o json | kubectl apply -f -

+

+ # Create image pull secret for ACR

+ - uses: azure/k8s-create-secret@v1

+ with:

+ container-registry-url: ${{ env.REGISTRY_NAME }}.azurecr.io

+ container-registry-username: ${{ secrets.REGISTRY_USERNAME }}

+ container-registry-password: ${{ secrets.REGISTRY_PASSWORD }}

+ secret-name: ${{ env.SECRET }}

+ namespace: ${{ env.NAMESPACE }}

+ arguments: --force true

+

+ # Deploy app to AKS

+ - uses: azure/k8s-deploy@v1

+ with:

+ manifests: |

+ ${{ github.workspace }}/manifests/deployment.yaml

+ ${{ github.workspace }}/manifests/service.yaml

+ images: |

+ ${{ env.REGISTRY_NAME }}.azurecr.io/${{ env.APP_NAME }}:${{ github.sha }}

+ imagepullsecrets: |

+ ${{ env.SECRET }}

+ namespace: ${{ env.NAMESPACE }}

+```

+- The identity you're using to create your cluster has the appropriate minimum permissions. For more details on access and identity for AKS, see [Access and identity options for Azure Kubernetes Service (AKS)](../concepts-identity.md).

+An Azure resource group is a logical group in which Azure resources are deployed and managed. When you create a resource group, you're asked to specify a location. This location is where resource group metadata is stored, it is also where your resources run in Azure if you don't specify another region during resource creation. Create a resource group using the [az group create][az-group-create] command.

+> If you're using Azure Cloud Shell, ensure that the dropdown in the upper-left of the Cloud Shell window is set to **Bash**.

+## Add a Windows Server 2019 node pool

+## Add a Windows Server 2022 node pool (preview)

+When creating a Windows node pool, the default operating system will be Windows Server 2019. To use Windows Server 2022 nodes, you will need to specify an OS SKU type of `Windows2022`.

+### Install the `aks-preview` Azure CLI

+You also need the *aks-preview* Azure CLI extension version `0.5.68` or later. Install the *aks-preview* Azure CLI extension by using the [az extension add][az-extension-add] command, or install any available updates by using the [az extension update][az-extension-update] command.

+```azurecli-interactive

+# Install the aks-preview extension

+az extension add --name aks-preview

+# Update the extension to make sure you have the latest version installed

+az extension update --name aks-preview

+```

+### Register the `AKSWindows2022Preview` preview feature

+To use the feature, you must also enable the `AKSWindows2022Preview` feature flag on your subscription.

+Register the `AKSWindows2022Preview` feature flag by using the [az feature register][az-feature-register] command, as shown in the following example:

+```azurecli-interactive

+az feature register --namespace "Microsoft.ContainerService" --name "AKSWindows2022Preview"

+```

+It takes a few minutes for the status to show *Registered*. Verify the registration status by using the [az feature list][az-feature-list] command:

+```azurecli-interactive

+az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/AKSWindows2022Preview')].{Name:name,State:properties.state}"

+```

+When ready, refresh the registration of the *Microsoft.ContainerService* resource provider by using the [az provider register][az-provider-register] command:

+```azurecli-interactive

+az provider register --namespace Microsoft.ContainerService

+```

+Use `az aks nodepool add` command to add a Windows Server 2022 node pool:

+```azurecli

+az aks nodepool add \

+ --resource-group myResourceGroup \

+ --cluster-name myAKSCluster \

+ --os-type Windows \

+ --os-sku Windows2022 \

+ --name npwin \

+ --node-count 1

+```

+Use the `az aks nodepool add` command to add a node pool that can run Windows Server containers with the `containerd` runtime.

+1. If the reimage is unsuccessful, redeploy the node.

+ Title: Deploy an application with the Dapr cluster extension for Azure Kubernetes Service (AKS)

+description: Use the Dapr cluster extension for Azure Kubernetes Service (AKS) to deploy an application

+# Quickstart: Deploy an application using the Dapr cluster extension for Azure Kubernetes Service (AKS)

+Dapr can use a number of different state stores (Redis, Cosmos DB, DynamoDB, Cassandra, etc.) to persist and retrieve state. For this example, we will use Redis.

+ Title: AKS release tracker

+description: Learn how to determine which Azure regions have the weekly AKS release deployments rolled out in real time.

+# AKS release tracker

+AKS releases weekly rounds of fixes and feature and component updates that affect all clusters and customers. However, these releases can take up to two weeks to roll out to all regions from the initial time of shipping due to Azure Safe Deployment Practices (SDP). It is important for customers to know when a particular AKS release is hitting their region, and the AKS release tracker provides these details in real time by versions and regions.

+## Why release tracker?

+With AKS release tracker, customers can follow specific component updates present in an AKS version release, such as fixes shipped to a core add-on. In addition to providing real-time updates of region release status, the tracker also links to the specific version of the AKS [release notes][aks-release] to help customers identify which instance of the release is relevant to them. As the data is updated in real time, customers can track the entire SDP process with a single tool.

+## How to use the release tracker

+The top half of the tracker shows the latest and 3 previously available release versions for each region, and links to the corresponding release notes entry. This view is helpful when you want to track the available versions by region.

+The bottom half of the tracker shows the SDP process. The table has two views: one shows the latest version and status update for each grouping of regions and the other shows the status and region availability of each currently supported version.

+<!-- LINKS - external -->

+[aks-release]: https://github.com/Azure/AKS/releases

+## Alias minor version

+> Alias minor version requires Azure CLI version 2.31.0 or above. Use `az upgrade` to install the latest version of the CLI.

+Azure Kubernetes Service allows for you to create a cluster without specifying the exact patch version. When creating a cluster without designating a patch, the cluster will run the minor version's latest GA patch. For example, if you create a cluster with **`1.21`**, your cluster will be running **`1.21.7`**, which is the latest GA patch version of *1.21*.

+When upgrading by alias minor version, only a higher minor version is supported. For example, upgrading from `1.14.x` to `1.14` will not trigger an upgrade to the latest GA `1.14` patch, but upgrading to `1.15` will trigger an upgrade to the latest GA `1.15` patch.

+### Add an ARM64 node pool (preview)

+The ARM64 processor provides low power compute for your Kubernetes workloads. To create an ARM64 node pool, you will need to choose an [ARM capable instance SKU][arm-sku-vm].

+#### Install the `aks-preview` Azure CLI

+You also need the *aks-preview* Azure CLI extension version 0.5.23 or later. Install the *aks-preview* Azure CLI extension by using the [az extension add][az-extension-add] command. Or install any available updates by using the [az extension update][az-extension-update] command.

+```azurecli-interactive

+# Install the aks-preview extension

+az extension add --name aks-preview

+# Update the extension to make sure you have the latest version installed

+az extension update --name aks-preview

+```

+#### Register the `AKSARM64Preview` preview feature

+To use the feature, you must also enable the `AKSARM64Preview` feature flag on your subscription.

+Register the `AKSARM64Preview` feature flag by using the [az feature register][az-feature-register] command, as shown in the following example:

+```azurecli-interactive

+az feature register --namespace "Microsoft.ContainerService" --name "AKSARM64Preview"

+```

+It takes a few minutes for the status to show *Registered*. Verify the registration status by using the [az feature list][az-feature-list] command:

+```azurecli-interactive

+az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/AKSARM64Preview')].{Name:name,State:properties.state}"

+```

+When ready, refresh the registration of the *Microsoft.ContainerService* resource provider by using the [az provider register][az-provider-register] command:

+```azurecli-interactive

+az provider register --namespace Microsoft.ContainerService

+```

+Use `az aks nodepool add` command to add an ARM64 node pool.

+```azurecli

+az aks nodepool add \

+ --resource-group myResourceGroup \

+ --cluster-name myAKSCluster \

+ --name armpool \

+ --node-count 3 \

+ --node-vm-size Standard_Dpds_v5

+```

+* All subnets assigned to node pools must belong to the same virtual network.

+* Windows nodes will SNAT traffic to the new subnets until the node pool is reimaged.

+> When you delete a node pool, AKS doesn't perform cordon and drain, and there are no recovery options for data loss that may occur when you delete a node pool. If pods can't be scheduled on other node pools, those applications become unavailable. Make sure you don't delete a node pool when in-use applications don't have data backups or the ability to run on other node pools in your cluster. To minimize the disruption of rescheduling pods currently running on the node pool you are going to delete, perform a cordon and drain on all nodes in the node pool before deleting. For more information, see [cordon and drain node pools][cordon-and-drain].

+For more information on using labels with node pools, see [Use labels in an Azure Kubernetes Service (AKS) cluster][use-labels].

+For more information on using Azure tags with node pools, see [Use Azure tags in Azure Kubernetes Service (AKS)][use-tags].

+The Federal Information Processing Standard (FIPS) 140-2 is a US government standard that defines minimum security requirements for cryptographic modules in information technology products and systems. AKS allows you to create Linux-based node pools with FIPS 140-2 enabled. Deployments running on FIPS-enabled node pools can use those cryptographic modules to provide increased security and help meet security controls as part of FedRAMP compliance. For more information on FIPS 140-2, see [Federal Information Processing Standard (FIPS) 140-2][fips].

+[arm-vm-sku]: https://azure.microsoft.com/updates/public-preview-arm64based-azure-vms-can-deliver-up-to-50-better-priceperformance/

+Windows Server node pool support includes some limitations that are part of the upstream Windows Server in Kubernetes project. These limitations are not specific to AKS. For more information on the upstream support from the Kubernetes project, see the [Supported functionality and limitations][upstream-limitations] section of the [Intro to Windows support in Kubernetes][intro-windows] document.

+Azure Disks and Azure Files are the supported volume types, and are accessed as NTFS volumes in the Windows Server container.

+To get the latest patches for Windows nodes, you can either [upgrade the node pool][nodepool-upgrade] or [upgrade the node image][upgrade-node-image]. Windows Updates are not enabled on nodes in AKS. AKS releases new node pool images as soon as patches are available, and it's the user's responsibility to upgrade node pools to stay current on patches and hotfixes. This patch process is also true for the Kubernetes version being used. [AKS release notes][aks-release-notes] indicate when new versions are available. For more information on upgrading the Windows Server node pool, see [Upgrade a node pool in AKS][nodepool-upgrade]. If you're only interested in updating the node image, see [AKS node image upgrades][upgrade-node-image].

+AKS clusters with Windows node pools must use the Azure Container Networking Interface (Azure CNI) (advanced) networking model. Kubenet (basic) networking is not supported. For more information on the differences in network models, see [Network concepts for applications in AKS][azure-network-models]. The Azure CNI network model requires extra planning and consideration for IP address management. For more information on how to plan and implement Azure CNI, see [Configure Azure CNI networking in AKS][configure-azure-cni].

+A Windows node pool can have a six-character name.

+Azure Hybrid Benefit can be used on your entire AKS cluster or on individual nodes. For individual nodes, you need to browse to the [node resource group][resource-groups] and apply the Azure Hybrid Benefit to the nodes directly. For more information on applying Azure Hybrid Benefit to individual nodes, see [Azure Hybrid Benefit for Windows Server][hybrid-vms].

+To use Azure Hybrid Benefit on a new AKS cluster, run the `az aks create` command and use the `--enable-ahub` argument.

+To use Azure Hybrid Benefit on an existing AKS cluster, run the `az aks update` command and use the update the cluster by using the `--enable-ahub` argument.

+To check if Azure Hybrid Benefit is set on the Windows nodes in the cluster, run the `az vmss show` command with the `--name` and `--resource-group` arguments to query the virtual machine scale set. To identify the resource group the scale set for the Windows node pool is created in, you can run the `az vmss list -o table` command.

+az vmss show --name myScaleSet --resource-group MC_<resourceGroup>_<clusterName>_<region>

+If the Windows nodes in the scale set have Azure Hybrid Benefit enabled, the output of `az vmss show` will be similar to the following:

+""hardwareProfile": null,

+ "licenseType": "Windows_Server",

+ "networkProfile": {

+ "healthProbe": null,

+ "networkApiVersion": null,

+Use the following configuration:

+If you encounter feature gaps, the open-source [aks-engine][aks-engine] project provides an easy and fully customizable way of running Kubernetes in Azure, including Windows support. For more information, see [AKS roadmap][aks-roadmap].

+ increment-count="number"

+| increment-count | The number by which the counter is increased per request. | No | 1 |

+- [Include fragment](#IncludeFragment) - Inserts a policy fragment in the policy definition.

+## <a name="IncludeFragment"></a> Include fragment

+The `include-fragment` policy inserts the contents of a previously created [policy fragment](policy-fragments.md) in the policy definition. A policy fragment is a centrally managed, reusable XML policy snippet that can be included in policy definitions in your API Management instance.

+The policy inserts the policy fragment as-is at the location you select in the policy definition.

+### Policy statement

+```xml

+<include-fragment fragment-id="fragment" />

+```

+### Example

+In the following example, the policy fragment named *myFragment* is added in the inbound section of a policy definition.

+```xml

+<inbound>

+ <include-fragment fragment-id="myFragment" />

+ <base />

+</inbound>

+[...]

+```

+## Elements

+| Element | Description | Required |

+| -- | - | -- |

+| include-fragment | Root element. | Yes |

+### Attributes

+| Attribute | Description | Required | Default |

+| | -- | -- | - |

+| fragment-id | A string. Expression allowed. Specifies the identifier (name) of a policy fragment created in the API Management instance. | Yes | N/A |

+### Usage

+This policy can be used in the following policy [sections](./api-management-howto-policies.md#sections) and [scopes](./api-management-howto-policies.md#scopes).

+- **Policy sections:** inbound, outbound, backend, on-error

+- **Policy scopes:** all scopes

+### Example

+You can modify general email settings for notifications that are sent from your API Management instance. You can change the administrator email address, the name of the organization sending notifications, and the originating email address.

+* Learn how to manage the administrator [email settings](api-management-howto-configure-notifications.md#configure-email-settings) that asre used in notifications to developers from your API Management instance.

+This article shows you how to configure your API Management service instance to use OAuth 2.0 authorization in the developer portal's test console, but it doesn't show you how to configure an OAuth 2.0 provider.

+## Keeping track of key information

+Throughout this tutorial you'll be asked to record key information to reference later on:

+- **Backend Application (client) ID**: The GUID of the application that represents the backend API

+- **Backend Application Scopes**: One or more scopes you may create to access the API. The scope format is `api://<Backend Application (client) ID>/<Scope Name>` (for example, api://1764e900-1827-4a0b-9182-b2c1841864c2/Read)

+- **Client Application (client) ID**: The GUID of the application that represents the developer portal

+- **Client Application Secret Value**: The GUID that serves as the secret for interaction with the client application in Azure Active Directory

+ * If you use **v1** endpoints, add a body parameter:

+ * Name: **resource**.

+ * If you use **v2** endpoints:

+ * Enter the back-end app scope you created in the **Default scope** field.

+ * Set the value for the [`accessTokenAcceptedVersion`](../active-directory/develop/reference-app-manifest.md#accesstokenacceptedversion-attribute) property to `2` in the [application manifest](../active-directory/develop/reference-app-manifest.md) for both the backend-app and the client-app registrations.

+ > [!NOTE]

+ > When making OAuth 2.0-related changes, it is important that you remember to (re-)publish the developer portal after every modification as relevant changes (for example, scope change) otherwise cannot propagate into the portal and subsequently be used in trying out the APIs.

+[Next steps]: #next-steps

+> [!NOTE]

+> Managed identities are specific to the Azure AD tenant where your Azure subscription is hosted. They don't get updated if a subscription is moved to a different directory. If a subscription is moved, you'll need to recreate and configure the identities.

+## [GraphQL API policies](graphql-policies.md)

+- [Validate GraphQL request](graphql-policies.md#validate-graphql-request) - Validates and authorizes a request to a GraphQL API.

+- [Set GraphQL resolver](graphql-policies.md#set-graphql-resolver) - Retrieves or sets data for a GraphQL field in an object type specified in a GraphQL schema.

+This article gives definitions for the terms that are specific to Azure API Management.

+- **Backend API** - A service, most commonly HTTP-based, that implements an API and its operations. Sometimes backend APIs are referred to simply as backends. For more information, see [Backends](backends.md).

+- **Frontend API** - API Management serves as mediation layer over the backend APIs. Frontend API is an API that is exposed to API consumers from API Management. You can customize the shape and behavior of a frontend API in API Management without making changes to the backend API(s) that it represents. Sometimes frontend APIs are referred to simply as APIs. For more information, see [Import and publish an API](import-and-publish.md).

+- **Product** - A product is a bundle of frontend APIs that can be made available to a specified group of API consumers for self-service onboarding under a single access credential and a set of usage limits. An API can be part of multiple products. For more information, see [Create and publish a product](api-management-howto-add-products.md).

+- **API operation** - A frontend API in API Management can define multiple operations. An operation is a combination of an HTTP verb and a URL template uniquely resolvable within the frontend API. Often operations map one-to-one to backend API endpoints. For more information, see [Mock API responses](mock-api-responses.md).

+- **Version** - A version is a distinct variant of existing frontend API that differs in shape or behavior from the original. Versions give customers a choice of sticking with the original API or upgrading to a new version at the time of their choosing. Versions are a mechanism for releasing breaking changes without impacting API consumers. For more information, see [Publish multiple versions of your API](api-management-get-started-publish-versions.md).

+- **Revision** - A revision is a copy of an existing API that can be changed without impacting API consumers and swapped with the version currently in use by consumers usually after validation and testing. Revisions provide a mechanism for safely implementing nonbreaking changes. For more information, see [Use revisions](api-management-get-started-revise-api.md).

+- **Policy** - A policy is a reusable and composable component, implementing some commonly used API-related functionality. API Management offers over 50 built-in policies that take care of critical but undifferentiated horizontal concerns - for example, request transformation, routing, security, protection, caching. The policies can be applied at various scopes, which determine the affected APIs or operations and dynamically configured using policy expressions. For more information, see [Policies in Azure API Management](api-management-howto-policies.md).

+- **Developer portal** - The developer portal is a component of API Management. It provides a customizable experience for API discovery and self-service onboarding to API consumers. For more information, see [Customize the Developer portal](api-management-customize-styles.md).

+>

+For example, `https://apis.contoso.com/products?api-version=v1` and `https://apis.contoso.com/products?api-version=v2` could refer to the same `products` API but to versions `v1` and `v2` respectively.

+> [!NOTE]

+> Currently, the `stv2` platform isn't available in the US Government cloud or in the following Azure regions: China East, China East 2, China North, China North 2.

+* A new or existing virtual network and subnet in the same region and subscription as your API Management instance. The subnet must be different from the one currently used for the instance hosted on the `stv1` platform, and a network security group must be attached.

+ Title: Import a GraphQL API to Azure API Management using the portal | Microsoft Docs

+description: Learn how to add an existing GraphQL service as an API in Azure API Management. Manage the API and enable queries to pass through to the GraphQL endpoint.

+# Import a GraphQL API

+If you want to import a GraphQL schema and set up field resolvers using REST or SOAP API endpoints, see [Import a GraphQL schema and set up field resolvers](graphql-schema-resolve-api.md).

+ :::image type="content" source="media/graphql-api/import-graphql-api.png" alt-text="Screenshot of selecting GraphQL icon from list of APIs.":::

+ :::image type="content" source="media/graphql-api/create-from-graphql-schema.png" alt-text="Screenshot of fields for creating a GraphQL API.":::

+ | **Display name** | The name by which your GraphQL API will be displayed. |

+ | **Name** | Raw name of the GraphQL API. Automatically populates as you type the display name. |

+ | **GraphQL API endpoint** | The base URL with your GraphQL API endpoint name. <br /> For example: *`https://example.com/your-GraphQL-name`*. You can also use a common ["Star Wars" GraphQL endpoint](https://swapi-graphql.azure-api.net/graphql) as a demo. |

+ | **Upload schema** | Optionally select to browse and upload your schema file to replace the schema retrieved from the GraphQL endpoint (if available). |

+ | **Description** | Add a description of your API. |

+ | **URL scheme** | Select **HTTP**, **HTTPS**, or **Both**. Default selection: *Both*. |

+ | **API URL suffix**| Add a URL suffix to identify this specific API in this API Management instance. It has to be unique in this API Management instance. |

+ | **Base URL** | Uneditable field displaying your API base URL |

+ | **Tags** | Associate your GraphQL API with new or existing tags. |

+ | **Products** | Associate your GraphQL API with a product to publish it. |

+ | **Gateways** | Associate your GraphQL API with existing gateways. Default gateway selection: *Managed*. |

+ | **Version this API?** | Select to apply a versioning scheme to your GraphQL API. |

+1. Select **Create**.

+1. After the API is created, browse the schema on the **Design** tab, in the **Frontend** section.

+ :::image type="content" source="media/graphql-api/explore-schema.png" alt-text="Screenshot of exploring the GraphQL schema in the portal.":::

+ Title: Azure API Management policies for GraphQL APIs | Microsoft Docs

+description: Reference for Azure API Management policies to validate and resolve GraphQL API queries. Provides policy usage, settings, and examples.

+# API Management policies for GraphQL APIs

+This article provides a reference for API Management policies to validate and resolve queries to GraphQL APIs.

+## GraphQL API policies

+- [Validate GraphQL request](#validate-graphql-request) - Validates and authorizes a request to a GraphQL API.

+- [Set GraphQL resolver](#set-graphql-resolver) - Retrieves or sets data for a GraphQL field in an object type specified in a GraphQL schema.

+## Validate GraphQL request

+The `validate-graphql-request` policy validates the GraphQL request and authorizes access to specific query paths. An invalid query is a "request error". Authorization is only done for valid requests.

+**Permissions**

+Because GraphQL queries use a flattened schema:

+* Permissions may be applied at any leaf node of an output type:

+ * Mutation, query, or subscription

+ * Individual field in a type declaration.

+* Permissions may not be applied to:

+ * Input types

+ * Fragments

+ * Unions

+ * Interfaces

+ * The schema element

+**Authorize element**

+Configure the `authorize` element to set an appropriate authorization rule for one or more paths.

+* Each rule can optionally provide a different action.

+* Use policy expressions to specify conditional actions.

+**Introspection system**

+The policy for path=`/__*` is the [introspection](https://graphql.org/learn/introspection/) system. You can use it to reject introspection requests (`__schema`, `__type`, etc.).

+### Policy statement

+```xml

+<validate-graphql-request error-variable-name="variable name" max-size="size in bytes" max-depth="query depth">

+ <authorize>

+ <rule path="query path, for example: '/listUsers' or '/__*'" action="string or policy expression that evaluates to 'allow|remove|reject|ignore'" />

+ </authorize>

+</validate-graphql-request>

+```

+### Example: Query validation

+This example applies the following validation and authorization rules to a GraphQL query:

+* Requests larger than 100 kb or with query depth greater than 4 are rejected.

+* Requests to the introspection system are rejected.

+* The `/Missions/name` field is removed from requests containing more than two headers.

+```xml

+<validate-graphql-request error-variable-name="name" max-size="102400" max-depth="4">

+ <authorize>

+ <rule path="/__*" action="reject" />

+ <rule path="/Missions/name" action="@(context.Request.Headers.Count > 2 ? "remove" : "allow")" />

+ </authorize>

+</validate-graphql-request>

+```

+### Example: Mutation validation

+This example applies the following validation and authorization rules to a GraphQL mutation:

+* Requests larger than 100 kb or with query depth greater than 4 are rejected.

+* Requests to mutate the `deleteUser` field are denied except when the request is from IP address `198.51.100.1`.

+```xml

+<validate-graphql-request error-variable-name="name" max-size="102400" max-depth="4">

+ <authorize>

+ <rule path="/Mutation/deleteUser" action="@(context.Request.IpAddress <> "198.51.100.1" ? "deny" : "allow")" />

+ </authorize>

+</validate-graphql-request>

+```

+### Elements

+| Name | Description | Required |

+| | | -- |

+| `validate-graphql-request` | Root element. | Yes |

+| `authorize` | Add this element to provide field-level authorization with both request- and field-level errors. | No |

+| `rule` | Add one or more of these elements to authorize specific query paths. Each rule can optionally specify a different [action](#request-actions). | No |

+### Attributes

+| Name | Description | Required | Default |

+| -- | - | -- | - |

+| `error-variable-name` | Name of the variable in `context.Variables` to log validation errors to. | No | N/A |

+| `max-size` | Maximum size of the request payload in bytes. Maximum allowed value: 102,400 bytes (100 KB). (Contact [support](https://azure.microsoft.com/support/options/) if you need to increase this limit.) | Yes | N/A |

+| `max-depth` | An integer. Maximum query depth. | No | 6 |

+| `path` | Path to execute authorization validation on. It must follow the pattern: `/type/field`. | Yes | N/A |

+| `action` | [Action](#request-actions) to perform if the rule applies. May be specified conditionally using a policy expression. | No | allow |

+### Request actions

+Available actions are described in the following table.

+|Action |Description |

+|||

+|`reject` | A request error happens, and the request is not sent to the back end. Additional rules if configured are not applied. |

+|`remove` | A field error happens, and the field is removed from the request. |

+|`allow` | The field is passed to the back end. |

+|`ignore` | The rule is not valid for this case and the next rule is applied. |

+### Error handling

+Failure to validate against the GraphQL schema, or a failure for the request's size or depth, is a request error and results in the request being failed with an errors block (but no data block).

+Similar to the [`Context.LastError`](api-management-error-handling-policies.md#lasterror) property, all GraphQL validation errors are automatically propagated in the `GraphQLErrors` variable. If the errors need to be propagated separately, you can specify an error variable name. Errors are pushed onto the `error` variable and the `GraphQLErrors` variable.

+### Usage

+This policy can be used in the following policy [sections](./api-management-howto-policies.md#sections) and [scopes](./api-management-howto-policies.md#scopes).

+- **Policy sections:** inbound

+- **Policy scopes:** all scopes

+## Set GraphQL resolver

+The `set-graphql-resolver` policy retrieves or sets data for a GraphQL field in an object type specified in a GraphQL schema. The schema must be imported to API Management. Currently the data must be resolved using an HTTP-based data source (REST or SOAP API).

+* This policy is invoked only when a matching GraphQL query is executed.

+* The policy resolves data for a single field. To resolve data for multiple fields, configure multiple occurrences of this policy in a policy definition.

+* The context for the HTTP request and HTTP response (if specified) differs from the context for the original gateway API request:

+ * The HTTP request context contains arguments that are passed in the GraphQL query as its body.

+ * The HTTP response context is the response from the independent HTTP call made by the resolver, not the context for the complete response for the gateway request.

+### Policy statement

+```xml

+<set-graphql-resolver parent-type="type" field="field">

+ <http-data-source>

+ <http-request>

+ <set-method>HTTP method</set-method>

+ <set-url>URL</set-url>

+ [...]

+ </http-request>

+ <http-response>

+ [...]

+ </http-response>

+ </http-data-source>

+</set-graphql-resolver>

+```

+### Examples

+### Resolver for GraphQL query

+The following example resolves a query by making an HTTP `GET` call to a backend data source.

+#### Example schema

+```

+type Query {

+ users: [User]

+}

+type User {

+ id: String!

+ name: String!

+}

+```

+#### Example policy

+```xml

+<set-graphql-resolver parent-type="Query" field="users">

+ <http-data-source>

+ <http-request>

+ <set-method>GET</set-method>

+ <set-url>https://data.contoso.com/get/users</set-url>

+ </http-request>

+ </http-data-source>

+</set-graphql-resolver>

+```

+### Resolver for a GraqhQL query that returns a list, using a liquid template

+The following example uses a liquid template, supported for use in the [set-body](api-management-transformation-policies.md#SetBody) policy, to return a list in the HTTP response to a query.

+#### Example schema

+```

+type Query {

+ users: [User]

+}

+type User {

+ id: String!

+ name: String!

+}

+```

+#### Example policy

+```xml

+<set-graphql-resolver parent-type="Query" field="users">

+ <http-data-source>

+ <http-request>

+ <set-method>GET</set-method>

+ <set-url>https://data.contoso.com/users</set-url>

+ </http-request>

+ <http-response>

+ <set-body template="liquid">

+ [

+ {% JSONArrayFor elem in body %}

+ {

+ "name": "{{elem.title}}"

+ }

+ {% endJSONArrayFor %}

+ ]

+ </set-body>

+ </http-response>

+ </http-data-source>

+</set-graphql-resolver>

+```

+### Resolver for GraphQL mutation

+The following example resolves a mutation that inserts data by making a `POST` request to an HTTP data source. The policy expression in the `set-body` policy of the HTTP request modifies a `name` argument that is passed in the GraphQL query as its body.

+#### Example schema

+```

+type Query {

+ users: [User]

+}

+type Mutation {

+ makeUser(name: String!): User

+}

+type User {

+ id: String!

+ name: String!

+}

+```

+#### Example policy

+```xml

+<set-graphql-resolver parent-type="Mutation" field="makeUser">

+ <http-data-source>

+ <http-request>

+ <set-method>POST</set-method>

+ <set-url> https://data.contoso.com/user/create </set-url>

+ <set-header name="Content-Type" exists-action="override">

+ <value>application/json</value>

+ </set-header>

+ <set-body>@{

+ var body = context.Request.Body.As<JObject>(true);

+ JObject jsonObject = new JObject();

+ jsonObject.Add("name", body["name"])

+ return jsonObject.ToString();

+ }</set-body>

+ </http-request>

+ </http-data-source>

+</set-graphql-resolver>

+```

+### Elements

+| Name | Description | Required |

+| | | -- |

+| `set-graphql-resolver` | Root element. | Yes |

+| `http-data-source` | Configures the HTTP request and optionally the HTTP response that are used to resolve data for the given `parent-type` and `field`. | Yes |

+| `http-request` | Specifies a URL and child policies to configure the resolver's HTTP request. Each of the following policies can be specified at most once in the element. <br/><br/>Required policy: [set-method](api-management-advanced-policies.md#SetRequestMethod)<br/><br/>Optional policies: [set-header](api-management-transformation-policies.md#SetHTTPheader), [set-body](api-management-transformation-policies.md#SetBody), [authentication-certificate](api-management-authentication-policies.md#ClientCertificate) | Yes |

+| `set-url` | The URL of the resolver's HTTP request. | Yes |

+| `http-response` | Optionally specifies child policies to configure the resolver's HTTP response. If not specified, the response is returned as a raw string. Each of the following policies can be specified at most once. <br/><br/>Optional policies: [set-body](api-management-transformation-policies.md#SetBody), [json-to-xml](api-management-transformation-policies.md#ConvertJSONtoXML), [xml-to-json](api-management-transformation-policies.md#ConvertXMLtoJSON), [find-and-replace](api-management-transformation-policies.md#Findandreplacestringinbody) | No |

+### Attributes

+| Name | Description | Required | Default |

+| -- | - | -- | - |

+| `parent-type`| An object type in the GraphQL schema. | Yes | N/A |

+| `field`| A field of the specified `parent-type` in the GraphQL schema. | Yes | N/A |

+> [!NOTE]

+> Currently, the values of `parent-type` and `field` aren't validated by this policy. If they aren't valid, the policy is ignored, and the GraphQL query is forwarded to a GraphQL endpoint (if one is configured).

+### Usage

+This policy can be used in the following policy [sections](./api-management-howto-policies.md#sections) and [scopes](./api-management-howto-policies.md#scopes).

+- **Policy sections:** backend

+- **Policy scopes:** all scopes

+ Title: Import GraphQL schema and set up field resolvers | Microsoft Docs

+description: Import a GraphQL schema to API Management and configure a policy to resolve a GraphQL query using an HTTP-based data source.

+# Import a GraphQL schema and set up field resolvers

+

+In this article, you'll:

+> [!div class="checklist"]

+> * Import a GraphQL schema to your API Management instance

+> * Set up a resolver for a GraphQL query using an existing HTTP endpoints

+> * Test your GraphQL API

+If you want to expose an existing GraphQL endpoint as an API, see [Import a GraphQL API](graphql-api.md).

+## Prerequisites

+- An existing API Management instance. [Create one if you haven't already](get-started-create-service-instance.md).

+- A valid GraphQL schema file with the `.graphql` extension.

+- A backend GraphQL endpoint is optional for this scenario.

+## Add a GraphQL schema

+1. From the side navigation menu, under the **APIs** section, select **APIs**.

+1. Under **Define a new API**, select the **Synthetic GraphQL** icon.

+ :::image type="content" source="media/graphql-schema-resolve-api/import-graphql-api.png" alt-text="Screenshot of selecting Synthetic GraphQL icon from list of APIs.":::

+1. In the dialog box, select **Full** and complete the required form fields.

+ :::image type="content" source="media/graphql-schema-resolve-api/create-from-graphql-schema.png" alt-text="Screenshot of fields for creating a GraphQL API.":::

+ | Field | Description |

+ |-|-|

+ | **Display name** | The name by which your GraphQL API will be displayed. |

+ | **Name** | Raw name of the GraphQL API. Automatically populates as you type the display name. |

+ | **Fallback GraphQL endpoint** | For this scenario, optionally enter a URL with a GraphQL API endpoint name. API Management passes GraphQL queries to this endpoint when a custom resolver isn't set for a field. |

+ | **Upload schema file** | Select to browse and upload a valid GraphQL schema file with the `.graphql` extension. |

+ | Description | Add a description of your API. |

+ | URL scheme | Select **HTTP**, **HTTPS**, or **Both**. Default selection: *Both*. |

+ | **API URL suffix**| Add a URL suffix to identify this specific API in this API Management instance. It has to be unique in this API Management instance. |

+ | **Base URL** | Uneditable field displaying your API base URL |

+ | **Tags** | Associate your GraphQL API with new or existing tags. |

+ | **Products** | Associate your GraphQL API with a product to publish it. |

+ | **Gateways** | Associate your GraphQL API with existing gateways. Default gateway selection: *Managed*. |

+ | **Version this API?** | Select to apply a versioning scheme to your GraphQL API. |

+

+1. Select **Create**.

+1. After the API is created, browse the schema on the **Design** tab, in the **Frontend** section.

+## Configure resolver

+Configure the [set-graphql-resolver](graphql-policies.md#set-graphql-resolver) policy to map a field in the schema to an existing HTTP endpoint.

+Suppose you imported the following basic GraphQL schema and wanted to set up a resolver for the *users* query.

+```

+type Query {

+ users: [User]

+}

+type User {

+ id: String!

+ name: String!

+}

+```

+1. From the side navigation menu, under the **APIs** section, select **APIs** > your GraphQL API.

+1. On the **Design** tab of your GraphQL API, select **All operations**.

+1. In the **Backend** processing section, select **+ Add policy**.

+1. Configure the `set-graphql-resolver` policy to resolve the *users* query using an HTTP data source.

+ For example, the following `set-graphql-resolver` policy retrieves the *users* field by using a `GET` call on an existing HTTP data source.

+ ```xml

+ <set-graphql-resolver parent-type="Query" field="users">

+ <http-data-source>

+ <http-request>

+ <set-method>GET</set-method>

+ <set-url>https://myapi.contoso.com/users</set-url>

+ </http-request>

+ </http-data-source>

+ </set-graphql-resolver>

+ ```

+1. To resolve data for other fields in the schema, repeat the preceding step.

+1. Select **Save**.

+## Next steps

+> [!div class="nextstepaction"]

+> [Transform and protect a published API](transform-api.md)

+ Title: Reuse policy configurations in Azure API Management | Microsoft Docs

+description: Learn how to create and manage reusable policy fragments in Azure API Management. Policy fragments are XML elements containing policy configurations that can be included in any policy definition.

+documentationcenter: ''

+# Reuse policy configurations in your API Management policy definitions

+This article shows you how to create and use *policy fragments* in your API Management policy definitions. Policy fragments are centrally managed, reusable XML snippets containing one or more API Management [policy](api-management-howto-policies.md) configurations.

+Policy fragments help you configure policies consistently and maintain policy definitions without needing to repeat or retype XML code.

+A policy fragment:

+* Must be valid XML containing one or more policy configurations

+* May include [policy expressions](api-management-policy-expressions.md), if a referenced policy supports them

+* Is inserted as-is in a policy definition by using the [include-fragment](api-management-advanced-policies.md#IncludeFragment) policy

+Limitations:

+* A policy fragment can't include a policy section identifier (`<inbound>`, `<outbound>`, etc.) or the `<base/>` element.

+* Currently, a policy fragment can't nest another policy fragment.

+## Prerequisites

+If you don't already have an API Management instance and a backend API, see:

+- [Create an Azure API Management instance](get-started-create-service-instance.md)

+- [Import and publish an API](import-and-publish.md)

+While not required, you may want to [configure](set-edit-policies.md) one or more policy definitions. You can copy policy elements from these definitions when creating policy fragments.

+## Create a policy fragment

+1. In the left navigation of your API Management instance, under **APIs**, select **Policy fragments** > **+ Create**.

+1. In the **Create a new policy fragment** window, enter a **Name** and an optional **Description** of the policy fragment. The name must be unique within your API Management instance.

+ Example name: *ForwardContext*

+1. In the **XML policy fragment** editor, type or paste one or more policy XML elements between the `<fragment>` and `</fragment>` tags.

+ :::image type="content" source="media/policy-fragments/create-fragment.png" alt-text="Screenshot showing the create a new policy fragment form.":::

+ For example, the following fragment contains a [`set-header`](api-management-transformation-policies.md#SetHTTPheader) policy configuration to forward context information to a backend service. This fragment would be included in an inbound policy section. The policy expressions in this example access the built-in [`context` variable](api-management-policy-expressions.md#ContextVariables).

+ ```xml

+ <fragment>

+ <set-header name="x-request-context-data" exists-action="override">

+ <value>@(context.User.Id)</value>

+ <value>@(context.Deployment.Region)</value>

+ </set-header>

+ </fragment>

+ ```

+

+1. Select **Create**. The fragment is added to the list of policy fragments.

+## Include a fragment in a policy definition

+Configure the [`include-fragment`](api-management-advanced-policies.md#IncludeFragment) policy to insert a policy fragment in a policy definition. For more information about policy definitions, see [Set or edit policies](set-edit-policies.md).

+* You may include a fragment at any scope and in any policy section, as long as the underlying policy or policies in the fragment support that usage.

+* You may include multiple policy fragments in a policy definition.

+For example, insert the policy fragment named *ForwardContext* in the inbound policy section:

+```xml

+<policies>

+ <inbound>

+ <include-fragment fragment-id="ForwardContext" />

+ <base />

+ </inbound>

+[...]

+```

+> [!TIP]

+> To see the content of an included fragment displayed in the policy definition, select **Recalculate effective policy** in the policy editor.

+## Manage policy fragments

+After creating a policy fragment, you can view and update policy properties, or delete the policy at any time.

+**To view properties of a fragment:**

+1. In the left navigation of your API Management instance, under **APIs**, select **Policy fragments**. Select the name of your fragment.

+1. On the **Overview** page, review the **Policy document references** to see the policy definitions that include the fragment.

+1. On the **Properties** page, review the name and description of the policy fragment. The name can't be changed.

+**To edit a policy fragment:**

+1. In the left navigation of your API Management instance, under **APIs**, select **Policy fragments**. Select the name of your fragment.

+1. Select **Policy editor**.

+1. Update the statements in the fragment and then select **Apply**.

+> [!NOTE]

+> Update affects all policy definitions where the fragment is included.

+**To delete a policy fragment:**

+1. In the left navigation of your API Management instance, under **APIs**, select **Policy fragments**. Select the name of your fragment.

+1. Review **Policy document references** for policy definitions that include the fragment. Before a fragment can be deleted, you must remove the fragment references from all policy definitions.

+1. After all references are removed, select **Delete**.

+For more information about working with policies, see:

+## Reuse policy configurations

+You can create reusable [policy fragments](policy-fragments.md) in your API Management instance. Policy fragments are XML elements containing your configurations of one or more policies. Policy fragments help you configure policies consistently and maintain policy definitions without needing to repeat or retype XML code.

+Use the [`include-fragment`](api-management-advanced-policies.md#IncludeFragment) policy to insert a policy fragment in a policy definition.

+* Switzerland North

+> The regions with * against them have restrictive access in an Azure subscription to enable availability zone support. Please work with your Microsoft sales or customer representative.

+ - **Bitness**: 32-bit or 64-bit. For Windows apps only.

+App Service allows users to choose the major version of the JVM, such as Java 8 or Java 11, and the patch version, such as 1.8.0_232 or 11.0.5. You can also choose to have the patch version automatically updated as new minor versions become available. In most cases, production sites should use pinned patch JVM versions. This will prevent unanticipated outages during a patch version auto-update. All Java web apps use 64-bit JVMs, this is not configurable.

+Only start this step once you've completed all pre-migration actions listed previously and understand the [implications of migration](migrate.md#migrate-to-app-service-environment-v3) including what will happen during this time. This step takes up to three hours and during that time there will be about one hour of application downtime. Scaling and modifications to your existing App Service Environment will be blocked during this step.

+Once you've completed all of the above steps, you can start migration. Make sure you understand the [implications of migration](migrate.md#migrate-to-app-service-environment-v3) including what will happen during this time. This step takes up to three hours and during that time there will be about one hour of application downtime. Scaling and modifications to your existing App Service Environment will be blocked during this step.

+During migration, which requires up to a three hour service window, the following events will occur:

+- All of the apps that are on your App Service Environment are temporarily down. You should expect about one hour of downtime during this period.

+ Yes, you should expect about one hour of downtime during the three hour service window during the migration step so plan accordingly. If downtime isn't an option for you, see the [manual migration options](migration-alternatives.md).

+NAT gateway supports both public IP addresses and public IP prefixes. A NAT gateway can support up to 16 IP addresses across individual IP addresses and prefixes. Each IP address allocates 64,512 ports (SNAT ports) allowing up to 1M available ports. Learn more in the [Scaling section](../../virtual-network/nat-gateway/nat-gateway-resource.md#scale-nat-gateway) of NAT gateway.

+> | api-version | Query | The version of the token API to be used. Use `2019-08-01`. |

+ Title: Understanding disabled listeners

+# Understanding disabled listeners

+ --sku Standard \

+ --location eastus

+[Create an application gateway that hosts multiple web sites](./tutorial-multiple-sites-cli.md)

+ Title: "Configure secure access with managed identities and private endpoints"

+description: Learn how to configure secure communications between Form Recognizer and other Azure Services.

+# Configure secure access with managed identities and private endpoints

+This how-to guide will walk you through the process of enabling secure connections for your Form Recognizer resource. You can secure the following connections:

+* Communication between a client application within a Virtual Network (VNET) and your Form Recognizer Resource.

+* Communication between Form Recognizer Studio or the sample labeling tool (FOTT) and your Form Recognizer resource.

+* Communication between your Form Recognizer resource and a storage account (needed when training a custom model).

+You'll be setting up your environment to secure the resources:

+ :::image type="content" source="media/managed-identities/secure-config.png" alt-text="Screenshot of secure configuration with managed identity and private endpoints.":::

+## Prerequisites

+To get started, you'll need:

+* An active [**Azure account**](https://azure.microsoft.com/free/cognitive-services/)ΓÇöif you don't have one, you can [**create a free account**](https://azure.microsoft.com/free/).

+* A [**Form Recognizer**](https://portal.azure.com/#create/Microsoft.CognitiveServicesTextTranslation) or [**Cognitive Services**](https://portal.azure.com/#create/Microsoft.CognitiveServicesAllInOne) resource in the Azure portal. For detailed steps, _see_ [Create a Cognitive Services resource using the Azure portal](../../cognitive-services/cognitive-services-apis-create-account.md?tabs=multiservice%2cwindows).

+* An [**Azure blob storage account**](https://portal.azure.com/#create/Microsoft.StorageAccount-ARM) in the same region as your Form Recognizer resource. You'll create containers to store and organize your blob data within your storage account.

+* An [**Azure virtual network**](https://portal.azure.com/#create/Microsoft.VirtualNetwork-ARM) in the same region as your Form Recognizer resource. You'll create a virtual network to deploy your application resources to train models and analyze documents.

+* An [**Azure data science VM**](https://portal.azure.com/#create/Microsoft.VirtualNetwork-ARM) optionally deploy a data science VM in the virtual network to test the secure connections being established.

+## Configure resources

+Configure each of the resources to ensure that the resources can communicate with each other:

+* Configure the Form Recognizer Studio to use the newly created Form Recognizer resource by accessing the settings page and selecting the resource.

+* Validate that the configuration works by selecting the Read API and analyzing a sample document. If the resource was configured correctly, the request will successfully complete.

+* Add a training dataset to a container in the Storage account you created.

+* Select the custom model tile to create a custom project. Ensure that you select the same Form Recognizer resource and the storage account you created in the previous step.

+* Select the container with the training dataset you uploaded in the previous step. Ensure that if the training dataset is within a folder, the folder path is set appropriately.

+* If you have the required permissions, the Studio will set the CORS setting required to access the storage account. If you don't have the permissions, you'll need to ensure that the CORS settings are configured on the Storage account before you can proceed.

+* Validate that the Studio is configured to access your training data, if you can see your documents in the labeling experience, all the required connections have been established.

+You now have a working implementation of all the components needed to build a Form Recognizer solution with the default security model:

+ :::image type="content" source="media/managed-identities/default-config.png" alt-text="Screenshot of default security configuration.":::

+Next, you'll complete the following steps:

+* Setup managed identity on the Form Recognizer resource.

+* Secure the storage account to restrict traffic from only specific virtual networks and IP addresses.

+* Configure the Form Recognizer managed identity to communicate with the storage account.

+* Disable public access to the Form Recognizer resource and create a private endpoint to make it accessible from the virtual network.

+* Add a private endpoint for the storage account in a selected virtual network.

+* Validate that you can train models and analyze documents from within the virtual network.

+## Setup managed identity for Form Recognizer

+Navigate to the Form Recognizer resource in the Azure portal and select the **Identity** tab. Toggle the **System assigned** managed identity to **On** and save the changes:

+ :::image type="content" source="media/managed-identities/v2-fr-mi.png" alt-text="Screenshot of configure managed identity.":::

+## Secure the Storage account to limit traffic

+Start configuring secure communications by navigating to the **Networking** tab on your **Storage account** in the Azure portal.

+1. Under **Firewalls and virtual networks**, choose **Enabled from selected virtual networks and IP addresses** from the **Public network access** list.

+1. Ensure that **Allow Azure services on the trusted services list to access this storage account** is selected from the **Exceptions** list.

+1. **Save** your changes.

+ :::image type="content" source="media/managed-identities/v2-stg-firewall.png" alt-text="Screenshot of configure storage firewall.":::

+> [!NOTE]

+>

+> Your storage account won't be accessible from the public internet.

+>

+> Refreshing the custom model labeling page in the Studio will result in an error message.

+## Enable access to storage from Form Recognizer

+To ensure that the Form Recognizer resource can access the training dataset, you'll need to add a role assignment for the managed identity that was created earlier.

+1. Staying on the storage account window in the Azure portal, navigate to the **Access Control (IAM)** tab in the left navigation bar.

+1. Select the **Add role assignment** button.

+ :::image type="content" source="media/managed-identities/v2-stg-role-assign-role.png" alt-text="Screenshot of add role assignment window.":::

+1. On the **Role** tab, search for and select the**Storage Blob Reader** permission and select **Next**.

+ :::image type="content" source="media/managed-identities/v2-stg-role-assignment.png" alt-text="Screenshot of choose a role tab.":::

+1. On the **Members** tab, select the **Managed identity** option and choose **+ Select members**

+1. On the **Select managed identities** dialog window, select the following options:

+ * **Subscription**. Select your subscription.

+ * **Managed Identity**. Select Form **Recognizer**.

+ * **Select**. Choose the Form Recognizer resource you enabled with a managed identity.

+ :::image type="content" source="media/managed-identities/v2-stg-role-assign-resource.png" alt-text="Screenshot of managed identities dialog window.":::

+1. **Close** the dialog window.

+1. Finally, select **Review + assign** to save your changes.

+Great! You've configured your Form Recognizer resource to use a managed identity to connect to a storage account.

+> [!TIP]

+>

+> When you try the [Form Recognizer Studio](https://formrecognizer.appliedai.azure.com/studio), you'll see the READ API and other prebuilt models don't require storage access to process documents. However, training a custom model requires additional configuration because the Studio can't directly communicate with a storage account.

+ > You can enable storage access by selecting **Add your client IP address** from the **Networking** tab of the storage account to configure your machine to access the storage account via IP allowlisting.

+## Configure private endpoints for access from VNETs

+When you connect to resources from a virtual network, adding private endpoints will ensure both the storage account and the Form Recognizer resource are accessible from the virtual network.

+Next, you'll configure the virtual network to ensure only resources within the virtual network or traffic router through the network will have access to the Form Recognizer resource and the storage account.

+### Enable your virtual network and private endpoints

+1. In the Azure portal, navigate to your Form Recognizer resource.

+1. Select the **Networking** tab from the left navigation bar.

+1. Enable the **Selected Networking and Private Endpoints** option from the **Firewalls and virtual networks** tab and select save.

+> [!NOTE]

+>

+>If you try accessing any of the Form Recognizer Studio features, you'll see an access denied message. To enable access from the Studio on your machine, select the **client IP address checkbox** and **Save** to restore access.

+ :::image type="content" source="media/managed-identities/v2-fr-network.png" alt-text="Screenshot showing how to disable public access to Form Recognizer.":::

+### Configure your private endpoint

+1. Navigate to the **Private endpoint connections** tab and select the **+ Private endpoint**. You'll be

+navigated to the **Create a private endpoint** dialog page.

+1. On the **Create private endpoint** dialog page, select the following options:

+ * **Subscription**. Select your billing subscription.

+ * **Resource group**. Select the appropriate resource group.

+ * **Name**. Enter a name for your private endpoint.

+ * **Region**. Select the same region as your virtual network.

+ * Select **Next: Resource**.

+ :::image type="content" source="media/managed-identities/v2-fr-private-end-basics.png" alt-text="Screenshot showing how to set-up a private endpoint":::

+### Configure your virtual network

+1. On the **Resource** tab, accept the default values and select **Next: Virtual Network**.

+1. On the **Virtual Network** tab, ensure that the virtual network you created is selected in the virtual network.

+1. If you have multiple subnets, select the subnet where you want the private endpoint to connect. Accept the default value to **Dynamically allocate IP address**.

+1. Select **Next: DNS**

+1. Accept the default value **Yes** to **integrate with private DNS zone**.

+ :::image type="content" source="media/managed-identities/v2-fr-private-end-vnet.png" alt-text="Screenshot showing how to configure private endpoint":::

+1. Accept the remaining defaults and select **Next: Tags**.

+1. Select **Next: Review + create** .

+Well done! Your Form Recognizer resource now is only accessible from the virtual network and any IP addresses in the IP allowlist.

+### Configure private endpoints for storage

+Navigate to your **storage account** on the Azure portal.

+1. Select the **Networking** tab from the left navigation menu.

+1. Select the **Private endpoint connections** tab.

+1. Choose add **+ Private endpoint**.

+1. Provide a name and choose the same region as the virtual network.

+1. Select **Next: Resource**.

+ :::image type="content" source="media/managed-identities/v2-stg-private-end-basics.png" alt-text="Screenshot showing how to create a private endpoint":::

+1. On the resource tab, select **blob** from the **Target sub-resource** list.

+1. select **Next: Virtual Network**.

+ :::image type="content" source="media/managed-identities/v2-stg-private-end-resource.png" alt-text="Screenshot showing how to configure a private endpoint for a blob.":::

+1. Select the **Virtual network** and **Subnet**. Make sure **Enable network policies for all private endpoints in this subnet** is selected and the **Dynamically allocate IP address** is enabled.

+1. Select **Next: DNS**.

+1. Make sure that **Yes** is enabled for **Integrate with private DNS zone**.

+1. Select **Next: Tags**.

+1. Select **Next: Review + create**.

+Great work! You now have all the connections between the Form Recognizer resource and storage configured to use managed identities.

+> [!NOTE]

+> The resources are only accessible from the virtual network.

+>

+> Studio access and analyze requests to your Form Recognizer resource will fail unless the request originates from the virtual network or is routed via the virtual network.

+## Validate your deployment

+To validate your deployment, you can deploy a virtual machine (VM) to the virtual network and connect to the resources.

+1. Configure a [Data Science VM](https://azuremarketplace.microsoft.com/marketplace/apps/microsoft-dsvm.dsvm-win-2019?tab=Overview) in the virtual network.

+1. Remotely connect into the VM from your desktop to launch a browser session to access Form Recognizer Studio.

+1. Analyze requests and the training operations should now work successfully.

+That's it! You can now configure secure access for your Form Recognizer resource with managed identities and private endpoints.

+## Common error messages

+* **Failed to access Blob container**:

+ :::image type="content" source="media/managed-identities/cors-error.png" alt-text="Screenshot of error message when CORS config is required":::

+ **Resolution**: [Configure CORS](quickstarts/try-v3-form-recognizer-studio.md#prerequisites-for-new-users).

+* **AuthorizationFailure**:

+ :::image type="content" source="media/managed-identities/auth-failure.png" alt-text="Screenshot of authorization failure error.":::

+ **Resolution**: Ensure that there's a network line-of-sight between the computer accessing the form recognizer studio and the storage account. For example, you may need to add the client IP address in the storage account's networking tab.

+* **ContentSourceNotAccessible**:

+ :::image type="content" source="media/managed-identities/content-source-error.png" alt-text="Screenshot of content source not accessible error.":::

+ **Resolution**: Make sure you've given your Form Recognizer managed identity the role of **Storage Blob Data Reader** and enabled **Trusted services** access or **Resource instance** rules on the networking tab.

+* **AccessDenied**:

+ :::image type="content" source="media/managed-identities/access-denied.png" alt-text="Screenshot of a access denied error.":::

+ **Resolution**: Check to make sure there's connectivity between the computer accessing the form recognizer studio and the form recognizer service. For example, you may need to add the client IP address to the Form Recognizer service's networking tab.

+## Next steps

+> [!div class="nextstepaction"]

+> [Access Azure Storage from a web app using managed identities](../../app-service/scenario-secure-app-access-storage.md?bc=%2fazure%2fapplied-ai-services%2fform-recognizer%2fbreadcrumb%2ftoc.json&toc=%2fazure%2fapplied-ai-services%2fform-recognizer%2ftoc.json)

+## Next steps

+> [Configure secure access with managed identities and private endpoints](managed-identities-secured-access.md)

+ * A [**Java Development Kit** (JDK)](https://wiki.openjdk.java.net/display/jdk8u) version 8 or later. For more information, *see* [supported Java Versions and update schedule](/azure/developer/java/fundamentals/java-support-on-azure#supported-java-versions-and-update-schedule).

+This article contains a quick reference and the **detailed description** of Azure Form Recognizer service Quotas and Limits for all [pricing tiers](https://azure.microsoft.com/pricing/details/form-recognizer/). It also contains some best practices to avoid request throttling.

+| Adjustable | No | Yes² |

+| **Max document size** | 500 MB | 500 MB |

+| Adjustable | No | No |

+| **Max number of pages (Analysis)** | 2 | No limit |

+| Adjustable | No | No |

+| **Max size of labels file** | 10 MB | 10 MB |

+| Adjustable | No | No |

+| **Max size of OCR json response** | 500 MB | 500 MB |

+| Adjustable | No | No |

+# [Form Recognizer v3.0 (Preview)](#tab/v30)

+| Quota | Free (F0)¹ | Standard (S0) |

+|--|--|--|

+| **Compose Model limit** | 5 | 200 (default value) |

+| Adjustable | No | No |

+| **Training dataset size - Template** | 50MB | 50MB (default value) |

+| Adjustable | No | No |

+| **Training dataset size - Neural** | 1GB | 1GB (default value) |

+| Adjustable | No | No |

+| **Max number of pages (Training) - Template** | 500 | 500 (default value) |

+| Adjustable | No | No |

+| **Max number of pages (Training) - Neural** | 50,000 | 50,000 (default value) |

+| Adjustable | No | No |

+| Adjustable | No | Yes³ |

+³ Open a support request to increase the monthly training limit.

+# [Form Recognizer v2.1 (GA)](#tab/v21)

+| Quota | Free (F0)¹ | Standard (S0) |

+|--|--|--|

+| **Compose Model limit** | 5 | 100 (default value) |

+| Adjustable | No | No |

+| **Training dataset size** | 50 MB | 50 MB (default value) |

+| Adjustable | No | No |

+| **Max number of pages (Training)** | 500 | 500 (default value) |

+| Adjustable | No | No |

+--

+¹ For **Free (F0)** pricing tier see also monthly allowances at the [pricing page](https://azure.microsoft.com/pricing/details/form-recognizer/).</br>

+Before requesting a quota increase (where applicable), ensure that it's necessary. Form Recognizer service uses autoscaling to bring the required computational resources in "on-demand" and at the same time to keep the customer costs low, deprovision unused resources by not maintaining an excessive amount of hardware capacity. Every time your application receives a Response Code 429 ("Too many requests") while your workload is within the defined limits (see [Quotas and Limits quick reference](#form-recognizer-service-quotas-and-limits)) the most likely explanation is that the Service is scaling up to your demand and didn't reach the required scale yet, thus it doesn't immediately have enough resources to serve the request. This state is transient and shouldn't last long.

+#### Have the required information ready

+- In Problem type,* select "Quota or usage validation"

+ - Provide a TPS expectation you would like to scale to meet.

+ Let us suppose that a Form Recognizer resource has the default limit set. Start the workload to submit your analyze requests. If you find that you're seeing frequent throttling with response code 429, start by implementing an exponential backoff on the GET analyze response request. By using a progressively longer wait time between retries for consecutive error responses, for example a 2-5-13-34 pattern of delays between requests. In general, it's recommended to not call the get analyze response more than once every 2 seconds for a corresponding POST request.

+## Next steps

+> [!div class="nextstepaction"]

+> [Learn about error codes and troubleshooting](preview-error-guide.md)

+The operating system check verifies whether the Hybrid Runbook Worker is running [one of the supported operating systems.](/azure/automation/update-management/operating-system-requirements.md#windows-operating-system)

+one of the supported operating systems

+### Windows

+### Linux

+|Operating system |Notes |

+|||

+| [Azure Storage account](migrate-storage.md) |  |

+| [Azure Storage: Azure Data Lake Storage](migrate-storage.md) |  |

+| [Azure Storage: Disk Storage](migrate-storage.md) |  |

+| [Azure Storage: Blob Storage](migrate-storage.md) |  |

+| [Azure Storage: Managed Disks](migrate-storage.md) |   |

+| [Azure Virtual Machine Scale Sets](migrate-vm.md) |   |

+| [Azure Virtual Machines](migrate-vm.md) |  |

+| Virtual Machines:ΓÇ»[Av2-Series](migrate-vm.md) |  |

+| Virtual Machines:ΓÇ»[Bs-Series](migrate-vm.md) |  |

+| Virtual Machines:ΓÇ»[DSv2-Series](migrate-vm.md) |  |

+| Virtual Machines:ΓÇ»[DSv3-Series](migrate-vm.md) |  |

+| Virtual Machines:ΓÇ»[Dv2-Series](migrate-vm.md) |  |

+| Virtual Machines:ΓÇ»[Dv3-Series](migrate-vm.md) |  |

+| Virtual Machines:ΓÇ»[ESv3-Series](migrate-vm.md) |  |

+| Virtual Machines:ΓÇ»[Ev3-Series](migrate-vm.md) |  |

+| Virtual Machines:ΓÇ»[F-Series](migrate-vm.md) |  |

+| Virtual Machines:ΓÇ»[FS-Series](migrate-vm.md) |  |

+| Virtual Machines:ΓÇ»[Azure Compute Gallery](migrate-vm.md)|  |

+ Title: Migrate Azure Storage accounts to availability zone support

+description: Learn how to migrate your Azure storage accounts to availability zone support.

+# Migrate Azure Storage accounts to availability zone support

+

+This guide describes how to migrate Azure Storage accounts from non-availability zone support to availability support. We'll take you through the different options for migration.

+Azure Storage always stores multiple copies of your data so that it is protected from planned and unplanned events, including transient hardware failures, network or power outages, and massive natural disasters. Redundancy ensures that your storage account meets the Service-Level Agreement (SLA) for Azure Storage even in the face of failures.

+Azure Storage offers the following types of replication:

+- Locally redundant storage (LRS)

+- Zone-redundant storage (ZRS)

+- Geo-redundant storage (GRS) or read-access geo-redundant storage (RA-GRS)

+- Geo-zone-redundant storage (GZRS) or read-access geo-zone-redundant storage (RA-GZRS)

+For an overview of each of these options, see [Azure Storage redundancy](../storage/common/storage-redundancy.md).

+You can switch a storage account from one type of replication to any other type, but some scenarios are more straightforward than others. This article describes two basic options for migration. The first is a manual migration and the second is a live migration that you must initiate by contacting Microsoft support.

+## Prerequisites

+- Make sure your storage account(s) are in a region that supports ZRS. To determine whether or not the region supports ZRS, see [Zone-redundant storage](../storage/common/storage-redundancy.md#zone-redundant-storage).

+- Confirm that your storage account(s) is a general-purpose v2 account. If your storage account is v1, you'll need to upgrade it to v2. To learn how to upgrade your v1 account, see [Upgrade to a general-purpose v2 storage account](../storage/common/storage-account-upgrade.md).

+## Downtime requirements

+If you choose manual migration, downtime is required. If you choose live migration, there's no downtime requirement.

+## Migration option 1: Manual migration

+### When to use a manual migration

+Use a manual migration if:

+- You need the migration to be completed by a certain date.

+- You want to migrate your data to a ZRS storage account that's in a different region than the source account.

+- You want to migrate data from ZRS to LRS, GRS or RA-GRS.

+- Your storage account is a premium page blob or block blob account.

+- Your storage account includes data that's in the archive tier.

+### How to manually migrate Azure Storage accounts

+To manually migration your Azure Storage accounts:

+1. Create a new storage account in the primary region with Zone Redundant Storage (ZRS) as the redundancy setting.

+1. Copy the data from your existing storage account to the new storage account. To perform a copy operation, use one of the following options:

+ - **Option 1:** Copy data by using an existing tool such as [AzCopy](../storage/common/storage-use-azcopy-v10.md), [Azure Data factory](../data-factory/connector-azure-blob-storage.md?tabs=data-factory), one of the Azure Storage client libraries, or a reliable third-party tool.

+ - **Option 2:** If you're familiar with Hadoop or HDInsight, you can attach both the source storage account and destination storage account to your cluster. Then, parallelize the data copy process with a tool like [DistCp](https://hadoop.apache.org/docs/r1.2.1/distcp.html).

+1. Determine which type of replication you need and follow the directions in [Switch between types of replication](../storage/common/redundancy-migration.md#switch-between-types-of-replication).

+## Migration option 2: Request a live migration

+### When to request a live migration

+Request a live migration if:

+- You want to migrate your storage account from LRS to ZRS in the primary region with no application downtime.

+- You want to migrate your storage account from ZRS to GZRS or RA-GZRS.

+- You don't need the migration to be completed by a certain date. While Microsoft handles your request for live migration promptly, there's no guarantee as to when a live migration will complete. Generally, the more data you have in your account, the longer it takes to migrate that data.

+### Live migration considerations

+During a live migration, you can access data in your storage account with no loss of durability or availability. The Azure Storage SLA is maintained during the migration process. There's no data loss associated with a live migration. Service endpoints, access keys, shared access signatures, and other account options remain unchanged after the migration.

+However, be aware of the following limitations:

+- The archive tier is not currently supported for ZRS accounts.

+- Unmanaged disks don't support ZRS or GZRS.

+- Only general-purpose v2 storage accounts support GZRS and RA-GZRS. GZRS and RA-GZRS support block blobs, page blobs (except for VHD disks), files, tables, and queues.

+- Live migration from LRS to ZRS isn't supported if the storage account contains Azure Files NFSv4.1 shares.

+- For premium performance, live migration is supported for premium file share accounts, but not for premium block blob or premium page blob accounts.

+### How to request a live migration

+[Request a live migration](../storage/common/redundancy-migration.md) by creating a new support request from Azure portal.

+## Next steps

+For more guidance on moving an Azure Storage account to another region, see:

+> [!div class="nextstepaction"]

+> [Move an Azure Storage account to another region](../storage/common/storage-account-move.md).

+Learn more about:

+> [!div class="nextstepaction"]

+> [Azure Storage redundancy](../storage/common/storage-redundancy.md)

+> [!div class="nextstepaction"]

+> [Regions and Availability Zones in Azure](az-overview.md)

+> [!div class="nextstepaction"]

+> [Azure Services that support Availability Zones](az-region.md)

+ Title: Migrate Azure Virtual Machines and Azure Virtual Machine Scale Sets to availability zone support

+description: Learn how to migrate your Azure Virtual Machines and Virtual Machine Scale Sets to availability zone support.

+

+# Migrate Virtual Machines and Virtual Machine Scale Sets to availability zone support

+This guide describes how to migrate Virtual Machines (VMs) and Virtual Machine Scale Sets (VMSS) from non-availability zone support to availability zone support. We'll take you through the different options for migration, including how you can use availability zone support for Disaster Recovery solutions.

+Virtual Machine (VM) and Virtual Machine Scale Sets (VMSS) are zonal services, which means that VM resources can be deployed by using one of the following methods:

+- VM resources are deployed to a specific, self-selected availability zone to achieve more stringent latency or performance requirements.

+- VM resources are replicated to one or more zones within the region to improve the resiliency of the application and data in a High Availability (HA) architecture.

+When you migrate resources to availability zone support, we recommend that you select multiple zones for your new VMs and VMSS, to ensure high-availability of your compute resources.

+## Prerequisites

+To migrate to availability zone support, your VM SKUs must be available across the zones in for your region. To check for VM SKU availability, use one of the following methods:

+- Use PowerShell to [Check VM SKU availability](../virtual-machines/windows/create-PowerShell-availability-zone.md#check-vm-sku-availability).

+- Use the Azure CLI to [Check VM SKU availability](../virtual-machines/linux/create-cli-availability-zone.md#check-vm-sku-availability).

+- Go to [Foundational Services](az-region.md#an-icon-that-signifies-this-service-is-foundational-foundational-services).

+## Downtime requirements

+Because zonal VMs are created across the availability zones, all migration options mentioned in this article require downtime during deployment because zonal VMs are created across the availability zones.

+## Migration Option 1: Redeployment

+### When to use redeployment

+Use the redeployment option if you have good Infrastructure as Code (IaC) practices setup to manage infrastructure. The redeployment option gives you more control, and the ability to automate various processes within your deployment pipelines.

+### Redeployment considerations

+- When you redeploy your VM and VMSS resources, the underlying resources such as managed disk and IP address for the VM are created in the same availability zone. You must use a Standard SKU public IP address and load balancer to create zone-redundant network resources.

+- For zonal deployments that require reasonably low network latency and good performance between application tier and data tier, use [proximity placement groups](../virtual-machines/co-location.md). Proximity groups can force grouping of different VM resources under a single network spine. For an example of an SAP workload that uses proximity placement groups, see [Azure proximity placement groups for optimal network latency with SAP applications](../virtual-machines/workloads/sap/sap-proximity-placement-scenarios.md)

+### How to redeploy

+To redeploy, you'll need to recreate your VM and VMSS resources. To ensure high-availability of your compute resources, it's recommended that you select multiple zones for your new VMs and VMSS.

+To learn how create VMs in an availability zone, see:

+- [Create VM using Azure CLI](../virtual-machines/linux/create-cli-availability-zone.md)

+- [Create VM using Azure PowerShell](../virtual-machines/windows/create-PowerShell-availability-zone.md)

+- [Create VM using Azure portal](../virtual-machines/create-portal-availability-zone.md?tabs=standard)

+To learn how to create VMSS in an availability zone, see [Create a virtual machine scale set that uses Availability Zones](../virtual-machine-scale-sets/virtual-machine-scale-sets-use-availability-zones.md).

+## Migration Option 2: Azure Resource Mover

+### When to use Azure Resource Mover

+Use Azure Resource Mover for an easy way to move VMs or encrypted VMs from one region without availability zones to another with availability zones. If you want to learn more about the benefits of using Azure Resource Mover, see [Why use Azure Resource Mover?](../resource-mover/overview.md#why-use-resource-mover).

+### Azure Resource Mover considerations

+When you use Azure Resource mover, all keys and secrets are copied from the source key vault to the newly created destination key vault in your target region. All resources related to your customer-managed keys, such as Azure Key Vaults, disk encryption sets, VMs, disks, and snapshots, must be in the same subscription and region. Azure Key VaultΓÇÖs default availability and redundancy feature can't be used as the destination key vault for the moved VM resources, even if the target region is a secondary region to which your source key vault is replicated.

+### How to use Azure Resource Mover

+To learn how to move VMs to another region, see [Move Azure VMs to an availability zone in another region](../resource-mover/move-region-availability-zone.md)

+To learn how to move encrypted VMs to another region, see [Tutorial: Move encrypted Azure VMs across regions](../resource-mover/tutorial-move-region-encrypted-virtual-machines.md)

+## Disaster Recovery Considerations

+Typically, availability zones are used to deploy VMs in a High Availability configuration. They may be too close to each other to serve as a Disaster Recovery solution during a natural disaster. However, there are scenarios where availability zones can be used for Disaster Recovery. To learn more, see [Using Availability Zones for Disaster Recovery](../site-recovery/azure-to-azure-how-to-enable-zone-to-zone-disaster-recovery.md#using-availability-zones-for-disaster-recovery).

+The following requirements should be part of a disaster recovery strategy that helps your organization run its workloads during planned or unplanned outages across zones:

+- The source VM must already be a zonal VM, which means that it's placed in a logical zone.

+- You'll need to replicate your VM from one zone to another zone using Azure Site Recovery service.

+- Once your VM is replicated to another zone, you can follow steps to run a Disaster Recovery drill, fail over, reprotect, and failback.

+- To enable VM disaster recovery between availability zones, follow the instructions in [Enable Azure VM disaster recovery between availability zones](../site-recovery/azure-to-azure-how-to-enable-zone-to-zone-disaster-recovery.md) .

+## Next Steps

+Learn more about:

+> [!div class="nextstepaction"]

+> [Regions and Availability Zones in Azure](az-overview.md)

+> [!div class="nextstepaction"]

+> [Azure Services that support Availability Zones](az-region.md)

+To start using this GitHub Action, go to your repository and select the **Actions** tab. Select **New workflow**, then **Set up a workflow yourself**. Finally, search the marketplace for ΓÇ£Azure App Configuration Sync.ΓÇ¥

+By default the GitHub Action does not enable strict mode, meaning that the sync will only add key-values from the configuration file to the App Configuration instance (no key-value pairs will be deleted). Enabling strict mode will mean key-value pairs that aren't in the configuration file are deleted from the App Configuration instance, so that it matches the configuration file. If you are syncing from multiple sources or using Azure Key Vault with App Configuration, you'll want to use different prefixes or labels with strict sync to avoid wiping out configuration settings from other files (see samples below).

+ Title: Turn on transparent data encryption manually in Azure Arc-enabled SQL Managed Instance

+description: How-to guide to turn on transparent data encryption in an Azure Arc-enabled SQL Managed Instance

+# Enable transparent data encryption on Azure Arc-enabled SQL Managed Instance

+This article describes how to enable transparent data encryption on a database created in an Azure Arc-enabled SQL Managed Instance.

+## Prerequisites

+Before you proceed with this article, you must have an Azure Arc-enabled SQL Managed Instance resource created and have connected to it.

+- [An Azure Arc-enabled SQL Managed Instance created](./create-sql-managed-instance.md)

+- [Connect to Azure Arc-enabled SQL Managed Instance](./connect-managed-instance.md)

+## Turn on transparent data encryption on a database in Azure Arc-enabled SQL Managed Instance

+Turning on transparent data encryption in Azure Arc-enabled SQL Managed Instance follows the same steps as SQL Server on-premises. Follow the steps described in [SQL Server's transparent data encryption guide](/sql/relational-databases/security/encryption/transparent-data-encryption#enable-tde).

+After creating the necessary credentials, it's highly recommended to back up any newly created credentials.

+## Back up a transparent data encryption credential from Azure Arc-enabled SQL Managed Instance

+When backing up from Azure Arc-enabled SQL Managed Instance, the credentials will be stored within the container. It isn't necessary to store the credentials on a persistent volume, but you may use the mount path for the data volume within the container if you'd like: `/var/opt/mssql/data`. Otherwise, the credentials will be stored in-memory in the container. Below is an example of backing up a certificate from Azure Arc-enabled SQL Managed Instance.

+> [!NOTE]

+> If the `kubectl cp` command is run from Windows, the command may fail when using absolute Windows paths. `kubectl` can mistake the drive in the path as a pod name. For example, `kubectl` might mistake `C` to be a pod name in `C:\folder`. Users can avoid this issue by using relative paths or removing the `C:` from the provided path while in the `C:` drive. This issue also applies to environment variables on Windows like `$HOME`.

+1. Back up the certificate from the container to `/var/opt/mssql/data`.

+ ```sql

+ USE master;

+ GO

+ BACKUP CERTIFICATE <cert-name> TO FILE = '<cert-path>'

+ WITH PRIVATE KEY ( FILE = '<private-key-path>',

+ ENCRYPTION BY PASSWORD = '<UseStrongPasswordHere>');

+ ```

+ Example:

+ ```sql

+ USE master;

+ GO

+ BACKUP CERTIFICATE MyServerCert TO FILE = '/var/opt/mssql/data/servercert.crt'

+ WITH PRIVATE KEY ( FILE = '/var/opt/mssql/data/servercert.key',

+ ENCRYPTION BY PASSWORD = '<UseStrongPasswordHere>');

+ ```

+2. Copy the certificate from the container to your file system.

+ ```console

+ kubectl cp --namespace <namespace> --container arc-sqlmi <pod-name>:<pod-certificate-path> <local-certificate-path>

+ ```

+ Example:

+ ```console

+ kubectl cp --namespace arc-ns --container arc-sqlmi sql-0:/var/opt/mssql/data/servercert.crt ./sqlcerts/servercert.crt

+ ```

+3. Copy the private key from the container to your file system.

+ ```console

+ kubectl cp --namespace <namespace> --container arc-sqlmi <pod-name>:<pod-private-key-path> <local-private-key-path>

+ ```

+ Example:

+ ```console

+ kubectl cp --namespace arc-ns --container arc-sqlmi sql-0:/var/opt/mssql/data/servercert.key ./sqlcerts/servercert.key

+ ```

+4. Delete the certificate and private key from the container.

+ ```console

+ kubectl exec -it --namespace <namespace> --container arc-sqlmi <pod-name> -- bash -c "rm <certificate-path> <private-key-path>

+ ```

+ Example:

+ ```console

+ kubectl exec -it --namespace arc-ns --container arc-sqlmi sql-0 -- bash -c "rm /var/opt/mssql/data/servercert.crt /var/opt/mssql/data/servercert.key"

+ ```

+## Restore a transparent data encryption credential to Azure Arc-enabled SQL Managed Instance

+Similar to above, restore the credentials by copying them into the container and running the corresponding T-SQL afterwards.

+> [!NOTE]

+> If the `kubectl cp` command is run from Windows, the command may fail when using absolute Windows paths. `kubectl` can mistake the drive in the path as a pod name. For example, `kubectl` might mistake `C` to be a pod name in `C:\folder`. Users can avoid this issue by using relative paths or removing the `C:` from the provided path while in the `C:` drive. This issue also applies to environment variables on Windows like `$HOME`.

+1. Copy the certificate from your file system to the container.

+ ```console

+ kubectl cp --namespace <namespace> --container arc-sqlmi <local-certificate-path> <pod-name>:<pod-certificate-path>

+ ```

+ Example:

+ ```console

+ kubectl cp --namespace arc-ns --container arc-sqlmi ./sqlcerts/servercert.crt sql-0:/var/opt/mssql/data/servercert.crt

+ ```

+2. Copy the private key from your file system to the container.

+ ```console

+ kubectl cp --namespace <namespace> --container arc-sqlmi <local-private-key-path> <pod-name>:<pod-private-key-path>

+ ```

+ Example:

+ ```console

+ kubectl cp --namespace arc-ns --container arc-sqlmi ./sqlcerts/servercert.key sql-0:/var/opt/mssql/data/servercert.key

+ ```

+3. Create the certificate using file paths from `/var/opt/mssql/data`.

+ ```sql

+ USE master;

+ GO

+ CREATE CERTIFICATE <certicate-name>

+ FROM FILE = '<certificate-path>'

+ WITH PRIVATE KEY ( FILE = '<private-key-path>',

+ DECRYPTION BY PASSWORD = '<UseStrongPasswordHere>' );

+ ```

+ Example:

+ ```sql

+ USE master;

+ GO

+ CREATE CERTIFICATE MyServerCertRestored

+ FROM FILE = '/var/opt/mssql/data/servercert.crt'

+ WITH PRIVATE KEY ( FILE = '/var/opt/mssql/data/servercert.key',

+ DECRYPTION BY PASSWORD = '<UseStrongPasswordHere>' );

+ ```

+4. Delete the certificate and private key from the container.

+ ```console

+ kubectl exec -it --namespace <namespace> --container arc-sqlmi <pod-name> -- bash -c "rm <certificate-path> <private-key-path>

+ ```

+ Example:

+ ```console

+ kubectl exec -it --namespace arc-ns --container arc-sqlmi sql-0 -- bash -c "rm /var/opt/mssql/data/servercert.crt /var/opt/mssql/data/servercert.key"

+ ```

+## Next steps

+[Transparent data encryption](/sql/relational-databases/security/encryption/transparent-data-encryption)

+ Title: Tutorial ΓÇô Deploy Active Directory connector using Azure portal

+description: Tutorial to deploy an Active Directory connector using Azure portal

+# Tutorial ΓÇô Deploy Active Directory connector using Azure portal

+Active Directory (AD) connector is a key component to enable Active Directory authentication on Azure Arc-enabled SQL Managed Instances.

+This article explains how to deploy, manage, and delete an Active Directory (AD) connector in directly connected mode from the Azure portal.

+## Prerequisites

+For details about how to set up OU and AD account, go to [Deploy Azure Arc-enabled data services in Active Directory authentication - prerequisites](active-directory-prerequisites.md).

+Make sure you have the following deployed before proceed with the steps in this article:

+- An Arc-enabled Azure Kubernetes cluster.

+- A data controller in directly connected mode.

+## Create a new AD connector

+1. Log in to [Azure portal](https://portal.azure.com).

+1. In the search resources field at the top of the portal, type **data controllers**, and select **Azure Arc data controllers**.

+Azure takes you to where you can find all available data controllers deployed in your selected Azure subscription.

+1. Select the data controller where you wish to add an AD connector.

+1. Under **Settings** select **Active Directory**. The portal shows the Active Directory connectors for this data controller.

+1. Select **+ Add Connector**, the portal presents an **Add Connector** interface.

+1. Under **Active Directory connector**

+ 1. Specify your **Connector name**.

+ 2. Choose the account provisioning type - either **Automatic** or **Manual**.

+The account provisioning type determines whether you deploy a customer-managed keytab AD connector or a system-managed keytab AD connector.

+### Create a new customer-managed keytab AD connector

+1. Click **Add Connector**.

+

+1. Choose the account provisioning type **Manual**.

+

+1. Set the editable fields for your connector:

+ - **Realm**: The name of the Active Directory (AD) domain in uppercase. For example *CONTOSO.COM*.

+ - **Nameserver IP address**: A comma-separated list of Active Directory DNS server IP addresses. For example: *10.10.10.11, 10.10.10.12*.

+ - **Netbios domain name**: Optional. The NETBIOS name of the Active Directory domain. For example *CONTOSO*. Defaults to the first label of realm.

+ - **DNS domain name**: Optional. The DNS domain name associated with the Active Directory domain. For example, *contoso.com*.

+ - **DNS replicas**: Optional. The number of replicas to deploy for the DNS proxy service. Defaults to `1`.

+ - **Prefer Kubernetes DNS for PTR lookups**: Optional. Check to set Kubernetes DNS for IP address lookup. Clear to use Active Directory DNS.

+ 

+1. Click **Add Connector** to create a new customer-managed keytab AD connector.

+### Create a new system-managed keytab AD connector

+1. Click **Add Connector**.

+1. Choose the account provisioning type **Automatic**.

+1. Set the editable fields for your connector:

+ - **Realm**: The name of the Active Directory (AD) domain in uppercase. For example *CONTOSO.COM*.

+ - **Nameserver IP address**: A comma-separated list of Active Directory DNS server IP addresses. For example: *10.10.10.11, 10.10.10.12*.

+ - **OU distinguished name** The distinguished name of the Organizational Unit (OU) pre-created in the Active Directory (AD) domain. For example, `OU=arcou,DC=contoso,DC=com`.

+ - **Domain Service Account username** The username of the Domain Service Account in Active Directory.

+ - **Domain Service Account password** The password of the Domain Service Account in Active Directory.

+ - **Primary domain controller hostname (Optional)** The hostname of the primary Active Directory domain controller. For example, `azdc01.contoso.com`.

+ - **Secondary domain controller hostname (Optional)** The secondary domain controller hostname.

+ - **Netbios domain name**: Optional. The NETBIOS name of the Active Directory domain. For example *CONTOSO*. Defaults to the first label of realm.

+ - **DNS domain name**: Optional. The DNS domain name associated with the Active Directory domain. For example, *contoso.com*.

+ - **DNS replicas (Optional)** The number of replicas to deploy for the DNS proxy service. Defaults to `1`.

+ - **Prefer Kubernetes DNS for PTR lookups**: Optional. Check to set Kubernetes DNS for IP address lookup. Clear to use Active Directory DNS.

+ 

+1. Click **Add Connector** to create a new system-managed keytab AD connector.

+## Edit an existing AD connector

+1. Select the AD connect that you want to edit. Select the ellipses (**...**), and then **Edit**. The portal presents an **Edit Connector** interface.

+1. You may update any editable fields. For example:

+ - **Primary domain controller hostname** The hostname of the primary Active Directory domain controller. For example, `azdc01.contoso.com`.

+ - **Secondary domain controller hostname** The secondary domain controller hostname.

+ - **Nameserver IP address**: A comma-separated list of Active Directory DNS server IP addresses. For example: *10.10.10.11, 10.10.10.12*.

+ - **DNS replicas** The number of replicas to deploy for the DNS proxy service. Defaults to `1`.

+ - **Prefer Kubernetes DNS for PTR lookups**: Check to set Kubernetes DNS for IP address lookup. Clear to use Active Directory DNS.

+1. Click on **Apply** for changes to take effect.

+## Delete an AD connector

+1. Select the ellipses (**...**) on the right of the Active Directory connector you would like to delete.

+1. Select **Delete**.

+To delete multiple AD connectors at one time:

+1. Select the checkbox in the beginning row of each AD connector you want to delete.

+ Alternatively, select the checkbox in the top row to select all the AD connectors in the table.

+1. Click **Delete** in the management bar to delete the AD connectors that you selected.

+## Next steps

+* [Tutorial ΓÇô Deploy Active Directory connector using Azure CLI](deploy-active-directory-connector-cli.md)

+* [Tutorial ΓÇô Deploy AD connector in customer-managed keytab mode](deploy-customer-managed-keytab-active-directory-connector.md)

+* [Tutorial ΓÇô Deploy Active Directory connector in system-managed keytab mode](deploy-system-managed-keytab-active-directory-connector.md)

+* [Deploy Arc-enabled SQL Managed Instance with Active Directory Authentication](deploy-active-directory-sql-managed-instance.md).

+# Overview: Azure Arc-enabled SQL Managed Instance business continuity

+# Azure Arc-enabled SQL Managed Instance - disaster recovery

+|Always On availability groups²|Business Critical service tier.|

+|Minimum replica commit availability group ²|Business Critical service tier.

+| Azure portal | Yes |

+# High Availability with Azure Arc-enabled SQL Managed Instance

+- An Azure Arc-enabled SQL managed instance that is deployed with high availability does not currently support point-in-time restore.

+#Customer intent: As a data professional, I want to understand why my solutions would benefit from running with Azure Arc-enabled data services so that I can leverage the capability of the feature.

+## May 24, 2022

+This release is published May 24, 2022.

+### Image tag

+`v1.7.0_2022-05-24`

+For complete release version information, see [Version log](version-log.md).

+### Data controller reminders and warnings

+Reminders and warnings are implemented in Azure portal, custom resource status, and through CLI when the billing data related to all resources managed by the data controller has not been uploaded or exported for an extended period.

+### SQL Managed Instance

+General Availability of Business Critical service tier. Azure Arc-enabled SQL Managed Instance instances that have a version greater than or equal to v1.7.0 will be charged through Azure billing meters.

+### User experience improvements

+#### Azure portal

+Added ability to create AD Connectors from Azure portal.

+Preview expected costs for Azure Arc-enabled SQL Managed Instance Business Critical tier when you create new instances.

+#### Azure Data Studio

+Added ability to upgrade Azure Arc-enabled SQL Managed Instances from Azure Data Studio in the indirect and direct connectivity modes.

+Preview expected costs for Azure Arc-enabled SQL Managed Instance Business Critical tier when you create new instances.

+Add support for `NodeSelector`, `TopologySpreadConstraints` and `Affinity`. Only available through Kubernetes yaml/json file create/edit currently. No Azure CLI, Azure portal, or Azure Data Studio user experience yet.

+Notifications added in Azure portal if billing data has not been uploaded to Azure recently.

+Metrics for each replica in a Business Critical instance are now sent to the Azure portal so you can view them in the monitoring charts.

+- Removed block on data controller upgrade if there are Business Critical instances that exist

+- Azure Arc-enabled SQL Managed Instance Business Critical instances can be upgraded from the January release and going forward (preview)

+- Added support for `LicenseType: DisasterRecovery` which will ensure that instances which are used for Business Critical distributed availability group secondary replicas:

+- Ability to specify a single replica for a Business Critical instance using Azure CLI or Kubernetes yaml file

+- Upgrade from July 2021 release in-place (only for generally available services such as Azure Arc data controller and General Purpose SQL Managed Instance) using Azure CLI.

+- Upgrade instances of Azure Arc-enabled SQL Managed Instance General Purpose in-place

+- Point in time restore for Azure Arc enabled SQL Managed Instance is being made generally available with this release. Currently point in time restore is only supported for the General Purpose SQL Managed Instance. Point in time restore for Business Critical SQL Managed Instance is still under preview.

+- You can only upgrade generally available services such as Azure Arc data controller and General Purpose SQL Managed Instance at this time. If you also have Business Critical SQL Managed Instance and/or Azure Arc enabled PostgreSQL Hyperscale, remove them first, before proceeding to upgrade.

+This release announces general availability for Azure Arc-enabled SQL Managed Instance [General Purpose service tier](service-tiers.md) in indirectly connected mode.

+ > - SQL Managed Instance [Business Critical service tier](service-tiers.md)

+ - One General Purpose, 16 vCore managed instance

+ - Two Business Critical, 8-vCore managed instances

+ - One more General Purpose, 16 vCore managed instance

+ - One more Business Critical, 32 vCore managed instance

+ - 32 (2x16) vCore one year reservation for General Purpose managed instance

+ - 48 (2x8 + 32) vCore one year reservation for Business Critical managed instance

+- **General Purpose** is a budget-friendly tier designed for most workloads with common performance and availability features.

+- **Business Critical** tier is designed for performance-sensitive workloads with higher availability features.

+Area | Business Critical | General Purpose

+### Choose General Purpose if

+- CPU/memory requirements meet or are within the limits of the General Purpose service tier

+- The application does not require any of the features found in the Business Critical service tier (same as SQL Server Enterprise Edition)

+### Choose Business Critical if

+- CPU/memory requirements exceed the limits of the General Purpose service tier

+- Application requires features found only in the Business Critical service tier (same as SQL Server Enterprise Edition)

+|Service tier|General Purpose|Business Critical|

+- Database instances can be deployed in either a single pod pattern or a multiple pod pattern. An example of a single pod pattern is a General Purpose pricing tier Azure SQL managed instance. An example of a multiple pod pattern is a highly available Business Critical pricing tier Azure SQL managed instance. Database instances deployed with the single pod pattern **must** use a remote, shared storage class in order to ensure data durability and so that if a pod or node dies that when the pod is brought back up it can connect again to the persistent volume. In contrast, a highly available Azure SQL managed instance uses Always On Availability Groups to replicate the data from one instance to another either synchronously or asynchronously. Especially in the case where the data is replicated synchronously, there is always multiple copies of the data - typically three copies. Because of this, it is possible to use local storage or remote, shared storage classes for data and log files. If utilizing local storage, the data is still preserved even in the case of a failed pod, node, or storage hardware because there are multiple copies of the data. Given this flexibility, you might choose to use local storage for better performance.

+Upgrade the data controller by running an upgrade on the Arc data controller extension first. This can be done as follows:

+```azurecli

+az k8s-extension update --resource-group <resource-group> --cluster-name <connected cluster name> --cluster-type connectedClusters --name <name of extension> --version <extension version> --release-train stable --config systemDefaultValues.image="<registry>/<repository>/arc-bootstrapper:<imageTag>"

+```

+You can retrieve the name of your extension and its version, by browsing to the Overview blade of your Arc enabled kubernetes cluster and select Extensions tab on the left. You can also retrieve the name of your extension and its version running `az` CLI As follows:

+```azurecli

+az k8s-extension list --resource-group <resource-group> --cluster-name <connected cluster name> --cluster-type connectedClusters

+```

+For example:

+```azurecli

+az k8s-extension list --resource-group myresource-group --cluster-name myconnected-cluster --cluster-type connectedClusters

+```

+After retrieving the Arc data controller extension name and its version, the extension can be upgraded as follows:

+For example:

+```azurecli

+az k8s-extension update --resource-group myresource-group --cluster-name myconnected-cluster --cluster-type connectedClusters --name arcdc-ext --version 1.2.19481002 --release-train stable --config systemDefaultValues.image="mcr.microsoft.com/arcdata/arc-bootstrapper:v1.6.0_2022-05-02"

+```

+Once the extension is upgraded, run the `az arcdata dc upgrade` command to upgrade the data controller. If you don't specify a target image, the data controller will be upgraded to the latest version.

+> [!NOTE]

+> Currently upgrade is only supported to the next immediate version. Hence, if you are more than one version behind, specify the `--desired-version` to avoid compatibility issues.

+az sql mi-arc upgrade --resource-group <resource group> --name <instance name> --desired-version <imageTag> [--no-wait]

+az sql mi-arc upgrade --resource-group myresource-group --name sql1 --desired-version v1.6.0_2022-05-02 [--no-wait]

+ Running Version: v1.5.0_2022-04-05

+ Running Version: v1.6.0_2022-05-02

+#Customer intent: As a data professional, I want to understand what versions of components align with specific releases.

+## May 24, 2022

+|Component |Value |

+|--||

+|Container images tag |`v1.7.0_2022-05-24`|

+|CRD names and versions |`datacontrollers.arcdata.microsoft.com`: v1beta1, v1 through v6</br>`exporttasks.tasks.arcdata.microsoft.com`: v1beta1, v1, v2</br>`kafkas.arcdata.microsoft.com`: v1beta1</br>`monitors.arcdata.microsoft.com`: v1beta1, v1, v2</br>`sqlmanagedinstances.sql.arcdata.microsoft.com`: v1beta1, v1 through v6</br>`postgresqls.arcdata.microsoft.com`: v1beta1, v1beta2</br>`sqlmanagedinstancerestoretasks.tasks.sql.arcdata.microsoft.com`: v1beta1, v1</br>`failovergroups.sql.arcdata.microsoft.com`: v1beta1, v1beta2,v1</br>`activedirectoryconnectors.arcdata.microsoft.com`: v1beta1, v1beta2|

+|ARM API version|2022-03-01-preview (No change)|

+|`arcdata` Azure CLI extension version| 1.4.1|

+|Arc enabled Kubernetes helm chart extension version|1.2.19581002|

+|Arc Data extension for Azure Data Studio|1.3.0|

+This release introduces general availability for Azure Arc-enabled SQL Managed Instance General Purpose and Azure Arc-enabled SQL Server. The following table describes the components in this release.

+> This document is for GitOps with Flux v1. GitOps with Flux v2 is now available for Azure Arc-enabled Kubernetes and Azure Kubernetes Service (AKS) clusters; [learn about GitOps with Flux v2](./conceptual-gitops-flux2.md). Eventually Azure will stop supporting GitOps with Flux v1, so begin using Flux v2 as soon as possible.

+description: "This article provides a conceptual overview of a CI/CD workflow using GitOps with Flux"

+> The workflow described in this document uses GitOps with Flux v1. GitOps with Flux v2 is now available for Azure Arc-enabled Kubernetes and Azure Kubernetes Service (AKS) clusters; [learn about CI/CD workflow using GitOps with Flux v2](./conceptual-gitops-flux2-ci-cd.md). Eventually Azure will stop supporting GitOps with Flux v1, so begin using Flux v2 as soon as possible.

+At least one Azure Arc-enabled Kubernetes cluster serves the different environments needed by the application. For example, a single cluster can serve both a dev and QA environment through different namespaces. A second cluster can provide easier separation of environments and more fine-grained control.

+If you run the above command while being logged into Azure CLI using a service principal, you may observe the following warning:

+```console

+Unable to fetch oid of 'custom-locations' app. Proceeding without enabling the feature. Insufficient privileges to complete the operation.

+```

+This is because a service principal doesn't have permissions to get information of the application used by Azure Arc service. To avoid this error, execute the following steps:

+1. Login into Azure CLI using your user account. Fetch the Object ID of the Azure AD application used by Azure Arc service:

+ az ad sp show --id bc313c14-388c-4e7d-a58e-70017303ee3b --query objectId -o tsv

+1. Login into Azure CLI using the service principal. Use the `<objectId>` value from above step to enable custom locations feature on the cluster:

+> * Which Azure Arc-enabled Kubernetes cluster extensions are currently available.

+> * How to view, list, update, and delete extension instances.

+A conceptual overview of this feature is available in [Cluster extensions - Azure Arc-enabled Kubernetes](conceptual-extensions.md).

+* [Install or upgrade Azure CLI](/cli/azure/install-azure-cli) to version >= 2.16.0.

+* `connectedk8s` (version >= 1.2.0) and `k8s-extension` (version >= 1.0.0) Azure CLI extensions. Install these Azure CLI extensions by running the following commands:

+* An existing Azure Arc-enabled Kubernetes connected cluster.

+ * If you haven't connected a cluster yet, use our [quickstart](quickstart-connect-cluster.md).

+ * [Upgrade your agents](agent-upgrade.md#manually-upgrade-agents) to version >= 1.5.3.

+| [Azure Arc-enabled Machine Learning](../../machine-learning/how-to-attach-kubernetes-anywhere.md) | Deploy and run Azure Machine Learning on Azure Arc-enabled Kubernetes clusters. |

+| [Dapr extension for Azure Kubernetes Service (AKS) and Arc-enabled Kubernetes](/azure/aks/dapr)| Eliminates the overhead of downloading Dapr tooling and manually installing and managing the runtime on your clusters. |

+* Deploy machine learning workloads using [Azure Machine Learning for Kubernetes clusters](../../machine-learning/how-to-attach-kubernetes-anywhere.md?toc=/azure/azure-arc/kubernetes/toc.json).

+> [Deploy configurations using GitOps with Flux v2](tutorial-use-gitops-flux2.md)

+The above warning is observed when you have used a service principal to log into Azure. This is because a service principal doesn't have permissions to get information of the application used by Azure Arc service. To avoid this error, execute the following steps:

+1. Login into Azure CLI using your user account. Fetch the Object ID of the Azure AD application used by Azure Arc service:

+1. Login into Azure CLI using the service principal. Use the `<objectId>` value from above step to enable custom locations feature on the cluster:

+ Title: Azure Key Vault Secrets Provider extension

+# Using Azure Key Vault Secrets Provider extension to fetch secrets into Arc clusters

+ - Tanzu Kubernetes Grid

+To deploy using Azure portal, go to the cluster's **Extensions** blade under **Settings**. Click on **+Add** button.

+[](media/tutorial-akv-secrets-provider/extension-install-add-button.jpg#lightbox)

+From the list of available extensions, select the **Azure Key Vault Secrets Provider** to deploy the latest version of the extension. You can also choose to customize the installation through the portal by changing the defaults on **Configuration** tab.

+[](media/tutorial-akv-secrets-provider/extension-install-new-resource.jpg#lightbox)

+Alternatively, you can use the CLI experience captured below.

+az k8s-extension create --cluster-name $CLUSTER_NAME --resource-group $RESOURCE_GROUP --cluster-type connectedClusters --extension-type Microsoft.AzureKeyVaultSecretsProvider --name akvsecretsprovider

+ "name": "akvsecretsprovider",

+ "releaseTrain": "Stable",

+ "createdAt": "2022-05-12T18:35:56.552889+00:00",

+ "lastModifiedAt": "2022-05-12T18:35:56.552889+00:00",

+ "version": "1.1.3"

+ "defaultValue": "stable",

+ "releaseTrain": "Stable",

+ "createdAt": "2022-05-12T18:35:56.552889+00:00",

+ "lastModifiedAt": "2022-05-12T18:35:56.552889+00:00",

+ "version": "1.1.3"

+ - name: secrets-store-inline

+ - name: secrets-store-inline

+az k8s-extension create --cluster-name $CLUSTER_NAME --resource-group $RESOURCE_GROUP --cluster-type connectedClusters --extension-type Microsoft.AzureKeyVaultSecretsProvider --name akvsecretsprovider --configuration-settings secrets-store-csi-driver.enableSecretRotation=true secrets-store-csi-driver.rotationPollInterval=3m secrets-store-csi-driver.syncSecret.enabled=true

+> This tutorial uses GitOps with Flux v1. GitOps with Flux v2 is now available for Azure Arc-enabled Kubernetes and Azure Kubernetes Service (AKS) clusters; [go to the tutorial that uses GitOps with Flux v2](./tutorial-gitops-flux2-ci-cd.md). Eventually Azure will stop supporting GitOps with Flux v1, so begin using Flux v2 as soon as possible.

+In this tutorial, you'll set up a CI/CD solution using GitOps with Flux v2 and Azure Arc-enabled Kubernetes or Azure Kubernetes Service (AKS) clusters. Using the sample Azure Vote app, you'll:

+> [!NOTE]

+> Eventually Azure will stop supporting GitOps with Flux v1, so begin using Flux v2 as soon as possible.

+> This tutorial is for GitOps with Flux v1. GitOps with Flux v2 is now available for Azure Arc-enabled Kubernetes and Azure Kubernetes Service (AKS) clusters; [go to the tutorial for GitOps with Flux v2](./tutorial-use-gitops-flux2.md). Eventually Azure will stop supporting GitOps with Flux v1, so begin using Flux v2 as soon as possible.

+# Tutorial: Use GitOps with Flux v2 in Azure Arc-enabled Kubernetes or AKS clusters

+> [!NOTE]

+> Eventually Azure will stop supporting GitOps with Flux v1, so begin using Flux v2 as soon as possible.

+> [!IMPORTANT]

+> Add-on Azure management services, like Kubernetes Configuration, are charged when enabled. Costs related to use of Flux v2 will start to be billed on July 1, 2022. For more information, see [Azure Arc pricing](https://azure.microsoft.com/pricing/details/azure-arc/).

+> The `microsoft.flux` extension released major version 1.0.0. This includes the [multi-tenancy feature](#multi-tenancy). If you have existing GitOps Flux v2 configurations that use a previous version of the `microsoft.flux` extension you can upgrade to the latest extension manually using the Azure CLI: "az k8s-extension create -g <RESOURCE_GROUP> -c <CLUSTER_NAME> -n flux --extension-type microsoft.flux -t <CLUSTER_TYPE>" (use "-t connectedClusters" for Arc clusters and "-t managedClusters" for AKS clusters).

+GitOps is currently supported in all regions that Azure Arc-enabled Kubernetes supports. [See the supported regions](https://azure.microsoft.com/global-infrastructure/services/?regions=all&products=kubernetes-service,azure-arc). GitOps is currently supported in a subset of the regions that AKS supports. The GitOps service is adding new supported regions on a regular cadence.

+> [!TIP]

+> Because of how Helm handles index files, processing helm charts is an expensive operation and can have very high memory footprint. As a result, helm chart reconciliation, when occurring in parallel can cause memory spikes and OOMKilled if you are reconciling a large number of helm charts at a given time. By default, the source-controller sets its memory limit at 1Gi and its memory requests at 64Mi. If you need to increase this limit and requests due to a high number of large helm chart reconciliations, you can do so by running the following command after Microsoft.Flux extension installation.

+>

+> `az k8s-extension update -g <resource-group> -c <cluster-name> -n flux -t connectedClusters --config source-controller.resources.limits.memory=2Gi source-controller.resources.requests.memory=300Mi`

+> This article is for GitOps with Flux v1. GitOps with Flux v2 is now available for Azure Arc-enabled Kubernetes and Azure Kubernetes Service (AKS) clusters; [go to the tutorial for GitOps with Flux v2](./tutorial-use-gitops-flux2.md). Eventually Azure will stop supporting GitOps with Flux v1, so begin using Flux v2 as soon as possible.

+## Version 1.13 - November 2021

+### Known issues

+- Extensions may get stuck in transient states (creating, deleting, updating) on Windows machines running the 1.13 agent in certain conditions. Microsoft recommends upgrading to agent version 1.14 as soon as possible to resolve this issue.

+### Fixed

+- Improved reliability when installing or upgrading the agent.

+### New features

+- Local configuration of agent settings now available using the [azcmagent config command](manage-agent.md#config).

+- Proxy server settings can be [configured using agent-specific settings](manage-agent.md#update-or-remove-proxy-settings) instead of environment variables.

+- Extension operations will execute faster using a new notification pipeline. You may need to adjust your firewall or proxy server rules to allow the new network addresses for this notification service (see [networking configuration](network-requirements.md)). The extension manager will fall back to the existing behavior of checking every 5 minutes when the notification service cannot be reached.

+- Detection of the AWS account ID, instance ID, and region information for servers running in Amazon Web Services.

+## Version 1.18 - May 2022

+### New features

+- The agent can now be configured to operate in [monitoring mode](security-overview.md#agent-modes), which simplifies configuration of the agent for scenarios where you only want to use Arc for monitoring and security scenarios. This mode disables other agent functionality and prevents use of extensions that could make changes to the system (for example, the Custom Script Extension).

+- VMs and hosts running on Azure Stack HCI now report the cloud provider as "HCI" when [Azure benefits are enabled](/azure-stack/hci/manage/azure-benefits#enable-azure-benefits).

+### Fixed

+- `systemd` is now an official prerequisite on Linux and your package manger will alert you if you try to install the Azure Connected Machine agent on a server without systemd.

+- Guest configuration policies no longer create unnecessary files in the `/tmp` directory on Linux servers

+- Improved reliability when extracting extensions and guest configuration policy packages

+- Improved reliability for guest configuration policies that have child processes

+You can enable Azure Arc-enabled servers for multiple Windows or Linux machines in your environment with several flexible options depending on your requirements. Using the template script we provide, you can automate every step of the installation, including establishing the connection to Azure Arc. However, you are required to execute this script manually with an account that has elevated permissions on the target machine and in Azure.

+One method to connect the machines to Azure Arc-enabled servers is to use an Azure Active Directory [service principal](../../active-directory/develop/app-objects-and-service-principals.md). This service principal method can be used instead of your privileged identity to [interactively connect the machine](onboard-portal.md). This service principal is a special limited management identity that has only the minimum permission necessary to connect machines to Azure using the `azcmagent` command. This method is safer than using a higher privileged account like a Tenant Administrator and follows our access control security best practices. **The service principal is used only during onboarding; it is not used for any other purpose.**

+Before you start connecting your machines, review the following requirements:

+1. Make sure you have administrator permission on the machines you want to onboard.

+ Administrator permissions are required to install the Connected Machine agent on the machines; on Linux by using the root account, and on Windows as a member of the Local Administrators group.

+1. Review the [prerequisites](prerequisites.md) and verify that your subscription and resources meet the requirements. You will need to have the **Azure Connected Machine Onboarding** role or the **Contributor** role for the resource group of the machine.

+ For information about supported regions and other related considerations, see [supported Azure regions](overview.md#supported-regions). Also review our [at-scale planning guide](plan-at-scale-deployment.md) to understand the design and deployment criteria, as well as our management and monitoring recommendations.

+<!--The installation methods to install and configure the Connected Machine agent requires that the automated method you use has administrator permissions on the machines: on Linux by using the root account, and on Windows as a member of the Local Administrators group.

+Before you get started, be sure to review the [prerequisites](prerequisites.md) and verify that your subscription and resources meet the requirements. For information about supported regions and other related considerations, see [supported Azure regions](overview.md#supported-regions). Also review our [at-scale planning guide](plan-at-scale-deployment.md) to understand the design and deployment criteria, as well as our management and monitoring recommendations.-->

+To connect hybrid machines, you install the [Azure Connected Machine agent](agent-overview.md) on each machine. This agent does not deliver any other functionality, and it doesn't replace the Azure [Log Analytics agent](../../azure-monitor/agents/log-analytics-agent.md) / [Azure Monitor Agent](../../azure-monitor/agents/azure-monitor-agent-overview.md). The Log Analytics agent or Azure Monitor Agent for Windows and Linux is required in order to:

+Windows operating systems:

+Linux operating systems:

+* systemd

+* wget (to download the installation script)

+## Agent modes

+A simpler way to configure local security controls for monitoring and security scenarios is to use the *monitor mode*, available with agent version 1.18 and newer. Modes are pre-defined configurations of the extension allowlist and guest configuration agent maintained by Microsoft. As new extensions become available that enable monitoring scenarios, Microsoft will update the allowlist and agent configuration to include or exclude the new functionality, as appropriate.

+There are two modes to choose from:

+1. **full** - the default mode. This allows all agent functionality.

+1. **monitor** - a restricted mode that disables the guest configuration policy agent and only allows the use of extensions related to monitoring and security.

+To enable monitor mode, run the following command:

+```bash

+azcmagent config set config.mode monitor

+```

+You can check the current mode of the agent and allowed extensions with the following command:

+```bash

+azcmagent config list

+```

+While in monitor mode, you cannot modify the extension allowlist or blocklist. If you need to change either list, change the agent back to full mode and specify your own allowlist and blocklist.

+To change the agent back to full mode, run the following command:

+```bash

+azcmagent config set config.mode full

+```

+By default, the Azure Active Directory system assigned identity used by Arc can only be used to update the status of the Azure Arc-enabled server in Azure. For example, the *last seen* heartbeat status. You can optionally assign other roles to the identity if an application on your server uses the system assigned identity to access other Azure services. To learn more about configuring a system-assigned managed identity to access Azure resources, see [Authenticate against Azure resources with Azure Arc-enabled servers](managed-identity-authentication.md).

+To view examples of using the ```az ssh arc``` command, view the az CLI documentation page for [az ssh](/cli/azure/ssh).

+| CPU |The CPU utilization of the Azure Cache for Redis server as a percentage during the specified reporting interval. This value maps to the operating system `\Processor(_Total)\% Processor Time` performance counter. Note: This metric can be noisy due to low priority background security processes running on the node, so we recommend monitoring Server Load metric to track load on a Redis server.|

+Azure Cache for Redis persistence features are intended to be used to restore data after data loss, not importing it to a new cache. You cannot import from AOF page blob backups to a new cache. To export data for importing back to a new cache, use the export RDB feature or automatic recurring RDB export. For more information on importing to a new cache, see [Import](cache-how-to-import-export-data.md#import).

+> [!NOTE]

+> Importing from AOF page blob backups to a new cache is not a supported option.

+If you enable data persistence, geo-replication can't be enabled for your premium cache.

+Use a second storage account for AOF persistence when you believe you have higher than expected set operations on the cache. Setting up the secondary storage account helps ensure your cache doesn't reach storage bandwidth limits.

+## Setting up the working environment

+In this sample, you use Maven to run the quickstart app.

+ This code shows you how to connect to an Azure Cache for Redis instance using the cache host name and key environment variables. The code also stores and retrieves a string value in the cache. The `PING` and `CLIENT LIST` commands are also executed.

+Otherwise, if you're finished with the quickstart sample application, you can delete the Azure resources created in this quickstart to avoid charges.

+ :::image type="content" source="./media/cache-java-get-started/azure-cache-redis-delete-resource-group.png" alt-text="Azure resource group deleted":::

+ | **DNS name** | Enter a globally unique name. | The cache name must be a string between 1 and 63 characters. The string can contain only numbers, letters, or hyphens. The name must start and end with a number or letter, and can't contain consecutive hyphens. Your cache instance's _host name_ will be _\<DNS name>.redis.cache.windows.net_. |

+* An **entry script**. This script accepts requests, scores the request using the model, and returns the results.